Sourced from turbo's releases.

Turborepo v2.9.15

What's Changed

Changelog

• release(turborepo): 2.9.14 by @​github-actions[bot] in vercel/turborepo#12805
• fix: Prune package.json workspaces by @​anthonyshew in vercel/turborepo#12808
• fix: Wait for process trees before task completion by @​anthonyshew in vercel/turborepo#12809
• release(turborepo): 2.9.15-canary.1 by @​github-actions[bot] in vercel/turborepo#12810
• ci: Sign macOS release binaries by @​anthonyshew in vercel/turborepo#12811
• release(turborepo): 2.9.15-canary.2 by @​github-actions[bot] in vercel/turborepo#12812
• fix: Prevent cache archive symlink reads by @​anthonyshew in vercel/turborepo#12813
• release(turborepo): 2.9.15-canary.3 by @​github-actions[bot] in vercel/turborepo#12814
• fix: Avoid path-racy chmod during directory restore by @​anthonyshew in vercel/turborepo#12815
• fix: Prevent cache restore symlink race writes by @​anthonyshew in vercel/turborepo#12817
• chore: Deny Rust panic extraction by default by @​anthonyshew in vercel/turborepo#12818
• fix: Make structured log symlink defense race-safe by @​anthonyshew in vercel/turborepo#12821
• fix: Preserve Bun alias child packages by @​anthonyshew in vercel/turborepo#12822
• fix: Avoid UTF-8 panics at boundaries by @​anthonyshew in vercel/turborepo#12823
• fix: Preserve non-UTF-8 Git path boundaries by @​anthonyshew in vercel/turborepo#12826
• fix: Create daemon dirs with private permissions by @​anthonyshew in vercel/turborepo#12827
• fix: Return Berry lockfile errors instead of panicking by @​anthonyshew in vercel/turborepo#12828
• fix: Isolate Corepack state in integration tests by @​anthonyshew in vercel/turborepo#12831
• ci: Use larger Windows runners for Rust tests by @​anthonyshew in vercel/turborepo#12832
• docs: Add with-vite-module-federation example by @​gioboa in vercel/turborepo#12794
• test: Run Rust tests without partitioning by @​anthonyshew in vercel/turborepo#12833
• chore: Remove TaskHashTracker-based expect() calls by @​anthonyshew in vercel/turborepo#12836
• chore: Deduplicate hash canonicalization by @​anthonyshew in vercel/turborepo#12837
• fix: Prevent Windows process drain hangs by @​anthonyshew in vercel/turborepo#12838
• fix: Refactor execsync to execfilesync for Shell command built from environment values by @​bjormgyg in vercel/turborepo#12829
• test: Bound vt100 random quickcheck by @​anthonyshew in vercel/turborepo#12839
• fix: Validate daemon discovery responses by @​anthonyshew in vercel/turborepo#12840
• fix: Store PackageGraph root invariants by @​anthonyshew in vercel/turborepo#12841
• chore: Avoid engine graph node expects by @​anthonyshew in vercel/turborepo#12842
• test: Make Rust tests parallel-safe by @​anthonyshew in vercel/turborepo#12843
• fix: Avoid graph utility node lookup panics by @​anthonyshew in vercel/turborepo#12844
• fix: Avoid graph walker expect() calls by @​anthonyshew in vercel/turborepo#12845
• fix: Remove fs panic extraction lints by @​anthonyshew in vercel/turborepo#12846
• fix: Remove fixed map panic extraction calls by @​anthonyshew in vercel/turborepo#12847
• fix: Remove devtools WebSocket panics by @​anthonyshew in vercel/turborepo#12850
• fix: Remove json rewrite panic lint allow by @​anthonyshew in vercel/turborepo#12848
• fix: Remove turborepo-types panic lint allows by @​anthonyshew in vercel/turborepo#12849
• chore: Remove turborepo-hash build expect by @​anthonyshew in vercel/turborepo#12851
• fix: Remove napi panic lint allows by @​anthonyshew in vercel/turborepo#12852
• fix: Avoid globwatch expect calls by @​anthonyshew in vercel/turborepo#12853
• fix: Remove LSP expect callsites by @​anthonyshew in vercel/turborepo#12854
• fix: Remove scope panic lint allows by @​anthonyshew in vercel/turborepo#12855
• fix: Remove task hash panic lints by @​anthonyshew in vercel/turborepo#12856
• fix: Remove frameworks panic lint allows by @​anthonyshew in vercel/turborepo#12857
• fix: Remove microfrontends proxy expect lint allow by @​anthonyshew in vercel/turborepo#12859

... (truncated)

• 3e78ad2 publish 2.9.15 to registry
• 076ff97 fix: Harden OTEL endpoint validation (#12954)
• f96ccc4 fix: Respect root gitignore during prune (#12953)
• ebebf41 chore: Switch Geist font imports to npm geist package (#12952)
• 5fa3039 chore(turbo-codemod): remove duplicate "in" in transforms path comment (#12948)
• 8fc94f3 docs: Correct attribute presence claims in turborepo-otel (#12932)
• 06e81ea release(turborepo): 2.9.15-canary.8 (#12945)
• c7ad6f2 feat: Add heap allocation profiling (#12943)
• 31123f4 fix: Preserve pnpm injected peer package entries (#12940)
• 6ed6fb0 fix: Use build-scale OTel duration buckets (#12939)
• Additional commits viewable in compare view

Sourced from @​opentelemetry/api-logs's releases.

experimental/v0.218.0

0.218.0

:rocket: Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

:house: Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
• refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

experimental/v0.217.0

0.217.0

:rocket: Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

:bug: Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

:rocket: Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

:bug: Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira

... (truncated)

• 06ad0ea chore: prepare next release (#6703)
• 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• Additional commits viewable in compare view

Sourced from @​opentelemetry/instrumentation's releases.

experimental/v0.218.0

0.218.0

:rocket: Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

:house: Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
• refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

experimental/v0.217.0

0.217.0

:rocket: Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

:bug: Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

:rocket: Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

:bug: Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira

... (truncated)

• 06ad0ea chore: prepare next release (#6703)
• 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• Additional commits viewable in compare view

Sourced from @​opentelemetry/sdk-logs's releases.

experimental/v0.218.0

0.218.0

:rocket: Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

:house: Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
• refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

experimental/v0.217.0

0.217.0

:rocket: Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

:bug: Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

:rocket: Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

:bug: Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira

... (truncated)

• 06ad0ea chore: prepare next release (#6703)
• 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• Additional commits viewable in compare view

Sourced from next-intl's releases.

v4.12.0

4.12.0 (2026-05-13)

Features

• Improvements for useExtracted (#2316) (bff2f96) – by @​amannn

⚠️ A small config change is required for useExtracted users to upgrade, please see amannn/next-intl#2316 for details.

v4.11.2

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

v4.11.1

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

v4.11.0

4.11.0 (2026-04-28)

Features

• Add displayName to useFormatter (#2285) (3666aa8) – by @​roderickhsiao

v4.10.1

This was reverted in https://github.com/amannn/next-intl/releases/tag/v4.11.2

---

4.10.1 (2026-04-28)

Bug Fixes

• Set redirect domain if x-forwarded-host header exists (#2281) (70d35db) – by @​FourwingsY

⚠️ If you're using a setup behind a reverse proxy and your proxy sets x-forwarded-port, make sure the value is correct (typically 443).

v4.10.0

4.10.0 (2026-04-28)

Features

• Add per-domain localePrefix override support (#2273) (3e9febf) – by @​frankmatheron

Sourced from next-intl's changelog.

4.12.0 (2026-05-13)

Features

• Improvements for useExtracted (#2316) (bff2f96) – by @​amannn

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

4.11.0 (2026-04-28)

Features

• Add displayName to useFormatter (#2285) (3666aa8) – by @​roderickhsiao

4.10.1 (2026-04-28)

Bug Fixes

• Set redirect domain if x-forwarded-host header exists (#2281) (70d35db) – by @​FourwingsY

4.10.0 (2026-04-28)

Features

• Add per-domain localePrefix override support (#2273) (3e9febf) – by @​frankmatheron

• d7bf7af v4.12.0
• bff2f96 feat: Improvements for useExtracted (#2316)
• 940dfbf v4.11.2
• eb3a6a4 fix: Revert x-forwarded-host redirect domain change (#2322)
• a6a8f8f v4.11.1
• ff77a3d fix: Avoid watchers for detached telemetry process (#2319)
• 02989b6 test: Refactor extractor tests to e2e (#2312)
• e68a591 v4.11.0
• 3666aa8 feat: Add displayName to useFormatter (#2285)
• 11d9ce8 v4.10.1
• Additional commits viewable in compare view

Sourced from @​next/eslint-plugin-next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

• ee6e79b v16.2.6
• 766148f v16.2.5
• See full diff in compare view

This version was pushed to npm by GitHub Actions, a new releaser for @​next/eslint-plugin-next since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions