13
0
Fork 0
mirror of https://github.com/jdx/mise-action.git synced 2026-07-03 09:59:32 +00:00
Commit graph

17 commits

Author SHA1 Message Date
jdx
e47eed9a5f
chore: update aube tool version (#501)
Some checks failed
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
Check dist/ / Check dist/ (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
2026-05-31 09:20:02 -05:00
renovate[bot]
69c24ed920
chore(deps): update dependency aube to v1.15.0 (#498)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| [aube](https://redirect.github.com/endevco/aube) | minor | `v1.14.1` →
`v1.15.0` | `v1.16.0` |

---

### Release Notes

<details>
<summary>endevco/aube (aube)</summary>

###
[`v1.15.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.15.0):
: Yarn Berry portal/exec/patch + deny-build

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.14.1...v1.15.0)

This release closes three Yarn Berry compatibility gaps (`portal:`,
`exec:`, and `patch:` protocols), adds an `aube add --deny-build` flag
for `strictDepBuilds=true` workflows, and fixes two install-correctness
bugs around workspace updates and Bun patched dependencies.

#### Added

- *(yarn)* **Berry `portal:` and `exec:` protocols**
([#&#8203;729](https://redirect.github.com/endevco/aube/pull/729) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — Yarn Berry lockfile
entries using `portal:` and `exec:` are now parsed instead of skipped,
and round-trip cleanly when aube writes the lockfile back (`portal:` as
`linkType: soft`, `exec:` as a generated hard-link package). `portal:`
targets materialize as local packages whose dependencies are followed
(matching Yarn's documented difference from `link:`); `exec:` generator
scripts run into a temp build directory and the generated package is
imported, with versions and dependencies locked at resolve time. `exec:`
generators require Node.js on `PATH`, are blocked under
`--ignore-scripts`, and are rejected if the generator path resolves
outside the project root.

- *(yarn)* **Berry `patch:` protocol**
([#&#8203;728](https://redirect.github.com/endevco/aube/pull/728) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — Berry `patch:`
resolutions are now parsed into aube's patched-dependency map (builtin
patches are skipped), preserved on lockfile write, and threaded through
install/link so the referenced Yarn patch files are actually applied
during materialization. Previously these entries were silently dropped,
so Berry projects relying on `patch:` could install with unpatched
package contents.

- *(add)* **`aube add --deny-build=<pkg>`**
([#&#8203;730](https://redirect.github.com/endevco/aube/pull/730),
closes
[#&#8203;726](https://redirect.github.com/endevco/aube/discussions/726),
by [@&#8203;jdx](https://redirect.github.com/jdx)) — Repeatable flag
that records a dependency's lifecycle scripts as reviewed-and-denied by
writing `allowBuilds.<pkg>=false` before install. This lets
`strictDepBuilds=true` workflows explicitly skip selected package builds
without failing the install, and is forwarded through global installs
(`aube add -g --deny-build=<pkg>`). Specifying the same package in both
`--allow-build` and `--deny-build` is rejected with the new
`ERR_AUBE_CONFLICTING_BUILD_FLAGS`.

  ```sh
  # Mark esbuild's postinstall as reviewed-and-denied, then install
  aube add --deny-build=esbuild esbuild
  ```

#### Fixed

- *(update)* **Workspace-member `aube update` writes to the root
lockfile**
([#&#8203;732](https://redirect.github.com/endevco/aube/pull/732) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `aube update` run
inside a workspace member previously started from the nearest project
root and produced `sub/aube-lock.yaml`, disagreeing with `aube install`
(which already targets the workspace root). Plain member updates now
merge into the shared workspace-root `aube-lock.yaml` via the same
helper used by filtered/recursive updates, carrying per-importer
`workspace_extra_fields` alongside dependency and skipped-optional
metadata.

- *(bun)* **Bun top-level `patchedDependencies` are applied at install**
([#&#8203;724](https://redirect.github.com/endevco/aube/pull/724) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — aube preserved Bun's
`package.json#patchedDependencies` in `bun.lock`, but install-time patch
loading only read `pnpm.patchedDependencies`,
`aube.patchedDependencies`, and workspace YAML entries — so Bun-only
projects could install successfully while materializing unpatched
package contents. Bun's top-level field is now merged into the patch
sources used by install (including for BOM-prefixed `package.json`), and
is correctly removed when the map becomes empty.

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.14.1...v1.15.0>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTguMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5OC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-29 05:29:50 +00:00
renovate[bot]
5b45072a5e
chore(deps): update dependency aube to v1.14.1 (#489)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| [aube](https://redirect.github.com/endevco/aube) | minor | `v1.9.1` →
`v1.14.1` | `v1.15.0` |

---

### Release Notes

<details>
<summary>endevco/aube (aube)</summary>

###
[`v1.14.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.1):
: Install module split

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.14.0...v1.14.1)

A maintenance release with no user-facing behavior changes. The install
command's growing `commands/install/mod.rs` was split into focused
submodules to keep the install pipeline easier to navigate. Install
behavior, flags, and output are unchanged from v1.14.0.

#### Changed

- *(install)* Extracted the fetch/import pipeline (local source import,
lockfile fetch wrapper, store-index classification, tarball
fetch/import, contextualized-index remapping) into a new
`commands/install/fetch.rs` module
([#&#8203;704](https://redirect.github.com/endevco/aube/pull/704) by
[@&#8203;jdx](https://redirect.github.com/jdx)).
- *(install)* Split the materializer, native-build critical-path
heuristic, and workspace graph/lifecycle/per-project lockfile helpers
into dedicated `materialize.rs`, `critical_path.rs`, and `workspace.rs`
modules
([#&#8203;702](https://redirect.github.com/endevco/aube/pull/702) by
[@&#8203;jdx](https://redirect.github.com/jdx)).
- *(install)* Moved post-pipeline helpers — `--lockfile-dir` importer
remapping, human install summary output, `.aube` cache
invalidation/orphan cleanup, and skipped-build warning replay — into
`lockfile_dir.rs`, `summary.rs`, `sweep.rs`, and `unreviewed_builds.rs`
([#&#8203;698](https://redirect.github.com/endevco/aube/pull/698) by
[@&#8203;jdx](https://redirect.github.com/jdx)).

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.14.0...v1.14.1>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.14.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.0):
: Bloom-filtered OSV checks and lifecycle-script content sniffing

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.13.1...v1.14.0)

Two new opt-in supply-chain layers on top of the v1.13 gates: a \~380 KB
bloom-filter prefilter that lets plain reinstalls cheaply probe the OSV
`MAL-*` set without pulling the 200 MB mirror, and a regex-based content
sniff that flags dangerous shapes in dependency
`preinstall`/`install`/`postinstall` scripts before you click through
`aube approve-builds`.

#### Added

- *(install)* **OSV bloom-filter prefilter for lockfile installs**
([#&#8203;680](https://redirect.github.com/endevco/aube/pull/680) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — New
`advisoryBloomCheck` setting (`on` / `required` / `off`, default `off`)
adds a fourth route to the post-resolve OSV decision table. Plain
reinstalls probe the resolved transitive graph against a \~380 KB bloom
filter fetched from
[`endevco/osv-bloom`](https://redirect.github.com/endevco/osv-bloom) —
regenerated upstream every 10 minutes from OSV's `MAL-*` archive — and
only escalate bloom hits to the live `/querybatch` API for exact `(name,
version)` confirmation. Bloom FPR is \~0.1%, so a typical 1000-package
lockfile triggers zero or one extra live-API round trip per install.
When both are configured, the bloom branch wins over the 200 MB
`all.zip` mirror — under 1 MB on the wire, same live-API oracle, same
`ERR_AUBE_MALICIOUS_PACKAGE` on a confirmed hit. Cached under
`$XDG_CACHE_HOME/aube/osv-bloom/` and short-circuits the download when
upstream's `set_digest_sha256` is unchanged. New warning
`WARN_AUBE_OSV_BLOOM_REFRESH_FAILED`: under `on` install continues
against the previously cached filter; under `required` it fails closed
with `ERR_AUBE_ADVISORY_CHECK_FAILED`.

- *(install)* **Content-sniff dependency lifecycle scripts before
approve-builds**
([#&#8203;685](https://redirect.github.com/endevco/aube/pull/685) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — aube's existing
supply-chain gates (OSV `MAL-*`, downloads floor, bun-compat scanner,
`BuildPolicy` allowlist) are all name-based; none inspects what
`postinstall` actually does, which leaves an OSV-ingest-lag window of
12–48h that the 2024–2026 wave of unobfuscated `curl … | sh`
postinstalls walked right through. New regex matcher fires advisory
warnings for known-dangerous shapes in lifecycle script bodies:

| Signal | Catches |
| -------------------- |
----------------------------------------------------------------------------------------------------------------
|
| `ShellPipe` | `curl … \| sh`, `wget … \| bash`, `… \| node` |
| `EvalDecode` | `eval(atob(…))`, `Function(atob(…))`,
`eval(Buffer.from(…))` |
| `CredentialFileRead` | `~/.ssh`, `~/.aws`, `~/.npmrc`, `~/.config/gh`
reads |
| `SecretEnvRead` |
`process.env.*(TOKEN\|SECRET\|API_KEY\|PASSWORD\|ACCESS_KEY\|PRIVATE_KEY\|AUTH)`
|
| `ExfilEndpoint` | Discord/Telegram webhooks, OAST hosts (`oast.pro`,
`interactsh`, `webhook.site`, `pipedream.net`, `ngrok.io`, …) |
| `BareIpHttp` | Bare-IP HTTP fetch targets (literal IPv4 hosts over
plain HTTP) |

Sniff is advisory — `allowBuilds` still gates execution — and shows up
in three places: end-of-install emits one
`WARN_AUBE_SUSPICIOUS_LIFECYCLE_SCRIPT` per flagged package alongside
the existing `WARN_AUBE_IGNORED_BUILD_SCRIPTS`; `aube approve-builds`
annotates picker rows with `⚠ suspicious: <category>` and prints a
pre-picker summary of the matched hook+description; `aube
ignored-builds` indents `⚠ <hook> — <description>` lines under each
`name@version`. Findings are re-derived per install rather than
persisted, so the regex set can evolve without a state-file migration.
Works offline, doesn't degrade to advisory in headless CI.

#### Changed

- Refreshed `benchmarks/results.json` against v1.13.1 and Bun 1.3.14
([#&#8203;687](https://redirect.github.com/endevco/aube/pull/687)) —
public ratios update to warm installs **3× Bun / 6× pnpm**, repeat test
**6× Bun / 45× pnpm**.

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.13.1...v1.14.0>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.13.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.1):
: Version-aware transitive MAL-* gate

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.13.0...v1.13.1)

A targeted fix for the transitive supply-chain gate added in v1.13.0:
the post-resolve OSV check is now version-aware, so name-level `MAL-*`
advisories stop blocking installs that resolve to clean versions of the
same package.

#### Fixed

- *(install)* **Version-aware transitive `MAL-*` check**
([#&#8203;682](https://redirect.github.com/endevco/aube/pull/682) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — The post-resolve gate
was reusing the pre-resolve name-only OSV query, so any name-level
advisory hit every install that transitively pulled in *any* version of
that package. Concretely, `aube add cowsay@1.6.0` refused with
`ERR_AUBE_MALICIOUS_PACKAGE` because cowsay's tree includes
`ansi-regex@3.0.1`, and `ansi-regex` carries the Sep 2025 shai-hulud
advisory `MAL-2025-46966` against `6.2.1` — a version published years
after `3.0.1`. The live-API and OSV-mirror lookups now send `(name,
version)` pairs, refusal messages surface `name@version (MAL-…)`, and
the local mirror index bumps to `format = 2` (storing per-advisory
affected versions; v1 indexes rebuild on next refresh, and advisories
with no enumerated versions still fail closed). The pre-resolve `aube
add` name-gate keeps its versionless query — typosquats are malicious in
every version.

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.13.0...v1.13.1>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.13.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.0):
: Supply-chain gates for `aube add`

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.12.0...v1.13.0)

#### Added

- *(install)* Bun-compatible pluggable security scanner — drop in any
`securityScanner` package that follows the Bun Security Scanner API
(oven-sh template, `@socketsecurity/bun-security-scanner`, etc.) and
aube runs it post-resolve against the full graph via a `node` bridge
([#&#8203;657](https://redirect.github.com/endevco/aube/pull/657))
- *(add)* Supply-chain gates on `aube add`: OSV `MAL-*` advisory
hard-block plus a weekly-downloads floor with TTY prompt /
`--allow-low-downloads` bypass. New `advisoryCheck` and
`lowDownloadThreshold` settings, both folded into `paranoid: true`
([#&#8203;656](https://redirect.github.com/endevco/aube/pull/656))
- *(install)* OSV checks now extend to the full resolved graph, routed
live-API vs. local OSV mirror based on whether resolution produced fresh
`(name, version)` picks; opt-in `advisoryCheckOnInstall` covers plain
reinstalls, `advisoryCheckEveryInstall` forces live API every time
([#&#8203;678](https://redirect.github.com/endevco/aube/pull/678))
- *(add)* Auto-skip supply-chain gates for packages routed through a
non-`registry.npmjs.org` registry, plus a new `allowedUnpopularPackages`
glob allowlist to silence the downloads gate on known-internal names
([#&#8203;673](https://redirect.github.com/endevco/aube/pull/673))

#### Changed

- *(install)* No longer rewrites `package.json` / workspace yaml to seed
`allowBuilds: { <pkg>: "set this to true or false" }` placeholders for
unreviewed build scripts
([#&#8203;662](https://redirect.github.com/endevco/aube/pull/662))
- *(install perf)* Deleted the pre-resolver direct-dep packument
prefetch; 12–22% wall-time win across fixture size, bandwidth, and RTT
([#&#8203;672](https://redirect.github.com/endevco/aube/pull/672))
- *(add)* `--allow-build=<pkg>` now flips an existing deny instead of
erroring, help renders correctly as `--allow-build=<PKG>`, and the no-op
`--ignore-scripts` is hidden on `add` / `import` / `update`
([#&#8203;660](https://redirect.github.com/endevco/aube/pull/660))

#### Fixed

- *(linker)* Windows bin shims for `aube add --global …
--allow-build=<dep>` no longer emit a duplicated install-root path
segment when `.aube/<dep>/` sits behind a directory junction
([#&#8203;659](https://redirect.github.com/endevco/aube/pull/659))
- *(global)* `aube remove --global` on Windows no longer fails with
`Access is denied (os error 5)` on the hash pointer when it's an NTFS
directory junction
([#&#8203;658](https://redirect.github.com/endevco/aube/pull/658))

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.12.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.12.0):
: Tidier config, smarter installs from bun.lock

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.11.0...v1.12.0)

A round of fixes driven by user reports — `bun.lock` imports now keep
peer-only packages, the store layout is reorganized so one cache mount
covers everything, and `aube config set` stops scribbling unknown keys
into `.npmrc`.

#### Added

- **Smarter `aube config set` / `delete` routing**
([#&#8203;634](https://redirect.github.com/endevco/aube/pull/634) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — Writes only land in
`.npmrc` for the npm-shared surface (per-host auth/cert templates,
scoped registries, and a curated allowlist of npm-standard scalars like
`registry`, `proxy`, `fetch-retries`, …). Aube-only and pnpm-only keys
(`autoInstallPeers`, `dangerouslyAllowAllBuilds`, `pnpmfilePath`, …)
plus unknown free-form keys now go to `~/.config/aube/config.toml`.
Dotted writes for aube map settings — `aube config set --local
allowBuilds.@&#8203;mongodb-js/zstd true`, `aube config set --local
overrides.lodash 4.17.21` — edit a single entry of `pnpm-workspace.yaml`
(or `package.json#<pnpm|aube>.<map>`) in place. `aube config delete`
sweeps both files so legacy writes from older versions are still cleaned
up. New error code `ERR_AUBE_CONFIG_NESTED_AUBE_KEY` covers invalid
nested writes.
- **Polished install progress display**
([#&#8203;616](https://redirect.github.com/endevco/aube/pull/616) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — The bar is now cyan
across every phase (no more "completing twice" as the phase flips
green), reserves the final slice so it never reads 100% while the linker
is still running, and paints a full 100% from a new `done` phase on
`finish()` / `stop()` so the last frame matches the `✓` summary line.
The displayed `~XX MB` total is now a dynamic blend of the static
`unpackedSize × 0.20` fallback and a linear extrapolation from observed
bytes-per-package — converging to the real total instead of overshooting
by \~48%. `resolving` switched yellow → cyan, the `pkgs` counter is
bold/uncolored mid-install, and `WARN_AUBE_SLOW_METADATA` drops
redundant fields.

#### Fixed

- **Peer-only packages from `bun.lock` no longer silently dropped**
([#&#8203;639](https://redirect.github.com/endevco/aube/pull/639) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `filter_graph`'s GC
walk ran *before* `hoist_auto_installed_peers`, so peer-installed deps
like `@mui/material` that weren't directly listed in workspace
`dependencies:` got pruned as unreachable before the hoist could promote
them. The pipeline now hoists first, then walks. On the linked repro,
`aube install` goes from 6 packages (with broken `@mui/material` /
`@emotion/*`) to 44 with everything resolved.
- **`bun.lock` imports now run the peer-context pass**
([#&#8203;619](https://redirect.github.com/endevco/aube/pull/619) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `LockfileKind::Bun`
was missing from the `apply_peer_contexts` branch, so peer-dependent
packages landed at `.aube/<pkg>@&#8203;<ver>/` without sibling peer
links and walked up to whatever hoisted copy they found. Now they get
peer-qualified `dep_paths` (e.g.
`@cloudflare+vite-plugin@1.17.1_vite@8.0.10_…`) with correct sibling
symlinks, matching the npm-lockfile import behavior.
- **Stale cached indexes now self-heal at fetch time**
([#&#8203;635](https://redirect.github.com/endevco/aube/pull/635) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — Cached package indexes
moved from `$XDG_CACHE_HOME/aube/index/` into the store at
`<store>/v1/index/`, next to `v1/files/`. The install fast path swapped
`load_index` for `load_index_verified`, so an index whose CAS shards
have drifted out from under it is dropped at fetch classification and
the tarball re-fetched cleanly — instead of the materializer dying
mid-link with `ERR_AUBE_MISSING_STORE_FILE`. Fixes a BuildKit
cache-mount footgun where only one of the two cache dirs would be
persisted.
- **`engines.pnpm` no longer triggers spurious version warnings**
([#&#8203;633](https://redirect.github.com/endevco/aube/pull/633) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — A project pinning
`engines.pnpm: ">=10.11.1"` produced `warn: wanted pnpm >=10.11.1, got
1.x` on every install (or a hard failure under `engine-strict`). Aube
and pnpm live in different version namespaces, so honoring this field
was net-negative. `engines.pnpm` is now skipped entirely; `engines.aube`
is still honored for projects that want to gate on the running tool, and
`engines.node` is unchanged.
- **`update -i` no longer reports phantom upgrade rows for catalog
deps** ([#&#8203;636](https://redirect.github.com/endevco/aube/pull/636)
by [@&#8203;jdx](https://redirect.github.com/jdx)) — When a `catalog:`
dep resolved to a newer version while the same name was pulled in
transitively at an older one (e.g. `jose@6.2.3` direct + `jose@5.10.0`
via `@upstash/qstash`), `lookup_pkg`'s name-scan picked the transitive
snapshot as "current" and offered a downgrade row the rewrite path then
ignored. Lookup now goes through the importer's `DirectDep.dep_path`.
The companion fix extends the `--latest` prerelease guard to the
*locked* version, so `"^1.0.0-rc.1"` isn't silently rewritten to
whatever the registry's `latest` dist-tag points at.
- **`update` / `add` / `dedupe` / `remove` / `audit` preserve
cross-platform optionals and `time:` entries**
([#&#8203;637](https://redirect.github.com/endevco/aube/pull/637) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — These commands now
route through install's `configure_resolver`, inheriting the full
settings pipeline (`supportedArchitectures`, `resolutionMode`,
`minimumReleaseAge`, overrides, …). They opt out of the full-packument
disk cache so an immediately-following re-resolve picks up registry
`dist-tag` changes, and the resolver carries forward the prior
lockfile's `time:` entry when a fresh corgi packument lacks publish time
for a resolved version — so direct deps don't lose their `time:` line on
update.
- **`aube add --global --allow-build=<pkg>` actually pre-approves
builds**
([#&#8203;620](https://redirect.github.com/endevco/aube/pull/620) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — The synthetic inner
`AddArgs` was being built with `allow_build: Vec::new()`, silently
dropping the outer flag and erroring with "must be reviewed before
install" under `strictDepBuilds=true`. The flag is now plumbed through
`run_global` / `run_global_inner` and approvals are written to the
throwaway install dir's `package.json#aube.allowBuilds` before lifecycle
scripts run.

#### Changed

- **`aube store path` now returns the `v1/` directory**
([#&#8203;635](https://redirect.github.com/endevco/aube/pull/635)) — One
level above the previous `v1/files/` output, so a single Docker BuildKit
cache mount or backup captures both the CAS and the new co-located index
dir. Scripts consuming `aube store path` will now mount one level higher
(the intended behavior). A lazy in-place migration from the legacy
`$XDG_CACHE_HOME/aube/index/` location runs on the first store open
after upgrade (rename fast path, recursive-copy fallback for cross-FS).

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.11.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.11.0):
: Workspace-root flags, scoped config, and a 2× macOS CAS fast path

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.10.4...v1.11.0)

#### Added

- *(install)* Fill the resolving bar against a real denominator so the
progress bar advances during dependency resolution
([#&#8203;611](https://redirect.github.com/endevco/aube/pull/611))
- *(outdated, update)* Wire `-w/--workspace-root` to retarget cwd at the
workspace root from a sub-package
([#&#8203;614](https://redirect.github.com/endevco/aube/pull/614))
- *(config)* Scope-split settings precedence and project
`<cwd>/.config/aube/config.toml` support
([#&#8203;608](https://redirect.github.com/endevco/aube/pull/608))
- *(deploy)* Accept `--offline` and `--prefer-offline`, forwarded into
the deploy install
([#&#8203;606](https://redirect.github.com/endevco/aube/pull/606))
- *(store)* Direct-write CAS fast path on macOS under an exclusive
install lock (\~2× per-file CAS write speedup)
([#&#8203;615](https://redirect.github.com/endevco/aube/pull/615))

#### Fixed

- *(linker)* Bin shims now point `NODE_PATH` at the hidden modules dir,
and the isolated linker defaults `preferSymlinkedExecutables` to shims
so `extendNodePath` actually works
([#&#8203;613](https://redirect.github.com/endevco/aube/pull/613))
- *(install/lockfile/outdated/update)* Address several bugs reported in
[#&#8203;602](https://redirect.github.com/endevco/aube/discussions/602):
lockfile rewrites when a dep moves between
`dependencies`/`devDependencies`, `outdated -r` includes the workspace
root, semver-diff color in `Wanted`/`Latest`, smarter `update -i`
picker, and `updateConfig.ignoreDependencies` is loaded from the
workspace root
([#&#8203;610](https://redirect.github.com/endevco/aube/pull/610))
- *(install)* Probe link strategy against the actual destination dir so
cross-FS installs with GVS enabled hardlink instead of falling back to
per-file copy
([#&#8203;604](https://redirect.github.com/endevco/aube/pull/604))
- *(install)* Surface the underlying materializer error instead of a
generic "channel closed" message
([#&#8203;607](https://redirect.github.com/endevco/aube/pull/607))
- *(progress)* Clamp `reused` on a downward `set_total` rebase so
summaries stop reporting `reused > resolved`
([#&#8203;609](https://redirect.github.com/endevco/aube/pull/609))
- *(config)* Preserve a symlinked `~/.config/aube/config.toml` on write
([#&#8203;605](https://redirect.github.com/endevco/aube/pull/605))
- *(registry)* Coalesce slow-metadata warnings into a single resolve-end
summary instead of one warning per slow packument
([#&#8203;592](https://redirect.github.com/endevco/aube/pull/592))

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.10.4`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.4):
: Streaming tarball retries + 32-bit Linux build fix

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.10.3...v1.10.4)

Two targeted fixes: cold installs now retry transient registry failures
on the streaming tarball path, and `aube-store` builds cleanly on 32-bit
Linux again.

#### Fixed

- **Streaming tarball fetch retries transient failures**
([#&#8203;591](https://redirect.github.com/endevco/aube/pull/591) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `start_tarball_stream`
(the default install hot path for sha512-pinned lockfile entries) used
to skip retry entirely to avoid unwinding partial CAS writes mid-stream.
That reasoning is sound for mid-stream errors, but it also leaked into
*pre-response* failures: a 503, 429, connection refused, or connection
reset before any chunk had flowed would propagate straight back to the
caller with no recovery, while the buffered path retried the same
failures up to `fetchRetries` times. The initial `send().await` now
retries on `is_retriable_status` (5xx + 429, honoring `Retry-After`) and
on transport errors (bounded by `TIMEOUT_RETRY_CAP`), emitting the
existing `WARN_AUBE_HTTP_RETRY_TRANSIENT` / `_TRANSPORT` logs. Once
headers pass `error_for_status` and chunks start flowing, behavior is
unchanged. Caught on a macOS PGO dry-run where Verdaccio / the
throttle-proxy hiccupped and the install bailed without a single retry
log line.
- **`aube-store` builds on 32-bit Linux**
([#&#8203;587](https://redirect.github.com/endevco/aube/pull/587) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — The `posix_fallocate`
wrapper hard-coded `len: i64`, which matches `libc::off_t` on every
64-bit target but breaks armhf, where the default (non-LFS) `off_t =
i32`. The wrapper now takes `libc::off_t` directly and the single call
site casts `bytes.len() as libc::off_t`, unblocking Launchpad's Ubuntu
Resolute armhf build of aube and any downstream
`armv7-unknown-linux-gnueabihf` consumer.

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.10.3`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.3)

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.10.2...v1.10.3)

> \[!NOTE]
> No user-visible code changes since v1.10.2. Tagged so the release-plz
/ `cargo publish` cadence stays unbroken; entries below are CI and
benchmark tooling.

#### Fixed

- *(ci)* Add native `aarch64-unknown-linux-gnu` PGO matrix row and bump
macOS arm64 PGO to `macos-arm64-large` to work around the v1.10.1
instrumented-binary segfault
([#&#8203;582](https://redirect.github.com/endevco/aube/pull/582))
- *(bench)* Install yarn 4 via `npm:@&#8203;yarnpkg/cli-dist@latest` —
the `yarn` npm package only publishes 1.x and 2.x
([#&#8203;583](https://redirect.github.com/endevco/aube/pull/583))
- *(bench)* Pass `--frozen-lockfile` to vlt install scenarios so vlt is
measured on the same path as every other tool in the matrix
([#&#8203;581](https://redirect.github.com/endevco/aube/pull/581))

#### Binaries

This release ships without prebuilt archives. Install via `cargo install
aube`, `mise use aube`, or `npm i -g aube`.

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.10.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.2)

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.10.1...v1.10.2)

> \[!NOTE]
> No user-visible code changes since v1.10.1. Tagged so the release-plz
/ `cargo publish` cadence stays unbroken; entries below are CI and
benchmark tooling.

#### Changed

- *(ci)* Bump x86\_64 Linux PGO release runners to `linux-amd64-large`
(32 GB) to fix OOM during the instrumented link step
([#&#8203;577](https://redirect.github.com/endevco/aube/pull/577))
- *(docs)* Benchmark matrix switches yarn to berry, adds **deno** and
**vlt**, refreshes the landing-page chart
([#&#8203;578](https://redirect.github.com/endevco/aube/pull/578))

#### Binaries

This release has a partial archive set. For a complete set of prebuilts,
use a later release — or install via `cargo install aube`, `mise use
aube`, or `npm i -g aube`.

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.10.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.1)

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.10.0...v1.10.1)

#### Added

- *(install)* Post-install summary flags **deprecated** and **outdated**
direct deps inline so you see what to upgrade without scrolling back
through fetch output
([#&#8203;575](https://redirect.github.com/endevco/aube/pull/575))

#### Fixed

- *(deploy)* `aube deploy` resolves `catalog:` references and accepts
packages without an explicit `version` field
([#&#8203;574](https://redirect.github.com/endevco/aube/pull/574))
- *(install)* Pad package counts in the progress UI and drop the ETA
placeholder when none is available
([#&#8203;570](https://redirect.github.com/endevco/aube/pull/570))
- *(release)* `npm publish` skips already-published versions so
re-running the publish workflow is idempotent
([#&#8203;565](https://redirect.github.com/endevco/aube/pull/565))

#### Changed

- *(release)* x86\_64 Linux GNU/musl and macOS arm64 binaries now ship
as PGO-optimized artifacts. Linux x86\_64 uses `cross` for the glibc
baseline; macOS arm64 builds natively
([#&#8203;572](https://redirect.github.com/endevco/aube/pull/572))

#### Performance

- *(registry)* Swap `simd-json` for `sonic-rs` on the packument hot path
([#&#8203;569](https://redirect.github.com/endevco/aube/pull/569))
- *(registry)* Drop deep clone and `fsync` from packument cache writes
([#&#8203;568](https://redirect.github.com/endevco/aube/pull/568))

#### Binaries

This release has a partial archive set. For a complete set of prebuilts,
use a later release — or install via `cargo install aube`, `mise use
aube`, or `npm i -g aube`.

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.10.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.0):
: Recursive runs grow up, install gets a diagnostics microscope

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.9.1...v1.10.0)

#### Added

- *(cli)* Wire the recursive-run flags (`--sort`/`--no-sort`,
`--reverse`, `--resume-from`, `--workspace-concurrency`,
`--reporter-hide-prefix`) and add a per-package output multiplexer for
parallel runs
([#&#8203;545](https://redirect.github.com/endevco/aube/pull/545))
- *(diag)* End-to-end install instrumentation and the `aube diag
analyze` / `aube diag compare` subcommands behind a new `--diag
<summary|trace|live|full>` flag
([#&#8203;547](https://redirect.github.com/endevco/aube/pull/547))
- *(install)* Post-install dependency summary grouped by dependency type
([#&#8203;559](https://redirect.github.com/endevco/aube/pull/559))
- *(update)* `--lockfile-only` flag to refresh `aube-lock.yaml` without
touching `node_modules`
([#&#8203;560](https://redirect.github.com/endevco/aube/pull/560))
- *(add)* `linkWorkspacePackages` and `saveWorkspaceProtocol` settings
plus `--save-workspace-protocol` / `--no-save-workspace-protocol` flags
([#&#8203;539](https://redirect.github.com/endevco/aube/pull/539))

#### Fixed

- *(workspace)* Linker no longer substitutes a workspace sibling for a
registry-pinned dep, lockfile drift flags orphan importers, recursive
`remove` skips projects that don't declare the dep, and parent-relative
`../**` globs in `pnpm-workspace.yaml` are honored
([#&#8203;564](https://redirect.github.com/endevco/aube/pull/564))
- *(workspace)* Filtered runs respect `--workspace-root` and
`includeWorkspaceRoot: true`
([#&#8203;556](https://redirect.github.com/endevco/aube/pull/556))
- *(update)* Filtered workspace updates merge back into the shared root
lockfile under `sharedWorkspaceLockfile=true` instead of leaving
per-package `aube-lock.yaml` files behind
([#&#8203;558](https://redirect.github.com/endevco/aube/pull/558))
- *(update)* `--interactive` renders a multiselect picker, fails fast on
non-TTY, and `--latest` preserves `catalog:` / `catalog:<name>`
specifiers
([#&#8203;552](https://redirect.github.com/endevco/aube/pull/552))
- *(pnpmfile)* Hard-fail the install when a defined `readPackage` hook
returns a non-object
([#&#8203;562](https://redirect.github.com/endevco/aube/pull/562))
- *(deploy)* Keep filtered workspace packages in the index when
`package.json` has no `version`
([#&#8203;549](https://redirect.github.com/endevco/aube/pull/549))
- *(install)* Inherit top-level `pnpm.allowBuilds` approvals into the
nested install used for git-dep `prepare`
([#&#8203;546](https://redirect.github.com/endevco/aube/pull/546))
- *(cli)* Skip `verifyDepsBeforeRun` checks when `npm_lifecycle_event`
is set, fixing both the `error`-mode hard-fail and the `install`-mode
lock deadlock from nested `aube run` inside lifecycle scripts
([#&#8203;538](https://redirect.github.com/endevco/aube/pull/538))
- *(install)* Interactive `aube approve-builds` requires at least one
selection and the TTY guard checks both stdin and stderr
([#&#8203;537](https://redirect.github.com/endevco/aube/pull/537))

#### Changed

- *(install)* New `aube_util::adaptive` limiter (slow-start, AIMD,
CUSUM-gated shrink) wired at every previously magic-numbered concurrency
site, with a separate http1-only reqwest client for tarball downloads
([#&#8203;548](https://redirect.github.com/endevco/aube/pull/548))

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-22 06:35:41 +00:00
renovate[bot]
43db152e9b
chore(deps): update dependency aube to v1.9.1 (#478)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| [aube](https://redirect.github.com/endevco/aube) | minor | `v1.6.2` →
`v1.9.1` | `v1.14.1` (+10) |

---

### Release Notes

<details>
<summary>endevco/aube (aube)</summary>

###
[`v1.9.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.1):
: Cold install overhaul, HTTP prefetch, and workspace fixes

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.9.0...v1.9.1)

A performance- and correctness-focused patch release. Cold installs get
a streaming tarball pipeline, Linux gets an `O_TMPFILE`+`linkat` CAS
fast path, and the resolver's cold path overlaps DNS, TLS, and packument
prefetch with the manifest/workspace/lockfile work that used to
serialize them. On the fix side, `aube run` once again finds `node-gyp`
for package scripts, and `aube update` / `aube outdated` stop trying to
fetch unpublished `workspace:` deps from the registry.

#### Added

- **Pre-resolver packument prefetch + shared HTTP utilities**
([#&#8203;529](https://redirect.github.com/endevco/aube/pull/529) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) — a new
`aube-util::http` module consolidates client-side primitives (`prewarm`,
`priority`, `race`, `resolve`, `ticket_cache`) so leaf crates share one
warm-pool surface with consistent killswitch semantics. On install
entry, aube now reads `package.json` and fires fire-and-forget packument
GETs for every registry-shaped direct dep before workspace yaml load,
settings resolve, lockfile parse, and resolver construction — by the
time the resolver pops its first task, the packument cache and reqwest
pool are warm. `RegistryClient::prewarm_connection` now covers the
default registry **plus** every scoped (`@org:registry=...`) and per-uri
auth registry, with parallel DNS preresolve so DNS RTT hides behind the
TLS handshake. Abbreviated packument GETs also send `Priority: u=0` (RFC
9218 Critical) so H2 schedulers prioritize resolver-blocking metadata
over pending tarball frames. New killswitches:
`AUBE_DISABLE_DNS_PRERESOLVE`, `AUBE_DISABLE_REQUEST_RACING`,
`AUBE_DISABLE_PREFETCH`, `AUBE_DISABLE_TLS_TICKET_CACHE`. Prefetch is a
no-op when offline or when any lockfile is present.

- **Cold install pipeline overhaul**
([#&#8203;522](https://redirect.github.com/endevco/aube/pull/522) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) —
several overlapping wins on the cold-cache path:

- **Streaming tarball pipeline** (opt-in via `AUBE_TARBALL_STREAM=1`,
killswitch `AUBE_DISABLE_TARBALL_STREAM`) — HTTP body chunks pipe
through SHA-512 + gz + tar + CAS via an mpsc bridge instead of buffering
the whole tarball; non-SHA-512 SRI falls back to buffered. Bounded by
the registry's `tarball_max_bytes` cap.
- **Linux `O_TMPFILE` + `linkat` CAS publish** with `EOPNOTSUPP`
fallback to the tempfile path, `posix_fallocate` to avoid ext4
fragmentation, and `posix_fadvise(DONTNEED)` to free page cache after
publish. Killswitch: `AUBE_DISABLE_O_TMPFILE`.
- **Materialize-stream into the lockfile fast path** — both lockfile and
no-lockfile branches now share the GVS prewarm materializer, hiding
30-200ms of GVS reflinks behind the in-flight download tail.
- **Resolver tuning** — foldhash on `graph_hash` hot maps, pre-sized
resolver caches, thread-local `node_semver::Version` parse cache,
`PARALLEL_IMPORT_THRESHOLD` lowered from 256 to 16 (median npm tarball
is 7 files), and pinned tokio `worker_threads` (`cpu.min(8)`) /
`max_blocking_threads(64)` (tunable via `AUBE_TOKIO_WORKERS` /
`AUBE_TOKIO_BLOCKING`).
- **Windows** gets `FILE_ATTRIBUTE_NOT_CONTENT_INDEXED` on the store
root; cross-volume detection (drive letters on Windows, `dev` id on
Unix) is gated per-platform.

Reported same-volume Windows cold-install ratios: 1.80x-8.75x faster
than Bun across svelte/vite/next/babylon.

- **Per-project materialize pipelined into fetch**
([#&#8203;527](https://redirect.github.com/endevco/aube/pull/527) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) — when
GVS is off, each fetched `(canonical_key, PackageIndex)` triggers
`materialize_into` against `.aube/<dep_path>/` immediately, so by the
time fetch finishes the dedicated link phase only has to create
top-level `node_modules/<name>` symlinks. The driver now uses `JoinSet`
instead of `Vec<JoinHandle>`, so on early-return all in-flight tasks
abort instead of detaching and racing install cleanup. \~10% improvement
on warm fresh installs in the local benchmark matrix.

#### Fixed

- **`aube run` / `aube test` find `node-gyp`**
([#&#8203;518](https://redirect.github.com/endevco/aube/pull/518) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — package scripts only
had `node_modules/.bin` prepended to `PATH`, so `aube test` would fail
with `node-gyp: not found` on hosts that didn't already ship it. Script
execution now reuses aube's existing node-gyp bootstrap (via a lazy shim
bin dir + `AUBE_NODE_GYP_EXE` / `AUBE_NODE_GYP_PROJECT_DIR`), matching
pnpm/npm behavior. Ports pnpm's `lifecycleScripts.ts:128` coverage into
the offline node-gyp bootstrap bats suite.

- **`workspace:` deps in `aube update` / `aube outdated`**
([#&#8203;523](https://redirect.github.com/endevco/aube/pull/523) by
[@&#8203;jdx](https://redirect.github.com/jdx), fixes
[#&#8203;520](https://redirect.github.com/endevco/aube/discussions/520))
— `aube update` now discovers workspace package `name`/`version` pairs
and passes them into resolver workspace resolution so `workspace:` deps
from `package.json#workspaces` resolve locally instead of triggering
registry packument fetches. `aube outdated` filters out direct deps with
`workspace:` specifiers and reports "no matching dependencies" rather
than attempting a packument fetch. Adds a new
`WARN_AUBE_WORKSPACE_PACKAGE_MISSING_NAME` warning code for workspace
packages without a `name` field.

- **Resolver peer-context divergence is fatal**
([#&#8203;522](https://redirect.github.com/endevco/aube/pull/522) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) —
`apply_peer_contexts` hitting `MAX_ITERATIONS` used to log a warning and
ship a broken graph; it now returns a fatal
`Error::PeerContextDivergence(usize)`. `state::remove_state` errors at
`--force` and GVS-transition sites also propagate instead of being
silently swallowed, so permission-denied or Windows-locked sidecars no
longer defeat the freshness check.

- **Tarball hardening**
([#&#8203;522](https://redirect.github.com/endevco/aube/pull/522) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) —
entries declared as 0 bytes with non-zero stream payload are now
rejected (synthetic-entry injection guard), and GNU `LongName` /
`LongLink` metadata records are correctly accepted.

- **Patches loaded once per cwd**
([#&#8203;529](https://redirect.github.com/endevco/aube/pull/529) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) —
`load_patches_for_linker` walked `patches/` from disk 2-3 times per
install (lockfile-prewarm, no-lockfile-prewarm, and link-phase sites).
Now cached per cwd via `OnceLock<Mutex<HashMap<PathBuf, ...>>>`.

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.9.0...v1.9.1>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.9.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.0):
: Comment-preserving workspace edits, deploy bundling, and node
--inspect

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.8.0...v1.9.0)

A focused release: `aube deploy` learns to bundle workspace siblings and
local-path deps into the deploy artifact, workspace-yaml writers stop
eating user comments, aube-owned settings move out of `.npmrc`, and
`aube run` forwards Node debugger flags.

#### Added

- **Aube settings move out of `.npmrc`**
([#&#8203;517](https://redirect.github.com/endevco/aube/pull/517) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — known aube-owned
settings now live in `~/.config/aube/config.toml` (XDG-aware), while
registry, auth, and unknown keys keep using `.npmrc`. `aube config
get/set/list/delete` reads and writes the right file automatically, and
migrating a known setting cleans up the stale `.npmrc` entry. `.npmrc`
writes are also atomic against the **symlink target** now, so dotfile
setups that symlink `~/.npmrc` into a managed config repo stop having
the symlink replaced by a regular file.

- **`aube run --inspect` / `--inspect-brk`**
([#&#8203;515](https://redirect.github.com/endevco/aube/pull/515) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — both flags accept an
optional `[host:]port` (e.g. `--inspect=9229`,
`--inspect-brk=0.0.0.0:9230`) and are forwarded as explicit Node argv
when aube can identify a Node-backed target — direct `node ...` scripts
in `package.json` and local `node_modules/.bin` fallbacks resolved
through shims/symlinks. The flags are passed as argv rather than via
`NODE_OPTIONS`, so the debugger doesn't attach to nested Node processes
spawned by the script.

- **`aube deploy --no-prod`**
([#&#8203;507](https://redirect.github.com/endevco/aube/pull/507) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — opt out of the default
`--prod` filter for deploys that need devDependencies at runtime
(test-harness staging, build-step artifacts). Mutually exclusive with
`--prod` / `--dev`; combine with `--no-optional` to keep prod + dev but
drop optionals.

- **Comment-preserving workspace yaml writes**
([#&#8203;511](https://redirect.github.com/endevco/aube/pull/511) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — every workspace-yaml
writer (`approve-builds`, `patch-commit`, `patch-remove`, the daily
`cleanupUnusedCatalogs` install pass, and `aube config set --location
workspace`) now routes through `yamlpatch` instead of round-tripping the
file through a serializer. Keys, comments, and whitespace the edit
didn't touch land back on disk byte-identical, so user annotations on
adjacent entries survive. Empty/missing files still go through the
regular serializer since there are no comments to preserve.

#### Fixed

- **`aube deploy` bundles local dependencies**
([#&#8203;507](https://redirect.github.com/endevco/aube/pull/507) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — fixes two real bugs
reported in
[#&#8203;345](https://redirect.github.com/endevco/aube/discussions/345):

- **`workspace:*` siblings tried to fetch from the registry.** Deploy
used to rewrite `workspace:*` to a concrete version and ask install to
resolve it — fine for published siblings, broken for the (very common)
unpublished case. Reachable workspace siblings are now copied into
`<target>/.aube-deploy-injected/<id>/` and the manifest spec becomes a
relative `file:` pointer. Recursion handles sibling chains where a
sibling's own deps are workspace siblings.
- **`file:` deps resolved relative to the deploy output dir.** A
`file:../local-vendor` spec used to ride along unchanged in the deployed
manifest, pointing at `<target>/../local-vendor` instead of the source
workspace's `local-vendor`. Local-path deps now go through the same
staging pipeline.

When bundling occurs the lockfile-subset path is skipped, since the
rewritten `file:` pointers don't appear in the source lockfile and would
otherwise trip a frozen install.

- **`aube remove` preserves dependency order**
([#&#8203;511](https://redirect.github.com/endevco/aube/pull/511) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — dropping one dep used
to alphabetize the remaining entries in the affected `package.json`
section as a side effect. Surviving entries now stay in their original
on-disk order, matching pnpm/npm. (`aube add` is unaffected — sorted
inserts there are intentional.)

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.8.0...v1.9.0>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.8.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.8.0):
: Stable error codes, smarter run/dlx, and a new install progress UI

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.7.0...v1.8.0)

A polish-and-plumbing release: install progress gets a from-scratch
redesign, errors and warnings now carry stable identifiers (with bespoke
exit codes and dep-chain context), `aube run` / `aube dlx` prefer
locally-installed binaries, and a handful of workspace-from-subpackage
and `aube add` ergonomics get fixed.

#### Added

- **Redesigned install progress UI**
([#&#8203;501](https://redirect.github.com/endevco/aube/pull/501) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — fixed 15-char bar on
the left, stats on the right, phase-aware label (`resolving` /
`fetching` / `linking`), ETA, transfer rate, and an estimated install
size derived from the resolve stream:

  ```
  aube 1.8.0 by en.dev
  █████░░░░░░░░░░ 23/142 pkgs · 4.2 MB / ~13.8 MB · 1.4 MB/s · ETA 5s
  ███████████████ 1230/1230 pkgs · linking
  ✓ resolved 1230 · reused 98 · downloaded 1132 (54.6 MB) in 6.8s
  ```

Installs that finish before the first 2s heartbeat now print a single
self-identifying summary line (`✓ installed 5 packages in 423ms`)
instead of a partial bar. Also fixes two real bookkeeping bugs (a `2/1
packages` overflow on platform-mismatched non-optional deps, and the
"stuck at 90%" undercount caused by `filter_graph` dropping packages
after the denominator was inflated).

- **Local bins for `aube run` and `aube dlx`**
([#&#8203;502](https://redirect.github.com/endevco/aube/pull/502) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `aube run <name>`
falls back to `node_modules/.bin/<name>` when no `package.json` script
matches, and `aube dlx` / `aubx` will execute an already-installed local
binary instead of doing a throwaway install. Pass `-p` / `--package` (or
a versioned spec) to force the install path.

- **Stable error and warning codes**
([#&#8203;492](https://redirect.github.com/endevco/aube/pull/492) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — every error and
warning aube emits now carries an `ERR_AUBE_*` or `WARN_AUBE_*`
identifier in a structured field, so CI scripts and ndjson consumers can
branch on the code instead of substring-matching English messages. A
curated subset maps to bespoke Unix exit codes (10–99 in 10-wide ranges
by category) so shells can react to specific failures without parsing
stderr — e.g. `aube install --frozen-lockfile` in an empty dir exits
with `10` (`ERR_AUBE_NO_LOCKFILE`). Post-resolver errors that mention a
specific package now also include the dependency chain back to the
importer (`chain: a@1 > b@2 > leaf@3`) so a tarball-integrity or fetch
failure tells you *why* your install pulled that transitive dep. The
full code list lives at `docs/error-codes.md`.

#### Fixed

- **`aube why` / `list` / `query` from a workspace subpackage**
([#&#8203;504](https://redirect.github.com/endevco/aube/pull/504) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — these commands
resolved cwd via the nearest `package.json`, so running them inside
`packages/foo/` errored with `No lockfile found. Run aube install
first.` even though the workspace lockfile sat one level up. They now
walk up to the workspace root when one is present.

- **Workspace lifecycle scripts and pnpm-lock npm aliases**
([#&#8203;500](https://redirect.github.com/endevco/aube/pull/500) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — recursive workspace
installs now run `preinstall`/`install`/`postinstall`/`prepare` for each
linked workspace importer in dependency order (not just the root), and
the build-script policy merges `pnpm.allowBuilds` /
`onlyBuiltDependencies` / `neverBuiltDependencies` across all
participating manifests so a member can approve its own dep's builds.
`pnpm-lock.yaml` now writes npm aliases in pnpm's native
`<real>@&#8203;<version>` encoding instead of leaking aube's internal
`aliasOf` field.

- **`aube add` auto-detects local paths**
([#&#8203;499](https://redirect.github.com/endevco/aube/pull/499) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `aube add
/path/to/lib`, `./lib`, `~/lib`, `file:./lib`, and `link:./lib` no
longer fall through to the registry path with a confusing `HTTP 405
Method Not Allowed`. Bare paths default to `link:` for directories and
`file:` for tarballs (pnpm parity); explicit prefixes are preserved.
Tarball-suffix paths emit a clear "not yet supported in `aube add`" hint
instead of a 405.

#### Changed

- **Per-command `--help` is bucketed**
([#&#8203;505](https://redirect.github.com/endevco/aube/pull/505) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `--frozen-lockfile` /
`--prefer-frozen-lockfile`, `--registry` + `--fetch-*`, and
`--disable/--enable-global-virtual-store` moved off the global flag set
into per-command groups under `Lockfile` / `Network` / `Virtual store`
headings, and now appear only on commands that consume them. Seven
pnpm-compat no-op flags (`--workspace-packages`, `--ignore-workspace`,
`--include-workspace-root`, `--aggregate-output`, `--stream`,
`--use-stderr`, `--yes`) are still parsed but hidden from `--help`.
Pre-subcommand placement still works (`aube --frozen-lockfile install`,
`aube --registry=URL install`) via an argv pre-pass.

One caveat: implicit-script invocations like `aube --frozen-lockfile
dev` (where `dev` is a `package.json` script) no longer apply the flag —
write `aube run --frozen-lockfile dev` instead.

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.7.0...v1.8.0>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.7.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.7.0):
: Local & git specs in aube add, faster cold installs

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.6.2...v1.7.0)

A feature-heavy release: `aube add` learns git and local-path specs,
workspace commands gain support for yaml-only "coordinator" monorepos,
`aube update` and `aube rebuild` get pnpm-parity polish, and a deep
performance pass speeds up cold installs by up to \~1.9×.

#### Highlights

- **`aube add` is now a one-stop shop** for git, GitHub-shorthand, and
`link:` / `file:` local-path dependencies — not just registry packages.
- **Performance pass on the install hot path**
([#&#8203;469](https://redirect.github.com/endevco/aube/pull/469)) lands
streaming SHA-512, parallel CAS imports, TLS prewarm, fetch reordering,
and a long tail of cold-path cleanups, with measured cold-install
speedups up to \~1.9× vs v1.6.2.
- **Workspace and pnpm parity polish** across `update`, `rebuild`,
yaml-only roots, unversioned members, and nested `link:` / `file:`
resolution.

#### Added

- **`aube add file:./pkg` / `link:../sibling`**
([#&#8203;487](https://redirect.github.com/endevco/aube/pull/487) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — local-path specs are
routed through a non-registry branch, with the manifest key derived from
the path basename (with `.tgz` / `.tar.gz` stripped) or from an explicit
alias. `aube add my-bundle@file:./bundle.tgz` works too.

- **`aube add` supports git specs**
([#&#8203;483](https://redirect.github.com/endevco/aube/pull/483) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — bare GitHub shorthand,
`github:` / `gitlab:` / `bitbucket:` prefixes, full `git+ssh` /
`git+https` URLs, and aliases. The verbatim spec is written to
`package.json` and the resolver handles the rest:

  ```bash
  aube add kevva/is-negative
  aube add github:kevva/is-positive
  aube add my-alias@git+https://github.com/kevva/is-negative.git
  ```

- **Yaml-only workspace roots**
([#&#8203;486](https://redirect.github.com/endevco/aube/pull/486) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `install`, `list`,
`run -r`, `query`, and `why` now work in pure-coordinator monorepos that
have `pnpm-workspace.yaml` / `aube-workspace.yaml` at the root but no
root `package.json` (Turborepo-style layouts). Single-project commands
like `add` / `remove` still hard-error without a manifest.

- **`aube update <pkg>` rewrites manifest ranges by default**
([#&#8203;479](https://redirect.github.com/endevco/aube/pull/479) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — caret/tilde ranges
(`^1.2.0`, `~1.2.0`) are rewritten to track the resolved in-range max,
matching pnpm. Other shapes (`>=`, exact pins, dist-tags, git,
`workspace:`) stay frozen. Set `update-rewrites-specifier=false` to keep
the previous behavior.

- **`aube rebuild <pkg>...`**
([#&#8203;477](https://redirect.github.com/endevco/aube/pull/477) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — runs lifecycle scripts
only for the named deps, bypasses the `allowBuilds` /
`onlyBuiltDependencies` policy, and skips root hooks. Composes with
`--filter`. Bare `aube rebuild` continues to do a full policy-respecting
rebuild.

- **Persistent unreviewed-builds warning**
([#&#8203;476](https://redirect.github.com/endevco/aube/pull/476) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — repeat warm-path
installs no longer swallow the "ignored build scripts for N package(s)"
nudge; the spec keys are persisted in `.aube-state` and re-emitted on
every install.

- **`aube update --depth` no longer silently ignored**
([#&#8203;473](https://redirect.github.com/endevco/aube/pull/473) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — emits a one-line
warning pointing at `rm aube-lock.yaml && aube install` for the only
useful semantic case.

#### Fixed

- **Faster cold installs**
([#&#8203;469](https://redirect.github.com/endevco/aube/pull/469) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) — a wide
hot-path pass with measurable wins on real registries:

  | Project           |    v1.6.2 |  v1.7.0 | Speedup |
  | ----------------- | --------: | ------: | ------: |
  | svelte (56 pkg)   |   1393 ms | 1386 ms |   1.01× |
  | vue (117 pkg)     |   1590 ms | 1360 ms |   1.17× |
  | next.js (336 pkg) |  14071 ms | 9160 ms |   1.54× |
  | babylon (21 pkg)  | \~6000 ms | 3186 ms |  \~1.9× |

Highlights: streaming SHA-512 over the wire (no second buffered hash
pass), two-phase parallel CAS tar import, speculative TLS/HTTP/2 prewarm
behind manifest parse, native-build packages floated to the front of the
fetch queue, `Accept-Encoding: gzip, br, zstd` on packuments, in-process
DNS cache via `hickory-dns`, mmap+rayon BLAKE3 over 4 MiB, network
concurrency default raised 64 → 128, and zero-copy packument parsing.
Every change ships with an `AUBE_DISABLE_*` killswitch
(`AUBE_DISABLE_STREAMING_SHA512`, `AUBE_DISABLE_SPECULATIVE_TLS`,
`AUBE_DISABLE_CRITICAL_PATH`, `AUBE_DISABLE_PARALLEL_IMPORT`,
`AUBE_DISABLE_MMAP_BLAKE3`, `AUBE_DISABLE_SNAPSHOTS`) plus an
`AUBE_CONCURRENCY=N` clamp.
- **Nested `link:` / `file:` resolution**
([#&#8203;470](https://redirect.github.com/endevco/aube/pull/470) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — fixes the `transitive
local specifier link:./libs/foo cannot be resolved without the parent
package source root` install error in two cases: a `file:` / `link:`
parent declaring a transitive `link:`, and a root `pnpm.overrides`
rewriting a registry dep to a local path. Override paths now anchor at
the project root like pnpm does.
- **Workspace members without `version`**
([#&#8203;480](https://redirect.github.com/endevco/aube/pull/480) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — fall back to `0.0.0`
instead of hard-erroring. `workspace:*` / `^` / `~` siblings still link
locally; specific ranges like `workspace:^2.0.0` still correctly fail to
satisfy. Unblocks repos like
[tuist/tuist#10584](https://redirect.github.com/tuist/tuist/pull/10584).
- **Bare `user/repo` parsed as GitHub shorthand**
([#&#8203;472](https://redirect.github.com/endevco/aube/pull/472) by
[@&#8203;jdx](https://redirect.github.com/jdx)) in lockfile/spec
parsing, with `update --latest` now skipping git-spec deps so they can't
be silently rewritten into registry pins.
- **CLI short help wraps cleanly**
([#&#8203;478](https://redirect.github.com/endevco/aube/pull/478) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — many flags across
`add`, `install`, `publish`, `update`, `view`, etc. had multi-line doc
comments that clap merged into 120+ char paragraphs for `-h`. Now each
flag has a one-line summary followed by the longer prose, restoring
readable short help on standard terminals.

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.6.2...v1.7.0>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzkuMyIsInVwZGF0ZWRJblZlciI6IjQzLjE3OS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-15 05:32:30 +00:00
renovate[bot]
590bfd78fa
chore(deps): update dependency aube to v1.6.2 (#466)
This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| [aube](https://redirect.github.com/endevco/aube) | minor | `v1.5.1` →
`v1.6.2` | `v1.9.1` (+3) |

---

### Release Notes

<details>
<summary>endevco/aube (aube)</summary>

###
[`v1.6.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.2):
: Engines coverage catches up to pnpm

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.6.1...v1.6.2)

A small patch release that closes engine-validation gaps with pnpm.

#### Fixed

- **Broader engines coverage**
([#&#8203;458](https://redirect.github.com/endevco/aube/pull/458) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — aube now honors engine
constraints it previously skipped:
- `engines.aube` and `engines.pnpm` on root and workspace project
manifests are checked against the running aube version (aube positions
itself as a pnpm-compatible drop-in, so `engines.pnpm` is honored as if
aube were that pnpm).
- `engines.node` is now enforced on workspace project manifests, not
just the root.
- Warning output labels which engine triggered the mismatch (e.g.
`wanted node >=20`, `wanted aube >=99999`, `wanted pnpm >=8`), and the
`engine-strict` error message stays compatible with existing assertions.
- `engines.{aube,pnpm}` on transitive deps remain skipped on purpose,
since wild packages routinely pin author toolchains.

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.6.1...v1.6.2>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.6.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.1)

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.6.0...v1.6.1)

##### Fixed

- Unblocked the `v1.6.0` publishing path so missing Linux release assets
and downstream package publishes could be backfilled
([#&#8203;460](https://redirect.github.com/endevco/aube/pull/460)).
- Made the resolver build script tolerate environments where the primer
generator exists but `node` is not installed, falling back to an empty
primer with a Cargo warning instead of panicking
([#&#8203;460](https://redirect.github.com/endevco/aube/pull/460)).
- Moved npm publishing and PPA upload jobs back to GitHub-hosted runners
where npm provenance and Launchpad FTP uploads work correctly
([#&#8203;460](https://redirect.github.com/endevco/aube/pull/460)).

##### Other

- Refreshed benchmarks for the 1.5.2 baseline
([#&#8203;459](https://redirect.github.com/endevco/aube/pull/459)).

###
[`v1.6.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.0)

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.5.1...v1.6.0)

##### Highlights

- Added broader pnpm compatibility for `aube add`, `aube update`,
pnpmfile hooks, catalog saves, workspace protocol parsing, and lockfile
directory configuration.
- Added generic `--config.<key>=<value>` overrides plus fetch timeout,
retry, backoff, `--pnpmfile`, and `--global-pnpmfile` flags.
- Improved install, resolver, registry, linker, manifest, settings, and
state hot paths with shared caches, cheaper hashes, fewer repeated
filesystem probes, and compressed packument fetches.
- Expanded pnpm parity coverage across update, hooks, allow-build
review, monorepo filter, prefer-offline, and misc install behavior.

##### Added

- `aube update` now parses `<pkg>@&#8203;<spec>` arguments and can
update indirect dependencies
([#&#8203;446](https://redirect.github.com/endevco/aube/pull/446)).
- `aube add` can bootstrap a missing `package.json`, matching pnpm
behavior covered by newly ported misc tests
([#&#8203;417](https://redirect.github.com/endevco/aube/pull/417)).
- `--config.<key>=<value>` flags provide generic CLI config overrides
([#&#8203;447](https://redirect.github.com/endevco/aube/pull/447)).
- `--lockfile-dir` / `lockfileDir` support allows commands to target a
foreign lockfile directory when valid
([#&#8203;431](https://redirect.github.com/endevco/aube/pull/431)).
- Fetch controls were added for timeout, retry count, and retry backoff
behavior
([#&#8203;436](https://redirect.github.com/endevco/aube/pull/436)).
- `--pnpmfile` and `--global-pnpmfile` flags were added, with pnpmfile
hooks wired into update and `preResolution` support
([#&#8203;439](https://redirect.github.com/endevco/aube/pull/439),
[#&#8203;423](https://redirect.github.com/endevco/aube/pull/423)).
- pnpmfile `ctx.log` records now emit as `pnpm:hook` NDJSON on stdout
([#&#8203;440](https://redirect.github.com/endevco/aube/pull/440)).
- `--save-catalog`, `workspace:*` parsing, and
`sharedWorkspaceLockfile=false` support landed together
([#&#8203;418](https://redirect.github.com/endevco/aube/pull/418)).
- Empty `--allow-build` values now use pnpm's verbatim error wording
([#&#8203;444](https://redirect.github.com/endevco/aube/pull/444)).

##### Fixed

- `AUBE_VIRTUAL_STORE_DIR` is honored from the environment, with
additional pnpm misc parity coverage
([#&#8203;456](https://redirect.github.com/endevco/aube/pull/456)).
- `aube update --latest` preserves prerelease pins that are already
higher than the latest stable version
([#&#8203;445](https://redirect.github.com/endevco/aube/pull/445)).
- `.` is rejected as a foreign `--lockfile-dir` importer and the related
docs were corrected
([#&#8203;442](https://redirect.github.com/endevco/aube/pull/442)).
- npm `package-lock.json` workspace importers are preserved when parsing
and writing lockfiles
([#&#8203;443](https://redirect.github.com/endevco/aube/pull/443)).
- Lifecycle script behavior closed three pnpm parity gaps
([#&#8203;421](https://redirect.github.com/endevco/aube/pull/421)).
- The resolver now ships an empty bundled metadata primer when the
generator script cannot run, instead of failing the build
([#&#8203;425](https://redirect.github.com/endevco/aube/pull/425)).

##### Performance

- Cached hot-path work across install, resolver, registry, linker,
manifest parsing, settings lookup, and install state freshness checks
([#&#8203;453](https://redirect.github.com/endevco/aube/pull/453)).
- Deduplicated and cached repeated install/resolver work, including
graph hashing, patch fingerprints, lockfile parsing, env capture, script
policy lookup, workspace-root scans, and registry auth token matching
([#&#8203;449](https://redirect.github.com/endevco/aube/pull/449)).
- Refreshed benchmark results for the 1.5.2 baseline
([#&#8203;448](https://redirect.github.com/endevco/aube/pull/448),
[#&#8203;452](https://redirect.github.com/endevco/aube/pull/452)).

##### Testing and Parity

- Ported pnpm monorepo filter tests and wired `--fail-if-no-match`
([#&#8203;457](https://redirect.github.com/endevco/aube/pull/457)).
- Ported additional pnpm hook, allowBuilds review, update,
prefer-offline, circular peer, trust-policy, peer warning, top-level
plugin, and registry fixture coverage
([#&#8203;455](https://redirect.github.com/endevco/aube/pull/455),
[#&#8203;441](https://redirect.github.com/endevco/aube/pull/441),
[#&#8203;438](https://redirect.github.com/endevco/aube/pull/438),
[#&#8203;454](https://redirect.github.com/endevco/aube/pull/454),
[#&#8203;434](https://redirect.github.com/endevco/aube/pull/434),
[#&#8203;433](https://redirect.github.com/endevco/aube/pull/433),
[#&#8203;424](https://redirect.github.com/endevco/aube/pull/424)).

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2026-05-09 01:39:13 +00:00
renovate[bot]
396ce9daa2
chore(deps): update dependency aube to v1.5.1 (#463)
This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| [aube](https://redirect.github.com/endevco/aube) | minor | `1.4` →
`v1.5.1` | `v1.9.1` (+6) |

---

### Release Notes

<details>
<summary>endevco/aube (aube)</summary>

###
[`v1.5.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.1):
: POSIX colon tarball filenames

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.5.0...v1.5.1)

A small patch release fixing tarball installs that contain `:` in entry
filenames on POSIX platforms (e.g. `redos-detector@6.1.4`'s
`dist/__mocks__/package-json:version.d.ts`).

#### Fixed

- **POSIX colon tarball filenames** — the store tarball validator and
the linker's `validate_index_key` previously rejected `:` on every
platform to defend against Windows drive-prefix and NTFS
alternate-data-stream ambiguity. That guard was too broad for POSIX,
where colon is a valid filename character, and caused installs of
packages like `redos-detector@6.1.4` to fail. Both guards are now
platform-gated: `:` is still rejected on Windows, but accepted on Linux
and macOS.
([#&#8203;386](https://redirect.github.com/endevco/aube/pull/386) by
[@&#8203;jdx](https://redirect.github.com/jdx))

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.5.0...v1.5.1>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.5.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.0):
: Dependency graph queries and patch/lockfile fixes

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.4.0...v1.5.0)

This release adds `aube query` for selector-based dependency graph
inspection, fixes patch application against CRLF tarball files, repairs
npm-aliased catalog dependencies in pnpm-generated lockfiles, and
unifies how aube decides where to write workspace settings.

#### Added

- **`aube query`** — a vlt-inspired dependency-graph query command.
Supply a selector expression (attribute predicates plus pseudo-selectors
like `:scripts`, `:bin`, `:peer`, `:type(...)`, `:license(...)`),
optionally scope with workspace `--filter`/`--prod`/`--dev` roots, and
emit human-readable, `--parseable`, or `--json` output. Reads only the
local lockfile.
([#&#8203;380](https://redirect.github.com/endevco/aube/pull/380) by
[@&#8203;jdx](https://redirect.github.com/jdx))

#### Fixed

- **Patches against CRLF text files** — tarballs published from Windows
editors (e.g. `gifuct-js@2.1.2/index.d.ts`) ship CRLF, but
git/pnpm-style patches always emit LF, and diffy refused to match LF
hunks against CRLF context. aube now normalizes the original to LF
before applying and restores CRLF on write — matching pnpm's approach —
with a `\r\r\n` collapse so a literal `\r` byte mid-line doesn't gain a
second carriage return.
([#&#8203;384](https://redirect.github.com/endevco/aube/pull/384) by
[@&#8203;jdx](https://redirect.github.com/jdx))
- **`aube patch-commit` destination** — previously wrote unconditionally
to `pnpm.patchedDependencies` in `package.json` even on projects already
using the pnpm v10+ workspace-yaml home. A single rule now applies to
every command that mutates a setting which can live in either the
workspace yaml or `package.json#{pnpm,aube}.<key>`:

  1. If a workspace yaml exists on disk → write there.
2. Otherwise, if `package.json#pnpm` is already declared → write
`pnpm.<key>` (preserve the user's namespace).
  3. Otherwise → write `aube.<key>`.

`aube patch-remove` now strips entries from every place they could live
and reports the files actually rewritten. The same rule covers `aube
approve-builds` and install-time auto-deny seeding.
([#&#8203;384](https://redirect.github.com/endevco/aube/pull/384) by
[@&#8203;jdx](https://redirect.github.com/jdx))
- **npm-aliased catalog deps from pnpm lockfiles** — `aube install
--frozen-lockfile` previously accepted a pnpm lockfile with `beamcoder:
npm:beamcoder-prebuild@…` declared via `pnpm-workspace.yaml#catalog` and
silently produced an empty `node_modules`, because the importer's
specifier was `'catalog:'` and alias detection only fired on
`specifier.starts_with("npm:")`. Aliases are now detected purely from
the canonical `<real>@&#8203;<resolved>` `version:` shape, with a
peer-suffix strip so `version: 18.2.0(react@18.2.0)` isn't
misclassified.
([#&#8203;384](https://redirect.github.com/endevco/aube/pull/384) by
[@&#8203;jdx](https://redirect.github.com/jdx))
- **Bounded resolver stream** — the resolved-package stream is now a
bounded Tokio channel sized from the same network concurrency used by
fetch workers, with awaited sends so resolver/fetch overlap applies
backpressure instead of accumulating an unbounded queue.
([#&#8203;377](https://redirect.github.com/endevco/aube/pull/377) by
[@&#8203;jdx](https://redirect.github.com/jdx))

#### Changed

- **`aube-workspace.yaml` is the default-write filename** — when neither
`aube-workspace.yaml` nor `pnpm-workspace.yaml` exists, `aube
approve-builds` (and the install-time auto-seed of unreviewed build
scripts) now creates `aube-workspace.yaml` so it pairs with
`aube-lock.yaml` instead of leaving mixed vendor namespaces side by
side. Existing `pnpm-workspace.yaml` files keep being mutated in place.
([#&#8203;382](https://redirect.github.com/endevco/aube/pull/382) by
[@&#8203;jdx](https://redirect.github.com/jdx))
- **Comment-preserving workspace-yaml writes** — yaml writes now skip
the rewrite when the closure produces no structural change, so user
comments survive every no-op update to `allowBuilds`,
`patchedDependencies`, and catalog cleanup.
([#&#8203;384](https://redirect.github.com/endevco/aube/pull/384) by
[@&#8203;jdx](https://redirect.github.com/jdx))
- **Install phase timing sink** — set `AUBE_BENCH_PHASES_FILE` to append
per-phase install timings (resolve/fetch/link/scripts/state/sweep) as
JSONL, optionally tagged with `AUBE_BENCH_SCENARIO`. The benchmark
harness samples aube install-shaped scenarios and
`benchmarks/generate-phase-results.mjs` turns the JSONL into a Markdown
table plus a structured JSON artifact.
([#&#8203;381](https://redirect.github.com/endevco/aube/pull/381) by
[@&#8203;jdx](https://redirect.github.com/jdx))

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.4.0...v1.5.0>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2026-05-08 05:30:45 +00:00
jdx
0a780158e1
chore: migrate package manager from npm/pnpm/bun to aube (#455)
## Summary

Switches the project's package-manager surface from a mix of `npm` /
`pnpm` / `bun` (different commands in different files) to a single tool:
[aube](https://aube.en.dev), en.dev's pnpm-compat package manager
(native Rust, fast, drops cleanly into pnpm/npm-compatible workflows).

| | Before | After |
|---|---|---|
| Workflows install step | `npm ci` | `aube ci` |
| Workflows run scripts | `npm run X` | `aubr X` (`aubr` is the `aube
run` shorthand) |
| `mise.toml` tasks | mixed `npm run` / `bun run` | `aubr X` |
| Lockfile | `package-lock.json` | `package-lock.json` (unchanged — aube
reads it directly) |

The `aubr` binary ships alongside `aube` in the same install — it's the
script-runner shorthand (`aubr <script>` ≡ `aube run <script>`). Saves a
word in every workflow / mise.toml line.

## What didn't change

- **`package-lock.json`** stays as the canonical lockfile. aube reads it
directly; no `aube-lock.yaml` is generated. Running `npm install` still
works for any dev who hasn't switched to aube yet.
- **`package.json` scripts** still use `npm run X` for nested
invocations (e.g. `"all": "npm run format:write && …"`). The literal
`npm` works for both callers — aube's shell exec finds `npm` in PATH,
the inner invocation re-runs the same package.json script. Keeping these
PM-agnostic avoids a forced cutover for downstream contributors.
- **`dist/`** is byte-identical after `aubr all` — parity with the
npm-built bundle verified locally.

## New project files

- **`.npmrc`** — single line: `node-linker=hoisted`. Forces a flat,
npm-style `node_modules` layout instead of aube's default
symlink/virtual-store. Required because `rollup --configPlugin
@rollup/plugin-typescript` resolves the plugin from cwd's node_modules,
and the isolated layout puts rollup under `node_modules/.aube/...` where
standard module resolution can't reach back to the project root for the
plugin. npm reads `.npmrc` but ignores `node-linker` (npm always
installs flat), so the file is safe for both PMs.
- **`pnpm-workspace.yaml`** — generated by aube 1.4 to record
build-script approvals (`unrs-resolver: false`). Project-level config;
commits like a `package.json` companion.

Pinned `aube = '1.4'` in `mise.toml`'s tools so `mise install`
provisions the right binary locally.

## Why aube

Single tool replacing three. Less context-switching for contributors,
fewer places to run `npm audit` / `bun upgrade` / `pnpm dedupe`. aube's
cold-cache install for this repo's deps is ~3s vs `npm ci` at ~10s.

## Test plan

- [x] `aube install` from clean — succeeds, all 441 packages link
cleanly
- [x] `aubr all` (format + lint + package) — succeeds, `dist/`
byte-identical to checked-in version
- [x] `aubr format:check` — clean
- [x] `aubr lint` — clean
- [x] `aubr package` — produces `dist/index.js`, `dist/index.js.map`,
`dist/licenses.txt` matching what's checked in
- [ ] Workflows: `Continuous Integration` / `autofix.ci` / `Check dist/`
/ `test` all pass on this PR

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Mostly CI/build-system plumbing; risk is workflow or packaging
breakage (dependency install layout, rollup config) that could prevent
`dist/` from rebuilding or CI from running, but it doesn’t change
runtime action logic.
> 
> **Overview**
> Switches GitHub Actions workflows to install tooling via
`jdx/mise-action` and run installs/scripts with `aube`/`aubr` instead of
`actions/setup-node` + `npm ci`/`npm run`.
> 
> Pins `aube` (`1.4`) in `mise.toml`, updates `mise` tasks and developer
docs (`CLAUDE.md`) to use `aube`/`aubr`, and adds `.npmrc`
(`node-linker=hoisted`) plus a `.gitignore` entry to avoid committing
`aube`’s generated `pnpm-workspace.yaml`.
> 
> Adjusts the packaging script to use `rollup.config.mjs` (replacing the
previous TS config invocation).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
fd6530d89f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2026-04-29 09:13:34 -05:00
jdx
0b4dcb0c10
ci: add communique to enhance release notes (#411)
## Summary
- Add communique tool to mise.toml
- Add `enhance-release` job to release workflow that runs after release
creation to generate AI-enhanced release notes

## Test plan
- [ ] Verify next release triggers the enhance-release job
- [ ] Confirm ANTHROPIC_API_KEY secret is configured in repo settings

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Adds a new post-release GitHub Actions job that uses an external AI
API and an elevated token to modify GitHub release notes; failures or
misconfigured secrets can break the release workflow and token scope
matters.
> 
> **Overview**
> After the `release` job completes, the workflow now runs a new
`enhance-release` job that computes the tag from `package.json` and
calls `communique generate ... --github-release` to update the GitHub
release notes.
> 
> The PR also adds `communique` to `mise.toml` so the tool is available
in CI, and wires in `ANTHROPIC_API_KEY` plus a dedicated
`RELEASE_PLZ_GITHUB_TOKEN` for the release-note update step.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d2335f661c. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 11:24:46 -05:00
jdx
bd8ba20c56
chore: added release-plz 2025-07-16 04:49:54 +00:00
jdx
ec352a8916
chore: node-24 2025-06-17 12:12:32 -05:00
jdx
5f7b5f779d
chore: loosen node version 2024-12-23 11:40:23 -08:00
jdx
3601336acb
chore: updated deps 2024-12-13 06:03:07 -06:00
jdx
793f8df484
chore: added pre-commit task 2024-11-18 13:24:06 -06:00
renovate[bot]
c34172bab2
chore(deps): update dependency node to v22 (#143)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-11-18 13:21:45 -06:00
renovate[bot]
c1be5dfbbf
chore(deps): update dependency node to v20.18.0 (#126)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-10-07 10:37:39 +00:00
renovate[bot]
9d00159afd
chore(deps): update dependency node to v20.17.0 (#112)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-09-25 21:29:21 +00:00
jdx
5d3e058edf
feat: support windows (#122) 2024-09-25 21:27:52 +00:00
Renamed from .mise.toml (Browse further)