v2.9.14

High:

• GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

• GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation
• GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

<!-- Release notes generated using configuration in .github/release.yml at v2.9.14 -->

What's Changed

Changelog

• release(turborepo): 2.9.12 by @github-actions[bot] in https://github.com/vercel/turborepo/pull/12774
• fix: Restore docs mobile menu by @anthonyshew in https://github.com/vercel/turborepo/pull/12782
• ci: Use pull_request for PR title linting by @anthonyshew in https://github.com/vercel/turborepo/pull/12787
• ci: Scope GitHub Actions caches by branch by @anthonyshew in https://github.com/vercel/turborepo/pull/12788
• test: Validate lockfiles without dependency downloads by @anthonyshew in https://github.com/vercel/turborepo/pull/12789
• Removed unneeded import form hash creation script in docs by @dancrumb in https://github.com/vercel/turborepo/pull/12799
• fix: Validate auth callback state by @anthonyshew in https://github.com/vercel/turborepo/pull/12802
• fix: Harden VS Code extension command execution by @anthonyshew in https://github.com/vercel/turborepo/pull/12800
• fix: Avoid project-local Yarn during detection by @anthonyshew in https://github.com/vercel/turborepo/pull/12801
• chore: Release 2.9.13 by @anthonyshew in https://github.com/vercel/turborepo/pull/12803

New Contributors

• @dancrumb made their first contribution in https://github.com/vercel/turborepo/pull/12799

Full Changelog: https://github.com/vercel/turborepo/compare/v2.9.12...v2.9.14