chore(deps): update dependency turbo to v2.9.14 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
turbo (source)	2.9.12 → 2.9.14

---

Turbo: Unexpected local code execution during Yarn Berry detection

CVE-2026-45772 / GHSA-3qcw-2rhx-2726

More information

Details

Impact

Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands.

Fix

Turbo now avoids executing project-local Yarn during package manager detection. Yarn versions and paths are inferred from metadata such as package.json, parsing the value of yarnPath in .yarnrc.yml rather than executing it, and yarn.lock, and unrecognized Yarn lockfile formats are rejected instead of falling back to executing yarn.

Workarounds

If you cannot upgrade immediately, do not run Turborepo commands in untrusted repositories. Review or remove .yarnrc.yml files that define yarnPath before running Turborepo, especially in CI or automated tooling that processes external projects.

Severity

• CVSS Score: 0.0 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/vercel/turborepo/security/advisories/GHSA-3qcw-2rhx-2726
• https://nvd.nist.gov/vuln/detail/CVE-2026-45772
• https://github.com/advisories/GHSA-3qcw-2rhx-2726

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Trubo: Login callback CSRF/session fixation

CVE-2026-45773 / GHSA-hcf7-66rw-9f5r

More information

Details

Impact

Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials.

This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected.

Fix

The login and SSO redirect flows now generate a random state value, include it in the browser authentication URL, and require the same value on the localhost callback before accepting a token. Callbacks with a missing or mismatched state are rejected.

Workarounds

If you cannot upgrade immediately, avoid browser-based self-hosted turbo login or SSO flows on machines that may load untrusted web content during authentication. Use a pre-provisioned token or environment-based authentication instead.

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N

References

• https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r
• https://nvd.nist.gov/vuln/detail/CVE-2026-45773
• https://github.com/advisories/GHSA-hcf7-66rw-9f5r

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vercel/turborepo (turbo)

v2.9.14: Turborepo v2.9.14

Compare Source

[!NOTE]
This release contains important security fixes.

High:

• GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

• GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation
• GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

• release(turborepo): 2.9.12 by @​github-actions[bot] in #​12774
• fix: Restore docs mobile menu by @​anthonyshew in #​12782
• ci: Use pull_request for PR title linting by @​anthonyshew in #​12787
• ci: Scope GitHub Actions caches by branch by @​anthonyshew in #​12788
• test: Validate lockfiles without dependency downloads by @​anthonyshew in #​12789
• Removed unneeded import form hash creation script in docs by @​dancrumb in #​12799
• fix: Validate auth callback state by @​anthonyshew in #​12802
• fix: Harden VS Code extension command execution by @​anthonyshew in #​12800
• fix: Avoid project-local Yarn during detection by @​anthonyshew in #​12801
• chore: Release 2.9.13 by @​anthonyshew in #​12803

New Contributors

• @​dancrumb made their first contribution in #​12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
searchneu	Ready	Preview, Comment	May 28, 2026 9:19pm
searchneu-docs	Ready	Preview, Comment	May 28, 2026 9:19pm