chore: Upgrade dependencies to resolve their known vulnerabilities #12604

Merged: anthonyshew merged 4 commits into main from shew/weekly-security-audits-96a8 on Apr 13, 2026

anthonyshew commented Apr 13, 2026 (Contributor)

Description

This PR resolves the current dependency alerts on this branch without hand-editing lockfiles.

  • pnpm audit is clean after upgrading next in apps/docs and proxy-agent in packages/turbo-gen.
  • @turbo/gen now uses bundler-style TypeScript resolution so proxy-agent@8 typechecks correctly, and its check-types task now depends on build:embed.
  • Rust dependency upgrades now come from Cargo.toml changes (rand, quickcheck, and tokio-tungstenite) followed by regenerating Cargo.lock.
  • The remaining assigned next alerts are covered by upgrading the framework-inference fixture apps to next@16.2.3 and regenerating the npm fixture lockfile with npm 8.
  • cargo audit is improved, but still reports upstream warnings that need separate follow-up: proc-macro-error, rustls-pemfile, and rand 0.8.5 via tokio-retry.

anthonyshew requested a review from a team as a code owner April 13, 2026 12:54
anthonyshew requested review from tknickman and removed request for a team April 13, 2026 12:54
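
The last bullet of the description above notes that rand 0.8.5 still arrives via tokio-retry after the direct upgrades. As an added example (not code from this PR or from the Turborepo project), the script below walks a Cargo.lock and lists the dependency chains that keep a flagged crate version in the tree. The lockfile excerpt is constructed, and its rand 0.9.0, tokio-retry 0.3.0 and example-app entries are assumed values.

```python
import re

# Constructed Cargo.lock excerpt; every entry except rand 0.8.5 is an assumed value.
SAMPLE_LOCK = '''
[[package]]
name = "example-app"
version = "0.1.0"
dependencies = [
 "rand 0.9.0",
 "tokio-retry",
]
[[package]]
name = "rand"
version = "0.8.5"
[[package]]
name = "rand"
version = "0.9.0"
[[package]]
name = "tokio-retry"
version = "0.3.0"
dependencies = [
 "rand 0.8.5",
]
'''

def parse_lock(text):
    """Map (name, version) -> [(dep, version or None)]; Cargo omits an unambiguous version."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r'^dependencies = \[(.*?)\]', block, re.M | re.S)
        entries = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
        packages[(name, version)] = [tuple((e.split(" ") + [None])[:2]) for e in entries]
    return packages

def paths_to(packages, target):
    """Return dependency chains, root first, that end at target (name, version)."""
    parents = {c: [p for p, deps in packages.items()
                   if any(n == c[0] and v in (None, c[1]) for n, v in deps)]
               for c in packages}
    chains, stack = [], [[target]]
    while stack:
        chain = stack.pop()
        ups = [p for p in parents.get(chain[-1], []) if p not in chain]
        stack += [chain + [up] for up in ups]
        if not ups:  # reached a package nothing else depends on
            chains.append(chain[::-1])
    return chains
```

On a full checkout, `cargo tree -i rand@0.8.5` answers the same question; a lockfile-only walk like this is useful in review tooling that has no toolchain available.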
vercel Bot commented Apr 13, 2026 (Contributor)

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| examples-basic-web | Ready | Preview, Comment, Open in v0 | Apr 13, 2026 1:34pm |
| examples-designsystem-docs | Ready | Preview, Comment, Open in v0 | Apr 13, 2026 1:34pm |
| examples-gatsby-web | Ready | Preview, Comment, Open in v0 | Apr 13, 2026 1:34pm |
| examples-kitchensink-blog | Ready | Preview, Comment, Open in v0 | Apr 13, 2026 1:34pm |
| examples-nonmonorepo | Ready | Preview, Comment, Open in v0 | Apr 13, 2026 1:34pm |
| examples-svelte-web | Ready | Preview, Comment, Open in v0 | Apr 13, 2026 1:34pm |
| examples-tailwind-web | Ready | Preview, Comment, Open in v0 | Apr 13, 2026 1:34pm |
| examples-vite-web | Ready | Preview, Comment, Open in v0 | Apr 13, 2026 1:34pm |
| turbo-site | Ready | Preview, Comment, Open in v0 | Apr 13, 2026 1:34pm |

ghost added the "pkg: turbo-gen" label Apr 13, 2026
anthonyshew changed the title from "Weekly security audits" to "chore: Upgrade dependencies to resolve their known vulnerabilities" Apr 13, 2026
ghost added the "pkg: turbo-eslint" (eslint-config-turbo and eslint-plugin-turbo) label Apr 13, 2026
anthonyshew enabled auto-merge (squash) April 13, 2026 13:39
anthonyshew merged commit dd34170 into main Apr 13, 2026
65 of 66 checks passed
anthonyshew deleted the shew/weekly-security-audits-96a8 branch April 13, 2026 13:41
github-actions Bot added a commit that referenced this pull request Apr 13, 2026
## Release v2.9.7-canary.3

Versioned docs: https://v2-9-7-canary-3.turborepo.dev

### Changes

- release(turborepo): 2.9.7-canary.2 (#12603) (`41ff958`)
- chore: Upgrade dependencies to resolve their known vulnerabilities
(#12604) (`dd34170`)
- ci: Remove cargo and pnpm audit workflows (#12605) (`dbf2aeb`)

Co-authored-by: Turbobot <turbobot@vercel.com>
github-actions Bot added a commit that referenced this pull request May 1, 2026
## Release v2.9.7

> [!CAUTION]
> Versioned docs aliasing FAILED. [View
logs](https://github.com/vercel/turborepo/actions/runs/25199467832)

### Changes

- feat(sandbox): Bump @vercel/sandbox from v1 to beta (#12595)
(`dba017a`)
- release(turborepo): 2.9.6 (#12597) (`50d7bcf`)
- fix: Align Markdown docs routing with docs/md endpoints (#12596)
(`ca04adc`)
- fix: Support two-dot git ranges in filter selectors (#12599)
(`04f9f41`)
- chore: Update examples to Turbo 2.9.6 (#12600) (`1a48897`)
- release(turborepo): 2.9.7-canary.1 (#12602) (`cc99739`)
- release(turborepo): 2.9.7-canary.2 (#12603) (`41ff958`)
- chore: Upgrade dependencies to resolve their known vulnerabilities
(#12604) (`dd34170`)
- ci: Remove cargo and pnpm audit workflows (#12605) (`dbf2aeb`)
- release(turborepo): 2.9.7-canary.3 (#12606) (`f674256`)
- fix: Preserve graceful shutdown output (#12607) (`0b5bb21`)
- release(turborepo): 2.9.7-canary.4 (#12608) (`d727147`)
- test: Add stdin EOF startup regression coverage (#12609) (`eba8246`)
- release(turborepo): 2.9.7-canary.5 (#12611) (`61f3f02`)
- fix: Ignore SIGINT in shim after spawning local `turbo` (#12612)
(`d28c4ea`)
- release(turborepo): 2.9.7-canary.6 (#12613) (`e8015da`)
- fix: Support pnpm v11 multi-document lockfiles (#12616) (`d0d5d3a`)
- release(turborepo): 2.9.7-canary.7 (#12617) (`598121f`)
- fix: Preserve graceful shutdown exit code (#12620) (`4a3f274`)
- release(turborepo): 2.9.7-canary.8 (#12621) (`8b481bb`)
- fix: Keep Node wrapper alive during graceful shutdown (#12622)
(`a081b02`)
- release(turborepo): 2.9.7-canary.9 (#12623) (`7550044`)
- fix: Preserve PTY graceful shutdown semantics (#12624) (`f4ba2d0`)
- feat: Move Vercel auth to standard OAuth/device flows (#12526)
(`0f37c24`)
- release(turborepo): 2.9.7-canary.10 (#12625) (`f7c5d3e`)
- release(turborepo): 2.9.7-canary.11 (#12626) (`046efea`)
- examples: Add Ultracite example (#12615) (`3188a56`)
- fix: Preserve legacy Vercel auth compatibility (#12629) (`2d20d3b`)
- release(turborepo): 2.9.7-canary.12 (#12630) (`90d1430`)
- fix: Recover Vercel auth tokens across login flows (#12631)
(`0d83a51`)
- release(turborepo): 2.9.7-canary.13 (#12632) (`d7618e6`)
- docs: Fix TURBO_PLATFORM_ENV_DISABLED value in docs (true, not false)
(#12633) (`99f27c4`)
- ci: Temporarily disable cron releases (#12637) (`9f385a1`)
- chore: Update flags SDK (#12646) (`a7ee687`)
- ci: Disable AWS-backed sccache (#12663) (`5983eb5`)
- fix: Prevent prune from overmatching gitignore entries (#12662)
(`5478288`)
- ci: Harden release API commits (#12664) (`45842be`)
- ci: Fix release API commit paths (#12665) (`6d6d70d`)
- release(turborepo): 2.9.7-canary.14 (#12666) (`70e9353`)
- chore: Add `tbx` sandbox helper (#12668) (`c6f0d53`)
- fix: Allow npm registry in tbx sandboxes (#12669) (`57a4716`)
- fix: Install turbo globally in tbx base (#12670) (`78134f8`)
- docs: Clarify package hash file inputs (#12671) (`fdfed03`)
- fix: Allow tbx sandboxes to use stale bases (#12672) (`ce65df5`)
- fix: Install dotfiles during `tbx base refresh` (#12673) (`7a3023d`)
- fix: Improve tbx sandbox startup (#12674) (`aab6e38`)
- fix: Improve tbx sandbox startup defaults (#12675) (`409b6d8`)
- fix: Support pnpm 11 flat patch lockfiles (#12676) (`976bdce`)
- docs: Fix link to passthrough variables source code (#12643)
(`7c64d46`)
- release(turborepo): 2.9.7-canary.15 (#12677) (`bca27f0`)
- fix: Avoid rerunning non-cacheable watch dependencies (#12678)
(`9477571`)

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>