🚨 [security] Update turbo 2.9.6 → 2.9.14 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ turbo (2.9.6 → 2.9.14) · Repo · Changelog

Security Advisories 🚨

🚨 Turbo: Unexpected local code execution during Yarn Berry detection

Impact

Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands.

Fix

Turbo now avoids executing project-local Yarn during package manager detection. Yarn versions and paths are inferred from metadata such as package.json, parsing the value of yarnPath in .yarnrc.yml rather than executing it, and yarn.lock, and unrecognized Yarn lockfile formats are rejected instead of falling back to executing yarn.

Workarounds

If you cannot upgrade immediately, do not run Turborepo commands in untrusted repositories. Review or remove .yarnrc.yml files that define yarnPath before running Turborepo, especially in CI or automated tooling that processes external projects.

🚨 Trubo: Login callback CSRF/session fixation

Impact

Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials.

This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected.

Fix

The login and SSO redirect flows now generate a random state value, include it in the browser authentication URL, and require the same value on the localhost callback before accepting a token. Callbacks with a missing or mismatched state are rejected.

Workarounds

If you cannot upgrade immediately, avoid browser-based self-hosted turbo login or SSO flows on machines that may load untrusted web content during authentication. Use a pre-provisioned token or environment-based authentication instead.

Release Notes

2.9.14

Note

This release contains important security fixes.

High:

• GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

• GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation
• GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

• release(turborepo): 2.9.12 by @github-actions[bot] in #12774
• fix: Restore docs mobile menu by @anthonyshew in #12782
• ci: Use pull_request for PR title linting by @anthonyshew in #12787
• ci: Scope GitHub Actions caches by branch by @anthonyshew in #12788
• test: Validate lockfiles without dependency downloads by @anthonyshew in #12789
• Removed unneeded import form hash creation script in docs by @dancrumb in #12799
• fix: Validate auth callback state by @anthonyshew in #12802
• fix: Harden VS Code extension command execution by @anthonyshew in #12800
• fix: Avoid project-local Yarn during detection by @anthonyshew in #12801
• chore: Release 2.9.13 by @anthonyshew in #12803

New Contributors

• @dancrumb made their first contribution in #12799

Full Changelog: v2.9.12...v2.9.14

2.9.12

What's Changed

Changelog

• release(turborepo): 2.9.11 by @github-actions[bot] in #12771
• fix: Allow transit nodes in LSP diagnostics by @anthonyshew in #12773

Full Changelog: v2.9.11...v2.9.12

2.9.11

What's Changed

Changelog

• release(turborepo): 2.9.10 by @github-actions[bot] in #12745
• ci: Publish VS Code extension on release by @anthonyshew in #12747
• fix: Start daemon for VSCode Extension from the extension itself by @anthonyshew in #12749
• release(turborepo): 2.9.11-canary.1 by @github-actions[bot] in #12748
• fix: Include file URIs in LSP lifecycle logs by @anthonyshew in #12751
• fix: Handle JSON decoration visitor depth by @anthonyshew in #12752
• fix: Resolve relative turbo path in VS Code extension by @anthonyshew in #12753
• fix: Preserve Bun nested dependencies during prune by @anthonyshew in #12754
• fix: Prefer installed Turbo for LSP by @anthonyshew in #12755
• release(turborepo): 2.9.11-canary.2 by @github-actions[bot] in #12750
• ci: Parallelize LSP release publishing by @anthonyshew in #12758
• fix: Reduce VS Code extension startup popups by @anthonyshew in #12759
• fix: Support turbo.jsonc in VS Code extension by @anthonyshew in #12760
• fix: Remove VS Code task key gradient by @anthonyshew in #12761
• release(turborepo): 2.9.11-canary.3 by @github-actions[bot] in #12756
• chore: Release v2.9.11-canary.4 by @anthonyshew in #12762
• ci: Stop VS Code publish from blocking release PR by @anthonyshew in #12763
• release(turborepo): 2.9.11-canary.5 by @github-actions[bot] in #12764
• fix: Publish VS Code extension from release tag by @anthonyshew in #12765
• fix: Support shimmed VS Code LSP probes by @anthonyshew in #12767
• release(turborepo): 2.9.11-canary.6 by @github-actions[bot] in #12766
• release(turborepo): 2.9.11-canary.7 by @github-actions[bot] in #12768
• fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @anthonyshew in #12770

Full Changelog: v2.9.10...v2.9.11

2.9.10

What's Changed

Changelog

• release(turborepo): 2.9.9-canary.4 by @github-actions[bot] in #12716
• release(turborepo): 2.9.9 by @github-actions[bot] in #12719
• fix: Respect SCM env vars in turbo query affected by @anthonyshew in #12722
• ci: Package VSCode extension in release workflow by @anthonyshew in #12723
• fix: Avoid some raw create-turbo example telemetry by @anthonyshew in #12725
• fix: Escape graph HTML payloads by @anthonyshew in #12726
• fix: Prevent OTEL token injection to spoofed origins by @anthonyshew in #12727
• fix: Retry HTTP status failures by @anthonyshew in #12728
• fix: Validate microfrontend proxy Host header by @anthonyshew in #12730
• fix: Redact task hash env debug logs by @anthonyshew in #12733
• fix: Filter microfrontend proxy environments by @anthonyshew in #12732
• fix: Preserve FSEvents mount points for device-relative paths by @anthonyshew in #12729
• fix: Validate proxy Host headers by @anthonyshew in #12731
• fix: Resolve TypeScript .js extension imports to .ts files in boundaries by @maschwenk in #12644
• fix: Use random temp path for repo downloads by @anthonyshew in #12736
• release(turborepo): 2.9.10-canary.1 by @github-actions[bot] in #12734
• fix: Reject OTel endpoints with userinfo by @anthonyshew in #12737
• fix: Authenticate local devtools WebSocket by @anthonyshew in #12738
• fix: Handle clipboard exec errors by @anthonyshew in #12739
• fix: Restrict Vercel token reuse to trusted API origins by @anthonyshew in #12740
• fix: Keep workspace config discovery inside root by @anthonyshew in #12741
• fix: Hardening for daemon IPC endpoints by @anthonyshew in #12742
• fix: Enforce cache filesystem boundaries by @anthonyshew in #12743

Full Changelog: v2.9.9...v2.9.10

2.9.9

What's Changed

Changelog

• release(turborepo): 2.9.8 by @github-actions[bot] in #12700
• fix: Remove Unix parent death watchdogs by @anthonyshew in #12699
• release(turborepo): 2.9.9-canary.1 by @github-actions[bot] in #12705
• fix: Scope repo index prefixes to Git root by @anthonyshew in #12706
• release(turborepo): 2.9.9-canary.2 by @github-actions[bot] in #12708
• ci: Harden non-release GitHub Actions by @anthonyshew in #12707
• docs: Add pnpm workspace flag (-w) to Oxc setup docs by @mattjoll in #12655
• fix: Harden OG image signatures by @anthonyshew in #12709
• fix: Scope release npm publishing credentials by @anthonyshew in #12710
• ci: Harden release workflows by @anthonyshew in #12711
• release(turborepo): 2.9.9-canary.3 by @github-actions[bot] in #12712
• fix: Harden docs security endpoints by @anthonyshew in #12713
• ci: Harden internal GitHub Actions by @anthonyshew in #12714
• ci: Harden release workflow handling by @anthonyshew in #12715
• fix: Preserve lockfiles during dry-run conversion by @anthonyshew in #12717
• ci: Fix LSP workflow container matrix by @anthonyshew in #12718

New Contributors

• @mattjoll made their first contribution in #12655

Full Changelog: v2.9.8...v2.9.9

2.9.8

What's Changed

@turbo/repository

• chore: Update to Rust 1.95.0 by @ognevny in #12636

Changelog

• release(turborepo): 2.9.7 by @github-actions[bot] in #12679
• test: Add regression for gitignored output restore by @anthonyshew in #12681
• docs: Clarify root task guidance by @anthonyshew in #12683
• fix: Preserve concrete dependency precedence by @anthonyshew in #12682
• release(turborepo): 2.9.8-canary.1 by @github-actions[bot] in #12685
• fix: Resolve Yarn catalog affected packages by @anthonyshew in #12684
• release(turborepo): 2.9.8-canary.2 by @github-actions[bot] in #12687
• fix: Preserve Bun prune lockfile validity by @anthonyshew in #12686
• release(turborepo): 2.9.8-canary.3 by @github-actions[bot] in #12689
• fix: Create prune docker bin stubs by @anthonyshew in #12688
• release(turborepo): 2.9.8-canary.4 by @github-actions[bot] in #12690
• fix: Keep tbx shell connections stable by @anthonyshew in #12692
• perf: Reduce turbo watch hash memory spikes by @anthonyshew in #12695
• release(turborepo): 2.9.8-canary.5 by @github-actions[bot] in #12696
• fix: Reduce parent-death watchdog CPU usage by @anthonyshew in #12697
• release(turborepo): 2.9.8-canary.6 by @github-actions[bot] in #12698

Full Changelog: v2.9.7...v2.9.8

2.9.7

What's Changed

eslint

• chore: Upgrade dependencies to resolve their known vulnerabilities by @anthonyshew in #12604

Examples

• feat(sandbox): Bump @vercel/sandbox from v1 to beta by @marc-vercel in #12595
• chore: Update examples to Turbo 2.9.6 by @cursor[bot] in #12600
• examples: Add Ultracite example by @haydenbleasel in #12615

Changelog

• fix: Align Markdown docs routing with docs/md endpoints by @molebox in #12596
• fix: Support two-dot git ranges in filter selectors by @anthonyshew in #12599
• feat: Graceful shutdown by @anthonyshew in #12607
• test: Add stdin EOF startup regression coverage by @anthonyshew in #12609
• fix: Ignore SIGINT in shim after spawning local turbo by @anthonyshew in #12612
• fix: Support pnpm v11 multi-document lockfiles by @anthonyshew in #12616
• fix: Preserve graceful shutdown exit code by @anthonyshew in #12620
• fix: Keep Node wrapper alive during graceful shutdown by @anthonyshew in #12622
• fix: Preserve PTY graceful shutdown semantics by @anthonyshew in #12624
• feat: Move Vercel auth to standard OAuth/device flows by @markandrus in #12526
• fix: Preserve legacy Vercel auth compatibility by @anthonyshew in #12629
• fix: Recover Vercel auth tokens across login flows by @anthonyshew in #12631
• docs: Fix TURBO_PLATFORM_ENV_DISABLED value in docs (true, not false) by @sleitor in #12633
• chore: Update flags SDK by @AndyBitz in #12646
• ci: Disable AWS-backed sccache by @anthonyshew in #12663
• fix: Prevent prune from overmatching gitignore entries by @anthonyshew in #12662
• ci: Harden release API commits by @anthonyshew in #12664
• ci: Fix release API commit paths by @anthonyshew in #12665
• release(turborepo): 2.9.7-canary.14 by @github-actions[bot] in #12666
• chore: Add tbx sandbox helper by @anthonyshew in #12668
• fix: Allow npm registry in tbx sandboxes by @anthonyshew in #12669
• fix: Install turbo globally in tbx base by @anthonyshew in #12670
• docs: Clarify package hash file inputs by @anthonyshew in #12671
• fix: Allow tbx sandboxes to use stale bases by @anthonyshew in #12672
• fix: Install dotfiles during tbx base refresh by @anthonyshew in #12673
• fix: Improve tbx sandbox startup by @anthonyshew in #12674
• fix: Improve tbx sandbox startup defaults by @anthonyshew in #12675
• fix: Support pnpm 11 flat patch lockfiles by @anthonyshew in #12676
• docs: Fix link to passthrough variables source code by @Wartijn in #12643
• release(turborepo): 2.9.7-canary.15 by @github-actions[bot] in #12677
• fix: Avoid rerunning non-cacheable watch dependencies by @anthonyshew in #12678

New Contributors

• @marc-vercel made their first contribution in #12595
• @cursor[bot] made their first contribution in #12600
• @markandrus made their first contribution in #12526
• @AndyBitz made their first contribution in #12646
• @Wartijn made their first contribution in #12643

Full Changelog: v2.9.6...v2.9.7

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[greptile-apps]

Confidence Score: 5/5

Safe to merge — this is a clean, mechanical version bump with no logic changes.

The only changes are version strings and integrity hashes in package.json and pnpm-lock.yaml. All six platform binaries are updated in lockstep, the lockfile is consistent, and the update brings in important security patches without touching any application code.

No files require special attention.

_{Reviews (1): Last reviewed commit: "Update turbo to version 2.9.14" | Re-trigger Greptile}

[coderabbitai]

Walkthrough

This pull request updates the turbo development dependency in package.json from version ^2.9.6 to ^2.9.14. This is a minor version bump within the 2.9.x release series that brings in recent updates and fixes to the turbo build tool used by the project's development environment.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title clearly identifies the dependency update from turbo 2.9.6 to 2.9.14 and emphasizes it as a security patch, directly matching the main change in the PR.
Description check	✅ Passed	The pull request description clearly relates to the changeset, describing a dependency update from turbo 2.9.6 to 2.9.14 with details about security vulnerabilities, release notes, and changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[depfu]

Sorry, but the merge failed with:

At least 1 approving review is required by reviewers with write access.