This PR contains the following updates:
| Package | Update | Change | Pending |
|---|---|---|---|
| [aube](https://redirect.github.com/endevco/aube) | minor | `1.4` β
`v1.5.1` | `v1.9.1` (+6) |
---
### Release Notes
<details>
<summary>endevco/aube (aube)</summary>
###
[`v1.5.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.1):
: POSIX colon tarball filenames
[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.5.0...v1.5.1)
A small patch release fixing tarball installs that contain `:` in entry
filenames on POSIX platforms (e.g. `redos-detector@6.1.4`'s
`dist/__mocks__/package-json:version.d.ts`).
#### Fixed
- **POSIX colon tarball filenames** β the store tarball validator and
the linker's `validate_index_key` previously rejected `:` on every
platform to defend against Windows drive-prefix and NTFS
alternate-data-stream ambiguity. That guard was too broad for POSIX,
where colon is a valid filename character, and caused installs of
packages like `redos-detector@6.1.4` to fail. Both guards are now
platform-gated: `:` is still rejected on Windows, but accepted on Linux
and macOS.
([#​386](https://redirect.github.com/endevco/aube/pull/386) by
[@​jdx](https://redirect.github.com/jdx))
**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.5.0...v1.5.1>
#### π Sponsor aube
aube is part of [**en.dev**](https://en.dev) β an independent
developer-tooling studio run by
[@​jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.
If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.
###
[`v1.5.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.0):
: Dependency graph queries and patch/lockfile fixes
[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.4.0...v1.5.0)
This release adds `aube query` for selector-based dependency graph
inspection, fixes patch application against CRLF tarball files, repairs
npm-aliased catalog dependencies in pnpm-generated lockfiles, and
unifies how aube decides where to write workspace settings.
#### Added
- **`aube query`** β a vlt-inspired dependency-graph query command.
Supply a selector expression (attribute predicates plus pseudo-selectors
like `:scripts`, `:bin`, `:peer`, `:type(...)`, `:license(...)`),
optionally scope with workspace `--filter`/`--prod`/`--dev` roots, and
emit human-readable, `--parseable`, or `--json` output. Reads only the
local lockfile.
([#​380](https://redirect.github.com/endevco/aube/pull/380) by
[@​jdx](https://redirect.github.com/jdx))
#### Fixed
- **Patches against CRLF text files** β tarballs published from Windows
editors (e.g. `gifuct-js@2.1.2/index.d.ts`) ship CRLF, but
git/pnpm-style patches always emit LF, and diffy refused to match LF
hunks against CRLF context. aube now normalizes the original to LF
before applying and restores CRLF on write β matching pnpm's approach β
with a `\r\r\n` collapse so a literal `\r` byte mid-line doesn't gain a
second carriage return.
([#​384](https://redirect.github.com/endevco/aube/pull/384) by
[@​jdx](https://redirect.github.com/jdx))
- **`aube patch-commit` destination** β previously wrote unconditionally
to `pnpm.patchedDependencies` in `package.json` even on projects already
using the pnpm v10+ workspace-yaml home. A single rule now applies to
every command that mutates a setting which can live in either the
workspace yaml or `package.json#{pnpm,aube}.<key>`:
1. If a workspace yaml exists on disk β write there.
2. Otherwise, if `package.json#pnpm` is already declared β write
`pnpm.<key>` (preserve the user's namespace).
3. Otherwise β write `aube.<key>`.
`aube patch-remove` now strips entries from every place they could live
and reports the files actually rewritten. The same rule covers `aube
approve-builds` and install-time auto-deny seeding.
([#​384](https://redirect.github.com/endevco/aube/pull/384) by
[@​jdx](https://redirect.github.com/jdx))
- **npm-aliased catalog deps from pnpm lockfiles** β `aube install
--frozen-lockfile` previously accepted a pnpm lockfile with `beamcoder:
npm:beamcoder-prebuild@β¦` declared via `pnpm-workspace.yaml#catalog` and
silently produced an empty `node_modules`, because the importer's
specifier was `'catalog:'` and alias detection only fired on
`specifier.starts_with("npm:")`. Aliases are now detected purely from
the canonical `<real>@​<resolved>` `version:` shape, with a
peer-suffix strip so `version: 18.2.0(react@18.2.0)` isn't
misclassified.
([#​384](https://redirect.github.com/endevco/aube/pull/384) by
[@​jdx](https://redirect.github.com/jdx))
- **Bounded resolver stream** β the resolved-package stream is now a
bounded Tokio channel sized from the same network concurrency used by
fetch workers, with awaited sends so resolver/fetch overlap applies
backpressure instead of accumulating an unbounded queue.
([#​377](https://redirect.github.com/endevco/aube/pull/377) by
[@​jdx](https://redirect.github.com/jdx))
#### Changed
- **`aube-workspace.yaml` is the default-write filename** β when neither
`aube-workspace.yaml` nor `pnpm-workspace.yaml` exists, `aube
approve-builds` (and the install-time auto-seed of unreviewed build
scripts) now creates `aube-workspace.yaml` so it pairs with
`aube-lock.yaml` instead of leaving mixed vendor namespaces side by
side. Existing `pnpm-workspace.yaml` files keep being mutated in place.
([#​382](https://redirect.github.com/endevco/aube/pull/382) by
[@​jdx](https://redirect.github.com/jdx))
- **Comment-preserving workspace-yaml writes** β yaml writes now skip
the rewrite when the closure produces no structural change, so user
comments survive every no-op update to `allowBuilds`,
`patchedDependencies`, and catalog cleanup.
([#​384](https://redirect.github.com/endevco/aube/pull/384) by
[@​jdx](https://redirect.github.com/jdx))
- **Install phase timing sink** β set `AUBE_BENCH_PHASES_FILE` to append
per-phase install timings (resolve/fetch/link/scripts/state/sweep) as
JSONL, optionally tagged with `AUBE_BENCH_SCENARIO`. The benchmark
harness samples aube install-shaped scenarios and
`benchmarks/generate-phase-results.mjs` turns the JSONL into a Markdown
table plus a structured JSON artifact.
([#​381](https://redirect.github.com/endevco/aube/pull/381) by
[@​jdx](https://redirect.github.com/jdx))
**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.4.0...v1.5.0>
#### π Sponsor aube
aube is part of [**en.dev**](https://en.dev) β an independent
developer-tooling studio run by
[@​jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.
If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.
</details>
---
### Configuration
π **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
π¦ **Automerge**: Enabled.
β» **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
π **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
## Summary
Switches the project's package-manager surface from a mix of `npm` /
`pnpm` / `bun` (different commands in different files) to a single tool:
[aube](https://aube.en.dev), en.dev's pnpm-compat package manager
(native Rust, fast, drops cleanly into pnpm/npm-compatible workflows).
| | Before | After |
|---|---|---|
| Workflows install step | `npm ci` | `aube ci` |
| Workflows run scripts | `npm run X` | `aubr X` (`aubr` is the `aube
run` shorthand) |
| `mise.toml` tasks | mixed `npm run` / `bun run` | `aubr X` |
| Lockfile | `package-lock.json` | `package-lock.json` (unchanged β aube
reads it directly) |
The `aubr` binary ships alongside `aube` in the same install β it's the
script-runner shorthand (`aubr <script>` β‘ `aube run <script>`). Saves a
word in every workflow / mise.toml line.
## What didn't change
- **`package-lock.json`** stays as the canonical lockfile. aube reads it
directly; no `aube-lock.yaml` is generated. Running `npm install` still
works for any dev who hasn't switched to aube yet.
- **`package.json` scripts** still use `npm run X` for nested
invocations (e.g. `"all": "npm run format:write && β¦"`). The literal
`npm` works for both callers β aube's shell exec finds `npm` in PATH,
the inner invocation re-runs the same package.json script. Keeping these
PM-agnostic avoids a forced cutover for downstream contributors.
- **`dist/`** is byte-identical after `aubr all` β parity with the
npm-built bundle verified locally.
## New project files
- **`.npmrc`** β single line: `node-linker=hoisted`. Forces a flat,
npm-style `node_modules` layout instead of aube's default
symlink/virtual-store. Required because `rollup --configPlugin
@rollup/plugin-typescript` resolves the plugin from cwd's node_modules,
and the isolated layout puts rollup under `node_modules/.aube/...` where
standard module resolution can't reach back to the project root for the
plugin. npm reads `.npmrc` but ignores `node-linker` (npm always
installs flat), so the file is safe for both PMs.
- **`pnpm-workspace.yaml`** β generated by aube 1.4 to record
build-script approvals (`unrs-resolver: false`). Project-level config;
commits like a `package.json` companion.
Pinned `aube = '1.4'` in `mise.toml`'s tools so `mise install`
provisions the right binary locally.
## Why aube
Single tool replacing three. Less context-switching for contributors,
fewer places to run `npm audit` / `bun upgrade` / `pnpm dedupe`. aube's
cold-cache install for this repo's deps is ~3s vs `npm ci` at ~10s.
## Test plan
- [x] `aube install` from clean β succeeds, all 441 packages link
cleanly
- [x] `aubr all` (format + lint + package) β succeeds, `dist/`
byte-identical to checked-in version
- [x] `aubr format:check` β clean
- [x] `aubr lint` β clean
- [x] `aubr package` β produces `dist/index.js`, `dist/index.js.map`,
`dist/licenses.txt` matching what's checked in
- [ ] Workflows: `Continuous Integration` / `autofix.ci` / `Check dist/`
/ `test` all pass on this PR
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/build-system plumbing; risk is workflow or packaging
breakage (dependency install layout, rollup config) that could prevent
`dist/` from rebuilding or CI from running, but it doesnβt change
runtime action logic.
>
> **Overview**
> Switches GitHub Actions workflows to install tooling via
`jdx/mise-action` and run installs/scripts with `aube`/`aubr` instead of
`actions/setup-node` + `npm ci`/`npm run`.
>
> Pins `aube` (`1.4`) in `mise.toml`, updates `mise` tasks and developer
docs (`CLAUDE.md`) to use `aube`/`aubr`, and adds `.npmrc`
(`node-linker=hoisted`) plus a `.gitignore` entry to avoid committing
`aube`βs generated `pnpm-workspace.yaml`.
>
> Adjusts the packaging script to use `rollup.config.mjs` (replacing the
previous TS config invocation).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
fd6530d89f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
## Summary
- Add communique tool to mise.toml
- Add `enhance-release` job to release workflow that runs after release
creation to generate AI-enhanced release notes
## Test plan
- [ ] Verify next release triggers the enhance-release job
- [ ] Confirm ANTHROPIC_API_KEY secret is configured in repo settings
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Adds a new post-release GitHub Actions job that uses an external AI
API and an elevated token to modify GitHub release notes; failures or
misconfigured secrets can break the release workflow and token scope
matters.
>
> **Overview**
> After the `release` job completes, the workflow now runs a new
`enhance-release` job that computes the tag from `package.json` and
calls `communique generate ... --github-release` to update the GitHub
release notes.
>
> The PR also adds `communique` to `mise.toml` so the tool is available
in CI, and wires in `ANTHROPIC_API_KEY` plus a dedicated
`RELEASE_PLZ_GITHUB_TOKEN` for the release-note update step.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d2335f661c. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
