turbo 2.8.4

Turborepo v2.8.4

on Node.js NPM

What's Changed

create-turbo

• fix: Upgrade semver to fix ReDoS vulnerability by @anthonyshew in #11683
• fix: Upgrade inquirer to remove lodash dependency by @anthonyshew in #11709
• fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS vulnerability by @anthonyshew in #11702
• fix: Upgrade jest to v30 to resolve brace-expansion ReDoS vulnerability by @anthonyshew in #11706

eslint

• fix: Upgrade Next.js to 16.1.5 to fix DoS vulnerabilities by @anthonyshew in #11681
• fix: Upgrade eslint to v10 to resolve @eslint/plugin-kit ReDoS vulnerability by @anthonyshew in #11705

Examples

• examples: Update NODE_VERSION to 24.13.1 in Dockerfile by @i5d6 in #11679

Changelog

• fix: Upgrade tar to 7.5.7 to address security vulnerabilities by @anthonyshew in #11680
• fix: Upgrade ts-json-schema-generator to fix glob command injection vulnerability by @anthonyshew in #11684
• fix: Upgrade fumadocs and shiki in docs to resolve mdast-util-to-hast vulnerability by @anthonyshew in #11704
• fix: Replace ts-node with tsx to resolve diff DoS vulnerability by @anthonyshew in #11708
• fix: Upgrade bytes to >=1.11.1 to fix RUSTSEC-2026-0007 by @anthonyshew in #11715
• chore: Update ratatui dependencies (paste blocked upstream) by @anthonyshew in #11717
• Revert "chore: Update ratatui dependencies (paste blocked upstream)" by @anthonyshew in #11722
• fix: Upgrade ratatui to 0.30.0 to drop unmaintained paste crate by @anthonyshew in #11723
• chore: Upgrade reqwest toward addressing RUSTSEC-2025-0134 by @anthonyshew in #11718
• fix(docs): Fix code syntax highlighting by using correct Shiki CSS variable names by @anthonyshew in #11726
• fix: Upgrade async-io to 2.x to drop unmaintained instant crate by @anthonyshew in #11719
• fix: Migrate from unmaintained serde_yaml to serde_yml by @anthonyshew in #11720
• fix: Upgrade test-case and merge to drop unmaintained proc-macro-error by @anthonyshew in #11721
• fix: Upgrade indicatif to 0.18.3 to drop unmaintained number_prefix by @anthonyshew in #11716
• refactor: Centralize configuration resolution funnel by @anthonyshew in #11727
• fix: Upgrade rustls chain to resolve RUSTSEC-2025-0134 by @anthonyshew in #11739
• fix: Upgrade test-case to resolve transitive proc-macro-error by @anthonyshew in #11737
• fix: Upgrade pest/pest_derive to resolve yanked version by @anthonyshew in #11734
• fix: Upgrade git2 to fix RUSTSEC-2026-0008 by @anthonyshew in #11729
• fix: Upgrade pprof to fix RUSTSEC-2024-0408 by @anthonyshew in #11730
• fix: Upgrade portable-pty to resolve RUSTSEC-2017-0008 by @anthonyshew in #11732
• fix: Upgrade oxc_resolver to resolve yanked papaya dependency by @anthonyshew in #11733
• fix: Upgrade futures/futures-util to resolve yanked futures-util 0.3.30 by @anthonyshew in #11735
• fix: Replace unic-segment with unicode-segmentation in globwatch by @anthonyshew in #11736
• fix: Replace serde_yml with serde_yaml_ng to fix RUSTSEC-2025-0067/0068 by @anthonyshew in #11755
• fix: Replace oxc_resolver with unrs_resolver to fix yanked papaya dependency by @anthonyshew in #11754
• fix: Upgrade node-plop to 0.32.3 by @anthonyshew in #11756
• docs: Capitalizaiton in update github-actions.mdx by @anthonyshew in #11762

Full Changelog: v2.8.3...v2.8.4