mirror of
https://github.com/jdx/mise-action.git
synced 2026-06-10 17:24:52 +00:00
chore(deps): update dependency aube to v1.14.1 (#489)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| [aube](https://redirect.github.com/endevco/aube) | minor | `v1.9.1` → `v1.14.1` | `v1.15.0` |

---

### Release Notes

<details>
<summary>endevco/aube (aube)</summary>

### [`v1.14.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.1): Install module split

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.14.0...v1.14.1)

A maintenance release with no user-facing behavior changes. The install command's growing `commands/install/mod.rs` was split into focused submodules to keep the install pipeline easier to navigate. Install behavior, flags, and output are unchanged from v1.14.0.

#### Changed

- *(install)* Extracted the fetch/import pipeline (local source import, lockfile fetch wrapper, store-index classification, tarball fetch/import, contextualized-index remapping) into a new `commands/install/fetch.rs` module ([#704](https://redirect.github.com/endevco/aube/pull/704) by [@jdx](https://redirect.github.com/jdx)).
- *(install)* Split the materializer, native-build critical-path heuristic, and workspace graph/lifecycle/per-project lockfile helpers into dedicated `materialize.rs`, `critical_path.rs`, and `workspace.rs` modules ([#702](https://redirect.github.com/endevco/aube/pull/702) by [@jdx](https://redirect.github.com/jdx)).
- *(install)* Moved post-pipeline helpers — `--lockfile-dir` importer remapping, human install summary output, `.aube` cache invalidation/orphan cleanup, and skipped-build warning replay — into `lockfile_dir.rs`, `summary.rs`, `sweep.rs`, and `unreviewed_builds.rs` ([#698](https://redirect.github.com/endevco/aube/pull/698) by [@jdx](https://redirect.github.com/jdx)).

**Full Changelog**: <https://github.com/endevco/aube/compare/v1.14.0...v1.14.1>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

### [`v1.14.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.0): Bloom-filtered OSV checks and lifecycle-script content sniffing

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.13.1...v1.14.0)

Two new opt-in supply-chain layers on top of the v1.13 gates: a ~380 KB bloom-filter prefilter that lets plain reinstalls cheaply probe the OSV `MAL-*` set without pulling the 200 MB mirror, and a regex-based content sniff that flags dangerous shapes in dependency `preinstall`/`install`/`postinstall` scripts before you click through `aube approve-builds`.

#### Added

- *(install)* **OSV bloom-filter prefilter for lockfile installs** ([#680](https://redirect.github.com/endevco/aube/pull/680) by [@jdx](https://redirect.github.com/jdx)) — New `advisoryBloomCheck` setting (`on` / `required` / `off`, default `off`) adds a fourth route to the post-resolve OSV decision table. Plain reinstalls probe the resolved transitive graph against a ~380 KB bloom filter fetched from [`endevco/osv-bloom`](https://redirect.github.com/endevco/osv-bloom) — regenerated upstream every 10 minutes from OSV's `MAL-*` archive — and only escalate bloom hits to the live `/querybatch` API for exact `(name, version)` confirmation. Bloom FPR is ~0.1%, so a typical 1000-package lockfile triggers zero or one extra live-API round trip per install. When both are configured, the bloom branch wins over the 200 MB `all.zip` mirror — under 1 MB on the wire, same live-API oracle, same `ERR_AUBE_MALICIOUS_PACKAGE` on a confirmed hit. Cached under `$XDG_CACHE_HOME/aube/osv-bloom/` and short-circuits the download when upstream's `set_digest_sha256` is unchanged. New warning `WARN_AUBE_OSV_BLOOM_REFRESH_FAILED`: under `on` install continues against the previously cached filter; under `required` it fails closed with `ERR_AUBE_ADVISORY_CHECK_FAILED`.
- *(install)* **Content-sniff dependency lifecycle scripts before approve-builds** ([#685](https://redirect.github.com/endevco/aube/pull/685) by [@jdx](https://redirect.github.com/jdx)) — aube's existing supply-chain gates (OSV `MAL-*`, downloads floor, bun-compat scanner, `BuildPolicy` allowlist) are all name-based; none inspects what `postinstall` actually does, which leaves an OSV-ingest-lag window of 12–48h that the 2024–2026 wave of unobfuscated `curl … | sh` postinstalls walked right through. New regex matcher fires advisory warnings for known-dangerous shapes in lifecycle script bodies:

  | Signal | Catches |
  |---|---|
  | `ShellPipe` | `curl … \| sh`, `wget … \| bash`, `… \| node` |
  | `EvalDecode` | `eval(atob(…))`, `Function(atob(…))`, `eval(Buffer.from(…))` |
  | `CredentialFileRead` | `~/.ssh`, `~/.aws`, `~/.npmrc`, `~/.config/gh` reads |
  | `SecretEnvRead` | `process.env.*(TOKEN\|SECRET\|API_KEY\|PASSWORD\|ACCESS_KEY\|PRIVATE_KEY\|AUTH)` |
  | `ExfilEndpoint` | Discord/Telegram webhooks, OAST hosts (`oast.pro`, `interactsh`, `webhook.site`, `pipedream.net`, `ngrok.io`, …) |
  | `BareIpHttp` | Bare-IP HTTP fetch targets (literal IPv4 hosts over plain HTTP) |

  Sniff is advisory — `allowBuilds` still gates execution — and shows up in three places: end-of-install emits one `WARN_AUBE_SUSPICIOUS_LIFECYCLE_SCRIPT` per flagged package alongside the existing `WARN_AUBE_IGNORED_BUILD_SCRIPTS`; `aube approve-builds` annotates picker rows with `⚠ suspicious: <category>` and prints a pre-picker summary of the matched hook+description; `aube ignored-builds` indents `⚠ <hook> — <description>` lines under each `name@version`. Findings are re-derived per install rather than persisted, so the regex set can evolve without a state-file migration. Works offline, doesn't degrade to advisory in headless CI.

#### Changed

- Refreshed `benchmarks/results.json` against v1.13.1 and Bun 1.3.14 ([#687](https://redirect.github.com/endevco/aube/pull/687)) — public ratios update to warm installs **3× Bun / 6× pnpm**, repeat test **6× Bun / 45× pnpm**.

**Full Changelog**: <https://github.com/endevco/aube/compare/v1.13.1...v1.14.0>

### [`v1.13.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.1): Version-aware transitive MAL-* gate

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.13.0...v1.13.1)

A targeted fix for the transitive supply-chain gate added in v1.13.0: the post-resolve OSV check is now version-aware, so name-level `MAL-*` advisories stop blocking installs that resolve to clean versions of the same package.

#### Fixed

- *(install)* **Version-aware transitive `MAL-*` check** ([#682](https://redirect.github.com/endevco/aube/pull/682) by [@jdx](https://redirect.github.com/jdx)) — The post-resolve gate was reusing the pre-resolve name-only OSV query, so any name-level advisory hit every install that transitively pulled in *any* version of that package. Concretely, `aube add cowsay@1.6.0` refused with `ERR_AUBE_MALICIOUS_PACKAGE` because cowsay's tree includes `ansi-regex@3.0.1`, and `ansi-regex` carries the Sep 2025 shai-hulud advisory `MAL-2025-46966` against `6.2.1` — a version published years after `3.0.1`. The live-API and OSV-mirror lookups now send `(name, version)` pairs, refusal messages surface `name@version (MAL-…)`, and the local mirror index bumps to `format = 2` (storing per-advisory affected versions; v1 indexes rebuild on next refresh, and advisories with no enumerated versions still fail closed). The pre-resolve `aube add` name-gate keeps its versionless query — typosquats are malicious in every version.

**Full Changelog**: <https://github.com/endevco/aube/compare/v1.13.0...v1.13.1>

### [`v1.13.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.0): Supply-chain gates for `aube add`

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.12.0...v1.13.0)

#### Added

- *(install)* Bun-compatible pluggable security scanner — drop in any `securityScanner` package that follows the Bun Security Scanner API (oven-sh template, `@socketsecurity/bun-security-scanner`, etc.) and aube runs it post-resolve against the full graph via a `node` bridge ([#657](https://redirect.github.com/endevco/aube/pull/657))
- *(add)* Supply-chain gates on `aube add`: OSV `MAL-*` advisory hard-block plus a weekly-downloads floor with TTY prompt / `--allow-low-downloads` bypass. New `advisoryCheck` and `lowDownloadThreshold` settings, both folded into `paranoid: true` ([#656](https://redirect.github.com/endevco/aube/pull/656))
- *(install)* OSV checks now extend to the full resolved graph, routed live-API vs. local OSV mirror based on whether resolution produced fresh `(name, version)` picks; opt-in `advisoryCheckOnInstall` covers plain reinstalls, `advisoryCheckEveryInstall` forces live API every time ([#678](https://redirect.github.com/endevco/aube/pull/678))
- *(add)* Auto-skip supply-chain gates for packages routed through a non-`registry.npmjs.org` registry, plus a new `allowedUnpopularPackages` glob allowlist to silence the downloads gate on known-internal names ([#673](https://redirect.github.com/endevco/aube/pull/673))

#### Changed

- *(install)* No longer rewrites `package.json` / workspace yaml to seed `allowBuilds: { <pkg>: "set this to true or false" }` placeholders for unreviewed build scripts ([#662](https://redirect.github.com/endevco/aube/pull/662))
- *(install perf)* Deleted the pre-resolver direct-dep packument prefetch; 12–22% wall-time win across fixture size, bandwidth, and RTT ([#672](https://redirect.github.com/endevco/aube/pull/672))
- *(add)* `--allow-build=<pkg>` now flips an existing deny instead of erroring, help renders correctly as `--allow-build=<PKG>`, and the no-op `--ignore-scripts` is hidden on `add` / `import` / `update` ([#660](https://redirect.github.com/endevco/aube/pull/660))

#### Fixed

- *(linker)* Windows bin shims for `aube add --global … --allow-build=<dep>` no longer emit a duplicated install-root path segment when `.aube/<dep>/` sits behind a directory junction ([#659](https://redirect.github.com/endevco/aube/pull/659))
- *(global)* `aube remove --global` on Windows no longer fails with `Access is denied (os error 5)` on the hash pointer when it's an NTFS directory junction ([#658](https://redirect.github.com/endevco/aube/pull/658))

### [`v1.12.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.12.0): Tidier config, smarter installs from bun.lock

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.11.0...v1.12.0)

A round of fixes driven by user reports — `bun.lock` imports now keep peer-only packages, the store layout is reorganized so one cache mount covers everything, and `aube config set` stops scribbling unknown keys into `.npmrc`.

#### Added

- **Smarter `aube config set` / `delete` routing** ([#634](https://redirect.github.com/endevco/aube/pull/634) by [@jdx](https://redirect.github.com/jdx)) — Writes only land in `.npmrc` for the npm-shared surface (per-host auth/cert templates, scoped registries, and a curated allowlist of npm-standard scalars like `registry`, `proxy`, `fetch-retries`, …). Aube-only and pnpm-only keys (`autoInstallPeers`, `dangerouslyAllowAllBuilds`, `pnpmfilePath`, …) plus unknown free-form keys now go to `~/.config/aube/config.toml`. Dotted writes for aube map settings — `aube config set --local allowBuilds.@mongodb-js/zstd true`, `aube config set --local overrides.lodash 4.17.21` — edit a single entry of `pnpm-workspace.yaml` (or `package.json#<pnpm|aube>.<map>`) in place. `aube config delete` sweeps both files so legacy writes from older versions are still cleaned up. New error code `ERR_AUBE_CONFIG_NESTED_AUBE_KEY` covers invalid nested writes.
- **Polished install progress display** ([#616](https://redirect.github.com/endevco/aube/pull/616) by [@jdx](https://redirect.github.com/jdx)) — The bar is now cyan across every phase (no more "completing twice" as the phase flips green), reserves the final slice so it never reads 100% while the linker is still running, and paints a full 100% from a new `done` phase on `finish()` / `stop()` so the last frame matches the `✓` summary line. The displayed `~XX MB` total is now a dynamic blend of the static `unpackedSize × 0.20` fallback and a linear extrapolation from observed bytes-per-package — converging to the real total instead of overshooting by ~48%. `resolving` switched yellow → cyan, the `pkgs` counter is bold/uncolored mid-install, and `WARN_AUBE_SLOW_METADATA` drops redundant fields.

#### Fixed

- **Peer-only packages from `bun.lock` no longer silently dropped** ([#639](https://redirect.github.com/endevco/aube/pull/639) by [@jdx](https://redirect.github.com/jdx)) — `filter_graph`'s GC walk ran *before* `hoist_auto_installed_peers`, so peer-installed deps like `@mui/material` that weren't directly listed in workspace `dependencies:` got pruned as unreachable before the hoist could promote them. The pipeline now hoists first, then walks. On the linked repro, `aube install` goes from 6 packages (with broken `@mui/material` / `@emotion/*`) to 44 with everything resolved.
- **`bun.lock` imports now run the peer-context pass** ([#619](https://redirect.github.com/endevco/aube/pull/619) by [@jdx](https://redirect.github.com/jdx)) — `LockfileKind::Bun` was missing from the `apply_peer_contexts` branch, so peer-dependent packages landed at `.aube/<pkg>@<ver>/` without sibling peer links and walked up to whatever hoisted copy they found. Now they get peer-qualified `dep_paths` (e.g. `@cloudflare+vite-plugin@1.17.1_vite@8.0.10_…`) with correct sibling symlinks, matching the npm-lockfile import behavior.
- **Stale cached indexes now self-heal at fetch time** ([#635](https://redirect.github.com/endevco/aube/pull/635) by [@jdx](https://redirect.github.com/jdx)) — Cached package indexes moved from `$XDG_CACHE_HOME/aube/index/` into the store at `<store>/v1/index/`, next to `v1/files/`. The install fast path swapped `load_index` for `load_index_verified`, so an index whose CAS shards have drifted out from under it is dropped at fetch classification and the tarball re-fetched cleanly — instead of the materializer dying mid-link with `ERR_AUBE_MISSING_STORE_FILE`. Fixes a BuildKit cache-mount footgun where only one of the two cache dirs would be persisted.
- **`engines.pnpm` no longer triggers spurious version warnings** ([#633](https://redirect.github.com/endevco/aube/pull/633) by [@jdx](https://redirect.github.com/jdx)) — A project pinning `engines.pnpm: ">=10.11.1"` produced `warn: wanted pnpm >=10.11.1, got 1.x` on every install (or a hard failure under `engine-strict`). Aube and pnpm live in different version namespaces, so honoring this field was net-negative. `engines.pnpm` is now skipped entirely; `engines.aube` is still honored for projects that want to gate on the running tool, and `engines.node` is unchanged.
- **`update -i` no longer reports phantom upgrade rows for catalog deps** ([#636](https://redirect.github.com/endevco/aube/pull/636) by [@jdx](https://redirect.github.com/jdx)) — When a `catalog:` dep resolved to a newer version while the same name was pulled in transitively at an older one (e.g. `jose@6.2.3` direct + `jose@5.10.0` via `@upstash/qstash`), `lookup_pkg`'s name-scan picked the transitive snapshot as "current" and offered a downgrade row the rewrite path then ignored. Lookup now goes through the importer's `DirectDep.dep_path`. The companion fix extends the `--latest` prerelease guard to the *locked* version, so `"^1.0.0-rc.1"` isn't silently rewritten to whatever the registry's `latest` dist-tag points at.
- **`update` / `add` / `dedupe` / `remove` / `audit` preserve cross-platform optionals and `time:` entries** ([#637](https://redirect.github.com/endevco/aube/pull/637) by [@jdx](https://redirect.github.com/jdx)) — These commands now route through install's `configure_resolver`, inheriting the full settings pipeline (`supportedArchitectures`, `resolutionMode`, `minimumReleaseAge`, overrides, …). They opt out of the full-packument disk cache so an immediately-following re-resolve picks up registry `dist-tag` changes, and the resolver carries forward the prior lockfile's `time:` entry when a fresh corgi packument lacks publish time for a resolved version — so direct deps don't lose their `time:` line on update.
- **`aube add --global --allow-build=<pkg>` actually pre-approves builds** ([#620](https://redirect.github.com/endevco/aube/pull/620) by [@jdx](https://redirect.github.com/jdx)) — The synthetic inner `AddArgs` was being built with `allow_build: Vec::new()`, silently dropping the outer flag and erroring with "must be reviewed before install" under `strictDepBuilds=true`. The flag is now plumbed through `run_global` / `run_global_inner` and approvals are written to the throwaway install dir's `package.json#aube.allowBuilds` before lifecycle scripts run.

#### Changed

- **`aube store path` now returns the `v1/` directory** ([#635](https://redirect.github.com/endevco/aube/pull/635)) — One level above the previous `v1/files/` output, so a single Docker BuildKit cache mount or backup captures both the CAS and the new co-located index dir. Scripts consuming `aube store path` will now mount one level higher (the intended behavior). A lazy in-place migration from the legacy `$XDG_CACHE_HOME/aube/index/` location runs on the first store open after upgrade (rename fast path, recursive-copy fallback for cross-FS).

### [`v1.11.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.11.0): Workspace-root flags, scoped config, and a 2× macOS CAS fast path

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.4...v1.11.0)

#### Added

- *(install)* Fill the resolving bar against a real denominator so the progress bar advances during dependency resolution ([#611](https://redirect.github.com/endevco/aube/pull/611))
- *(outdated, update)* Wire `-w/--workspace-root` to retarget cwd at the workspace root from a sub-package ([#614](https://redirect.github.com/endevco/aube/pull/614))
- *(config)* Scope-split settings precedence and project `<cwd>/.config/aube/config.toml` support ([#608](https://redirect.github.com/endevco/aube/pull/608))
- *(deploy)* Accept `--offline` and `--prefer-offline`, forwarded into the deploy install ([#606](https://redirect.github.com/endevco/aube/pull/606))
- *(store)* Direct-write CAS fast path on macOS under an exclusive install lock (~2× per-file CAS write speedup) ([#615](https://redirect.github.com/endevco/aube/pull/615))

#### Fixed

- *(linker)* Bin shims now point `NODE_PATH` at the hidden modules dir, and the isolated linker defaults `preferSymlinkedExecutables` to shims so `extendNodePath` actually works ([#613](https://redirect.github.com/endevco/aube/pull/613))
- *(install/lockfile/outdated/update)* Address several bugs reported in [#602](https://redirect.github.com/endevco/aube/discussions/602): lockfile rewrites when a dep moves between `dependencies`/`devDependencies`, `outdated -r` includes the workspace root, semver-diff color in `Wanted`/`Latest`, smarter `update -i` picker, and `updateConfig.ignoreDependencies` is loaded from the workspace root ([#610](https://redirect.github.com/endevco/aube/pull/610))
- *(install)* Probe link strategy against the actual destination dir so cross-FS installs with GVS enabled hardlink instead of falling back to per-file copy ([#604](https://redirect.github.com/endevco/aube/pull/604))
- *(install)* Surface the underlying materializer error instead of a generic "channel closed" message ([#607](https://redirect.github.com/endevco/aube/pull/607))
- *(progress)* Clamp `reused` on a downward `set_total` rebase so summaries stop reporting `reused > resolved` ([#609](https://redirect.github.com/endevco/aube/pull/609))
- *(config)* Preserve a symlinked `~/.config/aube/config.toml` on write ([#605](https://redirect.github.com/endevco/aube/pull/605))
- *(registry)* Coalesce slow-metadata warnings into a single resolve-end summary instead of one warning per slow packument ([#592](https://redirect.github.com/endevco/aube/pull/592))

### [`v1.10.4`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.4): Streaming tarball retries + 32-bit Linux build fix

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.3...v1.10.4)

Two targeted fixes: cold installs now retry transient registry failures on the streaming tarball path, and `aube-store` builds cleanly on 32-bit Linux again.

#### Fixed

- **Streaming tarball fetch retries transient failures** ([#591](https://redirect.github.com/endevco/aube/pull/591) by [@jdx](https://redirect.github.com/jdx)) — `start_tarball_stream` (the default install hot path for sha512-pinned lockfile entries) used to skip retry entirely to avoid unwinding partial CAS writes mid-stream. That reasoning is sound for mid-stream errors, but it also leaked into *pre-response* failures: a 503, 429, connection refused, or connection reset before any chunk had flowed would propagate straight back to the caller with no recovery, while the buffered path retried the same failures up to `fetchRetries` times. The initial `send().await` now retries on `is_retriable_status` (5xx + 429, honoring `Retry-After`) and on transport errors (bounded by `TIMEOUT_RETRY_CAP`), emitting the existing `WARN_AUBE_HTTP_RETRY_TRANSIENT` / `_TRANSPORT` logs. Once headers pass `error_for_status` and chunks start flowing, behavior is unchanged. Caught on a macOS PGO dry-run where Verdaccio / the throttle-proxy hiccupped and the install bailed without a single retry log line.
- **`aube-store` builds on 32-bit Linux** ([#587](https://redirect.github.com/endevco/aube/pull/587) by [@jdx](https://redirect.github.com/jdx)) — The `posix_fallocate` wrapper hard-coded `len: i64`, which matches `libc::off_t` on every 64-bit target but breaks armhf, where the default (non-LFS) `off_t = i32`. The wrapper now takes `libc::off_t` directly and the single call site casts `bytes.len() as libc::off_t`, unblocking Launchpad's Ubuntu Resolute armhf build of aube and any downstream `armv7-unknown-linux-gnueabihf` consumer.

### [`v1.10.3`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.3)

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.2...v1.10.3)

> [!NOTE]
> No user-visible code changes since v1.10.2. Tagged so the release-plz / `cargo publish` cadence stays unbroken; entries below are CI and benchmark tooling.

#### Fixed

- *(ci)* Add native `aarch64-unknown-linux-gnu` PGO matrix row and bump macOS arm64 PGO to `macos-arm64-large` to work around the v1.10.1 instrumented-binary segfault ([#582](https://redirect.github.com/endevco/aube/pull/582))
- *(bench)* Install yarn 4 via `npm:@yarnpkg/cli-dist@latest` — the `yarn` npm package only publishes 1.x and 2.x ([#583](https://redirect.github.com/endevco/aube/pull/583))
- *(bench)* Pass `--frozen-lockfile` to vlt install scenarios so vlt is measured on the same path as every other tool in the matrix ([#581](https://redirect.github.com/endevco/aube/pull/581))

#### Binaries

This release ships without prebuilt archives. Install via `cargo install aube`, `mise use aube`, or `npm i -g aube`.

### [`v1.10.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.2)

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.1...v1.10.2)

> [!NOTE]
> No user-visible code changes since v1.10.1. Tagged so the release-plz / `cargo publish` cadence stays unbroken; entries below are CI and benchmark tooling.

#### Changed

- *(ci)* Bump x86_64 Linux PGO release runners to `linux-amd64-large` (32 GB) to fix OOM during the instrumented link step ([#577](https://redirect.github.com/endevco/aube/pull/577))
- *(docs)* Benchmark matrix switches yarn to berry, adds **deno** and **vlt**, refreshes the landing-page chart ([#578](https://redirect.github.com/endevco/aube/pull/578))

#### Binaries

This release has a partial archive set. For a complete set of prebuilts, use a later release — or install via `cargo install aube`, `mise use aube`, or `npm i -g aube`.

### [`v1.10.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.1)

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.0...v1.10.1)

#### Added

- *(install)* Post-install summary flags **deprecated** and **outdated** direct deps inline so you see what to upgrade without scrolling back through fetch output ([#575](https://redirect.github.com/endevco/aube/pull/575))

#### Fixed

- *(deploy)* `aube deploy` resolves `catalog:` references and accepts packages without an explicit `version` field ([#574](https://redirect.github.com/endevco/aube/pull/574))
- *(install)* Pad package counts in the progress UI and drop the ETA placeholder when none is available ([#570](https://redirect.github.com/endevco/aube/pull/570))
- *(release)* `npm publish` skips already-published versions so re-running the publish workflow is idempotent ([#565](https://redirect.github.com/endevco/aube/pull/565))

#### Changed

- *(release)* x86_64 Linux GNU/musl and macOS arm64 binaries now ship as PGO-optimized artifacts. Linux x86_64 uses `cross` for the glibc baseline; macOS arm64 builds natively ([#572](https://redirect.github.com/endevco/aube/pull/572))

#### Performance

- *(registry)* Swap `simd-json` for `sonic-rs` on the packument hot path ([#569](https://redirect.github.com/endevco/aube/pull/569))
- *(registry)* Drop deep clone and `fsync` from packument cache writes ([#568](https://redirect.github.com/endevco/aube/pull/568))

#### Binaries

This release has a partial archive set. For a complete set of prebuilts, use a later release — or install via `cargo install aube`, `mise use aube`, or `npm i -g aube`.

### [`v1.10.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.0): Recursive runs grow up, install gets a diagnostics microscope

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.9.1...v1.10.0)

#### Added

- *(cli)* Wire the recursive-run flags (`--sort`/`--no-sort`, `--reverse`, `--resume-from`, `--workspace-concurrency`, `--reporter-hide-prefix`) and add a per-package output multiplexer for parallel runs ([#545](https://redirect.github.com/endevco/aube/pull/545))
- *(diag)* End-to-end install instrumentation and the `aube diag analyze` / `aube diag compare` subcommands behind a new `--diag <summary|trace|live|full>` flag ([#547](https://redirect.github.com/endevco/aube/pull/547))
- *(install)* Post-install dependency summary grouped by dependency type ([#559](https://redirect.github.com/endevco/aube/pull/559))
- *(update)* `--lockfile-only` flag to refresh `aube-lock.yaml` without touching `node_modules` ([#560](https://redirect.github.com/endevco/aube/pull/560))
- *(add)* `linkWorkspacePackages` and `saveWorkspaceProtocol` settings plus `--save-workspace-protocol` / `--no-save-workspace-protocol` flags ([#539](https://redirect.github.com/endevco/aube/pull/539))

#### Fixed

- *(workspace)* Linker no longer substitutes a workspace sibling for a registry-pinned dep, lockfile drift flags orphan importers, recursive `remove` skips projects that don't declare the dep, and parent-relative `../**` globs in `pnpm-workspace.yaml` are honored ([#564](https://redirect.github.com/endevco/aube/pull/564))
- *(workspace)* Filtered runs respect `--workspace-root` and `includeWorkspaceRoot: true` ([#556](https://redirect.github.com/endevco/aube/pull/556))
- *(update)* Filtered workspace updates merge back into the shared root lockfile under `sharedWorkspaceLockfile=true` instead of leaving per-package `aube-lock.yaml` files behind ([#558](https://redirect.github.com/endevco/aube/pull/558))
- *(update)* `--interactive` renders a multiselect picker, fails fast on non-TTY, and `--latest` preserves `catalog:` / `catalog:<name>` specifiers ([#552](https://redirect.github.com/endevco/aube/pull/552))
- *(pnpmfile)* Hard-fail the install when a defined `readPackage` hook returns a non-object ([#562](https://redirect.github.com/endevco/aube/pull/562))
- *(deploy)* Keep filtered workspace packages in the index when `package.json` has no `version` ([#549](https://redirect.github.com/endevco/aube/pull/549))
- *(install)* Inherit top-level `pnpm.allowBuilds` approvals into the nested install used for git-dep `prepare` ([#546](https://redirect.github.com/endevco/aube/pull/546))
- *(cli)* Skip `verifyDepsBeforeRun` checks when `npm_lifecycle_event` is set, fixing both the `error`-mode hard-fail and the `install`-mode lock deadlock from nested `aube run` inside lifecycle scripts ([#538](https://redirect.github.com/endevco/aube/pull/538))
- *(install)* Interactive `aube approve-builds` requires at least one selection and the TTY guard checks both stdin and stderr ([#537](https://redirect.github.com/endevco/aube/pull/537))

#### Changed

- *(install)* New `aube_util::adaptive` limiter (slow-start, AIMD, CUSUM-gated shrink) wired at every previously magic-numbered concurrency site, with a separate http1-only reqwest client for tarball downloads ([#548](https://redirect.github.com/endevco/aube/pull/548))
</details>

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation - Only on Friday (`* * * * 5`)
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This commit is contained in:
parent
5b3e4e007b
commit
5b45072a5e
1 changed files with 1 additions and 1 deletions
@ -8,7 +8,7 @@ tasks.release-plz = "./scripts/release-plz.sh"
[tools]
node = '24'
aube = 'v1.9.1'
aube = 'v1.14.1'
git-cliff = 'latest'
gh = 'latest'
communique = 'latest'
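Review bot: the bump from `aube = 'v1.9.1'` to `aube = 'v1.14.1'` in the `[tools]` table crosses the v1.10.0 behaviour changes quoted in the release notes above, notably the install now hard-failing when a `readPackage` hook returns a non-object, `verifyDepsBeforeRun` checks being skipped when `npm_lifecycle_event` is set, and the new adaptive concurrency limiter with a separate http1-only client for tarball downloads; since this PR is configured to automerge, confirm that the jobs which invoke aube have actually been exercised against v1.14.1 before it lands. The pin also remains a plain tag string with no accompanying checksum, so nothing in this hunk itself verifies the release artifact that gets installed.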