fix(nextjs): remove unnecessary csrfToken dependency from useCallback

[muneebs]

This PR addresses issue #53.

Problem

The React secureFetch wrapper included csrfToken in the useCallback dependency array. This caused the function reference to change every time a new token was received, which in turn made CsrfContextValue unstable and triggered unnecessary re-renders in any component consuming useCsrf().

Solution

1. Removed csrfToken from the dependency array — the callback only needs config to remain stable.
2. Removed the redundant newToken !== csrfToken check — React's setState already bails out for identical primitive string values, so manual equality checking was unnecessary.

Verification

• pnpm --filter @csrf-armor/nextjs test → 48 passed
• pnpm type-check → clean
• pnpm lint → clean

Changeset

Patch bump for @csrf-armor/nextjs.

Fixes #53

Summary by CodeRabbit

Bug Fixes

• Improved CSRF token handling to reduce unnecessary component re-renders and enhance application performance while maintaining security and token update functionality.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 59410d27-5fa8-4f5d-bb6a-6ded2fbd194a

📥 Commits

Reviewing files that changed from the base of the PR and between 17708d8 and efa037b.

📒 Files selected for processing (2)

• .changeset/fix-usecallback-csrftoken-dep.md
• packages/nextjs/src/client/react.tsx

---

Walkthrough

A bug fix was implemented to reduce unnecessary re-renders in the CSRF context by removing csrfToken from the useCallback dependency array and eliminating a redundant equality check in the secureFetch function.

Changes

Cohort / File(s)	Summary
Bug Fix Documentation .changeset/fix-usecallback-csrftoken-dep.md	Added Changesets entry documenting the patch-level fix for unnecessary csrfToken dependency and redundant state equality check.
React Context Update packages/nextjs/src/client/react.tsx	Removed csrfToken from useCallback dependency array (changed from [config, csrfToken] to [config]) and eliminated redundant equality check newToken !== csrfToken, now unconditionally updating state when a new token is received in the response.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

bug

Suggested reviewers

• raulcrisan

Poem

🐰 A hop and a skip, we've trimmed the fat,
No needless checks or deps like that!
State updates flow, so smooth and clean,
Re-renders reduced—a rabbit's dream! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: removing the csrfToken dependency from useCallback to fix unnecessary re-renders.
Linked Issues check	✅ Passed	The PR fully implements the proposed solution from issue #53: removes csrfToken from useCallback dependency, eliminates redundant token equality check, and maintains token update behavior.
Out of Scope Changes check	✅ Passed	All changes are directly related to the stated objective of issue #53; no out-of-scope modifications are present in the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/usecallback-csrftoken-dep

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}