
v2.8.4

📦 turborepo
🐛 30 fixes 🔧 46 symbols

Summary

This release primarily focuses on patching numerous security vulnerabilities across dependencies in create-turbo, eslint, and core components by performing extensive dependency upgrades. Key changes include replacing vulnerable or unmaintained crates like `serde_yaml` and `oxc_resolver`.

Migration Steps

  1. If you were relying on `serde_yaml`, you may need to update configuration loading logic due to the migration to `serde_yml` and subsequently to `serde_yaml_ng`.
  2. If you were relying on `oxc_resolver`, you may need to update configuration loading logic due to the migration to `unrs_resolver`.
  3. If you were relying on `unic-segment`, you may need to update logic in `globwatch` consumers due to its replacement with `unicode-segmentation`.

🐛 Bug Fixes

  • Upgraded semver in create-turbo to fix ReDoS vulnerability.
  • Upgraded inquirer in create-turbo to remove lodash dependency.
  • Upgraded tsdown in create-turbo to resolve valibot ReDoS vulnerability.
  • Upgraded jest to v30 in create-turbo to resolve brace-expansion ReDoS vulnerability.
  • Upgraded Next.js to 16.1.5 in eslint to fix DoS vulnerabilities.
  • Upgraded eslint to v10 in eslint to resolve @eslint/plugin-kit ReDoS vulnerability.
  • Upgraded tar to 7.5.7 to address security vulnerabilities.
  • Upgraded ts-json-schema-generator to fix glob command injection vulnerability.
  • Upgraded fumadocs and shiki in docs to resolve mdast-util-to-hast vulnerability.
  • Replaced ts-node with tsx to resolve diff DoS vulnerability.
  • Upgraded bytes to >=1.11.1 to fix RUSTSEC-2026-0007.
  • Upgraded ratatui to 0.30.0 to drop unmaintained paste crate.
  • Upgraded reqwest as a step toward addressing RUSTSEC-2025-0134.
  • Fixed code syntax highlighting in docs by using correct Shiki CSS variable names.
  • Upgraded async-io to 2.x to drop unmaintained instant crate.
  • Migrated from unmaintained serde_yaml to serde_yml.
  • Upgraded test-case and merge to drop unmaintained proc-macro-error.
  • Upgraded indicatif to 0.18.3 to drop unmaintained number_prefix.
  • Upgraded rustls chain to resolve RUSTSEC-2025-0134.
  • Upgraded test-case to resolve transitive proc-macro-error.
  • Upgraded pest/pest_derive to resolve yanked version.
  • Upgraded git2 to fix RUSTSEC-2026-0008.
  • Upgraded pprof to fix RUSTSEC-2024-0408.
  • Upgraded portable-pty to resolve RUSTSEC-2017-0008.
  • Upgraded oxc_resolver to resolve yanked papaya dependency.
  • Upgraded futures/futures-util to resolve yanked futures-util 0.3.30.
  • Replaced unic-segment with unicode-segmentation in globwatch.
  • Replaced `serde_yml` with `serde_yaml_ng` to fix RUSTSEC-2025-0067/0068.
  • Replaced `oxc_resolver` with `unrs_resolver` to fix yanked `papaya` dependency.
  • Upgraded node-plop to 0.32.3.

Affected Symbols