
fix: Upgrade ts-jest to 29.4.6 to fix brace-expansion ReDoS vulnerabilities#11623

Merged
anthonyshew merged 1 commit into main from anthonyshew/turbo-5172-brace-expansion
Feb 1, 2026

Conversation

@anthonyshew
Contributor

Summary

  • Upgrades ts-jest from 29.2.5 to 29.4.6 across all 8 packages that use it
  • ts-jest 29.4.6 uses handlebars instead of ejs, eliminating the vulnerable dependency chain

Why

TURBO-5172 and TURBO-5173 flagged brace-expansion ReDoS vulnerabilities coming from:

  • create-turbo > ts-jest > ejs > jake > filelist > minimatch > brace-expansion

The vulnerable versions were:

  • brace-expansion v1 (needs >=1.1.12)
  • brace-expansion v2 (needs >=2.0.2)

ts-jest 29.4.6 removed its dependency on ejs (switched to handlebars), which completely breaks this chain.

Testing

  • All tests pass for create-turbo and all other affected packages
  • Build succeeds

…lities

ts-jest 29.4.6 uses handlebars instead of ejs, which eliminates the
dependency chain: ts-jest -> ejs -> jake -> filelist -> minimatch ->
brace-expansion that was pulling in vulnerable versions of brace-expansion.

Fixes TURBO-5172 and TURBO-5173.
@anthonyshew anthonyshew requested a review from a team as a code owner February 1, 2026 21:38
@anthonyshew anthonyshew requested review from tknickman and removed request for a team February 1, 2026 21:38
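The PR verifies the fix by observing that the ts-jest -> ejs -> jake -> filelist -> minimatch -> brace-expansion chain is gone. The script below is an added example, not code from the turborepo repository or this PR: it audits an npm package-lock.json (lockfileVersion 2 or 3, where `packages` is keyed by install path) for brace-expansion copies still older than the fixed releases the PR names (1.1.12 for the v1 line, 2.0.2 for the v2 line) and prints the physical nesting path of each one. turborepo itself uses pnpm; npm's JSON lockfile is used here only because it parses with no extra dependency. The two sample lockfiles are constructed for illustration, and treating major lines the PR does not mention (3.x and later) as unaffected is this script's assumption.

```javascript
// Added example (not from the turborepo PR): audit an npm package-lock.json for
// brace-expansion versions still below the fixed releases named in the PR.

// Fixed versions as stated in the PR: v1 needs >=1.1.12, v2 needs >=2.0.2.
const FIXED_BY_MAJOR = { 1: [1, 1, 12], 2: [2, 0, 2] };

function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`cannot parse version "${version}"`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is in an affected major line and older than that
// line's fix. Major lines the PR does not mention (3.x and later) are treated
// as unaffected; that is this script's assumption, not a claim from the PR.
function isVulnerableBraceExpansion(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_BY_MAJOR[parsed[0]];
  if (!fixed) return false;
  return compareVersions(parsed, fixed) < 0;
}

// Lock keys look like "node_modules/filelist/node_modules/minimatch/node_modules/brace-expansion";
// each "node_modules/" hop is one level of physical nesting. A hoisted copy shows
// as a single hop, so this is the install tree, not the full logical dependency chain.
function chainFromKey(key) {
  return key
    .split('node_modules/')
    .map((segment) => segment.replace(/\/$/, ''))
    .filter(Boolean);
}

function findVulnerableBraceExpansion(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key.endsWith('node_modules/brace-expansion')) continue;
    if (isVulnerableBraceExpansion(entry.version)) {
      hits.push({ version: entry.version, chain: chainFromKey(key) });
    }
  }
  return hits;
}

function formatHits(hits) {
  return hits.map((h) => `brace-expansion@${h.version} via ${h.chain.join(' > ')}`);
}

// Constructed sample lockfiles, not taken from the repository.
// Before: ts-jest 29.2.5 pulls ejs -> jake -> filelist -> minimatch -> brace-expansion,
// leaving a hoisted vulnerable v1 copy and a nested vulnerable v2 copy.
const SAMPLE_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'create-turbo' },
    'node_modules/brace-expansion': { version: '1.1.11' },
    'node_modules/filelist/node_modules/minimatch': { version: '5.1.6' },
    'node_modules/filelist/node_modules/minimatch/node_modules/brace-expansion': { version: '2.0.1' },
    'node_modules/ts-jest': { version: '29.2.5' },
  },
};

// After: ts-jest 29.4.6 no longer depends on ejs, and the remaining copies are fixed.
const SAMPLE_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'create-turbo' },
    'node_modules/brace-expansion': { version: '2.0.2' },
    'node_modules/glob/node_modules/brace-expansion': { version: '1.1.12' },
    'node_modules/ts-jest': { version: '29.4.6' },
  },
};

console.log('before:', formatHits(findVulnerableBraceExpansion(SAMPLE_BEFORE)));
console.log('after: ', formatHits(findVulnerableBraceExpansion(SAMPLE_AFTER)));
```

To run it against a real lockfile, feed `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerableBraceExpansion`; an empty result means no copy in an affected major line is below its fix. The chain it prints is the install-tree nesting, so a hoisted hit such as `brace-expansion@1.1.11 via brace-expansion` still needs `npm ls brace-expansion` (or the package manager's equivalent) to name the top-level package that requested it.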
@vercel
Contributor

vercel Bot commented Feb 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project                    Deployment  Updated (UTC)
examples-basic-web         Ready       Feb 1, 2026 9:39pm
examples-designsystem-docs Ready       Feb 1, 2026 9:39pm
examples-gatsby-web        Ready       Feb 1, 2026 9:39pm
examples-kitchensink-blog  Ready       Feb 1, 2026 9:39pm
examples-nonmonorepo       Ready       Feb 1, 2026 9:39pm
examples-svelte-web        Ready       Feb 1, 2026 9:39pm
examples-tailwind-web      Ready       Feb 1, 2026 9:39pm
examples-vite-web          Ready       Feb 1, 2026 9:39pm
turbo-site                 Ready       Feb 1, 2026 9:39pm

1 Skipped Deployment
turborepo-test-coverage    Skipped     Feb 1, 2026 9:39pm

@turbo-orchestrator turbo-orchestrator Bot added labels: pkg: create-turbo, pkg: turbo-codemod, pkg: turbo-eslint, pkg: turbo-gen, pkg: turbo-ignore, pkg: turbo-workspaces (Feb 1, 2026)
@anthonyshew anthonyshew merged commit 469f9dd into main Feb 1, 2026
47 checks passed
@anthonyshew anthonyshew deleted the anthonyshew/turbo-5172-brace-expansion branch February 1, 2026 23:00
anthonyshew pushed a commit that referenced this pull request Feb 1, 2026
## Canary Release

Versioned docs: https://v2-8-2-canary-3.turborepo.dev

### Included Changes

- 469f9dd - fix: Upgrade ts-jest to 29.4.6 to fix brace-expansion ReDoS
vulnerabilities (#11623) (#11623)
- af6aef8 - fix: Upgrade inquirer to 8.2.7 to fix tmp vulnerability
(#11622) (#11622)
- 73e1a65 - fix: Consolidate canary releases into release workflow for
npm trusted publishing (#11624) (#11624)
- e192b8e - fix: Upgrade diff to fix DoS vulnerabilities (#11621)
(#11621)
- c79e54e - fix: Upgrade rehype packages to fix mdast-util-to-hast
vulnerability (#11616) (#11616)
- aceb210 - fix: Pass secrets explicitly in canary workflow (#11620)
(#11620)
- d6ca8cd - fix: Add explicit secrets declarations to release
workflow_call trigger (#11619) (#11619)
- a0c22ca - ci: Automated canary release pipeline (#11618) (#11618)

---
Release PR for turborepo v2.8.2-canary.3

Co-authored-by: Turbobot <turbobot@vercel.com>