
chore(deps): upgrade turbo to 2.9.14 to fix CSRF vulnerability #1731

Merged
ArtieReus merged 3 commits into main from artie-upgrade-turbo-because-vulnerability
Jun 1, 2026

Conversation

Collaborator

@ArtieReus ArtieReus commented May 29, 2026

Summary

Upgrades turbo from 2.5.6 to 2.9.14 to fix a CSRF vulnerability in Turborepo's login callback flow (Dependabot alert #212).

Security Impact: Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. A malicious web page could send a request to the local callback server with an attacker-controlled token during authentication.

Changes Made

  • Upgraded turbo from 2.5.6 to 2.9.14 (security fix for CSRF vulnerability)
  • Upgraded pnpm from 10.32.1 to 10.34.1 (lockfile handling improvements)

Related Issues

Screenshots (if applicable)

N/A - dependency upgrade only

Testing Instructions

  1. pnpm i
  2. pnpm build
  3. pnpm lint
  4. pnpm typecheck
  5. pnpm test

Checklist

  • I have performed a self-review of my code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have made corresponding changes to the documentation (if applicable).
  • My changes generate no new warnings or errors.
  • I have created a changeset for my changes.

PR Manifesto

Review the PR Manifesto for best practices.

Signed-off-by: Arturo Reuschenbach Puncernau <reuschenbach@gmail.com>
Copilot AI review requested due to automatic review settings May 29, 2026 13:14
@ArtieReus ArtieReus requested a review from a team as a code owner May 29, 2026 13:14

changeset-bot Bot commented May 29, 2026

⚠️ No Changeset found

Latest commit: cf10170

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


Contributor

Copilot AI left a comment


Pull request overview

This PR updates the monorepo’s build tooling dependencies to address a reported Turborepo CSRF vulnerability by upgrading turbo, and also bumps the pinned pnpm version used via packageManager.

Changes:

  • Upgraded turbo from 2.5.6 to 2.9.14.
  • Updated the root packageManager pin from pnpm@10.32.1 to pnpm@10.34.1.
  • Refreshed pnpm-lock.yaml to reflect the new Turborepo package layout (@turbo/* optional binaries).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File            Description
package.json    Bumps turbo and the pinned pnpm version via packageManager.
pnpm-lock.yaml  Updates the lockfile to match turbo@2.9.14 resolution and its platform-specific optional deps.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

@ArtieReus ArtieReus self-assigned this May 29, 2026
@ArtieReus ArtieReus added the greenhouse-pr-build Set this label to create a preview image which will automatically set the `greenhouse-pr-preview` label May 29, 2026
@github-actions github-actions Bot added the greenhouse-pr-preview THIS LABEL IS SET AUTOMATICALLY. label May 29, 2026
@github-actions github-actions Bot added greenhouse-pr-preview THIS LABEL IS SET AUTOMATICALLY. and removed greenhouse-pr-preview THIS LABEL IS SET AUTOMATICALLY. labels May 29, 2026
@ArtieReus ArtieReus merged commit 10b1896 into main Jun 1, 2026
23 checks passed
@ArtieReus ArtieReus deleted the artie-upgrade-turbo-because-vulnerability branch June 1, 2026 08:09
@github-actions github-actions Bot removed the greenhouse-pr-preview THIS LABEL IS SET AUTOMATICALLY. label Jun 1, 2026
5 participants