
[codex] Upgrade css-minimizer-webpack-plugin for #1416#1417

Draft
justin808 wants to merge 1 commit into main from jg-codex/fix-1416-css-minimizer-v8

Conversation

@justin808 (Collaborator)

Closes #1416.

What changed

  • remove the unused top-level css-minimizer-webpack-plugin dependency from the published react_ujs package
  • upgrade the dummy app's direct css-minimizer-webpack-plugin dependency from ^2.0.0 to ^8.0.0
  • regenerate the root and dummy Yarn lockfiles
  • pin GitHub Actions jobs to Node 20 so the CI runtime matches the new dependency floor

Why

Issue #1416 called out that older css-minimizer-webpack-plugin releases pull vulnerable serialize-javascript versions.

In this repo, the gem-level package was carrying css-minimizer-webpack-plugin as an unused dependency, while the dummy app still referenced an older version directly. This change removes the unused root dependency and upgrades the dummy app path that actually exercises the plugin.

Impact

  • the published react_ujs package no longer ships an unused dependency on css-minimizer-webpack-plugin
  • the dummy Shakapacker/Webpack setup now resolves css-minimizer-webpack-plugin@8
  • CI no longer relies on an implicit runner Node version for this dependency chain

Validation

  • PACKAGE_JSON_FALLBACK_MANAGER=yarn_classic bundle exec rake react:update
  • PACKAGE_JSON_FALLBACK_MANAGER=yarn_classic bundle exec rake ujs:update
  • MT_KWARGS_HACK=1 PACKAGE_JSON_FALLBACK_MANAGER=yarn_classic SHAKAPACKER_USE_PACKAGE_JSON_GEM=true NODE_OPTIONS=--openssl-legacy-provider bundle exec rake test

Note

The dummy lockfile still contains serialize-javascript@6.0.1 through compression-webpack-plugin and terser-webpack-plugin. That is separate from the css-minimizer-webpack-plugin upgrade requested in #1416.

@claude bot commented Apr 13, 2026

Code Review

Thanks for addressing the security issue from #1416! The PR is well-structured with clear documentation. Here are my observations:


What's good

  • Correctly removes an unused dependency: css-minimizer-webpack-plugin was never imported in the root react_ujs webpack config, so removing it from package.json is the right call. This keeps the published package lean.
  • Targeted dummy-app upgrade: Upgrading from ^2.0.0 to ^8.0.0 in test/dummy/package.json resolves the serialize-javascript vulnerability in that dependency chain.
  • Explicit Node version pinning: Removing the implicit runner default is good CI hygiene; it prevents silent breakage when the runner image updates.
  • Honest about scope: The PR note acknowledging serialize-javascript@6.0.1 still appearing via compression-webpack-plugin / terser-webpack-plugin is appreciated — that should be tracked as a follow-up issue.

Concerns / Suggestions

1. Node 20 is reaching EOL in ~17 days

Node 20 enters End-of-Life on April 30, 2026. Since the goal is to pin a stable, long-supported version, consider pinning to Node 22 (LTS until April 2027) instead. The css-minimizer-webpack-plugin@8 peer dependency is node >= 18.12.0, so Node 22 satisfies it equally well.

# Suggested change
node-version: 22

2. actions/setup-node is on v3 — v4 is current

This predates the PR, but since you're already touching these lines it's a good time to bump:

- uses: actions/setup-node@v4   # was @v3
  with:
    node-version: 22

v4 uses Node 20 internally (v3 uses Node 16) and is the currently maintained version.

3. Major version jump (v2 → v8) deserves an explicit compat note

css-minimizer-webpack-plugin went through several breaking changes between v2 and v8 (notably the minimizerOptions API and the default cssnano preset). The PR description mentions running the full test suite via bundle exec rake test, which is the right check — but it would help reviewers to see that CSS assets are actually minified in the build output (not just that tests pass). If there's a built asset to inspect or a webpack build log, linking it in the PR description would increase confidence.

4. serialize-javascript version in the dummy lockfile

The diff shows serialize-javascript@^5.0.1 being removed (from the old css-minimizer-webpack-plugin@2), which is great. But serialize-javascript@^6.0.1 remains via compression-webpack-plugin and terser-webpack-plugin as noted. Worth opening a follow-up issue to track that path.


Minor

The [codex] prefix in the title is an artifact of the AI-assisted workflow. Conventional commit style (e.g., fix: remove unused css-minimizer-webpack-plugin dep, upgrade dummy app to v8) would be more consistent with the project's history and easier to parse in changelogs.


Overall this is a solid, well-scoped dependency hygiene PR. The main actionable item before merging is the Node 20 EOL concern — pinning to 22 now avoids having to revisit this immediately after merge.


Development

Successfully merging this pull request may close these issues.

Upgrade css-minimizer-webpack-plugin to v8
