Update turbo 2.9.6 → 2.9.14 (patch)

[depfu]

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ turbo (2.9.6 → 2.9.14) · Repo · Changelog

Release Notes

2.9.14

Note

This release contains important security fixes.

High:

• GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

• GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation
• GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

• release(turborepo): 2.9.12 by @github-actions[bot] in #12774
• fix: Restore docs mobile menu by @anthonyshew in #12782
• ci: Use pull_request for PR title linting by @anthonyshew in #12787
• ci: Scope GitHub Actions caches by branch by @anthonyshew in #12788
• test: Validate lockfiles without dependency downloads by @anthonyshew in #12789
• Removed unneeded import form hash creation script in docs by @dancrumb in #12799
• fix: Validate auth callback state by @anthonyshew in #12802
• fix: Harden VS Code extension command execution by @anthonyshew in #12800
• fix: Avoid project-local Yarn during detection by @anthonyshew in #12801
• chore: Release 2.9.13 by @anthonyshew in #12803

New Contributors

• @dancrumb made their first contribution in #12799

Full Changelog: v2.9.12...v2.9.14

2.9.12

What's Changed

Changelog

• release(turborepo): 2.9.11 by @github-actions[bot] in #12771
• fix: Allow transit nodes in LSP diagnostics by @anthonyshew in #12773

Full Changelog: v2.9.11...v2.9.12

2.9.11

What's Changed

Changelog

• release(turborepo): 2.9.10 by @github-actions[bot] in #12745
• ci: Publish VS Code extension on release by @anthonyshew in #12747
• fix: Start daemon for VSCode Extension from the extension itself by @anthonyshew in #12749
• release(turborepo): 2.9.11-canary.1 by @github-actions[bot] in #12748
• fix: Include file URIs in LSP lifecycle logs by @anthonyshew in #12751
• fix: Handle JSON decoration visitor depth by @anthonyshew in #12752
• fix: Resolve relative turbo path in VS Code extension by @anthonyshew in #12753
• fix: Preserve Bun nested dependencies during prune by @anthonyshew in #12754
• fix: Prefer installed Turbo for LSP by @anthonyshew in #12755
• release(turborepo): 2.9.11-canary.2 by @github-actions[bot] in #12750
• ci: Parallelize LSP release publishing by @anthonyshew in #12758
• fix: Reduce VS Code extension startup popups by @anthonyshew in #12759
• fix: Support turbo.jsonc in VS Code extension by @anthonyshew in #12760
• fix: Remove VS Code task key gradient by @anthonyshew in #12761
• release(turborepo): 2.9.11-canary.3 by @github-actions[bot] in #12756
• chore: Release v2.9.11-canary.4 by @anthonyshew in #12762
• ci: Stop VS Code publish from blocking release PR by @anthonyshew in #12763
• release(turborepo): 2.9.11-canary.5 by @github-actions[bot] in #12764
• fix: Publish VS Code extension from release tag by @anthonyshew in #12765
• fix: Support shimmed VS Code LSP probes by @anthonyshew in #12767
• release(turborepo): 2.9.11-canary.6 by @github-actions[bot] in #12766
• release(turborepo): 2.9.11-canary.7 by @github-actions[bot] in #12768
• fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @anthonyshew in #12770

Full Changelog: v2.9.10...v2.9.11

2.9.10

What's Changed

Changelog

• release(turborepo): 2.9.9-canary.4 by @github-actions[bot] in #12716
• release(turborepo): 2.9.9 by @github-actions[bot] in #12719
• fix: Respect SCM env vars in turbo query affected by @anthonyshew in #12722
• ci: Package VSCode extension in release workflow by @anthonyshew in #12723
• fix: Avoid some raw create-turbo example telemetry by @anthonyshew in #12725
• fix: Escape graph HTML payloads by @anthonyshew in #12726
• fix: Prevent OTEL token injection to spoofed origins by @anthonyshew in #12727
• fix: Retry HTTP status failures by @anthonyshew in #12728
• fix: Validate microfrontend proxy Host header by @anthonyshew in #12730
• fix: Redact task hash env debug logs by @anthonyshew in #12733
• fix: Filter microfrontend proxy environments by @anthonyshew in #12732
• fix: Preserve FSEvents mount points for device-relative paths by @anthonyshew in #12729
• fix: Validate proxy Host headers by @anthonyshew in #12731
• fix: Resolve TypeScript .js extension imports to .ts files in boundaries by @maschwenk in #12644
• fix: Use random temp path for repo downloads by @anthonyshew in #12736
• release(turborepo): 2.9.10-canary.1 by @github-actions[bot] in #12734
• fix: Reject OTel endpoints with userinfo by @anthonyshew in #12737
• fix: Authenticate local devtools WebSocket by @anthonyshew in #12738
• fix: Handle clipboard exec errors by @anthonyshew in #12739
• fix: Restrict Vercel token reuse to trusted API origins by @anthonyshew in #12740
• fix: Keep workspace config discovery inside root by @anthonyshew in #12741
• fix: Hardening for daemon IPC endpoints by @anthonyshew in #12742
• fix: Enforce cache filesystem boundaries by @anthonyshew in #12743

Full Changelog: v2.9.9...v2.9.10

2.9.9

What's Changed

Changelog

• release(turborepo): 2.9.8 by @github-actions[bot] in #12700
• fix: Remove Unix parent death watchdogs by @anthonyshew in #12699
• release(turborepo): 2.9.9-canary.1 by @github-actions[bot] in #12705
• fix: Scope repo index prefixes to Git root by @anthonyshew in #12706
• release(turborepo): 2.9.9-canary.2 by @github-actions[bot] in #12708
• ci: Harden non-release GitHub Actions by @anthonyshew in #12707
• docs: Add pnpm workspace flag (-w) to Oxc setup docs by @mattjoll in #12655
• fix: Harden OG image signatures by @anthonyshew in #12709
• fix: Scope release npm publishing credentials by @anthonyshew in #12710
• ci: Harden release workflows by @anthonyshew in #12711
• release(turborepo): 2.9.9-canary.3 by @github-actions[bot] in #12712
• fix: Harden docs security endpoints by @anthonyshew in #12713
• ci: Harden internal GitHub Actions by @anthonyshew in #12714
• ci: Harden release workflow handling by @anthonyshew in #12715
• fix: Preserve lockfiles during dry-run conversion by @anthonyshew in #12717
• ci: Fix LSP workflow container matrix by @anthonyshew in #12718

New Contributors

• @mattjoll made their first contribution in #12655

Full Changelog: v2.9.8...v2.9.9

2.9.8

What's Changed

@turbo/repository

• chore: Update to Rust 1.95.0 by @ognevny in #12636

Changelog

• release(turborepo): 2.9.7 by @github-actions[bot] in #12679
• test: Add regression for gitignored output restore by @anthonyshew in #12681
• docs: Clarify root task guidance by @anthonyshew in #12683
• fix: Preserve concrete dependency precedence by @anthonyshew in #12682
• release(turborepo): 2.9.8-canary.1 by @github-actions[bot] in #12685
• fix: Resolve Yarn catalog affected packages by @anthonyshew in #12684
• release(turborepo): 2.9.8-canary.2 by @github-actions[bot] in #12687
• fix: Preserve Bun prune lockfile validity by @anthonyshew in #12686
• release(turborepo): 2.9.8-canary.3 by @github-actions[bot] in #12689
• fix: Create prune docker bin stubs by @anthonyshew in #12688
• release(turborepo): 2.9.8-canary.4 by @github-actions[bot] in #12690
• fix: Keep tbx shell connections stable by @anthonyshew in #12692
• perf: Reduce turbo watch hash memory spikes by @anthonyshew in #12695
• release(turborepo): 2.9.8-canary.5 by @github-actions[bot] in #12696
• fix: Reduce parent-death watchdog CPU usage by @anthonyshew in #12697
• release(turborepo): 2.9.8-canary.6 by @github-actions[bot] in #12698

Full Changelog: v2.9.7...v2.9.8

2.9.7

What's Changed

eslint

• chore: Upgrade dependencies to resolve their known vulnerabilities by @anthonyshew in #12604

Examples

• feat(sandbox): Bump @vercel/sandbox from v1 to beta by @marc-vercel in #12595
• chore: Update examples to Turbo 2.9.6 by @cursor[bot] in #12600
• examples: Add Ultracite example by @haydenbleasel in #12615

Changelog

• fix: Align Markdown docs routing with docs/md endpoints by @molebox in #12596
• fix: Support two-dot git ranges in filter selectors by @anthonyshew in #12599
• feat: Graceful shutdown by @anthonyshew in #12607
• test: Add stdin EOF startup regression coverage by @anthonyshew in #12609
• fix: Ignore SIGINT in shim after spawning local turbo by @anthonyshew in #12612
• fix: Support pnpm v11 multi-document lockfiles by @anthonyshew in #12616
• fix: Preserve graceful shutdown exit code by @anthonyshew in #12620
• fix: Keep Node wrapper alive during graceful shutdown by @anthonyshew in #12622
• fix: Preserve PTY graceful shutdown semantics by @anthonyshew in #12624
• feat: Move Vercel auth to standard OAuth/device flows by @markandrus in #12526
• fix: Preserve legacy Vercel auth compatibility by @anthonyshew in #12629
• fix: Recover Vercel auth tokens across login flows by @anthonyshew in #12631
• docs: Fix TURBO_PLATFORM_ENV_DISABLED value in docs (true, not false) by @sleitor in #12633
• chore: Update flags SDK by @AndyBitz in #12646
• ci: Disable AWS-backed sccache by @anthonyshew in #12663
• fix: Prevent prune from overmatching gitignore entries by @anthonyshew in #12662
• ci: Harden release API commits by @anthonyshew in #12664
• ci: Fix release API commit paths by @anthonyshew in #12665
• release(turborepo): 2.9.7-canary.14 by @github-actions[bot] in #12666
• chore: Add tbx sandbox helper by @anthonyshew in #12668
• fix: Allow npm registry in tbx sandboxes by @anthonyshew in #12669
• fix: Install turbo globally in tbx base by @anthonyshew in #12670
• docs: Clarify package hash file inputs by @anthonyshew in #12671
• fix: Allow tbx sandboxes to use stale bases by @anthonyshew in #12672
• fix: Install dotfiles during tbx base refresh by @anthonyshew in #12673
• fix: Improve tbx sandbox startup by @anthonyshew in #12674
• fix: Improve tbx sandbox startup defaults by @anthonyshew in #12675
• fix: Support pnpm 11 flat patch lockfiles by @anthonyshew in #12676
• docs: Fix link to passthrough variables source code by @Wartijn in #12643
• release(turborepo): 2.9.7-canary.15 by @github-actions[bot] in #12677
• fix: Avoid rerunning non-cacheable watch dependencies by @anthonyshew in #12678

New Contributors

• @marc-vercel made their first contribution in #12595
• @cursor[bot] made their first contribution in #12600
• @markandrus made their first contribution in #12526
• @AndyBitz made their first contribution in #12646
• @Wartijn made their first contribution in #12643

Full Changelog: v2.9.6...v2.9.7

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[greptile-apps]

Confidence Score: 5/5

Safe to merge — this is a clean, mechanical version bump with no logic changes.

The only changes are version strings and integrity hashes in package.json and pnpm-lock.yaml. All six platform binaries are updated in lockstep, the lockfile is consistent, and the update brings in important security patches without touching any application code.

No files require special attention.

_{Reviews (1): Last reviewed commit: "Update turbo to version 2.9.14" | Re-trigger Greptile}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 13536d84-a588-4b2d-a63f-6f05350dae33

📥 Commits

Reviewing files that changed from the base of the PR and between 36417cb and 67e7654.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

---

Walkthrough

This pull request updates the turbo development dependency in package.json from version ^2.9.6 to ^2.9.14. This is a minor version bump within the 2.9.x release series that brings in recent updates and fixes to the turbo build tool used by the project's development environment.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: updating turbo from version 2.9.6 to 2.9.14 with patch designation.
Description check	✅ Passed	The description is directly related to the changeset, providing comprehensive details about the turbo dependency update including release notes, security fixes, changelog items, and commit history.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[depfu]

Sorry, but the merge failed with:

At least 1 approving review is required by reviewers with write access.