chore(security): upgrade turbo to patch CVE-2026-45773 / CVE-2026-45772#1
Kan-A-Pesh wants to merge 1 commit into
Upgrade turbo 2.6.3 → 2.9.14 to fix CVE-2026-45773 and CVE-2026-45772 (session fixation CSRF + local code execution vulnerabilities). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
No issues found across 2 files
Confidence score: 5/5
- Automated review surfaced no issues in the provided summaries.
- No files require special attention.
Auto-approved: This PR bumps the dev dependency turbo from 2.6.3 to 2.9.14 to fix two moderate CVEs, involves only a version change in package.json and the corresponding lockfile update, and carries no changes to business logic, configuration, or runtime code, making it a safe, low-impact upgrade.
Summary
Security dependency upgrade to remediate moderate-severity vulnerabilities in turbo.

Changes
turbo 2.6.3 (resolved 2.8.12) → 2.9.14 (MINOR upgrade)

The 2.9.x series introduces no breaking changes to pipeline configuration or task graph resolution. Upgrade is safe for the existing turbo.json config in this repo.

CVE / GHSA fixed
turbo: CVE-2026-45773, CVE-2026-45772

Commands run
check-types result: 0 successful, 0 total — no typecheck tasks are wired in turbo.json; no failures introduced.

Risks / breaking changes
- 2.x series. No turbo.json pipeline changes required.
- next@16.1.6 (resolved in lockfile) is outside the scope of this PR — not listed in the remediation matrix for this repo.

🤖 Generated with Claude Code
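The Changes section above shows why a bump like this is worth verifying against the lockfile rather than only the manifest: before the PR, the manifest entry 2.6.3 resolved to 2.8.12, so the version that actually gets installed is the lockfile's resolved version, not the number in package.json. The script below is an added example, not code from this PR or from the turbo project: it reads the resolved version of each named package out of an npm package-lock.json (lockfileVersion 3 layout, "packages" keyed by "node_modules/<name>") and reports whether it meets the minimum version the remediation expects. The two lockfile documents and the minimum version 2.9.14 (taken from the PR's target version) are constructed inline for the example; the `checkPatched`, `resolvedVersion` and `compareVersions` names are this example's own.

```javascript
// Added example (not from this PR or from turbo): confirm that a lockfile's
// resolved version of each listed package is at or above the patched minimum.
// Assumes the npm package-lock.json v3 layout; yarn/pnpm lockfiles differ.

// Constructed sample lockfiles: "before" resolves turbo to 2.8.12, "after" to 2.9.14.
const LOCKFILE_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { turbo: "2.6.3" } },
    "node_modules/turbo": { version: "2.8.12" },
  },
};
const LOCKFILE_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { turbo: "2.9.14" } },
    "node_modules/turbo": { version: "2.9.14" },
  },
};

// Minimum acceptable versions. 2.9.14 is the version this PR upgrades to;
// the advisory's exact fixed range is not stated on the page, so this is the
// remediation target, not a claim about the advisory itself.
const PATCHED_MINIMUM = { turbo: "2.9.14" };

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into a numeric triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: -1, 0 or 1. A plain string compare
// would rank "2.10.0" below "2.9.14", which is the mistake this avoids.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The version npm will actually install for a top-level dependency.
function resolvedVersion(lockfile, name) {
  const packages = lockfile.packages || {};
  const entry = packages[`node_modules/${name}`];
  return entry && entry.version ? entry.version : null;
}

// One finding per package in `minimums`: ok is true only when the lockfile
// resolves the package at or above the required version.
function checkPatched(lockfile, minimums) {
  const findings = [];
  for (const [name, minVersion] of Object.entries(minimums)) {
    const resolved = resolvedVersion(lockfile, name);
    if (resolved === null) {
      findings.push({ name, resolved: null, ok: false, reason: "not present in lockfile" });
    } else if (compareVersions(resolved, minVersion) < 0) {
      findings.push({ name, resolved, ok: false, reason: `resolved ${resolved} is below ${minVersion}` });
    } else {
      findings.push({ name, resolved, ok: true, reason: `resolved ${resolved} meets ${minVersion}` });
    }
  }
  return findings;
}

// Stand-alone run over the two constructed lockfiles.
for (const [label, lock] of [["before", LOCKFILE_BEFORE], ["after", LOCKFILE_AFTER]]) {
  for (const f of checkPatched(lock, PATCHED_MINIMUM)) {
    console.log(`${label}: ${f.name} ${f.ok ? "OK" : "FAIL"} - ${f.reason}`);
  }
}
```

Run against a real repository by replacing the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the point of reading the `node_modules/<name>` entry rather than the root `devDependencies` range is that only the former tells you what will be installed.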