chore(deps): update dependency turbo to v2.9.14 [SECURITY]

[losol-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
turbo (source)	2.9.12 → 2.9.14

---

Turbo: Unexpected local code execution during Yarn Berry detection

CVE-2026-45772 / GHSA-3qcw-2rhx-2726

More information

Details

Impact

Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands.

Fix

Turbo now avoids executing project-local Yarn during package manager detection. Yarn versions and paths are inferred from metadata such as package.json, parsing the value of yarnPath in .yarnrc.yml rather than executing it, and yarn.lock, and unrecognized Yarn lockfile formats are rejected instead of falling back to executing yarn.

Workarounds

If you cannot upgrade immediately, do not run Turborepo commands in untrusted repositories. Review or remove .yarnrc.yml files that define yarnPath before running Turborepo, especially in CI or automated tooling that processes external projects.

Severity

• CVSS Score: 0.0 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726
• https://nvd.nist.gov/vuln/detail/CVE-2026-45772
• https://github.com/advisories/GHSA-3qcw-2rhx-2726

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Trubo: Login callback CSRF/session fixation

CVE-2026-45773 / GHSA-hcf7-66rw-9f5r

More information

Details

Impact

Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials.

This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected.

Fix

The login and SSO redirect flows now generate a random state value, include it in the browser authentication URL, and require the same value on the localhost callback before accepting a token. Callbacks with a missing or mismatched state are rejected.

Workarounds

If you cannot upgrade immediately, avoid browser-based self-hosted turbo login or SSO flows on machines that may load untrusted web content during authentication. Use a pre-provisioned token or environment-based authentication instead.

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N

References

• https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r
• https://nvd.nist.gov/vuln/detail/CVE-2026-45773
• https://github.com/advisories/GHSA-hcf7-66rw-9f5r

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vercel/turborepo (turbo)

v2.9.14: Turborepo v2.9.14

Compare Source

[!NOTE]
This release contains important security fixes.

High:

• GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

• GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation
• GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

• release(turborepo): 2.9.12 by @​github-actions[bot] in #​12774
• fix: Restore docs mobile menu by @​anthonyshew in #​12782
• ci: Use pull_request for PR title linting by @​anthonyshew in #​12787
• ci: Scope GitHub Actions caches by branch by @​anthonyshew in #​12788
• test: Validate lockfiles without dependency downloads by @​anthonyshew in #​12789
• Removed unneeded import form hash creation script in docs by @​dancrumb in #​12799
• fix: Validate auth callback state by @​anthonyshew in #​12802
• fix: Harden VS Code extension command execution by @​anthonyshew in #​12800
• fix: Avoid project-local Yarn during detection by @​anthonyshew in #​12801
• chore: Release 2.9.13 by @​anthonyshew in #​12803

New Contributors

• @​dancrumb made their first contribution in #​12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

---

Configuration

📅 Schedule: (in timezone Europe/Oslo)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[losol-renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 40 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
[WARN] The metadata of @types/react is missing the "time" field; skipping the minimumReleaseAge check for this package.
[WARN] The metadata of @types/node is missing the "time" field; skipping the minimumReleaseAge check for this package.
Progress: resolved 39, reused 0, downloaded 3, added 0
Progress: resolved 50, reused 0, downloaded 4, added 0
[WARN] The metadata of lucide-react is missing the "time" field; skipping the minimumReleaseAge check for this package.
Progress: resolved 86, reused 0, downloaded 4, added 0
[WARN] The metadata of tailwindcss-react-aria-components is missing the "time" field; skipping the minimumReleaseAge check for this package.
Progress: resolved 91, reused 0, downloaded 4, added 0
[WARN] The metadata of vite is missing the "time" field; skipping the minimumReleaseAge check for this package.
Progress: resolved 114, reused 0, downloaded 5, added 0
[WARN] The metadata of tailwindcss is missing the "time" field; skipping the minimumReleaseAge check for this package.
Progress: resolved 124, reused 0, downloaded 6, added 0
/tmp/renovate/repos/github/losol/eventuras/apps/web:
[ERR_PNPM_MISSING_TIME] The metadata of next is missing the "time" field

This error happened while installing a direct dependency of /tmp/renovate/repos/github/losol/eventuras/apps/web

If you cannot fix this registry issue, then set "resolution-mode" to "highest".

[github-actions]

No changeset found. Consider running pnpm changeset or pnpm changeset:suggest locally.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud