@dependabot dependabot bot commented on behalf of github Jan 8, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: shakapacker.

Updates shakapacker from 8.4.0 to 9.5.0

Changelog

Sourced from shakapacker's changelog.

[v9.5.0] - January 7, 2026

Security

  • CRITICAL: Fixed environment variable leak via EnvironmentPlugin. [PR #857](shakacode/shakapacker#857) by justin808. The default webpack and rspack plugins were passing the entire process.env to EnvironmentPlugin, which exposed ALL build environment variables (including secrets like DATABASE_URL, AWS_SECRET_ACCESS_KEY, RAILS_MASTER_KEY, etc.) to client-side JavaScript bundles when code referenced process.env.VARIABLE_NAME. Note: This issue is especially critical with webpack 5.103+ due to a serialization change that can embed all environment variables into bundles when import.meta.env is accessed conditionally. This vulnerability was inherited from webpacker v1.0.0 (January 2017) and has been present in all versions of webpacker and shakapacker. Action required: After upgrading, rotate any secrets that may have been exposed in production JavaScript bundles.

Added

  • Added SHAKAPACKER_PUBLIC_* prefix convention for client-side environment variables. [PR #857](shakacode/shakapacker#857) by justin808. Any environment variable prefixed with SHAKAPACKER_PUBLIC_ is automatically exposed to client-side JavaScript. This follows the same convention used by Next.js (NEXT_PUBLIC_*) and Vite (VITE_*), making it explicit which variables are intended for client-side use.

    # These are automatically available in your JavaScript
    export SHAKAPACKER_PUBLIC_API_URL=https://api.example.com
    export SHAKAPACKER_PUBLIC_ANALYTICS_ID=UA-12345
  • Added SHAKAPACKER_ENV_VARS environment variable as escape hatch for extending allowed client-side env vars. [PR #857](shakacode/shakapacker#857) by justin808. Set SHAKAPACKER_ENV_VARS=VAR1,VAR2,VAR3 to expose additional environment variables to client-side JavaScript beyond the default allowlist (NODE_ENV, RAILS_ENV, WEBPACK_SERVE). Only add non-sensitive variables that are safe to embed in public JavaScript bundles.

Changed

  • BREAKING: EnvironmentPlugin now uses allowlist instead of exposing all env vars. [PR #857](shakacode/shakapacker#857) by justin808. Only NODE_ENV, RAILS_ENV, WEBPACK_SERVE, and any SHAKAPACKER_PUBLIC_* variables are exposed by default. If your client-side code relies on other environment variables, either rename them with the SHAKAPACKER_PUBLIC_ prefix (recommended), add them via SHAKAPACKER_ENV_VARS, or customize your webpack/rspack config. This is a security fix - the previous behavior was dangerous.

    Migration examples:

    # Option 1 (recommended): Use the SHAKAPACKER_PUBLIC_ prefix
    export SHAKAPACKER_PUBLIC_API_BASE_URL=https://api.example.com
    # Option 2: Use SHAKAPACKER_ENV_VARS for existing variable names
    SHAKAPACKER_ENV_VARS=API_BASE_URL bundle exec rails assets:precompile
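To make the allowlist change concrete, here is an added example (not shakapacker's own code) that builds the object a webpack/rspack `EnvironmentPlugin` should receive, with the old pass-everything behaviour beside it; the key names follow the changelog above and the sample environment is constructed with fake values.

```javascript
// Added example, not shakapacker's implementation: derive the client-side
// env allowlist described in the v9.5.0 changelog instead of handing the
// whole process.env to EnvironmentPlugin.

// Default allowlist and prefix convention, as stated in the changelog.
const DEFAULT_ALLOWLIST = ["NODE_ENV", "RAILS_ENV", "WEBPACK_SERVE"];
const PUBLIC_PREFIX = "SHAKAPACKER_PUBLIC_";

// Pre-9.5.0 behaviour: every variable in env can end up in the bundle.
function clientEnvBeforeFix(env) {
  return { ...env };
}

// Post-9.5.0 behaviour: only default keys, SHAKAPACKER_PUBLIC_* keys and
// keys named in SHAKAPACKER_ENV_VARS are forwarded. Names listed in
// SHAKAPACKER_ENV_VARS that are not set are simply absent from the result,
// and SHAKAPACKER_ENV_VARS itself is never exposed.
function clientEnvAllowlisted(env) {
  const extra = (env.SHAKAPACKER_ENV_VARS || "")
    .split(",")
    .map((name) => name.trim())
    .filter(Boolean);
  const allowed = new Set([...DEFAULT_ALLOWLIST, ...extra]);
  const out = {};
  for (const [key, value] of Object.entries(env)) {
    if (allowed.has(key) || key.startsWith(PUBLIC_PREFIX)) {
      out[key] = value;
    }
  }
  return out;
}

// Keys the old behaviour would have embedded but the allowlist drops;
// useful as a pre-upgrade audit of what a shipped bundle may contain.
function keysNoLongerExposed(env) {
  const after = clientEnvAllowlisted(env);
  return Object.keys(clientEnvBeforeFix(env))
    .filter((key) => !(key in after))
    .sort();
}

// Constructed sample environment; all values are fake.
const SAMPLE_ENV = {
  NODE_ENV: "production",
  RAILS_ENV: "production",
  RAILS_MASTER_KEY: "fake-master-key",
  AWS_SECRET_ACCESS_KEY: "fake-aws-secret",
  DATABASE_URL: "postgres://user:fake@db/app",
  SHAKAPACKER_PUBLIC_API_URL: "https://api.example.com",
  API_BASE_URL: "https://api.example.com/v1",
  SHAKAPACKER_ENV_VARS: "API_BASE_URL, UNSET_VAR",
};
// In a config: new webpack.EnvironmentPlugin(clientEnvAllowlisted(process.env))
```

Running `keysNoLongerExposed(SAMPLE_ENV)` lists the secrets that the pre-fix configuration would have made available to the bundle, which is the set whose rotation the changelog's "Action required" note is about.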

Fixed

  • Fixed gemspec to exclude Gemfile.lock from published gem. [PR #856](shakacode/shakapacker#856) by adrien-k. The gemspec's file pattern now correctly excludes Gemfile.lock, preventing vulnerability alerts during Docker image scans caused by outdated pinned versions in the lock file.

[v9.4.0] - November 22, 2025

Added

  • Added SHAKAPACKER_SKIP_PRECOMPILE_HOOK environment variable to skip precompile hook. [PR #850](shakacode/shakapacker#850) by justin808. Set SHAKAPACKER_SKIP_PRECOMPILE_HOOK=true to skip the precompile hook during compilation. This is useful when using process managers like Foreman or Overmind to run the hook once before starting multiple webpack processes, preventing duplicate hook execution. Migration tip: If you have a custom bin/dev script that starts multiple webpack processes, you can now run the precompile hook once in the script and set this environment variable to prevent each webpack process from running the hook again. See the precompile hook documentation for implementation examples.

[v9.3.4-beta.0] - November 17, 2025

Fixed

  • Fixed switch_bundler task to remove packages from both dependencies and devDependencies. [PR #838](shakacode/shakapacker#838) by justin808. The task now correctly removes old bundler packages regardless of whether they're in dependencies or devDependencies sections, fixing an issue where packages in dependencies were not being removed when switching bundlers.

[v9.3.3] - November 15, 2025

... (truncated)

Commits
  • 594c561 Release 9.5.0
  • 6e89a7a Add npm auth pre-flight check to release script (#862)
  • ea4f9e8 Update CHANGELOG for v9.5.0 release (#861)
  • 3074164 Fix gemspec's files regexp to exclude Gemfile.lock (#856)
  • 3e06781 fix(security): prevent environment variable leak via EnvironmentPlugin (#857)
  • 86de096 Fix CI failures: restore root bin/shakapacker-config and fix prettier (#858)
  • 2d74b61 Improve test assertions using explicit have_received checks (#854)
  • 5c89f18 Update CHANGELOG for v9.4.0 release (#851)
  • 32c6adf Improve SHAKAPACKER_SKIP_PRECOMPILE_HOOK documentation (#852)
  • 3b3e3c9 Update spec/dummy lockfiles after release
  • Additional commits viewable in compare view


Bumps the npm_and_yarn group with 1 update in the / directory: [shakapacker](https://github.com/shakacode/shakapacker).


Updates `shakapacker` from 8.4.0 to 9.5.0
- [Changelog](https://github.com/shakacode/shakapacker/blob/main/CHANGELOG.md)
- [Commits](shakacode/shakapacker@v8.4.0...v9.5.0)

---
updated-dependencies:
- dependency-name: shakapacker
  dependency-version: 9.5.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jan 8, 2026
"sass": "^1.94.2",
"sass-loader": "^16.0.6",
"shakapacker": "8.4.0",
"shakapacker": "9.5.0",
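Review bot: this hunk pins only the npm package to 9.5.0, while shakapacker's Ruby gem must be at the same version and no Gemfile change appears in the diff; bump `gem 'shakapacker', '9.5.0'` and run `bundle update shakapacker` in the same PR so `rake assets:precompile` does not run a v8 gem against a v9 package. Note also that 9.5.0 switches `EnvironmentPlugin` to an allowlist, so any client-side code reading other `process.env.*` variables will see `undefined` after this upgrade unless those variables are renamed with the `SHAKAPACKER_PUBLIC_` prefix or listed in `SHAKAPACKER_ENV_VARS`.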

Bug: The shakapacker npm package is updated to 9.5.0 but the corresponding Ruby gem remains at 8.4.0. These versions must be identical to prevent build failures.
Severity: CRITICAL

🔍 Detailed Analysis

The shakapacker npm package is updated to version 9.5.0 in package.json, but the corresponding Ruby gem in the Gemfile remains at 8.4.0. Shakapacker requires exact version matching between its npm package and Ruby gem. The major version bump from 8.x to 9.x includes breaking API changes. This mismatch will cause the rake assets:precompile task, which runs in CI, to fail because the Ruby gem (v8.4.0) will attempt to use APIs that have changed or been removed in the npm package (v9.5.0).

💡 Suggested Fix

Update the shakapacker gem version in the Gemfile to match the npm package version: gem 'shakapacker', '9.5.0'. Then, run bundle update shakapacker to update the Gemfile.lock.

🤖 Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.

Location: package.json#L44

Potential issue: The `shakapacker` npm package is updated to version `9.5.0` in `package.json`, but the corresponding Ruby gem in the `Gemfile` remains at `8.4.0`. Shakapacker requires exact version matching between its npm package and Ruby gem. The major version bump from 8.x to 9.x includes breaking API changes. This mismatch will cause the `rake assets:precompile` task, which runs in CI, to fail because the Ruby gem (v8.4.0) will attempt to use APIs that have changed or been removed in the npm package (v9.5.0).

Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 8365213
