fix: Upgrade h2 to fix CONTINUATION Flood #11658

Merged
anthonyshew merged 6 commits into main from h2-upgrade
Feb 3, 2026

@anthonyshew anthonyshew commented Feb 2, 2026

Summary

  • Upgrades h2 to 0.3.27 and 0.4.13
  • Fixes RUSTSEC-2024-0332 (Degradation of service with CONTINUATION Flood)

This is a transitive dependency through hyper/tonic.

CLOSES TURBO-5181

@anthonyshew anthonyshew requested a review from a team as a code owner February 2, 2026 20:58
@anthonyshew anthonyshew requested review from tknickman and removed request for a team February 2, 2026 20:58
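
A lockfile check for the two h2 release lines named in the summary above, as an added example that is not part of this PR or Turborepo's code. It treats 0.3.27 and 0.4.13 as assumed minimum versions; the `Cargo.lock` excerpt and the function names are constructed for illustration.

```rust
// Added example (not Turborepo code). Constructed Cargo.lock excerpt.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "h2"
version = "0.3.24"
[[package]]
name = "h2"
version = "0.4.13"
[[package]]
name = "hyper"
version = "1.4.1"
"#;

/// Parse "major.minor.patch", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Return every locked h2 version below the floor for its release line.
/// Floors are the versions named in the PR summary (assumed minimums here).
fn stale_h2_versions(lockfile: &str) -> Vec<String> {
    let floors: [(u64, u64, u64); 2] = [(0, 3, 27), (0, 4, 13)];
    let (mut stale, mut in_h2) = (Vec::new(), false);
    for line in lockfile.lines().map(str::trim) {
        if line == "[[package]]" {
            in_h2 = false;
        } else if line == "name = \"h2\"" {
            in_h2 = true;
        } else if in_h2 && line.starts_with("version = ") {
            let raw = line["version = ".len()..].trim_matches('"');
            let below = match parse_version(raw) {
                // Known line: compare to its floor. Other lines: stale only if older.
                Some(v) => match floors.iter().find(|f| (f.0, f.1) == (v.0, v.1)) {
                    Some(f) => v < *f,
                    None => v < floors[0],
                },
                None => true, // unparseable version: fail closed
            };
            if below { stale.push(raw.to_string()); }
        }
    }
    stale
}

fn main() {
    println!("h2 entries below floor: {:?}", stale_h2_versions(SAMPLE_LOCK));
}
```

Because h2 arrives transitively, a lockfile can hold a 0.3.x and a 0.4.x entry at the same time, so each entry is checked against the floor for its own line.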

vercel Bot commented Feb 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| examples-basic-web | Ready | Preview, Comment, Open in v0 | Feb 3, 2026 2:55pm |
| examples-designsystem-docs | Ready | Preview, Comment, Open in v0 | Feb 3, 2026 2:55pm |
| examples-gatsby-web | Ready | Preview, Comment, Open in v0 | Feb 3, 2026 2:55pm |
| examples-kitchensink-blog | Ready | Preview, Comment, Open in v0 | Feb 3, 2026 2:55pm |
| examples-nonmonorepo | Ready | Preview, Comment, Open in v0 | Feb 3, 2026 2:55pm |
| examples-svelte-web | Ready | Preview, Comment, Open in v0 | Feb 3, 2026 2:55pm |
| examples-tailwind-web | Ready | Preview, Comment, Open in v0 | Feb 3, 2026 2:55pm |
| examples-vite-web | Ready | Preview, Comment, Open in v0 | Feb 3, 2026 2:55pm |
| turbo-site | Ready | Preview, Comment, Open in v0 | Feb 3, 2026 2:55pm |
| turborepo-test-coverage | Ready | Preview, Comment, Open in v0 | Feb 3, 2026 2:55pm |


codspeed-hq Bot commented Feb 3, 2026

CodSpeed Performance Report

Congrats! CodSpeed is installed 🎉

🆕 4 new benchmarks were detected.

You will start to see performance impacts in the reports once the benchmarks are run from your default branch.

Detected benchmarks


github-actions Bot commented Feb 3, 2026

Coverage Report

| Metric | Coverage |
| --- | --- |
| Lines | 75.90% |
| Functions | 46.75% |
| Branches | 0.00% |

View full report

Upgrade tonic from 0.11 to 0.12.3 which uses hyper 1.x and h2 0.4.x,
eliminating the vulnerable h2 0.3.x dependency (CVE-2024-27316).

Changes:
- tonic 0.11.0 -> 0.12.3
- tonic-build 0.8.4 -> 0.12.3
- prost 0.12.3 -> 0.13
- Add hyper-util for TokioIo wrapper (hyper 1.x compatibility)
- Add http-body for generic Body trait
- Update connector to wrap streams with TokioIo
- Update default_timeout_layer to use generic Body trait
- Fix prost::DecodeError -> prost::UnknownEnumValue (prost 0.13 change)
- Fix build.rs compile() -> compile_protos() deprecation
Comment thread crates/turborepo-daemon/src/connector.rs Outdated
@anthonyshew anthonyshew merged commit 2539cb3 into main Feb 3, 2026
253 of 257 checks passed
@anthonyshew anthonyshew deleted the h2-upgrade branch February 3, 2026 16:17
github-actions Bot added a commit that referenced this pull request Feb 3, 2026
## Release v2.8.3-canary.2

Versioned docs: https://v2-8-3-canary-2.turborepo.dev

### Changes

- fix: Upgrade crossbeam-channel to 0.5.15 (#11657) (`4b6d1b1768`)
- fix: Upgrade h2 to fix CONTINUATION Flood (#11658) (`2539cb3169`)
- release(turborepo): 2.8.3-canary.1 (#11671) (`8b6c606080`)

Co-authored-by: Turbobot <turbobot@vercel.com>