[Snyk] Upgrade turbo from 2.0.4 to 2.5.2

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade turbo from 2.0.4 to 2.5.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 123 versions ahead of your current version.

• The recommended version was released 24 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	169	Proof of Concept

Release notes

Package name: turbo

• 2.5.2 - 2025-04-25
  

  What's Changed

  Docs

  • docs(chore): add robots.txt by @ anthonyshew in #10371
  • docs(fix): better usability on feedback form by @ anthonyshew in #10382
  • ci(docs): add linter check by @ anthonyshew in #10376

  Changelog

  • fix(dry): do not perform runtime validations on dry runs by @ chris-olszewski in #10375
  • feat(dry): include with in dry run/summary output by @ chris-olszewski in #10373
  • fix(microfrontends): respect packageName field by @ chris-olszewski in #10383
  • fix: correctly read execution args from watch command by @ kade-robertson in #10381
  • fix: update turbo-types with concurrency option by @ kade-robertson in #10379

  Full Changelog: v2.5.1...v2.5.2

• 2.5.2-canary.0 - 2025-04-25
  

  What's Changed

  Docs

  • docs(chore): add robots.txt by @ anthonyshew in #10371
  • docs(fix): better usability on feedback form by @ anthonyshew in #10382
  • ci(docs): add linter check by @ anthonyshew in #10376

  Changelog

  • fix(dry): do not perform runtime validations on dry runs by @ chris-olszewski in #10375
  • feat(dry): include with in dry run/summary output by @ chris-olszewski in #10373
  • fix(microfrontends): respect packageName field by @ chris-olszewski in #10383
  • fix: correctly read execution args from watch command by @ kade-robertson in #10381
  • fix: update turbo-types with concurrency option by @ kade-robertson in #10379

  Full Changelog: v2.5.1...v2.5.2-canary.0

• 2.5.1 - 2025-04-23
  

  What's Changed

  Docs

  • docs: 2.5 release post by @ anthonyshew in #10262
  • docs: correct usage of wordmark by @ anthonyshew in #10286
  • docs: navbar improvements by @ anthonyshew in #10287
  • docs: redirect /repo/docs to /docs by @ anthonyshew in #10232
  • chore(docs): remove expired data and code from when Turbopack was in this repo by @ anthonyshew in #10291
  • fix(docs): fix SVG attribute casing to remove React warnings by @ ohprettyhak in #10297
  • fix(docs): update redirects rule to resolve access issue on getting-started index page by @ ohprettyhak in #10296
  • docs: fix line highlights in yaml files by @ anthonyshew in #10306
  • docs: fix openapi paths by @ anthonyshew in #10309
  • docs: update instructions on where to get TURBO_TEAM token by @ anthonyshew in #10305
  • docs: list pnpm as first package manager by @ anthonyshew in #10293
  • docs(fix): persist tabs state by @ anthonyshew in #10313
  • docs: move content directory by @ anthonyshew in #10315
  • docs: add Bun to package manager tabs by @ anthonyshew in #10321
  • feat(codemod): update $schema when versioned by @ anthonyshew in #10319
  • docs: improve accuracy for self-hosted OpenAPI spec by @ anthonyshew in #10318
  • docs: add response header to OpenAPI spec by @ anthonyshew in #10327
  • docs: use new community domain by @ anthonyshew in #10334
  • feat: allow specifying concurrency in config / environment by @ kade-robertson in #10236
  • docs: clean up search results by @ anthonyshew in #10336
  • feat(sidebar): improve folder link accessibility and UX by @ 0xmuon in #10349
  • chore: use Turbopack for documentation builds by @ mischnic in #10312
  • docs: move support policy by @ anthonyshew in #10356
  • docs: make redirect permanent by @ anthonyshew in #10357
  • docs: copy to markdown button by @ anthonyshew in #10355
  • docs(chore): remove classnames dependency by @ anthonyshew in #10339
  • docs: fix link-checker file discovery by @ anthonyshew in #10348
  • docs: migrate to turborepo.com by @ anthonyshew in #10368

  create-turbo

  • docs(chore): remove /repo references from a few places by @ anthonyshew in #10370

  @ turbo/codemod

  • fix(codemod): check for pipeline key before using it by @ anthonyshew in #10295

  eslint

  • fix: broken link by @ t3duk in #10351

  @ turbo/repository

  • chore: update to Rust 1.86.0 by @ ognevny in #10282
  • fix(@ turbo/repository): no longer require packageManager to detect npm by @ chris-olszewski in #10314
  • chore(@ turbo/repository): bump version to canary 15 by @ chris-olszewski in #10337

  Examples

  • chore(examples): upgrade Turborepo version by @ anthonyshew in #10281
  • fix(examples): fix build in fresh vue example project by @ chameleonmind in #10277
  • chore(deps-dev): bump the with-tailwind group in /examples/with-tailwind with 6 updates by @ dependabot in #10300
  • chore(deps-dev): bump the non-monorepo group in /examples/non-monorepo with 2 updates by @ dependabot in #10301
  • chore(deps-dev): bump the with-svelte group in /examples/with-svelte with 3 updates by @ dependabot in #10302
  • chore(deps-dev): bump the basic group in /examples/basic with 7 updates by @ dependabot in #10303
  • chore(deps): bump the kitchen-sink group in /examples/kitchen-sink with 9 updates by @ dependabot in #10304
  • chore(deps-dev): bump eslint-plugin-react from 7.37.4 to 7.37.5 in /examples/kitchen-sink by @ dependabot in #10307
  • chore(deps): bump next from 15.2.1 to 15.2.4 in /examples/basic by @ dependabot in #10308
  • chore(deps-dev): bump @ next/eslint-plugin-next from 15.2.2 to 15.2.4 in /examples/with-tailwind by @ dependabot in #10310
  • chore(deps-dev): bump @ eslint/eslintrc from 3.3.0 to 3.3.1 in /examples/with-svelte by @ dependabot in #10311
  • chore(deps): bump the with-tailwind group in /examples/with-tailwind with 2 updates by @ dependabot in #10329
  • chore(deps): bump the kitchen-sink group in /examples/kitchen-sink with 2 updates by @ dependabot in #10330
  • chore(deps): bump the basic group in /examples/basic with 2 updates by @ dependabot in #10331
  • chore(deps-dev): bump svelte from 5.25.3 to 5.26.3 in /examples/with-svelte in the with-svelte group by @ dependabot in #10332
  • chore(deps): bump the non-monorepo group in /examples/non-monorepo with 7 updates by @ dependabot in #10333
  • docs: replace incorrect generator links (#10344) by @ sovetski in #10345
  • chore(deps-dev): bump the kitchen-sink group in /examples/kitchen-sink with 6 updates by @ dependabot in #10354
  • chore(deps): bump the non-monorepo group in /examples/non-monorepo with 5 updates by @ dependabot in #10358
  • chore(deps-dev): bump the with-svelte group in /examples/with-svelte with 5 updates by @ dependabot in #10359
  • chore(deps-dev): bump the with-tailwind group in /examples/with-tailwind with 3 updates by @ dependabot in #10360
  • chore(deps-dev): bump the basic group in /examples/basic with 3 updates by @ dependabot in #10361
  • fix(examples): change docker command by @ anthonyshew in #10362
  • fix(examples): with-svelte classes by @ anthonyshew in #10363

  Changelog

  • chore(release): use default path by @ tknickman in #10285
  • feat(tui): more keybinds for scrolling by @ anthonyshew in #10248
  • fix(microfrontends): ensure that local proxy is loose by @ chris-olszewski in #10289
  • chore: ignore ci and chore PRs in release notes by @ anthonyshew in #10292
  • feat(tui): configurable scrollback length by @ anthonyshew in #10247
  • fix(watch): allow usage of turbo.jsonc by @ anthonyshew in #10340
  • chore: update turbo-orchestrator.yml by @ anthonyshew in #10342
  • feat(ls): add dependents to json output by @ chris-olszewski in #10367

  New Contributors

  • @ chameleonmind made their first contribution in #10277
  • @ ohprettyhak made their first contribution in #10297
  • @ kade-robertson made their first contribution in #10236
  • @ sovetski made their first contribution in #10345
  • @ 0xmuon made their first contribution in #10349
  • @ t3duk made their first contribution in #10351

  Full Changelog: v2.5.0...v2.5.1

• 2.5.1-canary.2 - 2025-04-23
  

  What's Changed

  Docs

  • feat(sidebar): improve folder link accessibility and UX by @ 0xmuon in #10349
  • chore: use Turbopack for documentation builds by @ mischnic in #10312
  • docs: move support policy by Summary by Sourcery

    Upgrade the project’s turbo dependency from v2.0.4 to v2.5.2 to adopt the recommended version and address a high-severity ReDoS vulnerability.

    Bug Fixes:

    • Address Regular Expression Denial of Service (ReDoS) vulnerability in cross-spawn via upgraded dependency.

    Chores:

    • Bump turbo from 2.0.4 to 2.5.2 in package.json.

[sourcery-ai]

Reviewer's Guide

This PR updates the turbo package from version 2.0.4 to 2.5.2 in package.json to address a high-severity ReDoS vulnerability and ensure dependencies remain current.

File-Level Changes

Change	Details	Files
Bump turbo dependency version	Replace turbo version string 2.0.4 → 2.5.2	package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.