Merge branch 'main' into fix/TURBO-5147-next-vulnerability

Author: anthonyshew

.github/workflows/test-js-packages.yml

@@ -70,7 +70,7 @@ jobs:
         # to run when turbo core changes. This job (`js_packages`) does not run on turborpeo core
         # changes, and we don't want to enable that beahvior for _all_ our JS packages.
         run: |
-          TURBO_API= turbo run check-types test build package-checks --filter="!turborepo-repository" --filter={./packages/*}...[${{ github.event.pull_request.base.sha || 'HEAD^1' }}] --color --env-mode=strict
+          TURBO_API= turbo run check-types test build package-checks --filter="!turborepo-repository" --filter="!@turbo/coverage-reporter" --filter={./packages/*}...[${{ github.event.pull_request.base.sha || 'HEAD^1' }}] --color --env-mode=strict
         env:
           NODE_VERSION: ${{ matrix.node-version }}
 

.github/workflows/turborepo-test.yml

@@ -26,6 +26,7 @@ jobs:
       with-svelte-example: ${{ steps.filter.outputs.with-svelte-example }}
       with-tailwind-example: ${{ steps.filter.outputs.with-tailwind-example }}
       rest: ${{ steps.filter.outputs.rest }}
+      rust: ${{ steps.filter.outputs.rust }}
       native-lib: ${{ steps.filter.outputs.native-lib }}
     steps:
       - name: Checkout
@@ -107,11 +108,25 @@ jobs:
             echo "No changes outside examples/ and docs/ directories"
           fi
 
+          # Detect if Rust/core code changed (requires Rust tests + integration tests)
+          # This excludes JS-only changes like packages/*, lockfile, etc.
+          RUST_PATTERNS="^(crates/|cli/|Cargo\.|rust-toolchain|\.cargo/|turborepo-tests/)"
+          RUST_CHANGES=$(echo "$CHANGED_FILES" | grep -E "$RUST_PATTERNS" || true)
+
+          if [ -n "$RUST_CHANGES" ]; then
+            echo "rust=true" >> $GITHUB_OUTPUT
+            echo "Rust/core changes detected:"
+            echo "$RUST_CHANGES"
+          else
+            echo "rust=false" >> $GITHUB_OUTPUT
+            echo "No Rust/core changes detected (JS-only change)"
+          fi
+
   generate-integration-test-matrix:
     name: Generate integration test matrix
     needs:
       - find-changes
-    if: ${{ needs.find-changes.outputs.rest == 'true' }}
+    if: ${{ needs.find-changes.outputs.rust == 'true' }}
     runs-on: ubuntu-latest
     timeout-minutes: 30
     outputs:
@@ -142,7 +157,7 @@ jobs:
       - generate-integration-test-matrix
     runs-on: ${{ matrix.os.runner }}
     timeout-minutes: 30
-    if: ${{ needs.find-changes.outputs.rest == 'true' && needs.generate-integration-test-matrix.result == 'success' }}
+    if: ${{ needs.find-changes.outputs.rust == 'true' && needs.generate-integration-test-matrix.result == 'success' }}
     env:
       SCCACHE_BUCKET: turborepo-sccache
       SCCACHE_REGION: us-east-2
@@ -221,7 +236,7 @@ jobs:
     name: "@turbo/types codegen check"
     needs:
       - find-changes
-    if: ${{ needs.find-changes.outputs.rest == 'true' }}
+    if: ${{ needs.find-changes.outputs.rust == 'true' }}
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
@@ -265,7 +280,7 @@ jobs:
     timeout-minutes: 30
     needs:
       - find-changes
-    if: ${{ needs.find-changes.outputs.rest == 'true' }}
+    if: ${{ needs.find-changes.outputs.rust == 'true' }}
     name: Rust testing on ${{ matrix.os.name }} (partition ${{ matrix.partition }}/2)
     env:
       SCCACHE_BUCKET: turborepo-sccache
@@ -334,7 +349,7 @@ jobs:
     timeout-minutes: 45
     needs:
       - find-changes
-    if: ${{ needs.find-changes.outputs.rest == 'true' }}
+    if: ${{ needs.find-changes.outputs.rust == 'true' }}
     name: Rust testing on ubuntu (partition ${{ matrix.partition }}/2)
     env:
       SCCACHE_BUCKET: turborepo-sccache
@@ -408,7 +423,7 @@ jobs:
     needs:
       - find-changes
       - rust_test_ubuntu
-    if: ${{ needs.find-changes.outputs.rest == 'true' }}
+    if: ${{ needs.find-changes.outputs.rust == 'true' }}
     env:
       COVERAGE_API_URL: ${{ secrets.COVERAGE_API_URL }}
     steps:

package.json

@@ -2,6 +2,11 @@
   "name": "turbo-monorepo",
   "version": "0.0.0",
   "private": true,
+  "pnpm": {
+    "overrides": {
+      "fast-xml-parser": ">=5.3.4"
+    }
+  },
   "scripts": {
     "build": "turbo run build",
     "build:turbo": "pnpm run --filter=cli build",
@@ -28,7 +33,7 @@
     "lint-staged": "13.1.0",
     "oxfmt": "^0.23.0",
     "oxlint": "^1.35.0",
-    "semver": "7.5.0",
+    "semver": "7.5.2",
     "typescript": "5.5.4"
   },
   "lint-staged": {

packages/create-turbo/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-turbo",
-  "version": "2.8.1",
+  "version": "2.8.2-canary.0",
   "description": "Create a new Turborepo",
   "homepage": "https://turborepo.dev",
   "license": "MIT",
@@ -43,7 +43,7 @@
     "@types/semver": "7.3.12",
     "jest": "29.7.0",
     "ts-jest": "29.2.5",
-    "tsup": "6.7.0",
+    "tsup": "8.5.1",
     "typescript": "5.5.4"
   },
   "files": [

packages/eslint-config-turbo/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eslint-config-turbo",
-  "version": "2.8.1",
+  "version": "2.8.2-canary.0",
   "type": "commonjs",
   "description": "ESLint config for Turborepo",
   "license": "MIT",

packages/eslint-plugin-turbo/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-turbo",
-  "version": "2.8.1",
+  "version": "2.8.2-canary.0",
   "description": "ESLint plugin for Turborepo",
   "keywords": [
     "turbo",

packages/turbo-codemod/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@turbo/codemod",
-  "version": "2.8.1",
+  "version": "2.8.2-canary.0",
   "description": "Provides Codemod transformations to help upgrade your Turborepo codebase when a feature is deprecated.",
   "homepage": "https://turborepo.dev",
   "license": "MIT",
@@ -21,7 +21,6 @@
     "lint:prettier": "prettier -c . --cache --ignore-path=../../.prettierignore"
   },
   "dependencies": {
-    "axios": "0.27.2",
     "commander": "9.5.0",
     "diff": "5.1.0",
     "find-up": "4.1.0",
@@ -56,7 +55,7 @@
     "plop": "3.1.1",
     "semver": "7.5.0",
     "ts-jest": "29.2.5",
-    "tsup": "6.7.0",
+    "tsup": "8.5.1",
     "typescript": "5.5.4"
   },
   "files": [

packages/turbo-codemod/src/commands/migrate/steps/getLatestVersion.ts

@@ -1,4 +1,3 @@
-import axios from "axios";
 import type { MigrateCommandOptions } from "../types";
 
 const DEFAULT_REGISTRY = "https://registry.npmjs.org";
@@ -16,10 +15,11 @@ async function getPackageDetails({ packageName }: { packageName: string }) {
     process.env.npm_config_registry?.replace(/\/$/, "") || DEFAULT_REGISTRY;
 
   try {
-    const result = await axios.get<PackageDetailsResponse>(
-      `${registry}/${packageName}`
-    );
-    return result.data;
+    const response = await fetch(`${registry}/${packageName}`);
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}`);
+    }
+    return (await response.json()) as PackageDetailsResponse;
   } catch (err) {
     throw new Error(`Unable to fetch the latest version of ${packageName}`);
   }

packages/turbo-gen/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@turbo/gen",
-  "version": "2.8.1",
+  "version": "2.8.2-canary.0",
   "description": "Extend a Turborepo",
   "type": "commonjs",
   "homepage": "https://turborepo.dev",

packages/turbo-ignore/package.json

@@ -1,6 +1,6 @@
 {
   "name": "turbo-ignore",
-  "version": "2.8.1",
+  "version": "2.8.2-canary.0",
   "description": "",
   "homepage": "https://turborepo.dev",
   "keywords": [],
@@ -38,7 +38,7 @@
     "commander": "11.0.0",
     "jest": "29.7.0",
     "ts-jest": "29.2.5",
-    "tsup": "5.12.9",
+    "tsup": "8.5.1",
     "typescript": "5.5.4"
   }
 }