v2.9.10
📦 turborepoView on GitHub →
🐛 19 fixes🔧 3 symbols
Summary
This release focuses heavily on security hardening, fixing numerous bugs related to proxy validation, telemetry, token handling, and internal IPC endpoints. It also includes improvements to dependency resolution and environment variable respecting.
🐛 Bug Fixes
- Respect SCM environment variables in `turbo query affected`.
- Avoid some raw telemetry usage in `create-turbo` examples.
- Escape HTML payloads for the graph visualization.
- Prevent OpenTelemetry (OTEL) token injection to spoofed origins.
- Retry HTTP status failures during operations.
- Validate microfrontend proxy Host header.
- Redact task hash environment debug logs.
- Filter microfrontend proxy environments.
- Preserve FSEvents mount points for device-relative paths.
- Validate proxy Host headers.
- Resolve TypeScript `.js` extension imports to `.ts` files within module boundaries.
- Use a random temporary path for repository downloads.
- Reject OTel endpoints that contain userinfo.
- Authenticate local devtools WebSocket connections.
- Handle errors during clipboard execution.
- Restrict Vercel token reuse to trusted API origins.
- Keep workspace configuration discovery confined to the root directory.
- Harden daemon Inter-Process Communication (IPC) endpoints.
- Enforce cache filesystem boundaries.