chore(deps): update dependency turbo to v2.9.14 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
turbo (source)	2.9.6 → 2.9.14

---

Trubo: Login callback CSRF/session fixation

CVE-2026-45773 / GHSA-hcf7-66rw-9f5r

More information

Details

Impact

Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials.

This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected.

Fix

The login and SSO redirect flows now generate a random state value, include it in the browser authentication URL, and require the same value on the localhost callback before accepting a token. Callbacks with a missing or mismatched state are rejected.

Workarounds

If you cannot upgrade immediately, avoid browser-based self-hosted turbo login or SSO flows on machines that may load untrusted web content during authentication. Use a pre-provisioned token or environment-based authentication instead.

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N

References

• https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r
• https://nvd.nist.gov/vuln/detail/CVE-2026-45773
• https://github.com/advisories/GHSA-hcf7-66rw-9f5r

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vercel/turborepo (turbo)

v2.9.14: Turborepo v2.9.14

Compare Source

[!NOTE]
This release contains important security fixes.

High:

• GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

• GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation
• GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

• release(turborepo): 2.9.12 by @​github-actions[bot] in #​12774
• fix: Restore docs mobile menu by @​anthonyshew in #​12782
• ci: Use pull_request for PR title linting by @​anthonyshew in #​12787
• ci: Scope GitHub Actions caches by branch by @​anthonyshew in #​12788
• test: Validate lockfiles without dependency downloads by @​anthonyshew in #​12789
• Removed unneeded import form hash creation script in docs by @​dancrumb in #​12799
• fix: Validate auth callback state by @​anthonyshew in #​12802
• fix: Harden VS Code extension command execution by @​anthonyshew in #​12800
• fix: Avoid project-local Yarn during detection by @​anthonyshew in #​12801
• chore: Release 2.9.13 by @​anthonyshew in #​12803

New Contributors

• @​dancrumb made their first contribution in #​12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

v2.9.12: Turborepo v2.9.12

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.11 by @​github-actions[bot] in #​12771
• fix: Allow transit nodes in LSP diagnostics by @​anthonyshew in #​12773

Full Changelog: vercel/turborepo@v2.9.11...v2.9.12

v2.9.11: Turborepo v2.9.11

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.10 by @​github-actions[bot] in #​12745
• ci: Publish VS Code extension on release by @​anthonyshew in #​12747
• fix: Start daemon for VSCode Extension from the extension itself by @​anthonyshew in #​12749
• release(turborepo): 2.9.11-canary.1 by @​github-actions[bot] in #​12748
• fix: Include file URIs in LSP lifecycle logs by @​anthonyshew in #​12751
• fix: Handle JSON decoration visitor depth by @​anthonyshew in #​12752
• fix: Resolve relative turbo path in VS Code extension by @​anthonyshew in #​12753
• fix: Preserve Bun nested dependencies during prune by @​anthonyshew in #​12754
• fix: Prefer installed Turbo for LSP by @​anthonyshew in #​12755
• release(turborepo): 2.9.11-canary.2 by @​github-actions[bot] in #​12750
• ci: Parallelize LSP release publishing by @​anthonyshew in #​12758
• fix: Reduce VS Code extension startup popups by @​anthonyshew in #​12759
• fix: Support turbo.jsonc in VS Code extension by @​anthonyshew in #​12760
• fix: Remove VS Code task key gradient by @​anthonyshew in #​12761
• release(turborepo): 2.9.11-canary.3 by @​github-actions[bot] in #​12756
• chore: Release v2.9.11-canary.4 by @​anthonyshew in #​12762
• ci: Stop VS Code publish from blocking release PR by @​anthonyshew in #​12763
• release(turborepo): 2.9.11-canary.5 by @​github-actions[bot] in #​12764
• fix: Publish VS Code extension from release tag by @​anthonyshew in #​12765
• fix: Support shimmed VS Code LSP probes by @​anthonyshew in #​12767
• release(turborepo): 2.9.11-canary.6 by @​github-actions[bot] in #​12766
• release(turborepo): 2.9.11-canary.7 by @​github-actions[bot] in #​12768
• fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @​anthonyshew in #​12770

Full Changelog: vercel/turborepo@v2.9.10...v2.9.11

v2.9.10: Turborepo v2.9.10

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.9-canary.4 by @​github-actions[bot] in #​12716
• release(turborepo): 2.9.9 by @​github-actions[bot] in #​12719
• fix: Respect SCM env vars in turbo query affected by @​anthonyshew in #​12722
• ci: Package VSCode extension in release workflow by @​anthonyshew in #​12723
• fix: Avoid some raw create-turbo example telemetry by @​anthonyshew in #​12725
• fix: Escape graph HTML payloads by @​anthonyshew in #​12726
• fix: Prevent OTEL token injection to spoofed origins by @​anthonyshew in #​12727
• fix: Retry HTTP status failures by @​anthonyshew in #​12728
• fix: Validate microfrontend proxy Host header by @​anthonyshew in #​12730
• fix: Redact task hash env debug logs by @​anthonyshew in #​12733
• fix: Filter microfrontend proxy environments by @​anthonyshew in #​12732
• fix: Preserve FSEvents mount points for device-relative paths by @​anthonyshew in #​12729
• fix: Validate proxy Host headers by @​anthonyshew in #​12731
• fix: Resolve TypeScript .js extension imports to .ts files in boundaries by @​maschwenk in #​12644
• fix: Use random temp path for repo downloads by @​anthonyshew in #​12736
• release(turborepo): 2.9.10-canary.1 by @​github-actions[bot] in #​12734
• fix: Reject OTel endpoints with userinfo by @​anthonyshew in #​12737
• fix: Authenticate local devtools WebSocket by @​anthonyshew in #​12738
• fix: Handle clipboard exec errors by @​anthonyshew in #​12739
• fix: Restrict Vercel token reuse to trusted API origins by @​anthonyshew in #​12740
• fix: Keep workspace config discovery inside root by @​anthonyshew in #​12741
• fix: Hardening for daemon IPC endpoints by @​anthonyshew in #​12742
• fix: Enforce cache filesystem boundaries by @​anthonyshew in #​12743

Full Changelog: vercel/turborepo@v2.9.9...v2.9.10

v2.9.9: Turborepo v2.9.9

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.8 by @​github-actions[bot] in #​12700
• fix: Remove Unix parent death watchdogs by @​anthonyshew in #​12699
• release(turborepo): 2.9.9-canary.1 by @​github-actions[bot] in #​12705
• fix: Scope repo index prefixes to Git root by @​anthonyshew in #​12706
• release(turborepo): 2.9.9-canary.2 by @​github-actions[bot] in #​12708
• ci: Harden non-release GitHub Actions by @​anthonyshew in #​12707
• docs: Add pnpm workspace flag (-w) to Oxc setup docs by @​mattjoll in #​12655
• fix: Harden OG image signatures by @​anthonyshew in #​12709
• fix: Scope release npm publishing credentials by @​anthonyshew in #​12710
• ci: Harden release workflows by @​anthonyshew in #​12711
• release(turborepo): 2.9.9-canary.3 by @​github-actions[bot] in #​12712
• fix: Harden docs security endpoints by @​anthonyshew in #​12713
• ci: Harden internal GitHub Actions by @​anthonyshew in #​12714
• ci: Harden release workflow handling by @​anthonyshew in #​12715
• fix: Preserve lockfiles during dry-run conversion by @​anthonyshew in #​12717
• ci: Fix LSP workflow container matrix by @​anthonyshew in #​12718

New Contributors

• @​mattjoll made their first contribution in #​12655

Full Changelog: vercel/turborepo@v2.9.8...v2.9.9

v2.9.8: Turborepo v2.9.8

Compare Source

What's Changed

@​turbo/repository

• chore: Update to Rust 1.95.0 by @​ognevny in #​12636

Changelog

• release(turborepo): 2.9.7 by @​github-actions[bot] in #​12679
• test: Add regression for gitignored output restore by @​anthonyshew in #​12681
• docs: Clarify root task guidance by @​anthonyshew in #​12683
• fix: Preserve concrete dependency precedence by @​anthonyshew in #​12682
• release(turborepo): 2.9.8-canary.1 by @​github-actions[bot] in #​12685
• fix: Resolve Yarn catalog affected packages by @​anthonyshew in #​12684
• release(turborepo): 2.9.8-canary.2 by @​github-actions[bot] in #​12687
• fix: Preserve Bun prune lockfile validity by @​anthonyshew in #​12686
• release(turborepo): 2.9.8-canary.3 by @​github-actions[bot] in #​12689
• fix: Create prune docker bin stubs by @​anthonyshew in #​12688
• release(turborepo): 2.9.8-canary.4 by @​github-actions[bot] in #​12690
• fix: Keep tbx shell connections stable by @​anthonyshew in #​12692
• perf: Reduce turbo watch hash memory spikes by @​anthonyshew in #​12695
• release(turborepo): 2.9.8-canary.5 by @​github-actions[bot] in #​12696
• fix: Reduce parent-death watchdog CPU usage by @​anthonyshew in #​12697
• release(turborepo): 2.9.8-canary.6 by @​github-actions[bot] in #​12698

Full Changelog: vercel/turborepo@v2.9.7...v2.9.8

v2.9.7: Turborepo v2.9.7

Compare Source

What's Changed

eslint

• chore: Upgrade dependencies to resolve their known vulnerabilities by @​anthonyshew in #​12604

Examples

• feat(sandbox): Bump @​vercel/sandbox from v1 to beta by @​marc-vercel in #​12595
• chore: Update examples to Turbo 2.9.6 by @​cursor[bot] in #​12600
• examples: Add Ultracite example by @​haydenbleasel in #​12615

Changelog

• fix: Align Markdown docs routing with docs/md endpoints by @​molebox in #​12596
• fix: Support two-dot git ranges in filter selectors by @​anthonyshew in #​12599
• feat: Graceful shutdown by @​anthonyshew in #​12607
• test: Add stdin EOF startup regression coverage by @​anthonyshew in #​12609
• fix: Ignore SIGINT in shim after spawning local turbo by @​anthonyshew in #​12612
• fix: Support pnpm v11 multi-document lockfiles by @​anthonyshew in #​12616
• fix: Preserve graceful shutdown exit code by @​anthonyshew in #​12620
• fix: Keep Node wrapper alive during graceful shutdown by @​anthonyshew in #​12622
• fix: Preserve PTY graceful shutdown semantics by @​anthonyshew in #​12624
• feat: Move Vercel auth to standard OAuth/device flows by @​markandrus in #​12526
• fix: Preserve legacy Vercel auth compatibility by @​anthonyshew in #​12629
• fix: Recover Vercel auth tokens across login flows by @​anthonyshew in #​12631
• docs: Fix TURBO_PLATFORM_ENV_DISABLED value in docs (true, not false) by @​sleitor in #​12633
• chore: Update flags SDK by @​AndyBitz in #​12646
• ci: Disable AWS-backed sccache by @​anthonyshew in #​12663
• fix: Prevent prune from overmatching gitignore entries by @​anthonyshew in #​12662
• ci: Harden release API commits by @​anthonyshew in #​12664
• ci: Fix release API commit paths by @​anthonyshew in #​12665
• release(turborepo): 2.9.7-canary.14 by @​github-actions[bot] in #​12666
• chore: Add tbx sandbox helper by @​anthonyshew in #​12668
• fix: Allow npm registry in tbx sandboxes by @​anthonyshew in #​12669
• fix: Install turbo globally in tbx base by @​anthonyshew in #​12670
• docs: Clarify package hash file inputs by @​anthonyshew in #​12671
• fix: Allow tbx sandboxes to use stale bases by @​anthonyshew in #​12672
• fix: Install dotfiles during tbx base refresh by @​anthonyshew in #​12673
• fix: Improve tbx sandbox startup by @​anthonyshew in #​12674
• fix: Improve tbx sandbox startup defaults by @​anthonyshew in #​12675
• fix: Support pnpm 11 flat patch lockfiles by @​anthonyshew in #​12676
• docs: Fix link to passthrough variables source code by @​Wartijn in #​12643
• release(turborepo): 2.9.7-canary.15 by @​github-actions[bot] in #​12677
• fix: Avoid rerunning non-cacheable watch dependencies by @​anthonyshew in #​12678

New Contributors

• @​marc-vercel made their first contribution in #​12595
• @​cursor[bot] made their first contribution in #​12600
• @​markandrus made their first contribution in #​12526
• @​AndyBitz made their first contribution in #​12646
• @​Wartijn made their first contribution in #​12643

Full Changelog: vercel/turborepo@v2.9.6...v2.9.7

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.