chore(deps): Bump turbo from 2.8.20 to 2.9.0

[dependabot]

Bumps turbo from 2.8.20 to 2.9.0.

Release notes

Sourced from turbo's releases.

Turborepo v2.9.0

What's Changed

Docs

• docs: Release post for 2.8 by @​anthonyshew in vercel/turborepo#11559
• docs: Update oxc.mdx to include cache false by @​bestickley in vercel/turborepo#11571
• docs: Fix curl markdown Accept header syntax in 2.8 release blog by @​marko-hologram in vercel/turborepo#11580
• docs: Fix worktree command in blog post by @​anthonyshew in vercel/turborepo#11583
• docs: Rename command → subcommand by @​anthonyshew in vercel/turborepo#11584
• feat: Add requestType tracking for header-negotiated markdown by @​molebox in vercel/turborepo#11585
• fix: Upgrade next to fix HTTP deserialization DoS by @​anthonyshew in vercel/turborepo#11597
• fix: Upgrade mermaid to fix lodash-es vulnerability by @​anthonyshew in vercel/turborepo#11611
• fix: Upgrade recharts to fix lodash vulnerability by @​anthonyshew in vercel/turborepo#11606
• chore: Move applications to apps/ directory by @​anthonyshew in vercel/turborepo#11613
• fix: Upgrade rehype packages to fix mdast-util-to-hast vulnerability by @​anthonyshew in vercel/turborepo#11616
• chore: Migrate to Ultracite by @​haydenbleasel in vercel/turborepo#11948
• fix: Strip JSX components from heading anchors and TOC entries by @​anthonyshew in vercel/turborepo#12404

create-turbo

• fix: Upgrade tsup to fix rollup and glob vulnerabilities by @​anthonyshew in vercel/turborepo#11601
• fix: Upgrade inquirer to 8.2.7 to fix tmp vulnerability by @​anthonyshew in vercel/turborepo#11622
• fix: Upgrade ts-jest to 29.4.6 to fix brace-expansion ReDoS vulnerabilities by @​anthonyshew in vercel/turborepo#11623
• feat: Migrate from tsup to tsdown by @​anthonyshew in vercel/turborepo#11649
• fix: Upgrade semver to fix ReDoS vulnerability by @​anthonyshew in vercel/turborepo#11683
• fix: Upgrade inquirer to remove lodash dependency by @​anthonyshew in vercel/turborepo#11709
• fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS vulnerability by @​anthonyshew in vercel/turborepo#11702
• fix: Upgrade jest to v30 to resolve brace-expansion ReDoS vulnerability by @​anthonyshew in vercel/turborepo#11706
• fix: Recover version numbering to 2.8.9-canary.0 by @​anthonyshew in vercel/turborepo#11853
• fix: Sanitize git command inputs in create-turbo by @​anthonyshew in vercel/turborepo#11876
• chore: Remove pnpm-eslint .vscode transform from create-turbo by @​anthonyshew in vercel/turborepo#12186
• fix: Improve create-turbo connectivity check and offline error messages by @​anthonyshew in vercel/turborepo#12257
• feat: Add affectedUsingTaskInputs future flag for task-level --affected detection by @​anthonyshew in vercel/turborepo#12247
• fix: Replace dns.lookup with https.get for create-turbo online check by @​anthonyshew in vercel/turborepo#12277
• fix: Remove redundant online check from create-turbo by @​anthonyshew in vercel/turborepo#12281
• fix: Sort uninstalled package managers to bottom of create-turbo selection by @​anthonyshew in vercel/turborepo#12353

turbo-ignore

• fix: Resolve pnpm audit vulnerabilities via dependency bumps by @​anthonyshew in vercel/turborepo#12220
• feat: Deprecate turbo-ignore in favor of turbo query affected by @​anthonyshew in vercel/turborepo#12382
• fix: Tailored turbo-ignore deprecation notice for Vercel users by @​anthonyshew in vercel/turborepo#12385

@​turbo/codemod

• fix: Upgrade axios to fix SSRF vulnerability by @​anthonyshew in vercel/turborepo#11599
• fix: Replace axios with native fetch in turbo-codemod by @​anthonyshew in vercel/turborepo#11600
• fix: Upgrade diff to fix DoS vulnerabilities by @​anthonyshew in vercel/turborepo#11621
• fix: Upgrade tsdown to fix valibot and diff vulnerabilities by @​anthonyshew in vercel/turborepo#11766
• fix: Upgrade semver to fix ReDoS vulnerability by @​anthonyshew in vercel/turborepo#11765
• fix: Enhance path validation in assertSafeGitArgument by @​odaysec in vercel/turborepo#11788
• fix: Guard against missing pipeline key in clean-globs codemod by @​anthonyshew in vercel/turborepo#12235
• fix: Stop add-package-names codemod from silently renaming existing packages by @​anthonyshew in vercel/turborepo#12332
• fix: Handle Yarn 2+ in @​turbo/codemod install commands by @​anthonyshew in vercel/turborepo#12477

eslint

... (truncated)

Commits

• af019b1 publish 2.9.0 to registry
• 841fe79 release(turborepo): 2.8.22-canary.8 (#12492)
• 664fd88 fix: Reduce inotify watch count via gitignore-aware directory walking on Linu...
• c03cc5f release(turborepo): 2.8.22-canary.7 (#12491)
• f39b370 fix: Follow symlinks during workspace package discovery (#12489)
• 5e9ba83 release(turborepo): 2.8.22-canary.6 (#12490)
• d07bee8 fix: Replace pre-existing symlinks with directories during cache restore (#12...
• 3155a35 release(turborepo): 2.8.22-canary.5 (#12486)
• b7c0001 fix: Skip writing unchanged files during slow-path cache restore (#12484)
• a6eabc6 release(turborepo): 2.8.22-canary.4 (#12483)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)