RepoJournal
Vercel

@vercel

Next.js + the Vercel platform — frontend infrastructure for the web

The Wire · Showcase

WORKFLOW HARDENS AGAINST SUPPLY CHAIN ATTACKS, TURBOREPO PATCHES CSRF AND SHELL INJECTION

By RepoJournal · Filed May 15, 2026 · About Vercel

Vercel shipped critical security fixes across Workflow and Turborepo alongside new CLI features, and hardened more of the platform against execution driven by repository contents.

The most urgent story: Turborepo 2.9.13 landed three security patches [1][2][3]. The first validates the `state` parameter on the auth callback, blocking CSRF against self-hosted deployments; the second disables VS Code extension command execution in untrusted workspaces; the third stops a repository's `.yarnrc.yml` `yarnPath` from being executed during package-manager detection.

Separately, Workflow closed a supply chain vulnerability [4] that would have let the author of a fork PR execute arbitrary shell on CI runners. The fix drops the `setup-command` input from the reusable community-world workflows, so matrix fields under a contributor's control no longer flow into them.

On the builder front, Vercel shipped DetectEntrypointFn [5], a normalized entrypoint detector that lets runtime builders locate a service's entry point across Python, Node, and Go without guessing. The CLI got a polish pass: a simplified `vc setup` flow [6], and `vercel connect` lost its `FF_CONNEX_ENABLED` feature gate [7] and is now available to all users as a beta command. Workflow also fixed a developer-experience bug where a Next.js proxy that read the request body broke queue logging with detached ArrayBuffer errors [8], and added rendered-link validation to the docs link lint to catch broken homepage navigation [9].

Chat SDK shipped a queue-debounce concurrency strategy [10] for burst message handling, a dedicated `chat/ai` subpath that keeps optional AI SDK dependencies out of bundles [11], and first-class Vue and Svelte web adapter support [12]. Next.js made Instant Insights report non-validatable renders only when the dev render is already error free, silencing duplicate warnings [13], fixed the sync IO error overlay mislabeling `new Date()` as `Date.now()` [14], and shipped the long-awaited fix for the Server Action forwarding loop with middleware rewrites [15][16].
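Two of the Turborepo fixes, the auth callback `state` check [1] and detection that never runs project-local Yarn [3], as an added example. This is not Turborepo's code: the callback URL shape, the `packageManager` and lockfile heuristics, and the fixture files are assumptions made here to show the two checks in working form.

```javascript
// Added example, not Turborepo's code. Models two checks from 2.9.13:
//  1. a CLI login that opens a browser and waits for a callback must bind
//     the callback to the request it issued with a random `state`, or a
//     forged redirect can plant an attacker-chosen token (CSRF, fix [1]);
//  2. package-manager detection must treat `.yarnrc.yml` as data and never
//     spawn the `yarnPath` a repository points at (fix [3]).
// Callback URL shape, heuristics and fixture contents are assumptions.
const crypto = require("node:crypto");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// --- 1. CSRF state on the auth callback -------------------------------

// Fresh 256-bit state per login attempt, carried in the URL the browser
// is sent to; the callback must echo it back unchanged.
function createLoginSession(loginUrl) {
  const state = crypto.randomBytes(32).toString("base64url");
  const url = new URL(loginUrl);
  url.searchParams.set("state", state);
  return { state, url: url.toString() };
}

// Accept the token only when the callback carries exactly the state we
// issued: length check first, then a constant-time comparison.
function acceptCallback(session, callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get("state") || "", "utf8");
  const want = Buffer.from(session.state, "utf8");
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return { ok: false, reason: "state mismatch" };
  }
  const token = params.get("token");
  if (!token) return { ok: false, reason: "missing token" };
  return { ok: true, token };
}

// --- 2. Yarn detection that never runs project-local Yarn -------------

// Reads files only. The UNSAFE variant this replaces is spawning
// `yarn --version` inside projectDir: Yarn's launcher honours the
// repository's `yarnPath`, so the repository chooses what gets executed.
function detectYarn(projectDir) {
  const read = (f) => {
    const p = path.join(projectDir, f);
    return fs.existsSync(p) ? fs.readFileSync(p, "utf8") : null;
  };
  const result = { yarnPath: null, version: null, flavor: null, executedProjectYarn: false };

  const rc = read(".yarnrc.yml");
  if (rc) {
    // Single-key extraction; the value is recorded, never resolved or run.
    const m = rc.match(/^yarnPath:\s*["']?([^"'\r\n]+?)["']?\s*$/m);
    if (m) result.yarnPath = m[1];
  }

  const pkg = read("package.json");
  if (pkg) {
    const pm = JSON.parse(pkg).packageManager;
    if (typeof pm === "string" && pm.startsWith("yarn@")) {
      result.version = pm.slice("yarn@".length).split("+")[0]; // drop integrity hash
    }
  }

  const lock = read("yarn.lock");
  if (lock) {
    // Berry lockfiles open with a `__metadata:` block; classic ones do not.
    result.flavor = /^__metadata:/m.test(lock) ? "berry" : "classic";
  } else if (result.version) {
    result.flavor = result.version.startsWith("1.") ? "classic" : "berry";
  }
  return result;
}

// Constructed, hostile fixture: a repo whose yarnPath points at a file
// of its own choosing. detectYarn must report it without executing it.
function writeFixture(dir) {
  fs.mkdirSync(path.join(dir, ".yarn", "releases"), { recursive: true });
  fs.writeFileSync(path.join(dir, "package.json"),
    JSON.stringify({ packageManager: "yarn@4.1.0+sha512.deadbeef" }));
  fs.writeFileSync(path.join(dir, ".yarnrc.yml"),
    "nodeLinker: node-modules\nyarnPath: .yarn/releases/yarn-4.1.0.cjs\n");
  fs.writeFileSync(path.join(dir, ".yarn", "releases", "yarn-4.1.0.cjs"),
    "console.log('repo-controlled file: detectYarn must never run this')\n");
  fs.writeFileSync(path.join(dir, "yarn.lock"), "__metadata:\n  version: 8\n");
  return dir;
}

if (require.main === module) {
  const s = createLoginSession("https://vercel.example/cli-login?redirect=http://127.0.0.1:9789/cb");
  console.log(acceptCallback(s, "http://127.0.0.1:9789/cb?state=forged&token=attacker-token"));
  console.log(acceptCallback(s, `http://127.0.0.1:9789/cb?state=${s.state}&token=t_ok`));
  console.log(detectYarn(writeFixture(fs.mkdtempSync(path.join(os.tmpdir(), "yarn-")))));
}
```

The forged callback is rejected before the token is even read, and the hostile fixture yields version `4.1.0`, flavor `berry` and the recorded `yarnPath`, with nothing under the project directory ever spawned.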
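The pattern the Workflow fix [4] removes, as an added illustration rather than vercel/workflow's actual CI files: a reusable workflow exposing a free-form `setup-command` input, a caller that fills it from matrix data checked into the repository, and the hardened form with the input gone. File names, the `project` input and the `community-world.json` manifest are assumptions.

```yaml
# Added illustration, not vercel/workflow's real CI. Three files shown as
# separate YAML documents; names, inputs and the manifest are assumptions.

# --- BEFORE: .github/workflows/community-world-reusable.yml (vulnerable) ---
on:
  workflow_call:
    inputs:
      project:
        type: string
        required: true
      setup-command:            # free-form shell, chosen by the caller
        type: string
        required: false
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ${{ inputs.setup-command }}       # sink: expression pasted into the script
      - run: pnpm test --filter "${{ inputs.project }}"
---
# --- BEFORE: caller; the matrix comes from a file any fork PR can edit ---
on: pull_request
jobs:
  plan:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.m.outputs.matrix }}
    steps:
      - uses: actions/checkout@v4
      - id: m
        run: echo "matrix=$(jq -c . community-world.json)" >> "$GITHUB_OUTPUT"
  world:
    needs: plan
    strategy:
      matrix: ${{ fromJSON(needs.plan.outputs.matrix) }}
    uses: ./.github/workflows/community-world-reusable.yml
    with:
      project: ${{ matrix.project }}
      setup-command: ${{ matrix.setup-command }}   # whatever the PR wrote runs on the runner
---
# --- AFTER: reusable workflow with the shell-string input dropped ---
on:
  workflow_call:
    inputs:
      project:
        type: string
        required: true
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm install --frozen-lockfile      # fixed setup, authored in the workflow itself
      - run: pnpm test --filter "$PROJECT"       # remaining input reaches the shell as data only
        env:
          PROJECT: ${{ inputs.project }}
```

Two caveats when auditing for this class. The blast radius depends on the trigger: a fork `pull_request` run has no secrets and a read-only token, so the immediate gain is runner compute and whatever caches or artifacts the job can write, while the same sink under `pull_request_target` or in a job that mounts secrets is a full compromise. And dropping the obvious input is not the whole fix; any remaining value that originates in PR-controlled data must reach `run:` steps through `env:` (as `project` does above), never through `${{ }}` interpolation inside the script.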

References

  [1] vercel/turborepo: fix: Validate auth callback state
  [2] vercel/turborepo: fix: Harden VS Code extension command execution
  [3] vercel/turborepo: fix: Avoid project-local Yarn during detection
  [4] vercel/workflow: CI: drop setup-command input from reusable community-world workflows (#1828)
  [5] vercel/vercel: Add normalized entrypoint detector for runtime builders
  [6] vercel/vercel: [cli] refresh vc setup flow + aligned-label output
  [7] vercel/vercel: [cli] connect: drop FF_CONNEX_ENABLED gate, mark beta in help (#16334)
  [8] vercel/workflow: [codex] Fix detached ArrayBuffer proxy DX
  [9] vercel/workflow: Validate homepage links in docs link lint
  [10] vercel/chat: feat(chat): add queue-debounce concurrency strategy (#495)
  [11] vercel/chat: feat(chat): add `chat/ai` subpath for AI SDK utilities (#492)
  [12] vercel/chat: feat(web-adapter): first class support for Vue and Svelte
  [13] vercel/next.js: Instant Insights: only report non-validatable if dev render is error free
  [14] vercel/next.js: Fix `Date.now()` cause shadowing in sync IO error overlay
  [15] vercel/next.js: Fix server action forwarding loop with middleware rewrites
  [16] vercel/next.js: Fix server action forwarding loop with middleware rewrites (#93792)

FAQ

What changed in Vercel on May 15, 2026?
Vercel shipped critical security fixes across Workflow and Turborepo alongside new CLI features, and hardened more of the platform against execution driven by repository contents.
What should Vercel teams do about it?
  • Upgrade Turborepo to 2.9.13 now, and treat it as urgent on self-hosted deployments, which the auth callback `state` validation protects [1].
  • Review CI configs: confirm no reusable workflow still exposes a `setup-command` style input, and that no matrix field or other value a fork PR can write is interpolated into a `run:` step [4].
  • Try the `vercel connect` command in CI and local environments; it is now available to all users as a beta [7].
Which Vercel repositories shipped on May 15, 2026?
vercel/turborepo, vercel/workflow, vercel/vercel, vercel/chat, vercel/next.js
