fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS vulnerability by anthonyshew · Pull Request #11702 · vercel/turborepo

anthonyshew · 2026-02-07T03:58:07Z

Summary

Upgrades tsdown from 0.9.3 to 0.20.3 in packages/create-turbo
This removes the transitive valibot dependency (tsdown → rolldown → valibot <1.2.0) which had a ReDoS vulnerability
tsdown is a devDependency used only for building, so the major version bump has no runtime impact

vercel · 2026-02-07T03:58:15Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
examples-basic-web	Ready	Preview, Comment, Open in v0	Feb 7, 2026 4:22am
examples-designsystem-docs	Ready	Preview, Comment, Open in v0	Feb 7, 2026 4:22am
examples-gatsby-web	Ready	Preview, Comment, Open in v0	Feb 7, 2026 4:22am
examples-kitchensink-blog	Ready	Preview, Comment, Open in v0	Feb 7, 2026 4:22am
examples-nonmonorepo	Ready	Preview, Comment, Open in v0	Feb 7, 2026 4:22am
examples-svelte-web	Ready	Preview, Comment, Open in v0	Feb 7, 2026 4:22am
examples-tailwind-web	Ready	Preview, Comment, Open in v0	Feb 7, 2026 4:22am
examples-vite-web	Ready	Preview, Comment, Open in v0	Feb 7, 2026 4:22am
turbo-site	Ready	Preview, Comment, Open in v0	Feb 7, 2026 4:22am
turborepo-test-coverage	Ready	Preview, Comment, Open in v0	Feb 7, 2026 4:22am

…ility

## Release v2.8.3-canary.8 Versioned docs: https://v2-8-3-canary-8.turborepo.dev ### Changes - fix: Upgrade eslint to v10 to resolve @eslint/plugin-kit ReDoS vulnerability (#11705) (`fd541f3a59`) - fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS vulnerability (#11702) (`e5efb86265`) - fix: Upgrade fumadocs and shiki in docs to resolve mdast-util-to-hast vulnerability (#11704) (`c94e2c54ed`) - fix: Upgrade inquirer to remove lodash dependency (#11709) (`87970c1fa4`) - release(turborepo): 2.8.3-canary.7 (#11686) (`d189b9e9e2`) Co-authored-by: Turbobot <turbobot@vercel.com>

## Release v2.8.3-canary.9 Versioned docs: https://v2-8-3-canary-9.turborepo.dev ### Changes - fix: Replace ts-node with tsx to resolve diff DoS vulnerability (#11708) (`1a3ae1d2ae`) - fix: Upgrade jest to v30 to resolve brace-expansion ReDoS vulnerability (#11706) (`50fb1c52b9`) - release(turborepo): 2.8.3-canary.8 (#11712) (`f54205e6f6`) - fix: Upgrade eslint to v10 to resolve @eslint/plugin-kit ReDoS vulnerability (#11705) (`fd541f3a59`) - fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS vulnerability (#11702) (`e5efb86265`) - fix: Upgrade fumadocs and shiki in docs to resolve mdast-util-to-hast vulnerability (#11704) (`c94e2c54ed`) Co-authored-by: Turbobot <turbobot@vercel.com>

anthonyshew requested a review from a team as a code owner February 7, 2026 03:58

anthonyshew requested review from tknickman and removed request for a team February 7, 2026 03:58

turbo-orchestrator Bot added the pkg: create-turbo Issues related to npx create-turbo label Feb 7, 2026

vercel Bot deployed to Preview – turborepo-test-coverage February 7, 2026 03:58 View deployment

anthonyshew force-pushed the fix/turbo-5234-valibot-v2 branch from 33b7f7e to 3dede47 Compare February 7, 2026 04:19

vercel Bot temporarily deployed to Preview – turborepo-test-coverage February 7, 2026 04:20 Inactive

fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS vulnerab…

bf423ac

…ility

anthonyshew force-pushed the fix/turbo-5234-valibot-v2 branch from 3dede47 to bf423ac Compare February 7, 2026 04:21

vercel Bot deployed to Preview – turborepo-test-coverage February 7, 2026 04:21 View deployment

anthonyshew merged commit e5efb86 into main Feb 7, 2026
43 checks passed

anthonyshew deleted the fix/turbo-5234-valibot-v2 branch February 7, 2026 04:24

github-actions Bot mentioned this pull request Feb 7, 2026

release(turborepo): 2.8.3-canary.8 #11712

Merged

github-actions Bot mentioned this pull request Feb 7, 2026

release(turborepo): 2.8.3-canary.9 #11713

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS vulnerability#11702

fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS vulnerability#11702
anthonyshew merged 1 commit intomainfrom
fix/turbo-5234-valibot-v2

anthonyshew commented Feb 7, 2026

Uh oh!

vercel Bot commented Feb 7, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

anthonyshew commented Feb 7, 2026

Summary

Uh oh!

vercel Bot commented Feb 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

vercel Bot commented Feb 7, 2026 •

edited

Loading