chore(deps): bump the npm_and_yarn group across 5 directories with 3 updates by dependabot[bot] · Pull Request #1871 · Crossmint/crossmint-sdk

dependabot · 2026-05-29T19:48:53Z

Bumps the npm_and_yarn group with 3 updates in the / directory: turbo, next and uuid.
Bumps the npm_and_yarn group with 1 update in the /apps/auth/nextjs-ssr directory: next.
Bumps the npm_and_yarn group with 1 update in the /apps/payments/nextjs directory: next.
Bumps the npm_and_yarn group with 1 update in the /apps/wallets/quickstart-devkit directory: next.
Bumps the npm_and_yarn group with 1 update in the /packages/client/base directory: uuid.

Updates turbo from 2.2.3 to 2.9.14

Release notes

Sourced from turbo's releases.

Turborepo v2.9.14

[!NOTE] This release contains important security fixes.

High:

GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation

GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

release(turborepo): 2.9.12 by @github-actions[bot] in vercel/turborepo#12774

fix: Restore docs mobile menu by @anthonyshew in vercel/turborepo#12782

ci: Use pull_request for PR title linting by @anthonyshew in vercel/turborepo#12787

ci: Scope GitHub Actions caches by branch by @anthonyshew in vercel/turborepo#12788

test: Validate lockfiles without dependency downloads by @anthonyshew in vercel/turborepo#12789

Removed unneeded import form hash creation script in docs by @dancrumb in vercel/turborepo#12799

fix: Validate auth callback state by @anthonyshew in vercel/turborepo#12802

fix: Harden VS Code extension command execution by @anthonyshew in vercel/turborepo#12800

fix: Avoid project-local Yarn during detection by @anthonyshew in vercel/turborepo#12801

chore: Release 2.9.13 by @anthonyshew in vercel/turborepo#12803

New Contributors

@dancrumb made their first contribution in vercel/turborepo#12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

Turborepo v2.9.13-canary.1

What's Changed

Changelog

release(turborepo): 2.9.11-canary.7 by @github-actions[bot] in vercel/turborepo#12768

fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @anthonyshew in vercel/turborepo#12770

release(turborepo): 2.9.11 by @github-actions[bot] in vercel/turborepo#12771

fix: Allow transit nodes in LSP diagnostics by @anthonyshew in vercel/turborepo#12773

release(turborepo): 2.9.12 by @github-actions[bot] in vercel/turborepo#12774

fix: Restore docs mobile menu by @anthonyshew in vercel/turborepo#12782

ci: Use pull_request for PR title linting by @anthonyshew in vercel/turborepo#12787

ci: Scope GitHub Actions caches by branch by @anthonyshew in vercel/turborepo#12788

test: Validate lockfiles without dependency downloads by @anthonyshew in vercel/turborepo#12789

Removed unneeded import form hash creation script in docs by @dancrumb in vercel/turborepo#12799

fix: Validate auth callback state by @anthonyshew in vercel/turborepo#12802

fix: Harden VS Code extension command execution by @anthonyshew in vercel/turborepo#12800

fix: Avoid project-local Yarn during detection by @anthonyshew in vercel/turborepo#12801

... (truncated)

Commits

fc62fe0 publish 2.9.14 to registry
fb8c9ae chore: Release 2.9.13 (#12803)
e8e629d fix: Avoid project-local Yarn during detection (#12801)
91c90cb fix: Harden VS Code extension command execution (#12800)
84f4508 fix: Validate auth callback state (#12802)
1779ad7 Removed unneeded import form hash creation script in docs (#12799)
71f8c90 test: Validate lockfiles without dependency downloads (#12789)
5fcb960 ci: Scope GitHub Actions caches by branch (#12788)
4cf9fab ci: Use pull_request for PR title linting (#12787)
859c629 fix: Restore docs mobile menu (#12782)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for turbo since your current version.

Updates next from 15.5.15 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Commits

9ff92ce v15.5.18
00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
62c97ab v15.5.17
423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
fa78739 Turbopack: Fix middleware matcher suffix (#93590)
36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
36589b5 [backport][test] Pin package manager to patch versions (#93596)
ad6fd4e v15.5.16
79d7dff Ignore malformed CSP nonce headers (#103)
c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates uuid from 9.0.1 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

expect crypto to be global everywhere (requires node@20+) (#935)

drop node@18 support (#934)

Features

drop node@18 support (#934) (dc4ddb8)

Bug Fixes

expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)

Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

rerelease to fix provenance. (49ccb35)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

make browser exports the default (#901)

Bug Fixes

make browser exports the default (#901) (bce9d72)

v12.0.1

12.0.1 (2026-04-29)

... (truncated)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

crypto is now expected to be globally defined (requires node@20+) (#935)

drop node@18 support (#934)

upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

make browser exports the default (#901)

Bug Fixes

make browser exports the default (#901) (bce9d72)

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

update to typescript@5.2 (#887)

remove CommonJS support (#886)

drop node@16 support (#883)

Features

add node@24 to ci matrix (#879) (42b6178)

drop node@16 support (#883) (0f38cf1)

remove CommonJS support (#886) (ae786e2)

update to typescript@5.2 (#887) (c7ee405)

Bug Fixes

improve v4() performance (#894) (5fd974c)

restore node: prefix (#889) (e1f42a3)

11.1.0 (2025-02-19)

... (truncated)

Commits

7c1ea08 chore(main): release 14.0.0 (#926)
3d2c5b0 Merge commit from fork
f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
529ef08 chore: upgrade TypeScript and fixup types (#927)
086fd79 chore: update dependencies (#933)
dc4ddb8 feat!: drop node@18 support (#934)
0f1f9c9 chore: switch to Biome for parsing and linting (#932)
e2879e6 chore: use maintained version of npm-run-all (#930)
ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
0423d49 docs: remove obsolete v1 option notes (#915)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates next from 15.5.15 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Commits

9ff92ce v15.5.18
00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
62c97ab v15.5.17
423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
fa78739 Turbopack: Fix middleware matcher suffix (#93590)
36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
36589b5 [backport][test] Pin package manager to patch versions (#93596)
ad6fd4e v15.5.16
79d7dff Ignore malformed CSP nonce headers (#103)
c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates turbo from 2.2.3 to 2.9.14

Release notes

Sourced from turbo's releases.

Turborepo v2.9.14

[!NOTE] This release contains important security fixes.

High:

GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation

GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

release(turborepo): 2.9.12 by @github-actions[bot] in vercel/turborepo#12774

fix: Restore docs mobile menu by @anthonyshew in vercel/turborepo#12782

ci: Use pull_request for PR title linting by @anthonyshew in vercel/turborepo#12787

ci: Scope GitHub Actions caches by branch by @anthonyshew in vercel/turborepo#12788

test: Validate lockfiles without dependency downloads by @anthonyshew in vercel/turborepo#12789

Removed unneeded import form hash creation script in docs by @dancrumb in vercel/turborepo#12799

fix: Validate auth callback state by @anthonyshew in vercel/turborepo#12802

fix: Harden VS Code extension command execution by @anthonyshew in vercel/turborepo#12800

fix: Avoid project-local Yarn during detection by @anthonyshew in vercel/turborepo#12801

chore: Release 2.9.13 by @anthonyshew in vercel/turborepo#12803

New Contributors

@dancrumb made their first contribution in vercel/turborepo#12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

Turborepo v2.9.13-canary.1

What's Changed

Changelog

release(turborepo): 2.9.11-canary.7 by @github-actions[bot] in vercel/turborepo#12768

fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @anthonyshew in vercel/turborepo#12770

release(turborepo): 2.9.11 by @github-actions[bot] in vercel/turborepo#12771

fix: Allow transit nodes in LSP diagnostics by @anthonyshew in vercel/turborepo#12773

release(turborepo): 2.9.12 by @github-actions[bot] in vercel/turborepo#12774

fix: Restore docs mobile menu by @anthonyshew in vercel/turborepo#12782

ci: Use pull_request for PR title linting by @anthonyshew in vercel/turborepo#12787

ci: Scope GitHub Actions caches by branch by @anthonyshew in vercel/turborepo#12788

test: Validate lockfiles without dependency downloads by @anthonyshew in vercel/turborepo#12789

Removed unneeded import form hash creation script in docs by @dancrumb in vercel/turborepo#12799

fix: Validate auth callback state by @anthonyshew in vercel/turborepo#12802

fix: Harden VS Code extension command execution by @anthonyshew in vercel/turborepo#12800

fix: Avoid project-local Yarn during detection by @anthonyshew in vercel/turborepo#12801

... (truncated)

Commits

fc62fe0 publish 2.9.14 to registry
fb8c9ae chore: Release 2.9.13 (#12803)
e8e629d fix: Avoid project-local Yarn during detection (#12801)
91c90cb fix: Harden VS Code extension command execution (#12800)
84f4508 fix: Validate auth callback state (#12802)
1779ad7 Removed unneeded import form hash creation script in docs (#12799)
71f8c90 test: Validate lockfiles without dependency downloads (#12789)
5fcb960 ci: Scope GitHub Actions caches by branch (#12788)
4cf9fab ci: Use pull_request for PR title linting (#12787)
859c629 fix: Restore docs mobile menu (#12782)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for turbo since your current version.

Updates uuid from 9.0.1 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

expect crypto to be global everywhere (requires node@20+) (#935)

drop node@18 support (#934)

Features

drop node@18 support (#934) (dc4ddb8)

Bug Fixes

expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)

Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

rerelease to fix provenance. (49ccb35)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

make browser exports the default (#901)

Bug Fixes

make browser exports the default (#901) (bce9d72)

v12.0.1

12.0.1 (2026-04-29)

... (truncated)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

crypto is now expected to be globally defined (requires node@20+) (#935)

drop node@18 support (#934)

upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

make browser exports the default (#901)

Bug Fixes

make browser exports the default (#901) (bce9d72)

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

update to typescript@5.2 (#887)

remove CommonJS support (#886)

drop node@16 support (#883)

Features

add node@24 to ci matrix (#879) (42b6178)

drop node@16 support (#883) (0f38cf1)

remove CommonJS support (#886) (ae786e2)

update to typescript@5.2 (#887) (c7ee405)

Bug Fixes

improve v4() performance (#894) (5fd974c)

restore node: prefix (#889) (e1f42a3)

11.1.0 (2025-02-19)

... (truncated)

Commits

7c1ea08 chore(main): release 14.0.0 (#926)
3d2c5b0 Merge commit from fork
f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
529ef08 chore: upgrade TypeScript and fixup types (#927)
086fd79 chore: update dependencies (#933)
dc4ddb8 feat!: drop node@18 support (#934)
0f1f9c9 chore: switch to Biome for parsing and linting (#932)
e2879e6 chore: use maintained version of npm-run-all (#930)
ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
0423d49 docs: remove obsolete v1 option notes (#915)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates next from 15.5.15 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Commits

9ff92ce v15.5.18
00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
62c97ab v15.5.17
423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
fa78739 Turbopack: Fix middleware matcher suffix (#93590)
36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
36589b5 [backport][test] Pin package manager to patch versions (#93596)
ad6fd4e v15.5.16
79d7dff Ignore malformed CSP nonce headers (#103)
c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates turbo from 2.2.3 to 2.9.14

Release notes

Sourced from turbo's releases.

Turborepo v2.9.14

[!NOTE] This release contains important security fixes.

High:

GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation

GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

release(turborepo): 2.9.12 by @github-actions[bot] in vercel/turborepo#12774

fix: Restore docs mobile menu by @anthonyshew in vercel/turborepo#12782

ci: Use pull_request for PR title linting by @anthonyshew in vercel/turborepo#12787

ci: Scope GitHub Actions caches by branch by @anthonyshew in vercel/turborepo#12788

test: Validate lockfiles without dependency downloads by @anthonyshew in vercel/turborepo#12789

Removed unneeded import form hash creation script in docs by @dancrumb in vercel/turborepo#12799

fix: Validate auth callback state by @anthonyshew in vercel/turborepo#12802

fix: Harden VS Code extension command execution by @anthonyshew in vercel/turborepo#12800

fix: Avoid project-local Yarn during detection by @anthonyshew in vercel/turborepo#12801

chore: Release 2.9.13 by @anthonyshew in vercel/turborepo#12803

New Contributors

@dancrumb made their first contribution in vercel/turborepo#12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

Turborepo v2.9.13-canary.1

What's Changed

Changelog

release(turborepo): 2.9.11-canary.7 by @github-actions[bot] in vercel/turborepo#12768

fi...
Description has been truncated

changeset-bot · 2026-05-29T19:49:02Z

⚠️ No Changeset found

Latest commit: 0a193a0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

greptile-apps · 2026-05-29T19:52:35Z

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
pnpm-lock.yaml:98-101
**Lock file specifier out of sync with package.json for `apps/wallets/react`**

The `pnpm-lock.yaml` records `specifier: 15.5.15` for `apps/wallets/react`, but the corresponding `package.json` specifies `"next": "^15.5.18"`. These must agree, so running `pnpm install --frozen-lockfile` (common in CI) will fail with a lockfile-mismatch error. More importantly, any install that does succeed from this lock file will resolve `15.5.15` — the version *before* the high-severity security patches (middleware/proxy bypasses, DoS, SSRF) that `15.5.16`–`15.5.18` were specifically released to fix.

### Issue 2 of 2
packages/client/base/package.json:33
**Stale `@types/uuid` dev dependency after major version upgrade**

`uuid` was bumped from `9.0.1` to `14.0.0`, but `@types/uuid` is still pinned at `9.0.4`. Starting from `uuid` v10+, the package ships its own TypeScript declarations, making `@types/uuid` unnecessary. Keeping the v9 type definitions alongside the v14 package can produce duplicate or conflicting type declarations, which may cause `tsc` errors in consuming packages.

_{Reviews (1): Last reviewed commit: "chore(deps): bump the npm_and_yarn group..." | Re-trigger Greptile}

github-actions · 2026-05-29T19:55:40Z

🔥 Smoke Test Results

✅ Status: Passed

Statistics

Total Tests: 0
Passed: 0 ✅
Failed: 0
Skipped: 0
Duration: 3.01 min

✅ All smoke tests passed!

All critical flows are working correctly.

This is a non-blocking smoke test. Full regression tests run separately.

greptile-apps · 2026-06-01T14:18:19Z

Prompt To Fix All With AI

Fix the following 3 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 3
pnpm-lock.yaml:452-455
**Lockfile specifier mismatch for multiple packages**

The `specifier` field in `pnpm-lock.yaml` must match the exact constraint in `package.json`. After this PR, multiple packages have stale specifiers:

- `apps/auth/nextjs-ssr`: lockfile still says `specifier: 15.5.15`, but `package.json` was bumped to `"15.5.18"`
- `apps/payments/nextjs`: same mismatch
- `apps/wallets/quickstart-devkit`: same mismatch
- `apps/wallets/react`: lockfile says `specifier: 15.5.15`, but `package.json` now says `"^15.5.18"`

Any CI step using `pnpm install --frozen-lockfile` (or `pnpm ci`) will fail with an "outdated lockfile" error because the specifiers no longer match the manifests. The lockfile needs to be regenerated with `pnpm install` after these `package.json` changes.

### Issue 2 of 3
apps/wallets/react/package.json:16
**Next.js downgraded from v16 to v15 in this workspace**

The `pnpm-lock.yaml` shows that `apps/wallets/react` was previously resolving `next@16.2.3` (from specifier `^16.2.3`). This PR changes the constraint to `^15.5.18`, which is a major version downgrade. If any Next.js 16 APIs or features are used in this app, they would break silently at runtime. Please confirm this is intentional and that the app has been tested against Next.js 15.

### Issue 3 of 3
packages/client/base/package.json:27
**Large `uuid` major version jump with several breaking changes**

This bumps `uuid` from `9.0.1` to `14.0.0`, spanning five major releases. Key breaking changes across the skipped versions:

- **v12**: CommonJS support was removed — the package is now ESM-only. Any consumer using `require('uuid')` or a bundler configured for CJS will break.
- **v13**: Browser exports became the default, which changes module resolution for Node.js consumers unless they explicitly use the `node` condition.
- **v14**: Node.js ≥20 is now required; `crypto` must be globally available. If the project or its consumers run on Node 18, `uuid` will throw at runtime.

No direct `import ... from 'uuid'` was found in `packages/client/base/src`, so the impact may be limited — but please verify whether any downstream consumer of this package imports `uuid` via CommonJS or runs on Node 18.

_{Reviews (2): Last reviewed commit: "chore(deps): bump the npm_and_yarn group..." | Re-trigger Greptile}

greptile-apps · 2026-06-01T14:18:24Z

        specifier: ^14.6.1
        version: 14.6.1
      next:
-        specifier: ^16.2.3
-        version: 16.2.3(@babel/core@7.28.5)(@playwright/test@1.54.2)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@1.0.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        specifier: 15.5.15


Lockfile specifier mismatch for multiple packages

The specifier field in pnpm-lock.yaml must match the exact constraint in package.json. After this PR, multiple packages have stale specifiers:

apps/auth/nextjs-ssr: lockfile still says specifier: 15.5.15, but package.json was bumped to "15.5.18"

apps/payments/nextjs: same mismatch

apps/wallets/quickstart-devkit: same mismatch

apps/wallets/react: lockfile says specifier: 15.5.15, but package.json now says "^15.5.18"

Any CI step using pnpm install --frozen-lockfile (or pnpm ci) will fail with an "outdated lockfile" error because the specifiers no longer match the manifests. The lockfile needs to be regenerated with pnpm install after these package.json changes.

Prompt To Fix With AI

This is a comment left during a code review. Path: pnpm-lock.yaml Line: 452-455 Comment: **Lockfile specifier mismatch for multiple packages** The `specifier` field in `pnpm-lock.yaml` must match the exact constraint in `package.json`. After this PR, multiple packages have stale specifiers: - `apps/auth/nextjs-ssr`: lockfile still says `specifier: 15.5.15`, but `package.json` was bumped to `"15.5.18"` - `apps/payments/nextjs`: same mismatch - `apps/wallets/quickstart-devkit`: same mismatch - `apps/wallets/react`: lockfile says `specifier: 15.5.15`, but `package.json` now says `"^15.5.18"` Any CI step using `pnpm install --frozen-lockfile` (or `pnpm ci`) will fail with an "outdated lockfile" error because the specifiers no longer match the manifests. The lockfile needs to be regenerated with `pnpm install` after these `package.json` changes. How can I resolve this? If you propose a fix, please make it concise.

greptile-apps · 2026-06-01T14:18:25Z

        "@solana/web3.js": "1.98.1",
        "@stellar/stellar-sdk": "^14.6.1",
-        "next": "^16.2.3",
+        "next": "^15.5.18",


Next.js downgraded from v16 to v15 in this workspace

The pnpm-lock.yaml shows that apps/wallets/react was previously resolving next@16.2.3 (from specifier ^16.2.3). This PR changes the constraint to ^15.5.18, which is a major version downgrade. If any Next.js 16 APIs or features are used in this app, they would break silently at runtime. Please confirm this is intentional and that the app has been tested against Next.js 15.

Prompt To Fix With AI

This is a comment left during a code review. Path: apps/wallets/react/package.json Line: 16 Comment: **Next.js downgraded from v16 to v15 in this workspace** The `pnpm-lock.yaml` shows that `apps/wallets/react` was previously resolving `next@16.2.3` (from specifier `^16.2.3`). This PR changes the constraint to `^15.5.18`, which is a major version downgrade. If any Next.js 16 APIs or features are used in this app, they would break silently at runtime. Please confirm this is intentional and that the app has been tested against Next.js 15. How can I resolve this? If you propose a fix, please make it concise.

greptile-apps · 2026-06-01T14:18:26Z

        "@datadog/browser-logs": "6.24.1",
        "exponential-backoff": "3.1.1",
-        "uuid": "9.0.1",
+        "uuid": "14.0.0",


Large uuid major version jump with several breaking changes

This bumps uuid from 9.0.1 to 14.0.0, spanning five major releases. Key breaking changes across the skipped versions:

v12: CommonJS support was removed — the package is now ESM-only. Any consumer using require('uuid') or a bundler configured for CJS will break.

v13: Browser exports became the default, which changes module resolution for Node.js consumers unless they explicitly use the node condition.

v14: Node.js ≥20 is now required; crypto must be globally available. If the project or its consumers run on Node 18, uuid will throw at runtime.

No direct import ... from 'uuid' was found in packages/client/base/src, so the impact may be limited — but please verify whether any downstream consumer of this package imports uuid via CommonJS or runs on Node 18.

Prompt To Fix With AI

This is a comment left during a code review. Path: packages/client/base/package.json Line: 27 Comment: **Large `uuid` major version jump with several breaking changes** This bumps `uuid` from `9.0.1` to `14.0.0`, spanning five major releases. Key breaking changes across the skipped versions: - **v12**: CommonJS support was removed — the package is now ESM-only. Any consumer using `require('uuid')` or a bundler configured for CJS will break. - **v13**: Browser exports became the default, which changes module resolution for Node.js consumers unless they explicitly use the `node` condition. - **v14**: Node.js ≥20 is now required; `crypto` must be globally available. If the project or its consumers run on Node 18, `uuid` will throw at runtime. No direct `import ... from 'uuid'` was found in `packages/client/base/src`, so the impact may be limited — but please verify whether any downstream consumer of this package imports `uuid` via CommonJS or runs on Node 18. How can I resolve this? If you propose a fix, please make it concise.

dependabot · 2026-06-01T19:59:14Z

Superseded by #1875.

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 29, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-8c89b0c7e3 branch from 209f5eb to 0a193a0 Compare June 1, 2026 14:13

greptile-apps Bot reviewed Jun 1, 2026

View reviewed changes

dependabot Bot closed this Jun 1, 2026

dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-8c89b0c7e3 branch June 1, 2026 19:59

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 5 directories with 3 updates#1871

chore(deps): bump the npm_and_yarn group across 5 directories with 3 updates#1871
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-8c89b0c7e3

dependabot Bot commented on behalf of github May 29, 2026 •

edited

Loading

Uh oh!

changeset-bot Bot commented May 29, 2026 •

edited

Loading

Uh oh!

greptile-apps Bot commented May 29, 2026

Uh oh!

github-actions Bot commented May 29, 2026 •

edited

Loading

Uh oh!

greptile-apps Bot commented Jun 1, 2026

Uh oh!

greptile-apps Bot Jun 1, 2026

Uh oh!

greptile-apps Bot Jun 1, 2026

Uh oh!

greptile-apps Bot Jun 1, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Turborepo v2.9.14

High:

Low:

What's Changed

Changelog

New Contributors

Turborepo v2.9.13-canary.1

What's Changed

Changelog

v15.5.18

v15.5.16

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

Features

Bug Fixes

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

Bug Fixes

v12.0.1

12.0.1 (2026-04-29)

14.0.0 (2026-04-19)

Security

⚠ BREAKING CHANGES

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

Bug Fixes

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

Features

Bug Fixes

11.1.0 (2025-02-19)

v15.5.18

v15.5.16

Turborepo v2.9.14

High:

Low:

What's Changed

Changelog

New Contributors

Turborepo v2.9.13-canary.1

What's Changed

Changelog

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

Features

Bug Fixes

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

Bug Fixes

v12.0.1

12.0.1 (2026-04-29)

14.0.0 (2026-04-19)

Security

⚠ BREAKING CHANGES

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

Bug Fixes

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

Features

Bug Fixes

dependabot Bot commented on behalf of github May 29, 2026 •

edited

Loading

changeset-bot Bot commented May 29, 2026 •

edited

Loading

github-actions Bot commented May 29, 2026 •

edited

Loading