chore(deps): update dependency aube to v1.5.1 (#463)

This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| [aube](https://redirect.github.com/endevco/aube) | minor | `1.4` →
`v1.5.1` | `v1.9.1` (+6) |

---

### Release Notes

<details>
<summary>endevco/aube (aube)</summary>

###
[`v1.5.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.1):
: POSIX colon tarball filenames

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.5.0...v1.5.1)

A small patch release fixing tarball installs that contain `:` in entry
filenames on POSIX platforms (e.g. `redos-detector@6.1.4`'s
`dist/__mocks__/package-json:version.d.ts`).

#### Fixed

- **POSIX colon tarball filenames** — the store tarball validator and
the linker's `validate_index_key` previously rejected `:` on every
platform to defend against Windows drive-prefix and NTFS
alternate-data-stream ambiguity. That guard was too broad for POSIX,
where colon is a valid filename character, and caused installs of
packages like `redos-detector@6.1.4` to fail. Both guards are now
platform-gated: `:` is still rejected on Windows, but accepted on Linux
and macOS.
([#&#8203;386](https://redirect.github.com/endevco/aube/pull/386) by
[@&#8203;jdx](https://redirect.github.com/jdx))

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.5.0...v1.5.1>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.5.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.0):
: Dependency graph queries and patch/lockfile fixes

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.4.0...v1.5.0)

This release adds `aube query` for selector-based dependency graph
inspection, fixes patch application against CRLF tarball files, repairs
npm-aliased catalog dependencies in pnpm-generated lockfiles, and
unifies how aube decides where to write workspace settings.

#### Added

- **`aube query`** — a vlt-inspired dependency-graph query command.
Supply a selector expression (attribute predicates plus pseudo-selectors
like `:scripts`, `:bin`, `:peer`, `:type(...)`, `:license(...)`),
optionally scope with workspace `--filter`/`--prod`/`--dev` roots, and
emit human-readable, `--parseable`, or `--json` output. Reads only the
local lockfile.
([#&#8203;380](https://redirect.github.com/endevco/aube/pull/380) by
[@&#8203;jdx](https://redirect.github.com/jdx))

#### Fixed

- **Patches against CRLF text files** — tarballs published from Windows
editors (e.g. `gifuct-js@2.1.2/index.d.ts`) ship CRLF, but
git/pnpm-style patches always emit LF, and diffy refused to match LF
hunks against CRLF context. aube now normalizes the original to LF
before applying and restores CRLF on write — matching pnpm's approach —
with a `\r\r\n` collapse so a literal `\r` byte mid-line doesn't gain a
second carriage return.
([#&#8203;384](https://redirect.github.com/endevco/aube/pull/384) by
[@&#8203;jdx](https://redirect.github.com/jdx))
- **`aube patch-commit` destination** — previously wrote unconditionally
to `pnpm.patchedDependencies` in `package.json` even on projects already
using the pnpm v10+ workspace-yaml home. A single rule now applies to
every command that mutates a setting which can live in either the
workspace yaml or `package.json#{pnpm,aube}.<key>`:

  1. If a workspace yaml exists on disk → write there.
2. Otherwise, if `package.json#pnpm` is already declared → write
`pnpm.<key>` (preserve the user's namespace).
  3. Otherwise → write `aube.<key>`.

`aube patch-remove` now strips entries from every place they could live
and reports the files actually rewritten. The same rule covers `aube
approve-builds` and install-time auto-deny seeding.
([#&#8203;384](https://redirect.github.com/endevco/aube/pull/384) by
[@&#8203;jdx](https://redirect.github.com/jdx))
- **npm-aliased catalog deps from pnpm lockfiles** — `aube install
--frozen-lockfile` previously accepted a pnpm lockfile with `beamcoder:
npm:beamcoder-prebuild@…` declared via `pnpm-workspace.yaml#catalog` and
silently produced an empty `node_modules`, because the importer's
specifier was `'catalog:'` and alias detection only fired on
`specifier.starts_with("npm:")`. Aliases are now detected purely from
the canonical `<real>@&#8203;<resolved>` `version:` shape, with a
peer-suffix strip so `version: 18.2.0(react@18.2.0)` isn't
misclassified.
([#&#8203;384](https://redirect.github.com/endevco/aube/pull/384) by
[@&#8203;jdx](https://redirect.github.com/jdx))
- **Bounded resolver stream** — the resolved-package stream is now a
bounded Tokio channel sized from the same network concurrency used by
fetch workers, with awaited sends so resolver/fetch overlap applies
backpressure instead of accumulating an unbounded queue.
([#&#8203;377](https://redirect.github.com/endevco/aube/pull/377) by
[@&#8203;jdx](https://redirect.github.com/jdx))

#### Changed

- **`aube-workspace.yaml` is the default-write filename** — when neither
`aube-workspace.yaml` nor `pnpm-workspace.yaml` exists, `aube
approve-builds` (and the install-time auto-seed of unreviewed build
scripts) now creates `aube-workspace.yaml` so it pairs with
`aube-lock.yaml` instead of leaving mixed vendor namespaces side by
side. Existing `pnpm-workspace.yaml` files keep being mutated in place.
([#&#8203;382](https://redirect.github.com/endevco/aube/pull/382) by
[@&#8203;jdx](https://redirect.github.com/jdx))
- **Comment-preserving workspace-yaml writes** — yaml writes now skip
the rewrite when the closure produces no structural change, so user
comments survive every no-op update to `allowBuilds`,
`patchedDependencies`, and catalog cleanup.
([#&#8203;384](https://redirect.github.com/endevco/aube/pull/384) by
[@&#8203;jdx](https://redirect.github.com/jdx))
- **Install phase timing sink** — set `AUBE_BENCH_PHASES_FILE` to append
per-phase install timings (resolve/fetch/link/scripts/state/sweep) as
JSONL, optionally tagged with `AUBE_BENCH_SCENARIO`. The benchmark
harness samples aube install-shaped scenarios and
`benchmarks/generate-phase-results.mjs` turns the JSONL into a Markdown
table plus a structured JSON artifact.
([#&#8203;381](https://redirect.github.com/endevco/aube/pull/381) by
[@&#8203;jdx](https://redirect.github.com/jdx))

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.4.0...v1.5.0>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

mise.lock

@@ -1,9 +1,45 @@
 # @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
 
 [[tools.aube]]
-version = "1.4.0"
+version = "1.5.1"
 backend = "github:endevco/aube"
 
+[tools.aube."platforms.linux-arm64"]
+checksum = "sha256:b0cd988d2aba504ace90290e8d6d53bd3f414889e310b99fb53f724df6409606"
+url = "https://github.com/endevco/aube/releases/download/v1.5.1/aube-v1.5.1-aarch64-unknown-linux-gnu.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/408581204"
+provenance = "github-attestations"
+
+[tools.aube."platforms.linux-arm64-musl"]
+checksum = "sha256:4d989b33c6f4ba04f33af12c65316dbb3c91c5757fdb4e2c9291d008c30eb2c7"
+url = "https://github.com/endevco/aube/releases/download/v1.5.1/aube-v1.5.1-aarch64-unknown-linux-musl.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/408580997"
+provenance = "github-attestations"
+
+[tools.aube."platforms.linux-x64"]
+checksum = "sha256:f36cfff61d671c89572c36f88ce97e85a6bc2f9352360e8c126c44db58b0c9d4"
+url = "https://github.com/endevco/aube/releases/download/v1.5.1/aube-v1.5.1-x86_64-unknown-linux-gnu.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/408580571"
+provenance = "github-attestations"
+
+[tools.aube."platforms.linux-x64-musl"]
+checksum = "sha256:0180cf78efcbceae71f094147c5d5e8d27587b9f0af685b4cf630414cb8005c8"
+url = "https://github.com/endevco/aube/releases/download/v1.5.1/aube-v1.5.1-x86_64-unknown-linux-musl.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/408579889"
+provenance = "github-attestations"
+
+[tools.aube."platforms.macos-arm64"]
+checksum = "sha256:5c85530c7194a8d3abbd7fdcbc8e6aff177a1eac6b609e9d8cd68fc24576b677"
+url = "https://github.com/endevco/aube/releases/download/v1.5.1/aube-v1.5.1-aarch64-apple-darwin.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/408582611"
+provenance = "github-attestations"
+
+[tools.aube."platforms.windows-x64"]
+checksum = "sha256:5034386d24520e340380f6ee97e1ce13e9545e4fbbfca19a420e5e6580ac9e88"
+url = "https://github.com/endevco/aube/releases/download/v1.5.1/aube-v1.5.1-x86_64-pc-windows-msvc.zip"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/408585848"
+provenance = "github-attestations"
+
 [[tools.communique]]
 version = "1.1.2"
 backend = "github:jdx/communique"
@@ -22,6 +58,7 @@ url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964743
 checksum = "sha256:5e74ead7037f42940c7dba4f6aa4ed968920cbb55a047aa0d291b0c675c65676"
 url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-x86_64-unknown-linux-gnu.tar.gz"
 url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405963914"
+provenance = "github-attestations"
 
 [tools.communique."platforms.linux-x64-musl"]
 checksum = "sha256:01a6a8b49e635a5a209fdaf6c7b2e976374debc2db1c846c033f567fdba0d86c"
@@ -42,10 +79,88 @@ url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964430
 version = "2.92.0"
 backend = "aqua:cli/cli"
 
+[tools.gh."platforms.linux-arm64"]
+checksum = "sha256:c2248526dd0160c08d3fccca2332c3c1a07c15a78b23978e77735f1b5a18cfee"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_arm64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.linux-arm64-musl"]
+checksum = "sha256:c2248526dd0160c08d3fccca2332c3c1a07c15a78b23978e77735f1b5a18cfee"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_arm64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.linux-x64"]
+checksum = "sha256:b57848131bdf0c229cd35e1f2a51aa718199858b2e728410b37e89a428943ec4"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_amd64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.linux-x64-musl"]
+checksum = "sha256:b57848131bdf0c229cd35e1f2a51aa718199858b2e728410b37e89a428943ec4"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_amd64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.macos-arm64"]
+checksum = "sha256:b11c54f6bd7d15ed6590475079e5b2fcf36f45d3991a80041b29c9d0cc1f1d07"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_macOS_arm64.zip"
+provenance = "github-attestations"
+
+[tools.gh."platforms.windows-x64"]
+checksum = "sha256:b6a8df3c8c6b9c80f290906387673bc4d272840f3789c5650e0e4e6e75522785"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_windows_amd64.zip"
+provenance = "github-attestations"
+
 [[tools.git-cliff]]
 version = "2.13.1"
 backend = "aqua:orhun/git-cliff"
 
+[tools.git-cliff."platforms.linux-arm64"]
+checksum = "sha256:4054c124b926c117f3fa048939bc8be0a954f29f3b6f367627e8cb22c1971882"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.linux-arm64-musl"]
+checksum = "sha256:4054c124b926c117f3fa048939bc8be0a954f29f3b6f367627e8cb22c1971882"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.linux-x64"]
+checksum = "sha256:200d2535da6d9703f3bcc8a4d159c3b55eacdb01cf2148c55b3eee9dd04d5249"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.linux-x64-musl"]
+checksum = "sha256:200d2535da6d9703f3bcc8a4d159c3b55eacdb01cf2148c55b3eee9dd04d5249"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.macos-arm64"]
+checksum = "sha256:21547ae4a0421164070ab75c2522864ea5565858a011fabc5f583061b20f1226"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-apple-darwin.tar.gz"
+
+[tools.git-cliff."platforms.windows-x64"]
+checksum = "sha256:3ae3a5549e85c7ad5b20192ebcfee4371269deca51255f6f2f2e051c6541f5ca"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-pc-windows-msvc.zip"
+
 [[tools.node]]
 version = "24.15.0"
 backend = "core:node"
+
+[tools.node."platforms.linux-arm64"]
+checksum = "sha256:73afc234d558c24919875f51c2d1ea002a2ada4ea6f83601a383869fefa64eed"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-linux-arm64.tar.gz"
+
+[tools.node."platforms.linux-arm64-musl"]
+checksum = "sha256:31e98aa960a067da91edffd5d93bc46657b5d2a8029612c359f5f2ac0060152a"
+url = "https://unofficial-builds.nodejs.org/download/release/v24.15.0/node-v24.15.0-linux-arm64-musl.tar.gz"
+
+[tools.node."platforms.linux-x64"]
+checksum = "sha256:44836872d9aec49f1e6b52a9a922872db9a2b02d235a616a5681b6a85fec8d89"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-linux-x64.tar.gz"
+
+[tools.node."platforms.linux-x64-musl"]
+checksum = "sha256:f55af5bd489c5347b113ca6594cae00a54b30ba57ac5875324311bfc6f4762e3"
+url = "https://unofficial-builds.nodejs.org/download/release/v24.15.0/node-v24.15.0-linux-x64-musl.tar.gz"
+
+[tools.node."platforms.macos-arm64"]
+checksum = "sha256:372331b969779ab5d15b949884fc6eaf88d5afe87bde8ba881d6400b9100ffc4"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-darwin-arm64.tar.gz"
+
+[tools.node."platforms.windows-x64"]
+checksum = "sha256:cc5149eabd53779ce1e7bdc5401643622d0c7e6800ade18928a767e940bb0e62"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-win-x64.zip"

mise.toml

@@ -8,7 +8,7 @@ tasks.release-plz = "./scripts/release-plz.sh"
 
 [tools]
 node = '24'
-aube = '1.4'
+aube = 'v1.5.1'
 git-cliff = 'latest'
 gh = 'latest'
 communique = 'latest'

package.json

@@ -58,5 +58,10 @@
     "rollup-plugin-license": "^3.7.1",
     "typescript": "^6.0.0",
     "typescript-eslint": "^8.16.0"
+  },
+  "aube": {
+    "allowBuilds": {
+      "unrs-resolver": false
+    }
   }
 }