[Snyk] Upgrade @hotwired/turbo from 8.0.13 to 8.0.21

[HeapReaper]

Snyk has created this PR to upgrade @hotwired/turbo from 8.0.13 to 8.0.21.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 6 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Insufficient Session Expiration SNYK-JS-HOTWIREDTURBO-15046444	708	Proof of Concept

Release notes

Package name: @hotwired/turbo

• 8.0.21 - 2026-01-16
  

  What's Changed

  • Remove SubmitEvent polyfill by @ seanpdoyle in #909
  • Remove requestSubmit polyfill by @ seanpdoyle in #908
  • Bump multer from 1.4.2 to 2.0.2 by @ dependabot[bot] in #1451
  • Add [method] and [scroll] attributes for Refresh Stream by @ seanpdoyle in #1208
  • Functional Tests: Replace chai with Playwright Assertions by @ seanpdoyle in #1454
  • Fix regression with empty target attribute (#1444) by @ yujiteshima in #1455
  • Functional Tests: Rendering - Replace chai with Playwright by @ seanpdoyle in #1458
  • Rendering Functional Tests: Replace chai with Playwright by @ seanpdoyle in #1459
  • Frame Functional Tests: Replace chai with Playwright by @ seanpdoyle in #1461
  • Build: Remove circular dependency by @ seanpdoyle in #1453
  • Visit Functional Tests: Replace chai with Playwright by @ seanpdoyle in #1463
  • Fix UUID generation to include all hex digits by @ kaisersakhi in #1425
  • Fix #577: Send the Turbo-Frame header as referenced by data-turbo-frame attribute on form submission by @ inkstak in #579
  • Add support for data-turbo-frame="_parent" in nested frames by @ anthonyfranco in #1446
  • Use new format instead of legacy by @ loqimean in #1016
  • Remove duplicate siblings when using before/after actions by @ tpaulshippy in #1290
  • Update html[dir] attribute during navigation by @ alhajrahmoun in #1418
  • Loading Functional Tests: Replace assert with expect by @ seanpdoyle in #1466
  • Remove deprecated support for [data-turbo-cache="false"] by @ seanpdoyle in #1470
  • Remove deprecated Turbo.clearCache() function by @ seanpdoyle in #1471
  • Playwright Root: use expect instead of assert by @ seanpdoyle in #1467
  • Simplify same page anchor visits by @ domchristie in #1285
  • PrefetchCache: extract and re-use LRUCache from SnapshotCache by @ seanpdoyle in #1469
  • Playwright: replace assert with expect by @ seanpdoyle in #1465
  • Bump js-yaml from 4.1.0 to 4.1.1 by @ dependabot[bot] in #1468
  • Remove chai: Replace all calls with Playwright's expect by @ seanpdoyle in #1473
  • Tests: Flaky [autofocus] assertions by @ seanpdoyle in #1474
  • Prevent slow turbo frame requests from resetting cookies by @ domchristie in #1399
  • Fix noscript style evaluation during navigation (#1464) by @ yujiteshima in #1475
  • Mention the correct element "data-turbo-suppress-warning" is expected on by @ redross in #1424

  New Contributors

  • @ yujiteshima made their first contribution in #1455
  • @ kaisersakhi made their first contribution in #1425
  • @ inkstak made their first contribution in #579
  • @ anthonyfranco made their first contribution in #1446
  • @ loqimean made their first contribution in #1016
  • @ tpaulshippy made their first contribution in #1290
  • @ alhajrahmoun made their first contribution in #1418
  • @ redross made their first contribution in #1424

  Full Changelog: v8.0.20...v8.0.21

• 8.0.20 - 2025-10-28
  

  What's Changed

  • Fix: preserve removed turbo-frames with refresh=morph on page refreshes by @ jorgemanrubia in #1452

  Full Changelog: v8.0.19...v8.0.20

• 8.0.19 - 2025-10-28
  

  What's Changed

  • Better testing timeouts for less painful development by @ botandrose in #1317
  • Add 2 second timeouts to infinitely-looping assertions by @ botandrose in #1378
  • Reloading a morphing frame should trigger reloads on its child morphing frames recursively by @ botandrose in #1311
  • Revert fetch to call window.fetch directly again by @ chrisyuska in #1381
  • Bump koa from 2.15.4 to 2.16.1 by @ dependabot[bot] in #1398
  • Update playwright by @ silva96 in #1400
  • Respect prefers-reduced-motion by @ indykoning in #1409
  • Rename meta tag used to enable view transitions to turbo-view-transition by @ Intrepidd in #1380
  • Make sure full page reloads use the response URL after a redirect by @ m-vo in #1420
  • Improve prefetch/navigation performance by @ m-vo in #1421
  • Fix navigating to the turbo-root does not use Turbo Drive by @ m-vo in #1426
  • Don't ignore the browser's default for a[href] links by @ stefanvermaas in #1429
  • Expose morphing functions for consumer use by @ seanpdoyle in #1319
  • bump idiomorph version to 0.7.4 by @ htcarr3 in #1441

  New Contributors

  • @ chrisyuska made their first contribution in #1381
  • @ silva96 made their first contribution in #1400
  • @ indykoning made their first contribution in #1409
  • @ m-vo made their first contribution in #1420
  • @ stefanvermaas made their first contribution in #1429
  • @ htcarr3 made their first contribution in #1441

  Full Changelog: 8.0.13...v8.0.19

• 8.0.18 - 2025-09-26
  

  What's Changed

  • Better testing timeouts for less painful development by @ botandrose in #1317
  • Add 2 second timeouts to infinitely-looping assertions by @ botandrose in #1378
  • Reloading a morphing frame should trigger reloads on its child morphing frames recursively by @ botandrose in #1311
  • Revert fetch to call window.fetch directly again by @ chrisyuska in #1381
  • Bump koa from 2.15.4 to 2.16.1 by @ dependabot[bot] in #1398
  • Update playwright by @ silva96 in #1400
  • Respect prefers-reduced-motion by @ indykoning in #1409
  • Rename meta tag used to enable view transitions to turbo-view-transition by @ Intrepidd in #1380
  • Make sure full page reloads use the response URL after a redirect by @ m-vo in #1420
  • Improve prefetch/navigation performance by @ m-vo in #1421
  • Fix navigating to the turbo-root does not use Turbo Drive by @ m-vo in #1426
  • Don't ignore the browser's default for a[href] links by @ stefanvermaas in #1429
  • Expose morphing functions for consumer use by @ seanpdoyle in #1319

  New Contributors

  • @ chrisyuska made their first contribution in #1381
  • @ silva96 made their first contribution in #1400
  • @ indykoning made their first contribution in #1409
  • @ m-vo made their first contribution in #1420
  • @ stefanvermaas made their first contribution in #1429

  Full Changelog: 8.0.13...v8.0.18

• 8.0.17 - 2025-09-26
  

  v8.0.17

• 8.0.14 - 2025-09-26
  

  v8.0.14

• 8.0.13 - 2025-03-02
  

  Bump version

from @hotwired/turbo GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs