Bump turbo from 2.5.6 to 2.5.8

[dependabot]

Bumps turbo from 2.5.6 to 2.5.8.

Release notes

Sourced from turbo's releases.

Turborepo v2.5.8

What's Changed

create-turbo

• fix: revert #10847 by @​anthonyshew in vercel/turborepo#10882

Changelog

• chore: add Cursor slash command by @​anthonyshew in vercel/turborepo#10881

Full Changelog: vercel/turborepo@v2.5.7...v2.5.8

Turborepo v2.5.8-canary.0

What's Changed

create-turbo

• fix: revert #10847 by @​anthonyshew in vercel/turborepo#10882

Changelog

• chore: add Cursor slash command by @​anthonyshew in vercel/turborepo#10881

Full Changelog: vercel/turborepo@v2.5.7...v2.5.8-canary.0

Turborepo v2.5.7

What's Changed

Docs

• docs: add TURBO_CONCURRENCY to options overview page by @​anthonyshew in vercel/turborepo#10772
• fix(docs): fix broken anchor links to --graph option by @​anthonyshew in vercel/turborepo#10773
• docs: clarify TURBO_TEAM secret usage by @​vikhyathdevadiga in vercel/turborepo#10795
• docs: add Buildkite example to CI Vendors documentation by @​AndrewDiMola in vercel/turborepo#10721
• docs: rework llms.txt and add .md responses by @​anthonyshew in vercel/turborepo#10811
• docs: add name field mention to migration page by @​anthonyshew in vercel/turborepo#10823
• docs: update configuration reference to use correct turbo.json title by @​xcfio in vercel/turborepo#10843
• docs: correct description of how ^ works by @​anthonyshew in vercel/turborepo#10865

create-turbo

• feat(create-turbo): --no-git flag by @​anthonyshew in vercel/turborepo#10720
• chore(create-turbo): fix lint by @​chris-olszewski in vercel/turborepo#10807
• fix(security): update dependencies to resolve warning for node-plop by @​anthonyshew in vercel/turborepo#10847

eslint

• docs: adjust typo on instructions for eslint-config-turbo legacy config by @​evsasse in vercel/turborepo#10717

@​turbo/repository

• chore: reformat code with 2024 edition by @​ognevny in vercel/turborepo#10775

Examples

• chore(deps-dev): bump the with-svelte group in /examples/with-svelte with 6 updates by @​dependabot[bot] in vercel/turborepo#10752
• chore(deps-dev): bump turbo from 2.5.5 to 2.5.6 in /examples/with-shell-commands by @​dependabot[bot] in vercel/turborepo#10781
• chore(deps-dev): bump @​sveltejs/kit from 2.27.3 to 2.31.1 in /examples/with-svelte in the with-svelte group by @​dependabot[bot] in vercel/turborepo#10780
• chore(deps-dev): bump @​next/eslint-plugin-next from 15.4.2 to 15.4.6 in /examples/with-tailwind by @​dependabot[bot] in vercel/turborepo#10779

... (truncated)

Commits

• 98fe819 publish 2.5.8 to registry
• 132cf58 release(turborepo): 2.5.8-canary.0 (#10883)
• adfdbb1 fix: revert #10847 (#10882)
• 157e277 chore: add Cursor slash command (#10881)
• 0a5070a release(turborepo): 2.5.7 (#10878)
• 1b512ec fix: sanitize logging prefix for GitLab groups (#10850)
• f5ff573 ci: update deprecated turbo setting (#10857)
• 9b85af0 fix: output valid turbo.json for prune with Boundaries definition (#10866)
• 2c6f798 docs: correct description of how ^ works (#10865)
• 7ea16e8 fix: add WINDIR to default passthroughs (#10868)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
❌ COPYPASTE	jscpd	yes		5	no	3.29s
✅ EDITORCONFIG	editorconfig-checker	2		0	0	0.27s
✅ JSON	jsonlint	2		0	0	0.44s
✅ JSON	npm-package-json-lint	yes		no	no	0.4s
✅ JSON	prettier	2	0	0	0	0.46s
✅ JSON	v8r	2		0	0	5.93s
✅ REPOSITORY	gitleaks	yes		no	no	3.1s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	25.79s
✅ REPOSITORY	secretlint	yes		no	no	0.52s
✅ REPOSITORY	syft	yes		no	no	1.58s
❌ REPOSITORY	trivy	yes		1	no	6.7s
✅ REPOSITORY	trivy-sbom	yes		no	no	3.85s
✅ REPOSITORY	trufflehog	yes		no	no	2.32s
✅ SPELL	cspell	3		0	0	3.6s
❌ SPELL	lychee	2		2	0	2.51s

Detailed Issues

❌ COPYPASTE / jscpd - 5 errors

Clone found (typescript):
 - packages/create-awesome-node-app/src/list.ts [76:16 - 87:2] (11 lines, 82 tokens)
   packages/create-awesome-node-app/src/list.ts [21:24 - 32:10]

Clone found (typescript):
 - packages/create-node-app-core/loaders.ts [143:21 - 155:6] (12 lines, 80 tokens)
   packages/create-node-app-core/loaders.ts [80:19 - 92:32]

Clone found (typescript):
 - packages/create-node-app-core/loaders.ts [186:9 - 201:19] (15 lines, 115 tokens)
   packages/create-node-app-core/loaders.ts [161:9 - 176:17]

Clone found (markdown):
 - packages/create-awesome-node-app/CHANGELOG.md [21:1 - 33:8] (12 lines, 327 tokens)
   packages/create-node-app-core/CHANGELOG.md [13:1 - 29:4]

Clone found (url):
 - README.md [218:1 - 232:70] (14 lines, 88 tokens)
   packages/create-awesome-node-app/README.md [286:1 - 300:70]

┌────────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format     │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ typescript │ 16             │ 2835        │ 22977        │ 3            │ 38 (1.34%)       │ 277 (1.21%)       │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ json       │ 23             │ 558         │ 3477         │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ markdown   │ 12             │ 1229        │ 7706         │ 1            │ 12 (0.98%)       │ 327 (4.24%)       │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ javascript │ 5              │ 81          │ 458          │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ url        │ 2              │ 32          │ 200          │ 1            │ 14 (43.75%)      │ 88 (44%)          │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ yaml       │ 1              │ 22          │ 45           │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:     │ 59             │ 4757        │ 34863        │ 5            │ 64 (1.35%)       │ 692 (1.98%)       │
└────────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 5 clones.
HTML report saved to megalinter-reports/copy-paste/html/
ERROR: jscpd found too many duplicates (1.35%) over threshold (0%)
Error: ERROR: jscpd found too many duplicates (1.35%) over threshold (0%)
    at ThresholdReporter.report (/node-deps/node_modules/@jscpd/finder/dist/index.js:612:13)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:110:18
    at Array.forEach (<anonymous>)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:109:22
    at async /node-deps/node_modules/jscpd/dist/jscpd.js:351:5

❌ SPELL / lychee - 2 errors

[404] https://opencollective.com/unts/projects/eslint-import-resolver-ts | Network error: Not Found
[403] https://www.patreon.com/feross | Network error: Forbidden
📝 Summary
---------------------
🔍 Total..........626
✅ Successful.....624
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........2

Errors in package-lock.json
[404] https://opencollective.com/unts/projects/eslint-import-resolver-ts | Network error: Not Found
[403] https://www.patreon.com/feross | Network error: Forbidden

❌ REPOSITORY / trivy - 1 error

2025-09-29T04:20:02Z	INFO	[vulndb] Need to update DB
2025-09-29T04:20:02Z	INFO	[vulndb] Downloading vulnerability DB...
2025-09-29T04:20:02Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
27.31 MiB / 71.49 MiB [----------------------->_____________________________________] 38.21% ? p/s ?68.64 MiB / 71.49 MiB [---------------------------------------------------------->__] 96.02% ? p/s ?71.49 MiB / 71.49 MiB [----------------------------------------------------------->] 100.00% ? p/s ?71.49 MiB / 71.49 MiB [---------------------------------------------->] 100.00% 73.58 MiB p/s ETA 0s71.49 MiB / 71.49 MiB [---------------------------------------------->] 100.00% 73.58 MiB p/s ETA 0s71.49 MiB / 71.49 MiB [---------------------------------------------->] 100.00% 73.58 MiB p/s ETA 0s71.49 MiB / 71.49 MiB [---------------------------------------------->] 100.00% 68.84 MiB p/s ETA 0s71.49 MiB / 71.49 MiB [---------------------------------------------->] 100.00% 68.84 MiB p/s ETA 0s71.49 MiB / 71.49 MiB [---------------------------------------------->] 100.00% 68.84 MiB p/s ETA 0s71.49 MiB / 71.49 MiB [---------------------------------------------->] 100.00% 64.40 MiB p/s ETA 0s71.49 MiB / 71.49 MiB [---------------------------------------------->] 100.00% 64.40 MiB p/s ETA 0s71.49 MiB / 71.49 MiB [---------------------------------------------->] 100.00% 64.40 MiB p/s ETA 0s71.49 MiB / 71.49 MiB [-------------------------------------------------] 100.00% 31.85 MiB p/s 2.4s2025-09-29T04:20:06Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-09-29T04:20:06Z	INFO	[vuln] Vulnerability scanning is enabled
2025-09-29T04:20:06Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-09-29T04:20:06Z	INFO	[misconfig] Need to update the checks bundle
2025-09-29T04:20:06Z	INFO	[misconfig] Downloading the checks bundle...
165.20 KiB / 165.20 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-09-29T04:20:08Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="node_modules"
2025-09-29T04:20:08Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="tools/danger/node_modules"
2025-09-29T04:20:08Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-09-29T04:20:08Z	INFO	Number of language-specific files	num=2
2025-09-29T04:20:08Z	INFO	[npm] Detecting vulnerabilities...
2025-09-29T04:20:08Z	INFO	Detected config files	num=2

Report Summary

┌───────────────────────────────┬────────────┬─────────────────┬───────────────────┐
│            Target             │    Type    │ Vulnerabilities │ Misconfigurations │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ package-lock.json             │    npm     │        0        │         -         │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ .devcontainer/Dockerfile      │ dockerfile │        -        │         2         │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ .devcontainer/base.Dockerfile │ dockerfile │        -        │         2         │
└───────────────────────────────┴────────────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


.devcontainer/Dockerfile (dockerfile)
=====================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


AVD-DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
────────────────────────────────────────



.devcontainer/base.Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


AVD-DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
────────────────────────────────────────

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff