Update dependency turbo to v2.9.14 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
turbo (source)	2.5.6 → 2.9.14

---

Turbo: Unexpected local code execution during Yarn Berry detection

CVE-2026-45772 / GHSA-3qcw-2rhx-2726

More information

Details

Impact

Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands.

Fix

Turbo now avoids executing project-local Yarn during package manager detection. Yarn versions and paths are inferred from metadata such as package.json, parsing the value of yarnPath in .yarnrc.yml rather than executing it, and yarn.lock, and unrecognized Yarn lockfile formats are rejected instead of falling back to executing yarn.

Workarounds

If you cannot upgrade immediately, do not run Turborepo commands in untrusted repositories. Review or remove .yarnrc.yml files that define yarnPath before running Turborepo, especially in CI or automated tooling that processes external projects.

Severity

• CVSS Score: 0.0 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726
• https://nvd.nist.gov/vuln/detail/CVE-2026-45772
• https://github.com/advisories/GHSA-3qcw-2rhx-2726

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Trubo: Login callback CSRF/session fixation

CVE-2026-45773 / GHSA-hcf7-66rw-9f5r

More information

Details

Impact

Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials.

This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected.

Fix

The login and SSO redirect flows now generate a random state value, include it in the browser authentication URL, and require the same value on the localhost callback before accepting a token. Callbacks with a missing or mismatched state are rejected.

Workarounds

If you cannot upgrade immediately, avoid browser-based self-hosted turbo login or SSO flows on machines that may load untrusted web content during authentication. Use a pre-provisioned token or environment-based authentication instead.

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N

References

• https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r
• https://nvd.nist.gov/vuln/detail/CVE-2026-45773
• https://github.com/advisories/GHSA-hcf7-66rw-9f5r

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vercel/turborepo (turbo)

v2.9.14: Turborepo v2.9.14

Compare Source

[!NOTE]
This release contains important security fixes.

High:

• GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

• GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation
• GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

• release(turborepo): 2.9.12 by @​github-actions[bot] in #​12774
• fix: Restore docs mobile menu by @​anthonyshew in #​12782
• ci: Use pull_request for PR title linting by @​anthonyshew in #​12787
• ci: Scope GitHub Actions caches by branch by @​anthonyshew in #​12788
• test: Validate lockfiles without dependency downloads by @​anthonyshew in #​12789
• Removed unneeded import form hash creation script in docs by @​dancrumb in #​12799
• fix: Validate auth callback state by @​anthonyshew in #​12802
• fix: Harden VS Code extension command execution by @​anthonyshew in #​12800
• fix: Avoid project-local Yarn during detection by @​anthonyshew in #​12801
• chore: Release 2.9.13 by @​anthonyshew in #​12803

New Contributors

• @​dancrumb made their first contribution in #​12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

v2.9.12: Turborepo v2.9.12

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.11 by @​github-actions[bot] in #​12771
• fix: Allow transit nodes in LSP diagnostics by @​anthonyshew in #​12773

Full Changelog: vercel/turborepo@v2.9.11...v2.9.12

v2.9.11: Turborepo v2.9.11

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.10 by @​github-actions[bot] in #​12745
• ci: Publish VS Code extension on release by @​anthonyshew in #​12747
• fix: Start daemon for VSCode Extension from the extension itself by @​anthonyshew in #​12749
• release(turborepo): 2.9.11-canary.1 by @​github-actions[bot] in #​12748
• fix: Include file URIs in LSP lifecycle logs by @​anthonyshew in #​12751
• fix: Handle JSON decoration visitor depth by @​anthonyshew in #​12752
• fix: Resolve relative turbo path in VS Code extension by @​anthonyshew in #​12753
• fix: Preserve Bun nested dependencies during prune by @​anthonyshew in #​12754
• fix: Prefer installed Turbo for LSP by @​anthonyshew in #​12755
• release(turborepo): 2.9.11-canary.2 by @​github-actions[bot] in #​12750
• ci: Parallelize LSP release publishing by @​anthonyshew in #​12758
• fix: Reduce VS Code extension startup popups by @​anthonyshew in #​12759
• fix: Support turbo.jsonc in VS Code extension by @​anthonyshew in #​12760
• fix: Remove VS Code task key gradient by @​anthonyshew in #​12761
• release(turborepo): 2.9.11-canary.3 by @​github-actions[bot] in #​12756
• chore: Release v2.9.11-canary.4 by @​anthonyshew in #​12762
• ci: Stop VS Code publish from blocking release PR by @​anthonyshew in #​12763
• release(turborepo): 2.9.11-canary.5 by @​github-actions[bot] in #​12764
• fix: Publish VS Code extension from release tag by @​anthonyshew in #​12765
• fix: Support shimmed VS Code LSP probes by @​anthonyshew in #​12767
• release(turborepo): 2.9.11-canary.6 by @​github-actions[bot] in #​12766
• release(turborepo): 2.9.11-canary.7 by @​github-actions[bot] in #​12768
• fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @​anthonyshew in #​12770

Full Changelog: vercel/turborepo@v2.9.10...v2.9.11

v2.9.10: Turborepo v2.9.10

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.9-canary.4 by @​github-actions[bot] in #​12716
• release(turborepo): 2.9.9 by @​github-actions[bot] in #​12719
• fix: Respect SCM env vars in turbo query affected by @​anthonyshew in #​12722
• ci: Package VSCode extension in release workflow by @​anthonyshew in #​12723
• fix: Avoid some raw create-turbo example telemetry by @​anthonyshew in #​12725
• fix: Escape graph HTML payloads by @​anthonyshew in #​12726
• fix: Prevent OTEL token injection to spoofed origins by @​anthonyshew in #​12727
• fix: Retry HTTP status failures by @​anthonyshew in #​12728
• fix: Validate microfrontend proxy Host header by @​anthonyshew in #​12730
• fix: Redact task hash env debug logs by @​anthonyshew in #​12733
• fix: Filter microfrontend proxy environments by @​anthonyshew in #​12732
• fix: Preserve FSEvents mount points for device-relative paths by @​anthonyshew in #​12729
• fix: Validate proxy Host headers by @​anthonyshew in #​12731
• fix: Resolve TypeScript .js extension imports to .ts files in boundaries by @​maschwenk in #​12644
• fix: Use random temp path for repo downloads by @​anthonyshew in #​12736
• release(turborepo): 2.9.10-canary.1 by @​github-actions[bot] in #​12734
• fix: Reject OTel endpoints with userinfo by @​anthonyshew in #​12737
• fix: Authenticate local devtools WebSocket by @​anthonyshew in #​12738
• fix: Handle clipboard exec errors by @​anthonyshew in #​12739
• fix: Restrict Vercel token reuse to trusted API origins by @​anthonyshew in #​12740
• fix: Keep workspace config discovery inside root by @​anthonyshew in #​12741
• fix: Hardening for daemon IPC endpoints by @​anthonyshew in #​12742
• fix: Enforce cache filesystem boundaries by @​anthonyshew in #​12743

Full Changelog: vercel/turborepo@v2.9.9...v2.9.10

v2.9.9: Turborepo v2.9.9

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.8 by @​github-actions[bot] in #​12700
• fix: Remove Unix parent death watchdogs by @​anthonyshew in #​12699
• release(turborepo): 2.9.9-canary.1 by @​github-actions[bot] in #​12705
• fix: Scope repo index prefixes to Git root by @​anthonyshew in #​12706
• release(turborepo): 2.9.9-canary.2 by @​github-actions[bot] in #​12708
• ci: Harden non-release GitHub Actions by @​anthonyshew in #​12707
• docs: Add pnpm workspace flag (-w) to Oxc setup docs by @​mattjoll in #​12655
• fix: Harden OG image signatures by @​anthonyshew in #​12709
• fix: Scope release npm publishing credentials by @​anthonyshew in #​12710
• ci: Harden release workflows by @​anthonyshew in #​12711
• release(turborepo): 2.9.9-canary.3 by @​github-actions[bot] in #​12712
• fix: Harden docs security endpoints by @​anthonyshew in #​12713
• ci: Harden internal GitHub Actions by @​anthonyshew in #​12714
• ci: Harden release workflow handling by @​anthonyshew in #​12715
• fix: Preserve lockfiles during dry-run conversion by @​anthonyshew in #​12717
• ci: Fix LSP workflow container matrix by @​anthonyshew in #​12718

New Contributors

• @​mattjoll made their first contribution in #​12655

Full Changelog: vercel/turborepo@v2.9.8...v2.9.9

v2.9.8: Turborepo v2.9.8

Compare Source

What's Changed

@​turbo/repository

• chore: Update to Rust 1.95.0 by @​ognevny in #​12636

Changelog

• release(turborepo): 2.9.7 by @​github-actions[bot] in #​12679
• test: Add regression for gitignored output restore by @​anthonyshew in #​12681
• docs: Clarify root task guidance by @​anthonyshew in #​12683
• fix: Preserve concrete dependency precedence by @​anthonyshew in #​12682
• release(turborepo): 2.9.8-canary.1 by @​github-actions[bot] in #​12685
• fix: Resolve Yarn catalog affected packages by @​anthonyshew in #​12684
• release(turborepo): 2.9.8-canary.2 by @​github-actions[bot] in #​12687
• fix: Preserve Bun prune lockfile validity by @​anthonyshew in #​12686
• release(turborepo): 2.9.8-canary.3 by @​github-actions[bot] in #​12689
• fix: Create prune docker bin stubs by @​anthonyshew in #​12688
• release(turborepo): 2.9.8-canary.4 by @​github-actions[bot] in #​12690
• fix: Keep tbx shell connections stable by @​anthonyshew in #​12692
• perf: Reduce turbo watch hash memory spikes by @​anthonyshew in #​12695
• release(turborepo): 2.9.8-canary.5 by @​github-actions[bot] in #​12696
• fix: Reduce parent-death watchdog CPU usage by @​anthonyshew in #​12697
• release(turborepo): 2.9.8-canary.6 by @​github-actions[bot] in #​12698

Full Changelog: vercel/turborepo@v2.9.7...v2.9.8

v2.9.7: Turborepo v2.9.7

Compare Source

What's Changed

eslint

• chore: Upgrade dependencies to resolve their known vulnerabilities by @​anthonyshew in #​12604

Examples

• feat(sandbox): Bump @​vercel/sandbox from v1 to beta by @​marc-vercel in #​12595
• chore: Update examples to Turbo 2.9.6 by @​cursor[bot] in #​12600
• examples: Add Ultracite example by @​haydenbleasel in #​12615

Changelog

• fix: Align Markdown docs routing with docs/md endpoints by @​molebox in #​12596
• fix: Support two-dot git ranges in filter selectors by @​anthonyshew in #​12599
• feat: Graceful shutdown by @​anthonyshew in #​12607
• test: Add stdin EOF startup regression coverage by @​anthonyshew in #​12609
• fix: Ignore SIGINT in shim after spawning local turbo by @​anthonyshew in #​12612
• fix: Support pnpm v11 multi-document lockfiles by @​anthonyshew in #​12616
• fix: Preserve graceful shutdown exit code by @​anthonyshew in #​12620
• fix: Keep Node wrapper alive during graceful shutdown by @​anthonyshew in #​12622
• fix: Preserve PTY graceful shutdown semantics by @​anthonyshew in #​12624
• feat: Move Vercel auth to standard OAuth/device flows by @​markandrus in #​12526
• fix: Preserve legacy Vercel auth compatibility by @​anthonyshew in #​12629
• fix: Recover Vercel auth tokens across login flows by @​anthonyshew in #​12631
• docs: Fix TURBO_PLATFORM_ENV_DISABLED value in docs (true, not false) by @​sleitor in #​12633
• chore: Update flags SDK by @​AndyBitz in #​12646
• ci: Disable AWS-backed sccache by @​anthonyshew in #​12663
• fix: Prevent prune from overmatching gitignore entries by @​anthonyshew in #​12662
• ci: Harden release API commits by @​anthonyshew in #​12664
• ci: Fix release API commit paths by @​anthonyshew in #​12665
• release(turborepo): 2.9.7-canary.14 by @​github-actions[bot] in #​12666
• chore: Add tbx sandbox helper by @​anthonyshew in #​12668
• fix: Allow npm registry in tbx sandboxes by @​anthonyshew in #​12669
• fix: Install turbo globally in tbx base by @​anthonyshew in #​12670
• docs: Clarify package hash file inputs by @​anthonyshew in #​12671
• fix: Allow tbx sandboxes to use stale bases by @​anthonyshew in #​12672
• fix: Install dotfiles during tbx base refresh by @​anthonyshew in #​12673
• fix: Improve tbx sandbox startup by @​anthonyshew in #​12674
• fix: Improve tbx sandbox startup defaults by @​anthonyshew in #​12675
• fix: Support pnpm 11 flat patch lockfiles by @​anthonyshew in #​12676
• docs: Fix link to passthrough variables source code by @​Wartijn in #​12643
• release(turborepo): 2.9.7-canary.15 by @​github-actions[bot] in #​12677
• fix: Avoid rerunning non-cacheable watch dependencies by @​anthonyshew in #​12678

New Contributors

• @​marc-vercel made their first contribution in #​12595
• @​cursor[bot] made their first contribution in #​12600
• @​markandrus made their first contribution in #​12526
• @​AndyBitz made their first contribution in #​12646
• @​Wartijn made their first contribution in #​12643

Full Changelog: vercel/turborepo@v2.9.6...v2.9.7

v2.9.6: Turborepo v2.9.6

Compare Source

What's Changed

create-turbo

• chore: Update dependencies found in audits by @​anthonyshew in #​12586

Examples

• fix: Add missing @types/node to with-svelte example apps by @​anthonyshew in #​12585

Changelog

• docs: Add Bun equivalent for updating dependencies by @​anthonyshew in #​12580
• fix: Mention turbo.json in concurrency error message by @​anthonyshew in #​12582
• fix: Surface actionable message when remote cache is requested but not linked by @​anthonyshew in #​12584
• chore: Delete agents app by @​anthonyshew in #​12587
• fix: Load custom CA certificates in fast webpki-only HTTP client by @​anthonyshew in #​12591
• docs: Remove pre-release badges by @​anthonyshew in #​12592

Full Changelog: vercel/turborepo@v2.9.5...v2.9.6

v2.9.5: Turborepo v2.9.5

Compare Source

What's Changed

create-turbo

• feat: Replace package manager commands in scaffolded README files by @​DependerKumarSoni in #​6747

@​turbo/telemetry

• fix: Suppress telemetry alert when running on Vercel by @​anthonyshew in #​12576

Changelog

• feat: Add circular package dependency detection to boundaries by @​anthonyshew in #​12567
• perf: Increase remote cache upload chunk size from 8KB to 256KB by @​anthonyshew in #​12568
• perf: Parallelize boundaries checking with Rayon and cache DFS traversals by @​anthonyshew in #​12569

New Contributors

• @​DependerKumarSoni made their first contribution in #​6747

Full Changelog: vercel/turborepo@v2.9.4...v2.9.5

v2.9.4: Turborepo v2.9.4

Compare Source

What's Changed

@​turbo/codemod

• fix: Always update $schema URL to versioned format during migration by @​anthonyshew in #​12529
• fix: Support turbo.jsonc in codemod transforms by @​anthonyshew in #​12532
• fix: Preserve prerelease info in schema URL during codemod migration by @​anthonyshew in #​12542

Examples

• build(deps): Bump @​xmldom/xmldom from 0.8.11 to 0.8.12 in /examples/with-react-native-web by @​dependabot[bot] in #​12537

Changelog

• feat: Add incremental task caching by @​anthonyshew in #​12531
• docs: Send siteId as label on feedback GitHub issues by @​molebox in #​12527
• Replace local ai-agent-detection with @​vercel/agent-readability by @​molebox in #​12528
• fix: Prevent filterUsingTasks --filter from pulling dependents into Task Graph by @​anthonyshew in #​12535
• fix: Only enforce signature key length for keys that exist by @​anthonyshew in #​12538
• fix: Validate engine concurrency after task-level filtering by @​anthonyshew in #​12540
• feat: Allow --affected and --filter to be combined by @​anthonyshew in #​12543
• fix(config): Deep-merge nested OTEL config across priority sources by @​bitttttten in #​12513
• fix: Retain microfrontend proxy tasks when using filterUsingTasks by @​anthonyshew in #​12545
• fix: Bun workspace lockfile pruning producing invalid output by @​JRoy in #​12548
• fix: Respect dirty .gitignore patterns during task input hashing by @​anthonyshew in #​12557

New Contributors

• @​JRoy made their first contribution in #​12548

Full Changelog: vercel/turborepo@v2.9.3...v2.9.4

v2.9.3: Turborepo v2.9.3

Compare Source

What's Changed

Changelog

• fix: Preserve per-workspace lockfiles during pnpm pruning by @​anthonyshew in #​12519

Full Changelog: vercel/turborepo@v2.9.2...v2.9.3

v2.9.2: Turborepo v2.9.2

Compare Source

What's Changed

Examples

• feat(examples): Add Next.js + Elysia full-stack starter template by @​eastgold15 in #​12414

Changelog

• docs: Add documentation for cacheMaxAge and cacheMaxSize options by @​anthonyshew in #​12500
• fix: Resolve correct nested bun lockfile versions during prune by @​anthonyshew in #​12506
• Revert "fix: Avoid setsid() in PTY spawn to prevent macOS Gatekeeper CPU spikes" by @​anthonyshew in #​12507
• fix: Unblock watch loop so interruptible persistent tasks restart on file changes by @​anthonyshew in #​12509
• fix(api-client): Treat * as wildcard in preflight Access-Control-Allow-Headers by @​bitttttten in #​12503
• docs: Document turbo.* generator variables by @​anthonyshew in #​12511
• fix: Backfill missing pnpm workspace importer entries during prune by @​anthonyshew in #​12514
• fix: Include transitive dependencies in engine graph pruning for affected paths using Task Graph by @​anthonyshew in #​12516
• fix: Update AI-generated response disclaimer to include human attribution by @​Copilot in #​12517
• fix: Preserve shallow install strategy during npm lockfile pruning by @​anthonyshew in #​12520

New Contributors

• @​eastgold15 made their first contribution in #​12414

Full Changelog: vercel/turborepo@v2.9.1...v2.9.2

v2.9.1: Turborepo v2.9.1

Compare Source

What's Changed

@​turbo/codemod

• feat: Handle package manager catalogs in migration codemod by @​anthonyshew in #​12496

@​turbo/repository

• feat: Add cacheMaxAge and cacheMaxSize for local cache eviction by @​anthonyshew in #​12487

Changelog

• docs: Release post for 2.9 by @​anthonyshew in #​12441

Full Changelog: vercel/turborepo@v2.9.0...v2.9.1

v2.9.0: Turborepo v2.9.0

Compare Source

What's Changed

Docs

• docs: Release post for 2.8 by @​anthonyshew in #​11559
• docs: Update oxc.mdx to include cache false by @​bestickley in #​11571
• docs: Fix curl markdown Accept header syntax in 2.8 release blog by @​marko-hologram in #​11580
• docs: Fix worktree command in blog post by @​anthonyshew in #​11583
• docs: Rename command → subcommand by @​anthonyshew in #​11584
• feat: Add requestType tracking for header-negotiated markdown by @​molebox in #​11585
• fix: Upgrade next to fix HTTP deserialization DoS by @​anthonyshew in #​11597
• fix: Upgrade mermaid to fix lodash-es vulnerability by @​anthonyshew in #​11611
• fix: Upgrade recharts to fix lodash vulnerability by @​anthonyshew in #​11606
• chore: Move applications to apps/ directory by @​anthonyshew in #​11613
• fix: Upgrade rehype packages to fix mdast-util-to-hast vulnerability by @​anthonyshew in #​11616
• chore: Migrate to Ultracite by @​haydenbleasel in #​11948
• fix: Strip JSX components from heading anchors and TOC entries by @​anthonyshew in #​12404

create-turbo

• fix: Upgrade tsup to fix rollup and glob vulnerabilities by @​anthonyshew in #​11601
• fix: Upgrade inquirer to 8.2.7 to fix tmp vulnerability by @​anthonyshew in #​11622
• fix: Upgrade ts-jest to 29.4.6 to fix brace-expansion ReDoS vulnerabilities by @​anthonyshew in #​11623
• feat: Migrate from tsup to tsdown by @​anthonyshew in #​11649
• fix: Upgrade semver to fix ReDoS vulnerability by @​anthonyshew in #​11683
• fix: Upgrade inquirer to remove lodash dependency by @​anthonyshew in #​11709
• fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS vulnerability by @​anthonyshew in #​11702
• fix: Upgrade jest to v30 to resolve brace-expansion ReDoS vulnerability by @​anthonyshew in #​11706
• fix: Recover version numbering to 2.8.9-canary.0 by @​anthonyshew in #​11853
• fix: Sanitize git command inputs in create-turbo by @​anthonyshew in #​11876
• chore: Remove pnpm-eslint .vscode transform from create-turbo by @​anthonyshew in #​12186
• fix: Improve create-turbo connectivity check and offline error messages by @​anthonyshew in #​12257
• feat: Add affectedUsingTaskInputs future flag for task-level --affected detection by @​anthonyshew in #​12247
• fix: Replace dns.lookup with https.get for create-turbo online check by @​anthonyshew in #​12277
• fix: Remove redundant online check from create-turbo by @​anthonyshew in #​12281
• fix: Sort uninstalled package managers to bottom of create-turbo selection by @​anthonyshew in #​12353

turbo-ignore

• fix: Resolve pnpm audit vulnerabilities via dependency bumps by @​anthonyshew in #​12220
• feat: Deprecate turbo-ignore in favor of turbo query affected by @​anthonyshew in #​12382
• fix: Tailored turbo-ignore deprecation notice for Vercel users by @​anthonyshew in #​12385

@​turbo/codemod

• fix: Upgrade axios to fix SSRF vulnerability by @​anthonyshew in #​11599
• fix: Replace axios with native fetch in turbo-codemod by @​anthonyshew in #​11600
• fix: Upgrade diff to fix DoS vulnerabilities by @​anthonyshew in #​11621
• fix: Upgrade tsdown to fix valibot and diff vulnerabilities by @​anthonyshew in #​11766
• fix: Upgrade semver to fix ReDoS vulnerability by @​anthonyshew in #​11765
• fix: Enhance path validation in assertSafeGitArgument by @​odaysec in #​11788
• fix: Guard against missing pipeline key in clean-globs codemod by @​anthonyshew in #​12235
• fix: Stop add-package-names codemod from silently renaming existing packages by @​anthonyshew in #​12332
• fix: Handle Yarn 2+ in @​turbo/codemod install commands by @​anthonyshew in #​12477

eslint

• fix: Upgrade eslint devDependency to fix stack overflow vulnerability by @​anthonyshew in #​11610
• fix: Upgrade esbuild to fix arbitrary request vulnerability by @​anthonyshew in #​11615
• fix: Upgrade Next.js to 16.1.5 to fix DoS vulnerabilities by @​anthonyshew in #​11681
• fix: Upgrade eslint to v10 to resolve @​eslint/plugin-kit ReDoS vulnerability by @​anthonyshew in #​11705
• fix(eslint-plugin-turbo): Guard against missing tasks/pipeline in forEachTaskDef by @​sleitor in #​12411

@​turbo/repository

• fix: Rename cli workspace package to avoid false audit match by @​anthonyshew in #​11767
• perf: Defer TLS initialization to a background thread by @​anthonyshew in #​11967
• fix: Add repository field to @​turbo/repository package.json by @​anthonyshew in #​11982
• release(library): 0.0.1-canary.19 by @​github-actions[bot] in #​11983
• feat: Add experimentalObservability with an OTel backend by @​bkonkle in #​11130
• release(library): 0.0.1-canary.20 by @​github-actions[bot] in #​12116
• chore: Update to Rust 1.94.0 by @​ognevny in #​12192
• feat: Add packagesFromLockfile() NAPI binding to @turbo/repository by [@​anthonyshew](https://redirect.g

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!