chore(repo): bump turbo for security advisory

[jacekradko]

Bumps the root turbo dev dependency to ^2.9.14 to pick up the fix for the security advisory linked below, and refreshes the lockfile

Advisory: https://github.com/clerk/javascript/security/dependabot/866

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	May 21, 2026 7:58pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 407ad80

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the turbo devDependency from version ^2.5.4 to ^2.9.14 in package.json. A new changeset entry is created at .changeset/turbo-security-bump.md to document this security-related version bump, following the project's change documentation workflow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: bumping Turbo for a security advisory, which aligns with the changeset updates shown in the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description clearly explains the purpose of the changes: bumping the turbo dev dependency to fix a security advisory and refreshing the lockfile.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8616

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8616

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8616

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8616

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8616

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8616

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8616

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8616

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8616

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8616

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8616

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8616

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8616

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8616

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8616

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8616

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8616

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8616

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8616

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8616

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8616

commit: 407ad80