From 69c24ed9206bc145dcdd8fa072fc6031ceb14c8d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 29 May 2026 05:29:50 +0000 Subject: [PATCH] chore(deps): update dependency aube to v1.15.0 (#498) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.14.1` → `v1.15.0` | `v1.16.0` | --- ### Release Notes
endevco/aube (aube) ### [`v1.15.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.15.0): : Yarn Berry portal/exec/patch + deny-build [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.14.1...v1.15.0) This release closes three Yarn Berry compatibility gaps (`portal:`, `exec:`, and `patch:` protocols), adds an `aube add --deny-build` flag for `strictDepBuilds=true` workflows, and fixes two install-correctness bugs around workspace updates and Bun patched dependencies. #### Added - *(yarn)* **Berry `portal:` and `exec:` protocols** ([#​729](https://redirect.github.com/endevco/aube/pull/729) by [@​jdx](https://redirect.github.com/jdx)) — Yarn Berry lockfile entries using `portal:` and `exec:` are now parsed instead of skipped, and round-trip cleanly when aube writes the lockfile back (`portal:` as `linkType: soft`, `exec:` as a generated hard-link package). `portal:` targets materialize as local packages whose dependencies are followed (matching Yarn's documented difference from `link:`); `exec:` generator scripts run into a temp build directory and the generated package is imported, with versions and dependencies locked at resolve time. `exec:` generators require Node.js on `PATH`, are blocked under `--ignore-scripts`, and are rejected if the generator path resolves outside the project root. - *(yarn)* **Berry `patch:` protocol** ([#​728](https://redirect.github.com/endevco/aube/pull/728) by [@​jdx](https://redirect.github.com/jdx)) — Berry `patch:` resolutions are now parsed into aube's patched-dependency map (builtin patches are skipped), preserved on lockfile write, and threaded through install/link so the referenced Yarn patch files are actually applied during materialization. Previously these entries were silently dropped, so Berry projects relying on `patch:` could install with unpatched package contents. - *(add)* **`aube add --deny-build=`** ([#​730](https://redirect.github.com/endevco/aube/pull/730), closes [#​726](https://redirect.github.com/endevco/aube/discussions/726), by [@​jdx](https://redirect.github.com/jdx)) — Repeatable flag that records a dependency's lifecycle scripts as reviewed-and-denied by writing `allowBuilds.=false` before install. This lets `strictDepBuilds=true` workflows explicitly skip selected package builds without failing the install, and is forwarded through global installs (`aube add -g --deny-build=`). Specifying the same package in both `--allow-build` and `--deny-build` is rejected with the new `ERR_AUBE_CONFLICTING_BUILD_FLAGS`. ```sh # Mark esbuild's postinstall as reviewed-and-denied, then install aube add --deny-build=esbuild esbuild ``` #### Fixed - *(update)* **Workspace-member `aube update` writes to the root lockfile** ([#​732](https://redirect.github.com/endevco/aube/pull/732) by [@​jdx](https://redirect.github.com/jdx)) — `aube update` run inside a workspace member previously started from the nearest project root and produced `sub/aube-lock.yaml`, disagreeing with `aube install` (which already targets the workspace root). Plain member updates now merge into the shared workspace-root `aube-lock.yaml` via the same helper used by filtered/recursive updates, carrying per-importer `workspace_extra_fields` alongside dependency and skipped-optional metadata. - *(bun)* **Bun top-level `patchedDependencies` are applied at install** ([#​724](https://redirect.github.com/endevco/aube/pull/724) by [@​jdx](https://redirect.github.com/jdx)) — aube preserved Bun's `package.json#patchedDependencies` in `bun.lock`, but install-time patch loading only read `pnpm.patchedDependencies`, `aube.patchedDependencies`, and workspace YAML entries — so Bun-only projects could install successfully while materializing unpatched package contents. Bun's top-level field is now merged into the patch sources used by install (including for BOM-prefixed `package.json`), and is correctly removed when the map becomes empty. **Full Changelog**: #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.
--- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- mise.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mise.toml b/mise.toml index 7d72ab4..46b7126 100644 --- a/mise.toml +++ b/mise.toml @@ -8,7 +8,7 @@ tasks.release-plz = "./scripts/release-plz.sh" [tools] node = '24' -aube = 'v1.14.1' +aube = 'v1.15.0' git-cliff = 'latest' gh = 'latest' communique = 'latest'