v2.8.2

📅 Feb 3, 2026📦 turborepoView on GitHub →

✨ 1 features🐛 20 fixes🔧 19 symbols

Summary

This release primarily addresses numerous security vulnerabilities by upgrading dependencies across documentation, create-turbo, codemods, eslint, and core packages. It also includes a feature migration from tsup to tsdown in create-turbo.

Migration Steps

If you rely on the build tooling in create-turbo, note the migration from tsup to tsdown.

✨ New Features

Migrated build toolchain in create-turbo from tsup to tsdown.

🐛 Bug Fixes

Fixed HTTP deserialization DoS vulnerability by upgrading next.
Fixed lodash-es vulnerability by upgrading mermaid in documentation.
Fixed lodash vulnerability by upgrading recharts in documentation.
Fixed mdast-util-to-hast vulnerability by upgrading rehype packages.
Fixed rollup and glob vulnerabilities by upgrading tsup in create-turbo.
Fixed tmp vulnerability by upgrading inquirer to 8.2.7 in create-turbo.
Fixed brace-expansion ReDoS vulnerabilities by upgrading ts-jest to 29.4.6 in create-turbo.
Fixed SSRF vulnerability by upgrading axios in @turbo/codemod.
Replaced axios with native fetch in turbo-codemod.
Fixed DoS vulnerabilities by upgrading diff in @turbo/codemod.
Fixed stack overflow vulnerability by upgrading eslint devDependency.
Fixed arbitrary request vulnerability by upgrading esbuild.
Fixed escaping for link titles in Examples/LinksService.
Fixed RangeError DoS by upgrading fast-xml-parser.
Fixed ReDoS vulnerability by upgrading semver.
Fixed security vulnerabilities by upgrading tar.
Fixed @octokit vulnerabilities by upgrading @actions/github.
Fixed undici vulnerability by upgrading @vercel/blob and @actions packages.
Fixed CVE-2025-64718 by upgrading js-yaml.
Removed smooth scrolling from docs.

Affected Symbols

next mermaid recharts rehype packages tsup inquirer ts-jest axios fetch diff eslint esbuild fast-xml-parser semver tar @actions/github @vercel/blob @actions packages js-yaml