From ea615a951f65f6b729c18f43c3cec845aaecf00b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 20 May 2026 12:31:20 +0200
Subject: [PATCH 1/3] chore(deps-dev): bump postcss from 8.5.14 to 8.5.15
 (#7883)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps [postcss](https://github.com/postcss/postcss) from 8.5.14 to
8.5.15.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/releases">postcss's
releases</a>.</em></p>
<blockquote>
<h2>8.5.15</h2>
<ul>
<li>Fixed declaration parsing performance (by <a
href="https://github.com/homanp"><code>@​homanp</code></a>).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/blob/main/CHANGELOG.md">postcss's
changelog</a>.</em></p>
<blockquote>
<h2>8.5.15</h2>
<ul>
<li>Fixed declaration parsing performance (by <a
href="https://github.com/homanp"><code>@​homanp</code></a>).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/postcss/postcss/commit/eae46db765d752cf8f40c4fa2b0b85030079c43d"><code>eae46db</code></a>
Release 8.5.15 version</li>
<li><a
href="https://github.com/postcss/postcss/commit/79508ffa59e42c02056aca61b88bc393c8b516c4"><code>79508ff</code></a>
Update CI actions</li>
<li><a
href="https://github.com/postcss/postcss/commit/b128e2131288a411c6e28071d0929542c49e74eb"><code>b128e21</code></a>
Speed up declaration parsing by avoiding creating new array on each
token</li>
<li><a
href="https://github.com/postcss/postcss/commit/9825dca02c33cf610e2a842be767468b67fbecf9"><code>9825dca</code></a>
Fix code format</li>
<li><a
href="https://github.com/postcss/postcss/commit/55789c865281e2be194fa5b4e41dd046be3a2307"><code>55789c8</code></a>
Update dependencies</li>
<li><a
href="https://github.com/postcss/postcss/commit/84fbbe9009cb3cc3bbb4cc3a9b65d468f4844d95"><code>84fbbe9</code></a>
Install older pnpm action for old Node.js</li>
<li><a
href="https://github.com/postcss/postcss/commit/9f860bd78ec1dbc4f0ae72d693f03f956baa38cb"><code>9f860bd</code></a>
Revert pnpm action for old Node.js</li>
<li><a
href="https://github.com/postcss/postcss/commit/08771986d47359545f502e009763e223b66bfcf6"><code>0877198</code></a>
Update CI actions</li>
<li><a
href="https://github.com/postcss/postcss/commit/b2d1a335cea818f8b27e5cfb90147648afe3e582"><code>b2d1a33</code></a>
Fix linter warnings</li>
<li><a
href="https://github.com/postcss/postcss/commit/0700dac92283bc259977dff2743ca74a00f58267"><code>0700dac</code></a>
Merge pull request <a
href="https://redirect.github.com/postcss/postcss/issues/2088">#2088</a>
from rootvector2/add-oss-fuzz-harness</li>
<li>Additional commits viewable in <a
href="https://github.com/postcss/postcss/compare/8.5.14...8.5.15">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jack <jack@monkeytype.com>
---
 frontend/package.json |  2 +-
 pnpm-lock.yaml        | 24 ++++++++++++------------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/frontend/package.json b/frontend/package.json
index 453e2f4bd7d9..af0bd480ddef 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -111,7 +111,7 @@
     "normalize.css": "8.0.1",
     "oxlint": "1.64.0",
     "oxlint-tsgolint": "0.22.1",
-    "postcss": "8.5.14",
+    "postcss": "8.5.15",
     "sass": "1.70.0",
     "solid-devtools": "0.34.5",
     "solid-js": "1.9.10",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index f7139b8cccf6..e5c8531a34de 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -64,7 +64,7 @@ importers:
         version: 40.0.0(stylelint@17.6.0(typescript@6.0.2))
       stylelint-config-standard-scss:
         specifier: 17.0.0
-        version: 17.0.0(postcss@8.5.14)(stylelint@17.6.0(typescript@6.0.2))
+        version: 17.0.0(postcss@8.5.15)(stylelint@17.6.0(typescript@6.0.2))
       turbo:
         specifier: 2.7.5
         version: 2.7.5
@@ -9509,8 +9509,8 @@ packages:
     peerDependencies:
       postcss: 8.5.8
 
-  postcss@8.5.14:
-    resolution: {integrity: sha512-SoSL4+OSEtR99LHFZQiJLkT59C5B1amGO1NzTwj7TT1qCUgUO6hxOvzkOYxD+vMrXBM3XJIKzokoERdqQq/Zmg==}
+  postcss@8.5.15:
+    resolution: {integrity: sha512-FfR8sjd4em2T6fb3I2MwAJU7HWVMr9zba+enmQeeWFfCbm+UOC/0X4DS8XtpUTMwWMGbjKYP7xjfNekzyGmB3A==}
     engines: {node: ^10 || ^12 || >=14}
 
   postcss@8.5.8:
@@ -21495,9 +21495,9 @@ snapshots:
     dependencies:
       postcss: 8.5.8
 
-  postcss-scss@4.0.9(postcss@8.5.14):
+  postcss-scss@4.0.9(postcss@8.5.15):
     dependencies:
-      postcss: 8.5.14
+      postcss: 8.5.15
 
   postcss-selector-parser@7.1.1:
     dependencies:
@@ -21513,7 +21513,7 @@ snapshots:
       postcss: 8.5.8
       quote-unquote: 1.0.0
 
-  postcss@8.5.14:
+  postcss@8.5.15:
     dependencies:
       nanoid: 3.3.12
       picocolors: 1.1.1
@@ -22860,26 +22860,26 @@ snapshots:
     optionalDependencies:
       react-dom: 18.3.1(react@18.3.1)
 
-  stylelint-config-recommended-scss@17.0.0(postcss@8.5.14)(stylelint@17.6.0(typescript@6.0.2)):
+  stylelint-config-recommended-scss@17.0.0(postcss@8.5.15)(stylelint@17.6.0(typescript@6.0.2)):
     dependencies:
-      postcss-scss: 4.0.9(postcss@8.5.14)
+      postcss-scss: 4.0.9(postcss@8.5.15)
       stylelint: 17.6.0(typescript@6.0.2)
       stylelint-config-recommended: 18.0.0(stylelint@17.6.0(typescript@6.0.2))
       stylelint-scss: 7.0.0(stylelint@17.6.0(typescript@6.0.2))
     optionalDependencies:
-      postcss: 8.5.14
+      postcss: 8.5.15
 
   stylelint-config-recommended@18.0.0(stylelint@17.6.0(typescript@6.0.2)):
     dependencies:
       stylelint: 17.6.0(typescript@6.0.2)
 
-  stylelint-config-standard-scss@17.0.0(postcss@8.5.14)(stylelint@17.6.0(typescript@6.0.2)):
+  stylelint-config-standard-scss@17.0.0(postcss@8.5.15)(stylelint@17.6.0(typescript@6.0.2)):
     dependencies:
       stylelint: 17.6.0(typescript@6.0.2)
-      stylelint-config-recommended-scss: 17.0.0(postcss@8.5.14)(stylelint@17.6.0(typescript@6.0.2))
+      stylelint-config-recommended-scss: 17.0.0(postcss@8.5.15)(stylelint@17.6.0(typescript@6.0.2))
       stylelint-config-standard: 40.0.0(stylelint@17.6.0(typescript@6.0.2))
     optionalDependencies:
-      postcss: 8.5.14
+      postcss: 8.5.15
 
   stylelint-config-standard@40.0.0(stylelint@17.6.0(typescript@6.0.2)):
     dependencies:

From b397d8f8c2aebf314e6fee07a40f60a2a0faefc9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 20 May 2026 12:34:23 +0200
Subject: [PATCH 2/3] chore(deps): bump protobufjs from 7.3.2 to 7.5.8 (#7979)

Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.3.2
to 7.5.8.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/protobufjs/protobuf.js/releases">protobufjs's
releases</a>.</em></p>
<blockquote>
<h2>protobufjs: v7.5.8</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.7...protobufjs-v7.5.8">7.5.8</a>
(2026-05-12)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Backport parser hardening to 7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2245">#2245</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/54b593ffd960f7fe4b0c448a12542c3de0a0cf26">54b593f</a>)</li>
</ul>
<h2>protobufjs: v7.5.7</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.6...protobufjs-v7.5.7">7.5.7</a>
(2026-05-09)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Restore first-match namespace lookup (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2236">#2236</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/cc7d59559d4e8c533a35218310c67f4a5dda54f5">cc7d595</a>)</li>
</ul>
<h2>protobufjs: v7.5.6</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.5...protobufjs-v7.5.6">7.5.6</a>
(2026-04-27)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Backport input hardening and CLI fixes to 7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2173">#2173</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/75392ea1b78bdc4faba027b5db44ad7c50e9c454">75392ea</a>)</li>
</ul>
<h2>v7.5.5</h2>
<p>This release backports two reported security issues to 7.x
branch.</p>
<ul>
<li>fix: do not allow setting <code>__proto__</code> in Message
constructor (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2126">#2126</a>)</li>
<li>fix: filter invalid characters from the type name (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2127">#2127</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v7.5.5">https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v7.5.5</a></p>
<h2>protobufjs: v7.5.4</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.3...protobufjs-v7.5.4">7.5.4</a>
(2025-08-15)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>invalid syntax in descriptor.proto (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2092">#2092</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/5a3769a465fead089a533ad55c21d069299df760">5a3769a</a>)</li>
</ul>
<h2>protobufjs: v7.5.3</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.2...protobufjs-v7.5.3">7.5.3</a>
(2025-05-28)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>descriptor extensions handling post-editions (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2075">#2075</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/6e255d4ad6982cc857f26e1731c2cedcf5796f68">6e255d4</a>)</li>
</ul>
<h2>protobufjs: v7.5.2</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.1...protobufjs-v7.5.2">7.5.2</a>
(2025-05-14)</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.5.8/CHANGELOG.md">protobufjs's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.7...protobufjs-v7.5.8">7.5.8</a>
(2026-05-12)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Backport parser hardening to 7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2245">#2245</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/54b593ffd960f7fe4b0c448a12542c3de0a0cf26">54b593f</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.6...protobufjs-v7.5.7">7.5.7</a>
(2026-05-09)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Restore first-match namespace lookup (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2236">#2236</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/cc7d59559d4e8c533a35218310c67f4a5dda54f5">cc7d595</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.5...protobufjs-v7.5.6">7.5.6</a>
(2026-04-27)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Backport input hardening and CLI fixes to 7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2173">#2173</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/75392ea1b78bdc4faba027b5db44ad7c50e9c454">75392ea</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.3...protobufjs-v7.5.4">7.5.4</a>
(2025-08-15)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>invalid syntax in descriptor.proto (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2092">#2092</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/5a3769a465fead089a533ad55c21d069299df760">5a3769a</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.2...protobufjs-v7.5.3">7.5.3</a>
(2025-05-28)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>descriptor extensions handling post-editions (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2075">#2075</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/6e255d4ad6982cc857f26e1731c2cedcf5796f68">6e255d4</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.1...protobufjs-v7.5.2">7.5.2</a>
(2025-05-14)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>ensure that types are always resolved (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2068">#2068</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/4b51cb2b8450b77f9f5de1c562e7fae93b19d040">4b51cb2</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.0...protobufjs-v7.5.1">7.5.1</a>
(2025-05-08)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>optimize regressions from editions implementations (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2066">#2066</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/6406d4c18afae309fc7b5f4a24d9674d85da180b">6406d4c</a>)</li>
<li>reserved field inside group blocks fail parsing (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2058">#2058</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/56782bff0c4b5132806eb1a6bc4d08f930c4aaad">56782bf</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/d7035f9b7f06210ea343cab1f2f1cc18ee5cc1d6"><code>d7035f9</code></a>
chore: release protobufjs-v7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2248">#2248</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/54b593ffd960f7fe4b0c448a12542c3de0a0cf26"><code>54b593f</code></a>
fix: Backport parser hardening to 7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2245">#2245</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/e88fcea1635f79c414e8a070e164d38ea99e104a"><code>e88fcea</code></a>
chore: release protobufjs-v7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2239">#2239</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/cc7d59559d4e8c533a35218310c67f4a5dda54f5"><code>cc7d595</code></a>
fix: Restore first-match namespace lookup (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2236">#2236</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/3abc9b54d67a7102785c6dfd8bf6610f545d445b"><code>3abc9b5</code></a>
chore: release protobufjs-v7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2190">#2190</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/a0bf2dfdd8a75aa62ce5a1ff47a52b9b8f1ea793"><code>a0bf2df</code></a>
fix: Update CLI peer dependency (7.x) (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2189">#2189</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/2189e5beeca6a70e4c104dfdb9fb8200bc5f81fe"><code>2189e5b</code></a>
chore: release protobufjs-v7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2174">#2174</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/75392ea1b78bdc4faba027b5db44ad7c50e9c454"><code>75392ea</code></a>
fix: Backport input hardening and CLI fixes to 7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2173">#2173</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/8af8d7c0e9800879625f7d0d4a7fb51beb4410cd"><code>8af8d7c</code></a>
chore(ci): Fix 7.x release please configuration (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2169">#2169</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/e92ca42244ad67203b48d836290062dae037ead6"><code>e92ca42</code></a>
chore(ci): Enable release-please for 7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2166">#2166</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.3.2...protobufjs-v7.5.8">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new
releaser for protobufjs since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=protobufjs&package-manager=npm_and_yarn&previous-version=7.3.2&new-version=7.5.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/monkeytypegame/monkeytype/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jack <jack@monkeytype.com>
---
 pnpm-lock.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index e5c8531a34de..1efff7646729 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -13342,7 +13342,7 @@ snapshots:
 
   '@eslint/eslintrc@3.3.3':
     dependencies:
-      ajv: 6.15.0
+      ajv: 6.12.6
       debug: 4.4.3
       espree: 10.4.0
       globals: 14.0.0

From 83b30b51620116148e2b86b24c8f6165d059b4be Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 20 May 2026 12:47:09 +0200
Subject: [PATCH 3/3] chore(deps-dev): bump turbo from 2.7.5 to 2.9.14 (#7981)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps [turbo](https://github.com/vercel/turborepo) from 2.7.5 to 2.9.14.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vercel/turborepo/releases">turbo's
releases</a>.</em></p>
<blockquote>
<h2>Turborepo v2.9.14</h2>
<blockquote>
<p>[!NOTE]
This release contains important security fixes.</p>
</blockquote>
<h3>High:</h3>
<ul>
<li><a
href="https://github.com/vercel/turborepo/security/advisories/GHSA-5xc8-49mv-x4mm">GHSA-5xc8-49mv-x4mm:
Turborepo VSCode Extension command injection</a></li>
</ul>
<h3>Low:</h3>
<ul>
<li><a
href="https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r">GHSA-hcf7-66rw-9f5r:
Login callback CSRF/session fixation</a></li>
<li><a
href="https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726">GHSA-3qcw-2rhx-2726:
Unexpected local code execution during Yarn Berry detection</a></li>
</ul>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<h3>Changelog</h3>
<ul>
<li>release(turborepo): 2.9.12 by <a
href="https://github.com/github-actions"><code>@​github-actions</code></a>[bot]
in <a
href="https://redirect.github.com/vercel/turborepo/pull/12774">vercel/turborepo#12774</a></li>
<li>fix: Restore docs mobile menu by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12782">vercel/turborepo#12782</a></li>
<li>ci: Use <code>pull_request</code> for PR title linting by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12787">vercel/turborepo#12787</a></li>
<li>ci: Scope GitHub Actions caches by branch by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12788">vercel/turborepo#12788</a></li>
<li>test: Validate lockfiles without dependency downloads by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12789">vercel/turborepo#12789</a></li>
<li>Removed unneeded import form hash creation script in docs by <a
href="https://github.com/dancrumb"><code>@​dancrumb</code></a> in <a
href="https://redirect.github.com/vercel/turborepo/pull/12799">vercel/turborepo#12799</a></li>
<li>fix: Validate auth callback state by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12802">vercel/turborepo#12802</a></li>
<li>fix: Harden VS Code extension command execution by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12800">vercel/turborepo#12800</a></li>
<li>fix: Avoid project-local Yarn during detection by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12801">vercel/turborepo#12801</a></li>
<li>chore: Release 2.9.13 by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12803">vercel/turborepo#12803</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/dancrumb"><code>@​dancrumb</code></a>
made their first contribution in <a
href="https://redirect.github.com/vercel/turborepo/pull/12799">vercel/turborepo#12799</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/vercel/turborepo/compare/v2.9.12...v2.9.14">https://github.com/vercel/turborepo/compare/v2.9.12...v2.9.14</a></p>
<h2>Turborepo v2.9.13-canary.1</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<h3>Changelog</h3>
<ul>
<li>release(turborepo): 2.9.11-canary.7 by <a
href="https://github.com/github-actions"><code>@​github-actions</code></a>[bot]
in <a
href="https://redirect.github.com/vercel/turborepo/pull/12768">vercel/turborepo#12768</a></li>
<li>fix: Allow <code>$TURBO_EXTENDS$</code> in LSP diagnostics by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12770">vercel/turborepo#12770</a></li>
<li>release(turborepo): 2.9.11 by <a
href="https://github.com/github-actions"><code>@​github-actions</code></a>[bot]
in <a
href="https://redirect.github.com/vercel/turborepo/pull/12771">vercel/turborepo#12771</a></li>
<li>fix: Allow transit nodes in LSP diagnostics by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12773">vercel/turborepo#12773</a></li>
<li>release(turborepo): 2.9.12 by <a
href="https://github.com/github-actions"><code>@​github-actions</code></a>[bot]
in <a
href="https://redirect.github.com/vercel/turborepo/pull/12774">vercel/turborepo#12774</a></li>
<li>fix: Restore docs mobile menu by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12782">vercel/turborepo#12782</a></li>
<li>ci: Use <code>pull_request</code> for PR title linting by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12787">vercel/turborepo#12787</a></li>
<li>ci: Scope GitHub Actions caches by branch by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12788">vercel/turborepo#12788</a></li>
<li>test: Validate lockfiles without dependency downloads by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12789">vercel/turborepo#12789</a></li>
<li>Removed unneeded import form hash creation script in docs by <a
href="https://github.com/dancrumb"><code>@​dancrumb</code></a> in <a
href="https://redirect.github.com/vercel/turborepo/pull/12799">vercel/turborepo#12799</a></li>
<li>fix: Validate auth callback state by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12802">vercel/turborepo#12802</a></li>
<li>fix: Harden VS Code extension command execution by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12800">vercel/turborepo#12800</a></li>
<li>fix: Avoid project-local Yarn during detection by <a
href="https://github.com/anthonyshew"><code>@​anthonyshew</code></a> in
<a
href="https://redirect.github.com/vercel/turborepo/pull/12801">vercel/turborepo#12801</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/vercel/turborepo/commit/fc62fe0d9c347d1d24f0ed8946284856593ddb93"><code>fc62fe0</code></a>
publish 2.9.14 to registry</li>
<li><a
href="https://github.com/vercel/turborepo/commit/fb8c9aec0f9e83f95783659a5ce9c4478cf62cb9"><code>fb8c9ae</code></a>
chore: Release 2.9.13 (<a
href="https://redirect.github.com/vercel/turborepo/issues/12803">#12803</a>)</li>
<li><a
href="https://github.com/vercel/turborepo/commit/e8e629da4e1fb75231089e91b19be9d327a3e649"><code>e8e629d</code></a>
fix: Avoid project-local Yarn during detection (<a
href="https://redirect.github.com/vercel/turborepo/issues/12801">#12801</a>)</li>
<li><a
href="https://github.com/vercel/turborepo/commit/91c90cbf12f524c5c29b713d6472dd5fcdecb309"><code>91c90cb</code></a>
fix: Harden VS Code extension command execution (<a
href="https://redirect.github.com/vercel/turborepo/issues/12800">#12800</a>)</li>
<li><a
href="https://github.com/vercel/turborepo/commit/84f450894e87da1eed864d51f6f637f26980d560"><code>84f4508</code></a>
fix: Validate auth callback state (<a
href="https://redirect.github.com/vercel/turborepo/issues/12802">#12802</a>)</li>
<li><a
href="https://github.com/vercel/turborepo/commit/1779ad7901384f106236a6e196059e4929745514"><code>1779ad7</code></a>
Removed unneeded import form hash creation script in docs (<a
href="https://redirect.github.com/vercel/turborepo/issues/12799">#12799</a>)</li>
<li><a
href="https://github.com/vercel/turborepo/commit/71f8c90a807ffb9b9876ea8a04f523f473bf5c8d"><code>71f8c90</code></a>
test: Validate lockfiles without dependency downloads (<a
href="https://redirect.github.com/vercel/turborepo/issues/12789">#12789</a>)</li>
<li><a
href="https://github.com/vercel/turborepo/commit/5fcb96024d503127bb0ed760ebe159b7716c52b3"><code>5fcb960</code></a>
ci: Scope GitHub Actions caches by branch (<a
href="https://redirect.github.com/vercel/turborepo/issues/12788">#12788</a>)</li>
<li><a
href="https://github.com/vercel/turborepo/commit/4cf9fabc9a6f6c99fe4e2f2da9f35be631be062a"><code>4cf9fab</code></a>
ci: Use <code>pull_request</code> for PR title linting (<a
href="https://redirect.github.com/vercel/turborepo/issues/12787">#12787</a>)</li>
<li><a
href="https://github.com/vercel/turborepo/commit/859c629bc401f239ac7980a132746ca90478e17c"><code>859c629</code></a>
fix: Restore docs mobile menu (<a
href="https://redirect.github.com/vercel/turborepo/issues/12782">#12782</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/vercel/turborepo/compare/v2.7.5...v2.9.14">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=turbo&package-manager=npm_and_yarn&previous-version=2.7.5&new-version=2.9.14)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/monkeytypegame/monkeytype/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jack <jack@monkeytype.com>
---
 package.json   |   2 +-
 pnpm-lock.yaml | 126 ++++++++++++++++++++++++-------------------------
 2 files changed, 64 insertions(+), 64 deletions(-)

diff --git a/package.json b/package.json
index 2d29994e8943..469eb443f28f 100644
--- a/package.json
+++ b/package.json
@@ -78,7 +78,7 @@
     "stylelint": "17.6.0",
     "stylelint-config-standard": "40.0.0",
     "stylelint-config-standard-scss": "17.0.0",
-    "turbo": "2.7.5",
+    "turbo": "2.9.14",
     "vitest": "4.1.0",
     "yaml": "2.8.3"
   },
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 1efff7646729..0a5f58859109 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -66,8 +66,8 @@ importers:
         specifier: 17.0.0
         version: 17.0.0(postcss@8.5.15)(stylelint@17.6.0(typescript@6.0.2))
       turbo:
-        specifier: 2.7.5
-        version: 2.7.5
+        specifier: 2.9.14
+        version: 2.9.14
       vitest:
         specifier: 4.1.0
         version: 4.1.0(@types/node@24.9.1)(happy-dom@20.8.9)(jsdom@27.4.0)(vite@8.0.5(@emnapi/core@1.9.0)(@emnapi/runtime@1.9.0)(@types/node@24.9.1)(esbuild@0.27.7)(jiti@2.6.1)(sass@1.98.0)(terser@5.47.1)(tsx@4.21.0)(yaml@2.8.3))
@@ -4641,6 +4641,36 @@ packages:
       '@ts-rest/core': ~3.52.0
       zod: ^3.22.3
 
+  '@turbo/darwin-64@2.9.14':
+    resolution: {integrity: sha512-t7QiPflaEyBE4oayeZtSmu4mEfjgIrcNlNNl1z1dmIVPqEdtA7+CfTf8d7KXsOGPh6aNgWjKxyvQg9uGfDQF+A==}
+    cpu: [x64]
+    os: [darwin]
+
+  '@turbo/darwin-arm64@2.9.14':
+    resolution: {integrity: sha512-d23147mC9BsCPA9mJ0h/ubcpbRgcJBXbcG3+Vq7YLhjz3IXuvQsJ1UXH8f4MD76ZjJ4m/E4aRdJV+MW88CDfbw==}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@turbo/linux-64@2.9.14':
+    resolution: {integrity: sha512-P3ZKB5tuUDdDQWuAsACGUR1qv9W7BNWxdxqVJ0kZNuNNPRaVYTPPikLcp79+GiEcW3npsR+KyP38lnQiBc5aSA==}
+    cpu: [x64]
+    os: [linux]
+
+  '@turbo/linux-arm64@2.9.14':
+    resolution: {integrity: sha512-ZRTlzcUMrrPv9ZuDzRF9n60Ym13bKeG9jDB8WjxyLhWNzV+AJQN+zdpIk3NJYf2zQsGUm1mNar2P0elRzLw25g==}
+    cpu: [arm64]
+    os: [linux]
+
+  '@turbo/windows-64@2.9.14':
+    resolution: {integrity: sha512-exanwN6sIduZwykYeiTQj8kCmOhazP5WOz3bvXMcYtjhL6Z3iRWLewKrXCBq0bqwSP3iBMb/AerRCnHI4lx46A==}
+    cpu: [x64]
+    os: [win32]
+
+  '@turbo/windows-arm64@2.9.14':
+    resolution: {integrity: sha512-fVdCsnmYoKICsycbWuuGp6Jvi51/3G/UluFWuAUCvR8PIW5IJkAk5BM9UF8PSm0Q2IphWHFZjYEgjHsh3B9y/g==}
+    cpu: [arm64]
+    os: [win32]
+
   '@tybys/wasm-util@0.10.1':
     resolution: {integrity: sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==}
 
@@ -6526,8 +6556,8 @@ packages:
   electron-to-chromium@1.5.267:
     resolution: {integrity: sha512-0Drusm6MVRXSOJpGbaSVgcQsuB4hEkMpHXaVstcPmhu5LIedxs1xNK/nIxmQIU/RPC0+1/o0AVZfBTkTNJOdUw==}
 
-  electron-to-chromium@1.5.359:
-    resolution: {integrity: sha512-8lPELWuYZIWk7NDvCNthtmMw/7Q5Wu25NpM4djFMHBmk8DubPAtL4YTOp7ou0e7HyJtwkVlWv8XMLURnrtgJQw==}
+  electron-to-chromium@1.5.360:
+    resolution: {integrity: sha512-GkcBt6YYAw9SxFWn+xVar4cLVGlXVuswwtRLBozi2zp0GjXs4ZnOrqV4zbXzg35n7w81hCkyJNYicgXlVHAmBA==}
 
   emoji-regex@8.0.0:
     resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==}
@@ -11000,38 +11030,8 @@ packages:
     resolution: {integrity: sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==}
     engines: {node: '>=0.6.11 <=0.7.0 || >=0.7.3'}
 
-  turbo-darwin-64@2.7.5:
-    resolution: {integrity: sha512-nN3wfLLj4OES/7awYyyM7fkU8U8sAFxsXau2bYJwAWi6T09jd87DgHD8N31zXaJ7LcpyppHWPRI2Ov9MuZEwnQ==}
-    cpu: [x64]
-    os: [darwin]
-
-  turbo-darwin-arm64@2.7.5:
-    resolution: {integrity: sha512-wCoDHMiTf3FgLAbZHDDx/unNNonSGhsF5AbbYODbxnpYyoKDpEYacUEPjZD895vDhNvYCH0Nnk24YsP4n/cD6g==}
-    cpu: [arm64]
-    os: [darwin]
-
-  turbo-linux-64@2.7.5:
-    resolution: {integrity: sha512-KKPvhOmJMmzWj/yjeO4LywkQ85vOJyhru7AZk/+c4B6OUh/odQ++SiIJBSbTG2lm1CuV5gV5vXZnf/2AMlu3Zg==}
-    cpu: [x64]
-    os: [linux]
-
-  turbo-linux-arm64@2.7.5:
-    resolution: {integrity: sha512-8PIva4L6BQhiPikUTds9lSFSHXVDAsEvV6QUlgwPsXrtXVQMVi6Sv9p+IxtlWQFvGkdYJUgX9GnK2rC030Xcmw==}
-    cpu: [arm64]
-    os: [linux]
-
-  turbo-windows-64@2.7.5:
-    resolution: {integrity: sha512-rupskv/mkIUgQXzX/wUiK00mKMorQcK8yzhGFha/D5lm05FEnLx8dsip6rWzMcVpvh+4GUMA56PgtnOgpel2AA==}
-    cpu: [x64]
-    os: [win32]
-
-  turbo-windows-arm64@2.7.5:
-    resolution: {integrity: sha512-G377Gxn6P42RnCzfMyDvsqQV7j69kVHKlhz9J4RhtJOB5+DyY4yYh/w0oTIxZQ4JRMmhjwLu3w9zncMoQ6nNDw==}
-    cpu: [arm64]
-    os: [win32]
-
-  turbo@2.7.5:
-    resolution: {integrity: sha512-7Imdmg37joOloTnj+DPrab9hIaQcDdJ5RwSzcauo/wMOSAgO+A/I/8b3hsGGs6PWQz70m/jkPgdqWsfNKtwwDQ==}
+  turbo@2.9.14:
+    resolution: {integrity: sha512-BQqXRr4UoWI3UPFrtznCLykYHxwxWh53iCB57x092jPMjIlW1wnm3N895g5irpiXmnxUhREBB0n6+y8BHhs4nw==}
     hasBin: true
 
   tweetnacl@0.14.5:
@@ -15705,6 +15705,24 @@ snapshots:
       openapi3-ts: 2.0.2
       zod: 3.23.8
 
+  '@turbo/darwin-64@2.9.14':
+    optional: true
+
+  '@turbo/darwin-arm64@2.9.14':
+    optional: true
+
+  '@turbo/linux-64@2.9.14':
+    optional: true
+
+  '@turbo/linux-arm64@2.9.14':
+    optional: true
+
+  '@turbo/windows-64@2.9.14':
+    optional: true
+
+  '@turbo/windows-arm64@2.9.14':
+    optional: true
+
   '@tybys/wasm-util@0.10.1':
     dependencies:
       tslib: 2.8.1
@@ -16903,7 +16921,7 @@ snapshots:
     dependencies:
       baseline-browser-mapping: 2.10.31
       caniuse-lite: 1.0.30001793
-      electron-to-chromium: 1.5.359
+      electron-to-chromium: 1.5.360
       node-releases: 2.0.44
       update-browserslist-db: 1.2.3(browserslist@4.28.2)
 
@@ -17894,7 +17912,7 @@ snapshots:
 
   electron-to-chromium@1.5.267: {}
 
-  electron-to-chromium@1.5.359: {}
+  electron-to-chromium@1.5.360: {}
 
   emoji-regex@8.0.0: {}
 
@@ -23389,32 +23407,14 @@ snapshots:
 
   tunnel@0.0.6: {}
 
-  turbo-darwin-64@2.7.5:
-    optional: true
-
-  turbo-darwin-arm64@2.7.5:
-    optional: true
-
-  turbo-linux-64@2.7.5:
-    optional: true
-
-  turbo-linux-arm64@2.7.5:
-    optional: true
-
-  turbo-windows-64@2.7.5:
-    optional: true
-
-  turbo-windows-arm64@2.7.5:
-    optional: true
-
-  turbo@2.7.5:
+  turbo@2.9.14:
     optionalDependencies:
-      turbo-darwin-64: 2.7.5
-      turbo-darwin-arm64: 2.7.5
-      turbo-linux-64: 2.7.5
-      turbo-linux-arm64: 2.7.5
-      turbo-windows-64: 2.7.5
-      turbo-windows-arm64: 2.7.5
+      '@turbo/darwin-64': 2.9.14
+      '@turbo/darwin-arm64': 2.9.14
+      '@turbo/linux-64': 2.9.14
+      '@turbo/linux-arm64': 2.9.14
+      '@turbo/windows-64': 2.9.14
+      '@turbo/windows-arm64': 2.9.14
 
   tweetnacl@0.14.5: {}