Skip to main content

turborepo

Guides users in configuring and optimizing Turborepo for JavaScript/TypeScript monorepos, enhancing build efficiency and task management.

Install this skill

or
38/100

Security score

The turborepo skill was audited on Jun 15, 2026 and we found 30 security issues across 2 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

low line 156

Access to .env file

SourceSKILL.md
156├─ .env changes not causing rebuilds → .env not in `inputs`
low line 346

Access to .env file

SourceSKILL.md
346"globalDependencies": ["**/.env.*local"]
low line 351

Access to .env file

SourceSKILL.md
351"globalDependencies": [".env"],
low line 354

Access to .env file

SourceSKILL.md
354"inputs": ["$TURBO_DEFAULT$", ".env*"],
low line 368

Access to .env file

SourceSKILL.md
368"inputs": [".env"]
low line 373

Access to .env file

SourceSKILL.md
373"inputs": ["$TURBO_DEFAULT$", "!$TURBO_ROOT$/.env"]
low line 389

Access to .env file

SourceSKILL.md
389"inputs": ["$TURBO_DEFAULT$", ".env*"]
low line 393

Access to .env file

SourceSKILL.md
393"inputs": ["$TURBO_DEFAULT$", ".env*"]
low line 397

Access to .env file

SourceSKILL.md
397"inputs": ["$TURBO_DEFAULT$", ".env*"],
low line 407

Access to .env file

SourceSKILL.md
407"globalDependencies": [".env*"],
medium line 621

Access to .env file

SourceSKILL.md
621### `.env` Files Not in Inputs
medium line 623

Access to .env file

SourceSKILL.md
623Turbo does NOT load `.env` files - your framework does. But Turbo needs to know about changes:
low line 626

Access to .env file

SourceSKILL.md
626// WRONG: .env changes don't invalidate cache
low line 635

Access to .env file

SourceSKILL.md
635// CORRECT: .env file changes invalidate cache
low line 640

Access to .env file

SourceSKILL.md
640"inputs": ["$TURBO_DEFAULT$", ".env", ".env.*"]
medium line 646

Access to .env file

SourceSKILL.md
646### Root `.env` File in Monorepo
medium line 648

Access to .env file

SourceSKILL.md
648A `.env` file at the repo root is an anti-pattern — even for small monorepos or starter templates. It creates implicit coupling between packages and makes it unclear which packages depend on which var
low line 651

Access to .env file

SourceSKILL.md
651// WRONG - root .env affects all packages implicitly
low line 653

Access to .env file

SourceSKILL.md
653├── .env # Which packages use this?
low line 659

Access to .env file

SourceSKILL.md
659// CORRECT - .env files in packages that need them
low line 663

Access to .env file

SourceSKILL.md
663│ │ └── .env # Clear: web needs DATABASE_URL
low line 665

Access to .env file

SourceSKILL.md
665│ └── .env # Clear: api needs API_KEY
medium line 669

Access to .env file

SourceSKILL.md
669**Problems with root `.env`:**
medium line 673

Access to .env file

SourceSKILL.md
673- Cache invalidation is coarse-grained (root .env change invalidates everything)
low line 845

Access to .env file

SourceSKILL.md
845"globalDependencies": [".env"],
medium line 856

Access to .env file

SourceSKILL.md
856With `futureFlags.globalConfiguration`, the same config moves global settings under `global` — and `.env` becomes a per-task input instead of a global hash input:
low line 863

Access to .env file

SourceSKILL.md
863"inputs": [".env"]
medium line 900

Access to .env file

SourceSKILL.md
900| [environment/gotchas.md](./references/environment/gotchas.md) | .env files, CI issues |
low line 743

External URL reference

SourceSKILL.md
743"$schema": "https://v2-9-17-canary-2.turborepo.dev/schema.json",
low line 951

External URL reference

SourceSKILL.md
951- Live: https://turborepo.dev/docs
Scanned on Jun 15, 2026
View Security Dashboard
Installation guide →
GitHub Stars 61
Rate this skill
Categorydevelopment
UpdatedJune 15, 2026
openclawbackenddevopsfrontend-developerbackend-developerfullstack-developerdevops-sreproduct-managerdevelopmentproduct
kriegcloud/beep-effect