fix: Validate turbo version from lockfile for all package managers (#11587)
## Summary
Extends the semver validation fix from #11546 to all other package
managers:
- Berry (Yarn 2+)
- Bun
- pnpm
- Yarn 1
The original fix only covered npm, but the same vulnerability existed in
all other lockfile parsers.
## Changes
Each lockfile's `turbo_version()` method now validates that the version
string is valid semver before returning it. If the version is not valid
semver (e.g., a file path, URL, or command injection attempt), `None` is
returned instead.
For pnpm, the validation extracts the base semver portion first since
pnpm versions can include peer dependency suffixes like
`1.4.6_peer_suffix` or `1.4.6(react@18.2.0)`.
## Testing
Added `test_turbo_version_rejects_non_semver` tests to each lockfile
module that verify malicious version strings are rejected:
- `file:./malicious.tgz`
- `https://evil.com/malicious.tgz`
- `git+https://github.com/evil/repo.git`
- `../../../etc/passwd`
- `1.0.0 && curl evil.com`
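As an added illustration of the check described in the Changes and Testing sections (this is example code written for this page, not turborepo's own lockfile code): a self-contained Rust version of `turbo_version()` with a hand-written SemVer 2.0.0 syntax check standing in for a real semver library. The names `turbo_version`, `strip_pnpm_suffix` and `is_valid_semver`, the `pnpm` flag, and the choice of `_` and `(` as the peer-suffix delimiters are assumptions made here; the rejected inputs are the strings listed above plus a few constructed ones.

```rust
/// Strip a pnpm peer-dependency suffix from a lockfile version field, e.g.
/// "1.4.6_peer_suffix" -> "1.4.6" and "1.4.6(react@18.2.0)" -> "1.4.6".
/// Assumption for this example: '_' (older lockfiles) and '(' (newer ones)
/// are the only delimiters that start such a suffix.
pub fn strip_pnpm_suffix(version: &str) -> &str {
    let end = version
        .find(|c: char| c == '_' || c == '(')
        .unwrap_or(version.len());
    &version[..end]
}

/// Digits only, no leading zero (SemVer numeric identifier).
fn is_numeric_identifier(p: &str) -> bool {
    !p.is_empty()
        && p.bytes().all(|b| b.is_ascii_digit())
        && (p == "0" || !p.starts_with('0'))
}

/// [0-9A-Za-z-]+; a purely numeric identifier may not have a leading zero.
fn is_prerelease_identifier(p: &str) -> bool {
    if p.is_empty() || !p.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-') {
        return false;
    }
    if p.bytes().all(|b| b.is_ascii_digit()) {
        return is_numeric_identifier(p);
    }
    true
}

/// [0-9A-Za-z-]+ (build metadata allows leading zeros).
fn is_build_identifier(p: &str) -> bool {
    !p.is_empty() && p.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
}

/// Minimal SemVer 2.0.0 syntax check: MAJOR.MINOR.PATCH[-pre][+build].
/// Deliberately strict: no "v" prefix, no ranges, no whitespace, nothing else.
pub fn is_valid_semver(s: &str) -> bool {
    // Build metadata comes after the first '+', prerelease after the first '-'
    // of what remains; the core version can contain neither character.
    let (rest, build) = match s.split_once('+') {
        Some((r, b)) => (r, Some(b)),
        None => (s, None),
    };
    let (core, pre) = match rest.split_once('-') {
        Some((c, p)) => (c, Some(p)),
        None => (rest, None),
    };
    let parts: Vec<&str> = core.split('.').collect();
    if parts.len() != 3 || !parts.iter().all(|p| is_numeric_identifier(p)) {
        return false;
    }
    pre.map_or(true, |p| p.split('.').all(is_prerelease_identifier))
        && build.map_or(true, |b| b.split('.').all(is_build_identifier))
}

/// Example counterpart of a lockfile's turbo_version(): returns the validated
/// semver string, or None for anything else (file paths, URLs, git specs,
/// shell metacharacters). `pnpm` selects the suffix stripping above, which
/// runs before validation so only the base version is ever returned.
pub fn turbo_version(raw: &str, pnpm: bool) -> Option<String> {
    let candidate = if pnpm { strip_pnpm_suffix(raw) } else { raw };
    if is_valid_semver(candidate) {
        Some(candidate.to_string())
    } else {
        None
    }
}

fn main() {
    // Constructed sample inputs: the strings from the Testing section plus
    // valid and pnpm-suffixed versions.
    let samples = [
        ("file:./malicious.tgz", false),
        ("https://evil.com/malicious.tgz", false),
        ("git+https://github.com/evil/repo.git", false),
        ("../../../etc/passwd", false),
        ("1.0.0 && curl evil.com", false),
        ("2.0.0-canary.1", false),
        ("1.4.6_peer_suffix", true),
        ("1.4.6(react@18.2.0)", true),
    ];
    for (raw, pnpm) in samples {
        println!("{raw:?} (pnpm={pnpm}) -> {:?}", turbo_version(raw, pnpm));
    }
}
```

Note the ordering: the pnpm suffix is cut off before validation, so whatever follows `_` or `(` never reaches the caller; a pnpm entry whose base is not semver (for example `file:./x(react@18.2.0)`) still yields `None`, and the same raw string with `pnpm` unset is rejected because `6_peer_suffix` is not a numeric identifier.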
## Credit
We'd like to thank HackerOne reporter hellnia for responsibly
disclosing.