mirror of
https://github.com/jdx/mise-action.git
synced 2026-07-03 09:59:32 +00:00
17 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
e47eed9a5f
|
chore: update aube tool version (#501)
Some checks failed
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
Check dist/ / Check dist/ (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
|
||
|
|
69c24ed920
|
chore(deps): update dependency aube to v1.15.0 (#498)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.14.1` → `v1.15.0` | `v1.16.0` | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.15.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.15.0): : Yarn Berry portal/exec/patch + deny-build [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.14.1...v1.15.0) This release closes three Yarn Berry compatibility gaps (`portal:`, `exec:`, and `patch:` protocols), adds an `aube add --deny-build` flag for `strictDepBuilds=true` workflows, and fixes two install-correctness bugs around workspace updates and Bun patched dependencies. #### Added - *(yarn)* **Berry `portal:` and `exec:` protocols** ([#​729](https://redirect.github.com/endevco/aube/pull/729) by [@​jdx](https://redirect.github.com/jdx)) — Yarn Berry lockfile entries using `portal:` and `exec:` are now parsed instead of skipped, and round-trip cleanly when aube writes the lockfile back (`portal:` as `linkType: soft`, `exec:` as a generated hard-link package). `portal:` targets materialize as local packages whose dependencies are followed (matching Yarn's documented difference from `link:`); `exec:` generator scripts run into a temp build directory and the generated package is imported, with versions and dependencies locked at resolve time. `exec:` generators require Node.js on `PATH`, are blocked under `--ignore-scripts`, and are rejected if the generator path resolves outside the project root. - *(yarn)* **Berry `patch:` protocol** ([#​728](https://redirect.github.com/endevco/aube/pull/728) by [@​jdx](https://redirect.github.com/jdx)) — Berry `patch:` resolutions are now parsed into aube's patched-dependency map (builtin patches are skipped), preserved on lockfile write, and threaded through install/link so the referenced Yarn patch files are actually applied during materialization. Previously these entries were silently dropped, so Berry projects relying on `patch:` could install with unpatched package contents. - *(add)* **`aube add --deny-build=<pkg>`** ([#​730](https://redirect.github.com/endevco/aube/pull/730), closes [#​726](https://redirect.github.com/endevco/aube/discussions/726), by [@​jdx](https://redirect.github.com/jdx)) — Repeatable flag that records a dependency's lifecycle scripts as reviewed-and-denied by writing `allowBuilds.<pkg>=false` before install. This lets `strictDepBuilds=true` workflows explicitly skip selected package builds without failing the install, and is forwarded through global installs (`aube add -g --deny-build=<pkg>`). Specifying the same package in both `--allow-build` and `--deny-build` is rejected with the new `ERR_AUBE_CONFLICTING_BUILD_FLAGS`. ```sh # Mark esbuild's postinstall as reviewed-and-denied, then install aube add --deny-build=esbuild esbuild ``` #### Fixed - *(update)* **Workspace-member `aube update` writes to the root lockfile** ([#​732](https://redirect.github.com/endevco/aube/pull/732) by [@​jdx](https://redirect.github.com/jdx)) — `aube update` run inside a workspace member previously started from the nearest project root and produced `sub/aube-lock.yaml`, disagreeing with `aube install` (which already targets the workspace root). Plain member updates now merge into the shared workspace-root `aube-lock.yaml` via the same helper used by filtered/recursive updates, carrying per-importer `workspace_extra_fields` alongside dependency and skipped-optional metadata. - *(bun)* **Bun top-level `patchedDependencies` are applied at install** ([#​724](https://redirect.github.com/endevco/aube/pull/724) by [@​jdx](https://redirect.github.com/jdx)) — aube preserved Bun's `package.json#patchedDependencies` in `bun.lock`, but install-time patch loading only read `pnpm.patchedDependencies`, `aube.patchedDependencies`, and workspace YAML entries — so Bun-only projects could install successfully while materializing unpatched package contents. Bun's top-level field is now merged into the patch sources used by install (including for BOM-prefixed `package.json`), and is correctly removed when the map becomes empty. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.14.1...v1.15.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTguMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5OC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
5b45072a5e
|
chore(deps): update dependency aube to v1.14.1 (#489)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.9.1` → `v1.14.1` | `v1.15.0` | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.14.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.1): : Install module split [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.14.0...v1.14.1) A maintenance release with no user-facing behavior changes. The install command's growing `commands/install/mod.rs` was split into focused submodules to keep the install pipeline easier to navigate. Install behavior, flags, and output are unchanged from v1.14.0. #### Changed - *(install)* Extracted the fetch/import pipeline (local source import, lockfile fetch wrapper, store-index classification, tarball fetch/import, contextualized-index remapping) into a new `commands/install/fetch.rs` module ([#​704](https://redirect.github.com/endevco/aube/pull/704) by [@​jdx](https://redirect.github.com/jdx)). - *(install)* Split the materializer, native-build critical-path heuristic, and workspace graph/lifecycle/per-project lockfile helpers into dedicated `materialize.rs`, `critical_path.rs`, and `workspace.rs` modules ([#​702](https://redirect.github.com/endevco/aube/pull/702) by [@​jdx](https://redirect.github.com/jdx)). - *(install)* Moved post-pipeline helpers — `--lockfile-dir` importer remapping, human install summary output, `.aube` cache invalidation/orphan cleanup, and skipped-build warning replay — into `lockfile_dir.rs`, `summary.rs`, `sweep.rs`, and `unreviewed_builds.rs` ([#​698](https://redirect.github.com/endevco/aube/pull/698) by [@​jdx](https://redirect.github.com/jdx)). **Full Changelog**: <https://github.com/endevco/aube/compare/v1.14.0...v1.14.1> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.14.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.0): : Bloom-filtered OSV checks and lifecycle-script content sniffing [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.13.1...v1.14.0) Two new opt-in supply-chain layers on top of the v1.13 gates: a \~380 KB bloom-filter prefilter that lets plain reinstalls cheaply probe the OSV `MAL-*` set without pulling the 200 MB mirror, and a regex-based content sniff that flags dangerous shapes in dependency `preinstall`/`install`/`postinstall` scripts before you click through `aube approve-builds`. #### Added - *(install)* **OSV bloom-filter prefilter for lockfile installs** ([#​680](https://redirect.github.com/endevco/aube/pull/680) by [@​jdx](https://redirect.github.com/jdx)) — New `advisoryBloomCheck` setting (`on` / `required` / `off`, default `off`) adds a fourth route to the post-resolve OSV decision table. Plain reinstalls probe the resolved transitive graph against a \~380 KB bloom filter fetched from [`endevco/osv-bloom`](https://redirect.github.com/endevco/osv-bloom) — regenerated upstream every 10 minutes from OSV's `MAL-*` archive — and only escalate bloom hits to the live `/querybatch` API for exact `(name, version)` confirmation. Bloom FPR is \~0.1%, so a typical 1000-package lockfile triggers zero or one extra live-API round trip per install. When both are configured, the bloom branch wins over the 200 MB `all.zip` mirror — under 1 MB on the wire, same live-API oracle, same `ERR_AUBE_MALICIOUS_PACKAGE` on a confirmed hit. Cached under `$XDG_CACHE_HOME/aube/osv-bloom/` and short-circuits the download when upstream's `set_digest_sha256` is unchanged. New warning `WARN_AUBE_OSV_BLOOM_REFRESH_FAILED`: under `on` install continues against the previously cached filter; under `required` it fails closed with `ERR_AUBE_ADVISORY_CHECK_FAILED`. - *(install)* **Content-sniff dependency lifecycle scripts before approve-builds** ([#​685](https://redirect.github.com/endevco/aube/pull/685) by [@​jdx](https://redirect.github.com/jdx)) — aube's existing supply-chain gates (OSV `MAL-*`, downloads floor, bun-compat scanner, `BuildPolicy` allowlist) are all name-based; none inspects what `postinstall` actually does, which leaves an OSV-ingest-lag window of 12–48h that the 2024–2026 wave of unobfuscated `curl … | sh` postinstalls walked right through. New regex matcher fires advisory warnings for known-dangerous shapes in lifecycle script bodies: | Signal | Catches | | -------------------- | ---------------------------------------------------------------------------------------------------------------- | | `ShellPipe` | `curl … \| sh`, `wget … \| bash`, `… \| node` | | `EvalDecode` | `eval(atob(…))`, `Function(atob(…))`, `eval(Buffer.from(…))` | | `CredentialFileRead` | `~/.ssh`, `~/.aws`, `~/.npmrc`, `~/.config/gh` reads | | `SecretEnvRead` | `process.env.*(TOKEN\|SECRET\|API_KEY\|PASSWORD\|ACCESS_KEY\|PRIVATE_KEY\|AUTH)` | | `ExfilEndpoint` | Discord/Telegram webhooks, OAST hosts (`oast.pro`, `interactsh`, `webhook.site`, `pipedream.net`, `ngrok.io`, …) | | `BareIpHttp` | Bare-IP HTTP fetch targets (literal IPv4 hosts over plain HTTP) | Sniff is advisory — `allowBuilds` still gates execution — and shows up in three places: end-of-install emits one `WARN_AUBE_SUSPICIOUS_LIFECYCLE_SCRIPT` per flagged package alongside the existing `WARN_AUBE_IGNORED_BUILD_SCRIPTS`; `aube approve-builds` annotates picker rows with `⚠ suspicious: <category>` and prints a pre-picker summary of the matched hook+description; `aube ignored-builds` indents `⚠ <hook> — <description>` lines under each `name@version`. Findings are re-derived per install rather than persisted, so the regex set can evolve without a state-file migration. Works offline, doesn't degrade to advisory in headless CI. #### Changed - Refreshed `benchmarks/results.json` against v1.13.1 and Bun 1.3.14 ([#​687](https://redirect.github.com/endevco/aube/pull/687)) — public ratios update to warm installs **3× Bun / 6× pnpm**, repeat test **6× Bun / 45× pnpm**. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.13.1...v1.14.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.13.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.1): : Version-aware transitive MAL-* gate [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.13.0...v1.13.1) A targeted fix for the transitive supply-chain gate added in v1.13.0: the post-resolve OSV check is now version-aware, so name-level `MAL-*` advisories stop blocking installs that resolve to clean versions of the same package. #### Fixed - *(install)* **Version-aware transitive `MAL-*` check** ([#​682](https://redirect.github.com/endevco/aube/pull/682) by [@​jdx](https://redirect.github.com/jdx)) — The post-resolve gate was reusing the pre-resolve name-only OSV query, so any name-level advisory hit every install that transitively pulled in *any* version of that package. Concretely, `aube add cowsay@1.6.0` refused with `ERR_AUBE_MALICIOUS_PACKAGE` because cowsay's tree includes `ansi-regex@3.0.1`, and `ansi-regex` carries the Sep 2025 shai-hulud advisory `MAL-2025-46966` against `6.2.1` — a version published years after `3.0.1`. The live-API and OSV-mirror lookups now send `(name, version)` pairs, refusal messages surface `name@version (MAL-…)`, and the local mirror index bumps to `format = 2` (storing per-advisory affected versions; v1 indexes rebuild on next refresh, and advisories with no enumerated versions still fail closed). The pre-resolve `aube add` name-gate keeps its versionless query — typosquats are malicious in every version. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.13.0...v1.13.1> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.13.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.0): : Supply-chain gates for `aube add` [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.12.0...v1.13.0) #### Added - *(install)* Bun-compatible pluggable security scanner — drop in any `securityScanner` package that follows the Bun Security Scanner API (oven-sh template, `@socketsecurity/bun-security-scanner`, etc.) and aube runs it post-resolve against the full graph via a `node` bridge ([#​657](https://redirect.github.com/endevco/aube/pull/657)) - *(add)* Supply-chain gates on `aube add`: OSV `MAL-*` advisory hard-block plus a weekly-downloads floor with TTY prompt / `--allow-low-downloads` bypass. New `advisoryCheck` and `lowDownloadThreshold` settings, both folded into `paranoid: true` ([#​656](https://redirect.github.com/endevco/aube/pull/656)) - *(install)* OSV checks now extend to the full resolved graph, routed live-API vs. local OSV mirror based on whether resolution produced fresh `(name, version)` picks; opt-in `advisoryCheckOnInstall` covers plain reinstalls, `advisoryCheckEveryInstall` forces live API every time ([#​678](https://redirect.github.com/endevco/aube/pull/678)) - *(add)* Auto-skip supply-chain gates for packages routed through a non-`registry.npmjs.org` registry, plus a new `allowedUnpopularPackages` glob allowlist to silence the downloads gate on known-internal names ([#​673](https://redirect.github.com/endevco/aube/pull/673)) #### Changed - *(install)* No longer rewrites `package.json` / workspace yaml to seed `allowBuilds: { <pkg>: "set this to true or false" }` placeholders for unreviewed build scripts ([#​662](https://redirect.github.com/endevco/aube/pull/662)) - *(install perf)* Deleted the pre-resolver direct-dep packument prefetch; 12–22% wall-time win across fixture size, bandwidth, and RTT ([#​672](https://redirect.github.com/endevco/aube/pull/672)) - *(add)* `--allow-build=<pkg>` now flips an existing deny instead of erroring, help renders correctly as `--allow-build=<PKG>`, and the no-op `--ignore-scripts` is hidden on `add` / `import` / `update` ([#​660](https://redirect.github.com/endevco/aube/pull/660)) #### Fixed - *(linker)* Windows bin shims for `aube add --global … --allow-build=<dep>` no longer emit a duplicated install-root path segment when `.aube/<dep>/` sits behind a directory junction ([#​659](https://redirect.github.com/endevco/aube/pull/659)) - *(global)* `aube remove --global` on Windows no longer fails with `Access is denied (os error 5)` on the hash pointer when it's an NTFS directory junction ([#​658](https://redirect.github.com/endevco/aube/pull/658)) #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.12.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.12.0): : Tidier config, smarter installs from bun.lock [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.11.0...v1.12.0) A round of fixes driven by user reports — `bun.lock` imports now keep peer-only packages, the store layout is reorganized so one cache mount covers everything, and `aube config set` stops scribbling unknown keys into `.npmrc`. #### Added - **Smarter `aube config set` / `delete` routing** ([#​634](https://redirect.github.com/endevco/aube/pull/634) by [@​jdx](https://redirect.github.com/jdx)) — Writes only land in `.npmrc` for the npm-shared surface (per-host auth/cert templates, scoped registries, and a curated allowlist of npm-standard scalars like `registry`, `proxy`, `fetch-retries`, …). Aube-only and pnpm-only keys (`autoInstallPeers`, `dangerouslyAllowAllBuilds`, `pnpmfilePath`, …) plus unknown free-form keys now go to `~/.config/aube/config.toml`. Dotted writes for aube map settings — `aube config set --local allowBuilds.@​mongodb-js/zstd true`, `aube config set --local overrides.lodash 4.17.21` — edit a single entry of `pnpm-workspace.yaml` (or `package.json#<pnpm|aube>.<map>`) in place. `aube config delete` sweeps both files so legacy writes from older versions are still cleaned up. New error code `ERR_AUBE_CONFIG_NESTED_AUBE_KEY` covers invalid nested writes. - **Polished install progress display** ([#​616](https://redirect.github.com/endevco/aube/pull/616) by [@​jdx](https://redirect.github.com/jdx)) — The bar is now cyan across every phase (no more "completing twice" as the phase flips green), reserves the final slice so it never reads 100% while the linker is still running, and paints a full 100% from a new `done` phase on `finish()` / `stop()` so the last frame matches the `✓` summary line. The displayed `~XX MB` total is now a dynamic blend of the static `unpackedSize × 0.20` fallback and a linear extrapolation from observed bytes-per-package — converging to the real total instead of overshooting by \~48%. `resolving` switched yellow → cyan, the `pkgs` counter is bold/uncolored mid-install, and `WARN_AUBE_SLOW_METADATA` drops redundant fields. #### Fixed - **Peer-only packages from `bun.lock` no longer silently dropped** ([#​639](https://redirect.github.com/endevco/aube/pull/639) by [@​jdx](https://redirect.github.com/jdx)) — `filter_graph`'s GC walk ran *before* `hoist_auto_installed_peers`, so peer-installed deps like `@mui/material` that weren't directly listed in workspace `dependencies:` got pruned as unreachable before the hoist could promote them. The pipeline now hoists first, then walks. On the linked repro, `aube install` goes from 6 packages (with broken `@mui/material` / `@emotion/*`) to 44 with everything resolved. - **`bun.lock` imports now run the peer-context pass** ([#​619](https://redirect.github.com/endevco/aube/pull/619) by [@​jdx](https://redirect.github.com/jdx)) — `LockfileKind::Bun` was missing from the `apply_peer_contexts` branch, so peer-dependent packages landed at `.aube/<pkg>@​<ver>/` without sibling peer links and walked up to whatever hoisted copy they found. Now they get peer-qualified `dep_paths` (e.g. `@cloudflare+vite-plugin@1.17.1_vite@8.0.10_…`) with correct sibling symlinks, matching the npm-lockfile import behavior. - **Stale cached indexes now self-heal at fetch time** ([#​635](https://redirect.github.com/endevco/aube/pull/635) by [@​jdx](https://redirect.github.com/jdx)) — Cached package indexes moved from `$XDG_CACHE_HOME/aube/index/` into the store at `<store>/v1/index/`, next to `v1/files/`. The install fast path swapped `load_index` for `load_index_verified`, so an index whose CAS shards have drifted out from under it is dropped at fetch classification and the tarball re-fetched cleanly — instead of the materializer dying mid-link with `ERR_AUBE_MISSING_STORE_FILE`. Fixes a BuildKit cache-mount footgun where only one of the two cache dirs would be persisted. - **`engines.pnpm` no longer triggers spurious version warnings** ([#​633](https://redirect.github.com/endevco/aube/pull/633) by [@​jdx](https://redirect.github.com/jdx)) — A project pinning `engines.pnpm: ">=10.11.1"` produced `warn: wanted pnpm >=10.11.1, got 1.x` on every install (or a hard failure under `engine-strict`). Aube and pnpm live in different version namespaces, so honoring this field was net-negative. `engines.pnpm` is now skipped entirely; `engines.aube` is still honored for projects that want to gate on the running tool, and `engines.node` is unchanged. - **`update -i` no longer reports phantom upgrade rows for catalog deps** ([#​636](https://redirect.github.com/endevco/aube/pull/636) by [@​jdx](https://redirect.github.com/jdx)) — When a `catalog:` dep resolved to a newer version while the same name was pulled in transitively at an older one (e.g. `jose@6.2.3` direct + `jose@5.10.0` via `@upstash/qstash`), `lookup_pkg`'s name-scan picked the transitive snapshot as "current" and offered a downgrade row the rewrite path then ignored. Lookup now goes through the importer's `DirectDep.dep_path`. The companion fix extends the `--latest` prerelease guard to the *locked* version, so `"^1.0.0-rc.1"` isn't silently rewritten to whatever the registry's `latest` dist-tag points at. - **`update` / `add` / `dedupe` / `remove` / `audit` preserve cross-platform optionals and `time:` entries** ([#​637](https://redirect.github.com/endevco/aube/pull/637) by [@​jdx](https://redirect.github.com/jdx)) — These commands now route through install's `configure_resolver`, inheriting the full settings pipeline (`supportedArchitectures`, `resolutionMode`, `minimumReleaseAge`, overrides, …). They opt out of the full-packument disk cache so an immediately-following re-resolve picks up registry `dist-tag` changes, and the resolver carries forward the prior lockfile's `time:` entry when a fresh corgi packument lacks publish time for a resolved version — so direct deps don't lose their `time:` line on update. - **`aube add --global --allow-build=<pkg>` actually pre-approves builds** ([#​620](https://redirect.github.com/endevco/aube/pull/620) by [@​jdx](https://redirect.github.com/jdx)) — The synthetic inner `AddArgs` was being built with `allow_build: Vec::new()`, silently dropping the outer flag and erroring with "must be reviewed before install" under `strictDepBuilds=true`. The flag is now plumbed through `run_global` / `run_global_inner` and approvals are written to the throwaway install dir's `package.json#aube.allowBuilds` before lifecycle scripts run. #### Changed - **`aube store path` now returns the `v1/` directory** ([#​635](https://redirect.github.com/endevco/aube/pull/635)) — One level above the previous `v1/files/` output, so a single Docker BuildKit cache mount or backup captures both the CAS and the new co-located index dir. Scripts consuming `aube store path` will now mount one level higher (the intended behavior). A lazy in-place migration from the legacy `$XDG_CACHE_HOME/aube/index/` location runs on the first store open after upgrade (rename fast path, recursive-copy fallback for cross-FS). #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.11.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.11.0): : Workspace-root flags, scoped config, and a 2× macOS CAS fast path [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.4...v1.11.0) #### Added - *(install)* Fill the resolving bar against a real denominator so the progress bar advances during dependency resolution ([#​611](https://redirect.github.com/endevco/aube/pull/611)) - *(outdated, update)* Wire `-w/--workspace-root` to retarget cwd at the workspace root from a sub-package ([#​614](https://redirect.github.com/endevco/aube/pull/614)) - *(config)* Scope-split settings precedence and project `<cwd>/.config/aube/config.toml` support ([#​608](https://redirect.github.com/endevco/aube/pull/608)) - *(deploy)* Accept `--offline` and `--prefer-offline`, forwarded into the deploy install ([#​606](https://redirect.github.com/endevco/aube/pull/606)) - *(store)* Direct-write CAS fast path on macOS under an exclusive install lock (\~2× per-file CAS write speedup) ([#​615](https://redirect.github.com/endevco/aube/pull/615)) #### Fixed - *(linker)* Bin shims now point `NODE_PATH` at the hidden modules dir, and the isolated linker defaults `preferSymlinkedExecutables` to shims so `extendNodePath` actually works ([#​613](https://redirect.github.com/endevco/aube/pull/613)) - *(install/lockfile/outdated/update)* Address several bugs reported in [#​602](https://redirect.github.com/endevco/aube/discussions/602): lockfile rewrites when a dep moves between `dependencies`/`devDependencies`, `outdated -r` includes the workspace root, semver-diff color in `Wanted`/`Latest`, smarter `update -i` picker, and `updateConfig.ignoreDependencies` is loaded from the workspace root ([#​610](https://redirect.github.com/endevco/aube/pull/610)) - *(install)* Probe link strategy against the actual destination dir so cross-FS installs with GVS enabled hardlink instead of falling back to per-file copy ([#​604](https://redirect.github.com/endevco/aube/pull/604)) - *(install)* Surface the underlying materializer error instead of a generic "channel closed" message ([#​607](https://redirect.github.com/endevco/aube/pull/607)) - *(progress)* Clamp `reused` on a downward `set_total` rebase so summaries stop reporting `reused > resolved` ([#​609](https://redirect.github.com/endevco/aube/pull/609)) - *(config)* Preserve a symlinked `~/.config/aube/config.toml` on write ([#​605](https://redirect.github.com/endevco/aube/pull/605)) - *(registry)* Coalesce slow-metadata warnings into a single resolve-end summary instead of one warning per slow packument ([#​592](https://redirect.github.com/endevco/aube/pull/592)) #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.4`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.4): : Streaming tarball retries + 32-bit Linux build fix [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.3...v1.10.4) Two targeted fixes: cold installs now retry transient registry failures on the streaming tarball path, and `aube-store` builds cleanly on 32-bit Linux again. #### Fixed - **Streaming tarball fetch retries transient failures** ([#​591](https://redirect.github.com/endevco/aube/pull/591) by [@​jdx](https://redirect.github.com/jdx)) — `start_tarball_stream` (the default install hot path for sha512-pinned lockfile entries) used to skip retry entirely to avoid unwinding partial CAS writes mid-stream. That reasoning is sound for mid-stream errors, but it also leaked into *pre-response* failures: a 503, 429, connection refused, or connection reset before any chunk had flowed would propagate straight back to the caller with no recovery, while the buffered path retried the same failures up to `fetchRetries` times. The initial `send().await` now retries on `is_retriable_status` (5xx + 429, honoring `Retry-After`) and on transport errors (bounded by `TIMEOUT_RETRY_CAP`), emitting the existing `WARN_AUBE_HTTP_RETRY_TRANSIENT` / `_TRANSPORT` logs. Once headers pass `error_for_status` and chunks start flowing, behavior is unchanged. Caught on a macOS PGO dry-run where Verdaccio / the throttle-proxy hiccupped and the install bailed without a single retry log line. - **`aube-store` builds on 32-bit Linux** ([#​587](https://redirect.github.com/endevco/aube/pull/587) by [@​jdx](https://redirect.github.com/jdx)) — The `posix_fallocate` wrapper hard-coded `len: i64`, which matches `libc::off_t` on every 64-bit target but breaks armhf, where the default (non-LFS) `off_t = i32`. The wrapper now takes `libc::off_t` directly and the single call site casts `bytes.len() as libc::off_t`, unblocking Launchpad's Ubuntu Resolute armhf build of aube and any downstream `armv7-unknown-linux-gnueabihf` consumer. #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.3`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.3) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.2...v1.10.3) > \[!NOTE] > No user-visible code changes since v1.10.2. Tagged so the release-plz / `cargo publish` cadence stays unbroken; entries below are CI and benchmark tooling. #### Fixed - *(ci)* Add native `aarch64-unknown-linux-gnu` PGO matrix row and bump macOS arm64 PGO to `macos-arm64-large` to work around the v1.10.1 instrumented-binary segfault ([#​582](https://redirect.github.com/endevco/aube/pull/582)) - *(bench)* Install yarn 4 via `npm:@​yarnpkg/cli-dist@latest` — the `yarn` npm package only publishes 1.x and 2.x ([#​583](https://redirect.github.com/endevco/aube/pull/583)) - *(bench)* Pass `--frozen-lockfile` to vlt install scenarios so vlt is measured on the same path as every other tool in the matrix ([#​581](https://redirect.github.com/endevco/aube/pull/581)) #### Binaries This release ships without prebuilt archives. Install via `cargo install aube`, `mise use aube`, or `npm i -g aube`. #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.2) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.1...v1.10.2) > \[!NOTE] > No user-visible code changes since v1.10.1. Tagged so the release-plz / `cargo publish` cadence stays unbroken; entries below are CI and benchmark tooling. #### Changed - *(ci)* Bump x86\_64 Linux PGO release runners to `linux-amd64-large` (32 GB) to fix OOM during the instrumented link step ([#​577](https://redirect.github.com/endevco/aube/pull/577)) - *(docs)* Benchmark matrix switches yarn to berry, adds **deno** and **vlt**, refreshes the landing-page chart ([#​578](https://redirect.github.com/endevco/aube/pull/578)) #### Binaries This release has a partial archive set. For a complete set of prebuilts, use a later release — or install via `cargo install aube`, `mise use aube`, or `npm i -g aube`. #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.1) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.0...v1.10.1) #### Added - *(install)* Post-install summary flags **deprecated** and **outdated** direct deps inline so you see what to upgrade without scrolling back through fetch output ([#​575](https://redirect.github.com/endevco/aube/pull/575)) #### Fixed - *(deploy)* `aube deploy` resolves `catalog:` references and accepts packages without an explicit `version` field ([#​574](https://redirect.github.com/endevco/aube/pull/574)) - *(install)* Pad package counts in the progress UI and drop the ETA placeholder when none is available ([#​570](https://redirect.github.com/endevco/aube/pull/570)) - *(release)* `npm publish` skips already-published versions so re-running the publish workflow is idempotent ([#​565](https://redirect.github.com/endevco/aube/pull/565)) #### Changed - *(release)* x86\_64 Linux GNU/musl and macOS arm64 binaries now ship as PGO-optimized artifacts. Linux x86\_64 uses `cross` for the glibc baseline; macOS arm64 builds natively ([#​572](https://redirect.github.com/endevco/aube/pull/572)) #### Performance - *(registry)* Swap `simd-json` for `sonic-rs` on the packument hot path ([#​569](https://redirect.github.com/endevco/aube/pull/569)) - *(registry)* Drop deep clone and `fsync` from packument cache writes ([#​568](https://redirect.github.com/endevco/aube/pull/568)) #### Binaries This release has a partial archive set. For a complete set of prebuilts, use a later release — or install via `cargo install aube`, `mise use aube`, or `npm i -g aube`. #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.0): : Recursive runs grow up, install gets a diagnostics microscope [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.9.1...v1.10.0) #### Added - *(cli)* Wire the recursive-run flags (`--sort`/`--no-sort`, `--reverse`, `--resume-from`, `--workspace-concurrency`, `--reporter-hide-prefix`) and add a per-package output multiplexer for parallel runs ([#​545](https://redirect.github.com/endevco/aube/pull/545)) - *(diag)* End-to-end install instrumentation and the `aube diag analyze` / `aube diag compare` subcommands behind a new `--diag <summary|trace|live|full>` flag ([#​547](https://redirect.github.com/endevco/aube/pull/547)) - *(install)* Post-install dependency summary grouped by dependency type ([#​559](https://redirect.github.com/endevco/aube/pull/559)) - *(update)* `--lockfile-only` flag to refresh `aube-lock.yaml` without touching `node_modules` ([#​560](https://redirect.github.com/endevco/aube/pull/560)) - *(add)* `linkWorkspacePackages` and `saveWorkspaceProtocol` settings plus `--save-workspace-protocol` / `--no-save-workspace-protocol` flags ([#​539](https://redirect.github.com/endevco/aube/pull/539)) #### Fixed - *(workspace)* Linker no longer substitutes a workspace sibling for a registry-pinned dep, lockfile drift flags orphan importers, recursive `remove` skips projects that don't declare the dep, and parent-relative `../**` globs in `pnpm-workspace.yaml` are honored ([#​564](https://redirect.github.com/endevco/aube/pull/564)) - *(workspace)* Filtered runs respect `--workspace-root` and `includeWorkspaceRoot: true` ([#​556](https://redirect.github.com/endevco/aube/pull/556)) - *(update)* Filtered workspace updates merge back into the shared root lockfile under `sharedWorkspaceLockfile=true` instead of leaving per-package `aube-lock.yaml` files behind ([#​558](https://redirect.github.com/endevco/aube/pull/558)) - *(update)* `--interactive` renders a multiselect picker, fails fast on non-TTY, and `--latest` preserves `catalog:` / `catalog:<name>` specifiers ([#​552](https://redirect.github.com/endevco/aube/pull/552)) - *(pnpmfile)* Hard-fail the install when a defined `readPackage` hook returns a non-object ([#​562](https://redirect.github.com/endevco/aube/pull/562)) - *(deploy)* Keep filtered workspace packages in the index when `package.json` has no `version` ([#​549](https://redirect.github.com/endevco/aube/pull/549)) - *(install)* Inherit top-level `pnpm.allowBuilds` approvals into the nested install used for git-dep `prepare` ([#​546](https://redirect.github.com/endevco/aube/pull/546)) - *(cli)* Skip `verifyDepsBeforeRun` checks when `npm_lifecycle_event` is set, fixing both the `error`-mode hard-fail and the `install`-mode lock deadlock from nested `aube run` inside lifecycle scripts ([#​538](https://redirect.github.com/endevco/aube/pull/538)) - *(install)* Interactive `aube approve-builds` requires at least one selection and the TTY guard checks both stdin and stderr ([#​537](https://redirect.github.com/endevco/aube/pull/537)) #### Changed - *(install)* New `aube_util::adaptive` limiter (slow-start, AIMD, CUSUM-gated shrink) wired at every previously magic-numbered concurrency site, with a separate http1-only reqwest client for tarball downloads ([#​548](https://redirect.github.com/endevco/aube/pull/548)) #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
43db152e9b
|
chore(deps): update dependency aube to v1.9.1 (#478)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.6.2` → `v1.9.1` | `v1.14.1` (+10) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.9.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.1): : Cold install overhaul, HTTP prefetch, and workspace fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.9.0...v1.9.1) A performance- and correctness-focused patch release. Cold installs get a streaming tarball pipeline, Linux gets an `O_TMPFILE`+`linkat` CAS fast path, and the resolver's cold path overlaps DNS, TLS, and packument prefetch with the manifest/workspace/lockfile work that used to serialize them. On the fix side, `aube run` once again finds `node-gyp` for package scripts, and `aube update` / `aube outdated` stop trying to fetch unpublished `workspace:` deps from the registry. #### Added - **Pre-resolver packument prefetch + shared HTTP utilities** ([#​529](https://redirect.github.com/endevco/aube/pull/529) by [@​imjustprism](https://redirect.github.com/imjustprism)) — a new `aube-util::http` module consolidates client-side primitives (`prewarm`, `priority`, `race`, `resolve`, `ticket_cache`) so leaf crates share one warm-pool surface with consistent killswitch semantics. On install entry, aube now reads `package.json` and fires fire-and-forget packument GETs for every registry-shaped direct dep before workspace yaml load, settings resolve, lockfile parse, and resolver construction — by the time the resolver pops its first task, the packument cache and reqwest pool are warm. `RegistryClient::prewarm_connection` now covers the default registry **plus** every scoped (`@org:registry=...`) and per-uri auth registry, with parallel DNS preresolve so DNS RTT hides behind the TLS handshake. Abbreviated packument GETs also send `Priority: u=0` (RFC 9218 Critical) so H2 schedulers prioritize resolver-blocking metadata over pending tarball frames. New killswitches: `AUBE_DISABLE_DNS_PRERESOLVE`, `AUBE_DISABLE_REQUEST_RACING`, `AUBE_DISABLE_PREFETCH`, `AUBE_DISABLE_TLS_TICKET_CACHE`. Prefetch is a no-op when offline or when any lockfile is present. - **Cold install pipeline overhaul** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) — several overlapping wins on the cold-cache path: - **Streaming tarball pipeline** (opt-in via `AUBE_TARBALL_STREAM=1`, killswitch `AUBE_DISABLE_TARBALL_STREAM`) — HTTP body chunks pipe through SHA-512 + gz + tar + CAS via an mpsc bridge instead of buffering the whole tarball; non-SHA-512 SRI falls back to buffered. Bounded by the registry's `tarball_max_bytes` cap. - **Linux `O_TMPFILE` + `linkat` CAS publish** with `EOPNOTSUPP` fallback to the tempfile path, `posix_fallocate` to avoid ext4 fragmentation, and `posix_fadvise(DONTNEED)` to free page cache after publish. Killswitch: `AUBE_DISABLE_O_TMPFILE`. - **Materialize-stream into the lockfile fast path** — both lockfile and no-lockfile branches now share the GVS prewarm materializer, hiding 30-200ms of GVS reflinks behind the in-flight download tail. - **Resolver tuning** — foldhash on `graph_hash` hot maps, pre-sized resolver caches, thread-local `node_semver::Version` parse cache, `PARALLEL_IMPORT_THRESHOLD` lowered from 256 to 16 (median npm tarball is 7 files), and pinned tokio `worker_threads` (`cpu.min(8)`) / `max_blocking_threads(64)` (tunable via `AUBE_TOKIO_WORKERS` / `AUBE_TOKIO_BLOCKING`). - **Windows** gets `FILE_ATTRIBUTE_NOT_CONTENT_INDEXED` on the store root; cross-volume detection (drive letters on Windows, `dev` id on Unix) is gated per-platform. Reported same-volume Windows cold-install ratios: 1.80x-8.75x faster than Bun across svelte/vite/next/babylon. - **Per-project materialize pipelined into fetch** ([#​527](https://redirect.github.com/endevco/aube/pull/527) by [@​imjustprism](https://redirect.github.com/imjustprism)) — when GVS is off, each fetched `(canonical_key, PackageIndex)` triggers `materialize_into` against `.aube/<dep_path>/` immediately, so by the time fetch finishes the dedicated link phase only has to create top-level `node_modules/<name>` symlinks. The driver now uses `JoinSet` instead of `Vec<JoinHandle>`, so on early-return all in-flight tasks abort instead of detaching and racing install cleanup. \~10% improvement on warm fresh installs in the local benchmark matrix. #### Fixed - **`aube run` / `aube test` find `node-gyp`** ([#​518](https://redirect.github.com/endevco/aube/pull/518) by [@​jdx](https://redirect.github.com/jdx)) — package scripts only had `node_modules/.bin` prepended to `PATH`, so `aube test` would fail with `node-gyp: not found` on hosts that didn't already ship it. Script execution now reuses aube's existing node-gyp bootstrap (via a lazy shim bin dir + `AUBE_NODE_GYP_EXE` / `AUBE_NODE_GYP_PROJECT_DIR`), matching pnpm/npm behavior. Ports pnpm's `lifecycleScripts.ts:128` coverage into the offline node-gyp bootstrap bats suite. - **`workspace:` deps in `aube update` / `aube outdated`** ([#​523](https://redirect.github.com/endevco/aube/pull/523) by [@​jdx](https://redirect.github.com/jdx), fixes [#​520](https://redirect.github.com/endevco/aube/discussions/520)) — `aube update` now discovers workspace package `name`/`version` pairs and passes them into resolver workspace resolution so `workspace:` deps from `package.json#workspaces` resolve locally instead of triggering registry packument fetches. `aube outdated` filters out direct deps with `workspace:` specifiers and reports "no matching dependencies" rather than attempting a packument fetch. Adds a new `WARN_AUBE_WORKSPACE_PACKAGE_MISSING_NAME` warning code for workspace packages without a `name` field. - **Resolver peer-context divergence is fatal** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) — `apply_peer_contexts` hitting `MAX_ITERATIONS` used to log a warning and ship a broken graph; it now returns a fatal `Error::PeerContextDivergence(usize)`. `state::remove_state` errors at `--force` and GVS-transition sites also propagate instead of being silently swallowed, so permission-denied or Windows-locked sidecars no longer defeat the freshness check. - **Tarball hardening** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) — entries declared as 0 bytes with non-zero stream payload are now rejected (synthetic-entry injection guard), and GNU `LongName` / `LongLink` metadata records are correctly accepted. - **Patches loaded once per cwd** ([#​529](https://redirect.github.com/endevco/aube/pull/529) by [@​imjustprism](https://redirect.github.com/imjustprism)) — `load_patches_for_linker` walked `patches/` from disk 2-3 times per install (lockfile-prewarm, no-lockfile-prewarm, and link-phase sites). Now cached per cwd via `OnceLock<Mutex<HashMap<PathBuf, ...>>>`. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.9.0...v1.9.1> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.9.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.0): : Comment-preserving workspace edits, deploy bundling, and node --inspect [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.8.0...v1.9.0) A focused release: `aube deploy` learns to bundle workspace siblings and local-path deps into the deploy artifact, workspace-yaml writers stop eating user comments, aube-owned settings move out of `.npmrc`, and `aube run` forwards Node debugger flags. #### Added - **Aube settings move out of `.npmrc`** ([#​517](https://redirect.github.com/endevco/aube/pull/517) by [@​jdx](https://redirect.github.com/jdx)) — known aube-owned settings now live in `~/.config/aube/config.toml` (XDG-aware), while registry, auth, and unknown keys keep using `.npmrc`. `aube config get/set/list/delete` reads and writes the right file automatically, and migrating a known setting cleans up the stale `.npmrc` entry. `.npmrc` writes are also atomic against the **symlink target** now, so dotfile setups that symlink `~/.npmrc` into a managed config repo stop having the symlink replaced by a regular file. - **`aube run --inspect` / `--inspect-brk`** ([#​515](https://redirect.github.com/endevco/aube/pull/515) by [@​jdx](https://redirect.github.com/jdx)) — both flags accept an optional `[host:]port` (e.g. `--inspect=9229`, `--inspect-brk=0.0.0.0:9230`) and are forwarded as explicit Node argv when aube can identify a Node-backed target — direct `node ...` scripts in `package.json` and local `node_modules/.bin` fallbacks resolved through shims/symlinks. The flags are passed as argv rather than via `NODE_OPTIONS`, so the debugger doesn't attach to nested Node processes spawned by the script. - **`aube deploy --no-prod`** ([#​507](https://redirect.github.com/endevco/aube/pull/507) by [@​jdx](https://redirect.github.com/jdx)) — opt out of the default `--prod` filter for deploys that need devDependencies at runtime (test-harness staging, build-step artifacts). Mutually exclusive with `--prod` / `--dev`; combine with `--no-optional` to keep prod + dev but drop optionals. - **Comment-preserving workspace yaml writes** ([#​511](https://redirect.github.com/endevco/aube/pull/511) by [@​jdx](https://redirect.github.com/jdx)) — every workspace-yaml writer (`approve-builds`, `patch-commit`, `patch-remove`, the daily `cleanupUnusedCatalogs` install pass, and `aube config set --location workspace`) now routes through `yamlpatch` instead of round-tripping the file through a serializer. Keys, comments, and whitespace the edit didn't touch land back on disk byte-identical, so user annotations on adjacent entries survive. Empty/missing files still go through the regular serializer since there are no comments to preserve. #### Fixed - **`aube deploy` bundles local dependencies** ([#​507](https://redirect.github.com/endevco/aube/pull/507) by [@​jdx](https://redirect.github.com/jdx)) — fixes two real bugs reported in [#​345](https://redirect.github.com/endevco/aube/discussions/345): - **`workspace:*` siblings tried to fetch from the registry.** Deploy used to rewrite `workspace:*` to a concrete version and ask install to resolve it — fine for published siblings, broken for the (very common) unpublished case. Reachable workspace siblings are now copied into `<target>/.aube-deploy-injected/<id>/` and the manifest spec becomes a relative `file:` pointer. Recursion handles sibling chains where a sibling's own deps are workspace siblings. - **`file:` deps resolved relative to the deploy output dir.** A `file:../local-vendor` spec used to ride along unchanged in the deployed manifest, pointing at `<target>/../local-vendor` instead of the source workspace's `local-vendor`. Local-path deps now go through the same staging pipeline. When bundling occurs the lockfile-subset path is skipped, since the rewritten `file:` pointers don't appear in the source lockfile and would otherwise trip a frozen install. - **`aube remove` preserves dependency order** ([#​511](https://redirect.github.com/endevco/aube/pull/511) by [@​jdx](https://redirect.github.com/jdx)) — dropping one dep used to alphabetize the remaining entries in the affected `package.json` section as a side effect. Surviving entries now stay in their original on-disk order, matching pnpm/npm. (`aube add` is unaffected — sorted inserts there are intentional.) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.8.0...v1.9.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.8.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.8.0): : Stable error codes, smarter run/dlx, and a new install progress UI [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.7.0...v1.8.0) A polish-and-plumbing release: install progress gets a from-scratch redesign, errors and warnings now carry stable identifiers (with bespoke exit codes and dep-chain context), `aube run` / `aube dlx` prefer locally-installed binaries, and a handful of workspace-from-subpackage and `aube add` ergonomics get fixed. #### Added - **Redesigned install progress UI** ([#​501](https://redirect.github.com/endevco/aube/pull/501) by [@​jdx](https://redirect.github.com/jdx)) — fixed 15-char bar on the left, stats on the right, phase-aware label (`resolving` / `fetching` / `linking`), ETA, transfer rate, and an estimated install size derived from the resolve stream: ``` aube 1.8.0 by en.dev █████░░░░░░░░░░ 23/142 pkgs · 4.2 MB / ~13.8 MB · 1.4 MB/s · ETA 5s ███████████████ 1230/1230 pkgs · linking ✓ resolved 1230 · reused 98 · downloaded 1132 (54.6 MB) in 6.8s ``` Installs that finish before the first 2s heartbeat now print a single self-identifying summary line (`✓ installed 5 packages in 423ms`) instead of a partial bar. Also fixes two real bookkeeping bugs (a `2/1 packages` overflow on platform-mismatched non-optional deps, and the "stuck at 90%" undercount caused by `filter_graph` dropping packages after the denominator was inflated). - **Local bins for `aube run` and `aube dlx`** ([#​502](https://redirect.github.com/endevco/aube/pull/502) by [@​jdx](https://redirect.github.com/jdx)) — `aube run <name>` falls back to `node_modules/.bin/<name>` when no `package.json` script matches, and `aube dlx` / `aubx` will execute an already-installed local binary instead of doing a throwaway install. Pass `-p` / `--package` (or a versioned spec) to force the install path. - **Stable error and warning codes** ([#​492](https://redirect.github.com/endevco/aube/pull/492) by [@​jdx](https://redirect.github.com/jdx)) — every error and warning aube emits now carries an `ERR_AUBE_*` or `WARN_AUBE_*` identifier in a structured field, so CI scripts and ndjson consumers can branch on the code instead of substring-matching English messages. A curated subset maps to bespoke Unix exit codes (10–99 in 10-wide ranges by category) so shells can react to specific failures without parsing stderr — e.g. `aube install --frozen-lockfile` in an empty dir exits with `10` (`ERR_AUBE_NO_LOCKFILE`). Post-resolver errors that mention a specific package now also include the dependency chain back to the importer (`chain: a@1 > b@2 > leaf@3`) so a tarball-integrity or fetch failure tells you *why* your install pulled that transitive dep. The full code list lives at `docs/error-codes.md`. #### Fixed - **`aube why` / `list` / `query` from a workspace subpackage** ([#​504](https://redirect.github.com/endevco/aube/pull/504) by [@​jdx](https://redirect.github.com/jdx)) — these commands resolved cwd via the nearest `package.json`, so running them inside `packages/foo/` errored with `No lockfile found. Run aube install first.` even though the workspace lockfile sat one level up. They now walk up to the workspace root when one is present. - **Workspace lifecycle scripts and pnpm-lock npm aliases** ([#​500](https://redirect.github.com/endevco/aube/pull/500) by [@​jdx](https://redirect.github.com/jdx)) — recursive workspace installs now run `preinstall`/`install`/`postinstall`/`prepare` for each linked workspace importer in dependency order (not just the root), and the build-script policy merges `pnpm.allowBuilds` / `onlyBuiltDependencies` / `neverBuiltDependencies` across all participating manifests so a member can approve its own dep's builds. `pnpm-lock.yaml` now writes npm aliases in pnpm's native `<real>@​<version>` encoding instead of leaking aube's internal `aliasOf` field. - **`aube add` auto-detects local paths** ([#​499](https://redirect.github.com/endevco/aube/pull/499) by [@​jdx](https://redirect.github.com/jdx)) — `aube add /path/to/lib`, `./lib`, `~/lib`, `file:./lib`, and `link:./lib` no longer fall through to the registry path with a confusing `HTTP 405 Method Not Allowed`. Bare paths default to `link:` for directories and `file:` for tarballs (pnpm parity); explicit prefixes are preserved. Tarball-suffix paths emit a clear "not yet supported in `aube add`" hint instead of a 405. #### Changed - **Per-command `--help` is bucketed** ([#​505](https://redirect.github.com/endevco/aube/pull/505) by [@​jdx](https://redirect.github.com/jdx)) — `--frozen-lockfile` / `--prefer-frozen-lockfile`, `--registry` + `--fetch-*`, and `--disable/--enable-global-virtual-store` moved off the global flag set into per-command groups under `Lockfile` / `Network` / `Virtual store` headings, and now appear only on commands that consume them. Seven pnpm-compat no-op flags (`--workspace-packages`, `--ignore-workspace`, `--include-workspace-root`, `--aggregate-output`, `--stream`, `--use-stderr`, `--yes`) are still parsed but hidden from `--help`. Pre-subcommand placement still works (`aube --frozen-lockfile install`, `aube --registry=URL install`) via an argv pre-pass. One caveat: implicit-script invocations like `aube --frozen-lockfile dev` (where `dev` is a `package.json` script) no longer apply the flag — write `aube run --frozen-lockfile dev` instead. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.7.0...v1.8.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.7.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.7.0): : Local & git specs in aube add, faster cold installs [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.2...v1.7.0) A feature-heavy release: `aube add` learns git and local-path specs, workspace commands gain support for yaml-only "coordinator" monorepos, `aube update` and `aube rebuild` get pnpm-parity polish, and a deep performance pass speeds up cold installs by up to \~1.9×. #### Highlights - **`aube add` is now a one-stop shop** for git, GitHub-shorthand, and `link:` / `file:` local-path dependencies — not just registry packages. - **Performance pass on the install hot path** ([#​469](https://redirect.github.com/endevco/aube/pull/469)) lands streaming SHA-512, parallel CAS imports, TLS prewarm, fetch reordering, and a long tail of cold-path cleanups, with measured cold-install speedups up to \~1.9× vs v1.6.2. - **Workspace and pnpm parity polish** across `update`, `rebuild`, yaml-only roots, unversioned members, and nested `link:` / `file:` resolution. #### Added - **`aube add file:./pkg` / `link:../sibling`** ([#​487](https://redirect.github.com/endevco/aube/pull/487) by [@​jdx](https://redirect.github.com/jdx)) — local-path specs are routed through a non-registry branch, with the manifest key derived from the path basename (with `.tgz` / `.tar.gz` stripped) or from an explicit alias. `aube add my-bundle@file:./bundle.tgz` works too. - **`aube add` supports git specs** ([#​483](https://redirect.github.com/endevco/aube/pull/483) by [@​jdx](https://redirect.github.com/jdx)) — bare GitHub shorthand, `github:` / `gitlab:` / `bitbucket:` prefixes, full `git+ssh` / `git+https` URLs, and aliases. The verbatim spec is written to `package.json` and the resolver handles the rest: ```bash aube add kevva/is-negative aube add github:kevva/is-positive aube add my-alias@git+https://github.com/kevva/is-negative.git ``` - **Yaml-only workspace roots** ([#​486](https://redirect.github.com/endevco/aube/pull/486) by [@​jdx](https://redirect.github.com/jdx)) — `install`, `list`, `run -r`, `query`, and `why` now work in pure-coordinator monorepos that have `pnpm-workspace.yaml` / `aube-workspace.yaml` at the root but no root `package.json` (Turborepo-style layouts). Single-project commands like `add` / `remove` still hard-error without a manifest. - **`aube update <pkg>` rewrites manifest ranges by default** ([#​479](https://redirect.github.com/endevco/aube/pull/479) by [@​jdx](https://redirect.github.com/jdx)) — caret/tilde ranges (`^1.2.0`, `~1.2.0`) are rewritten to track the resolved in-range max, matching pnpm. Other shapes (`>=`, exact pins, dist-tags, git, `workspace:`) stay frozen. Set `update-rewrites-specifier=false` to keep the previous behavior. - **`aube rebuild <pkg>...`** ([#​477](https://redirect.github.com/endevco/aube/pull/477) by [@​jdx](https://redirect.github.com/jdx)) — runs lifecycle scripts only for the named deps, bypasses the `allowBuilds` / `onlyBuiltDependencies` policy, and skips root hooks. Composes with `--filter`. Bare `aube rebuild` continues to do a full policy-respecting rebuild. - **Persistent unreviewed-builds warning** ([#​476](https://redirect.github.com/endevco/aube/pull/476) by [@​jdx](https://redirect.github.com/jdx)) — repeat warm-path installs no longer swallow the "ignored build scripts for N package(s)" nudge; the spec keys are persisted in `.aube-state` and re-emitted on every install. - **`aube update --depth` no longer silently ignored** ([#​473](https://redirect.github.com/endevco/aube/pull/473) by [@​jdx](https://redirect.github.com/jdx)) — emits a one-line warning pointing at `rm aube-lock.yaml && aube install` for the only useful semantic case. #### Fixed - **Faster cold installs** ([#​469](https://redirect.github.com/endevco/aube/pull/469) by [@​imjustprism](https://redirect.github.com/imjustprism)) — a wide hot-path pass with measurable wins on real registries: | Project | v1.6.2 | v1.7.0 | Speedup | | ----------------- | --------: | ------: | ------: | | svelte (56 pkg) | 1393 ms | 1386 ms | 1.01× | | vue (117 pkg) | 1590 ms | 1360 ms | 1.17× | | next.js (336 pkg) | 14071 ms | 9160 ms | 1.54× | | babylon (21 pkg) | \~6000 ms | 3186 ms | \~1.9× | Highlights: streaming SHA-512 over the wire (no second buffered hash pass), two-phase parallel CAS tar import, speculative TLS/HTTP/2 prewarm behind manifest parse, native-build packages floated to the front of the fetch queue, `Accept-Encoding: gzip, br, zstd` on packuments, in-process DNS cache via `hickory-dns`, mmap+rayon BLAKE3 over 4 MiB, network concurrency default raised 64 → 128, and zero-copy packument parsing. Every change ships with an `AUBE_DISABLE_*` killswitch (`AUBE_DISABLE_STREAMING_SHA512`, `AUBE_DISABLE_SPECULATIVE_TLS`, `AUBE_DISABLE_CRITICAL_PATH`, `AUBE_DISABLE_PARALLEL_IMPORT`, `AUBE_DISABLE_MMAP_BLAKE3`, `AUBE_DISABLE_SNAPSHOTS`) plus an `AUBE_CONCURRENCY=N` clamp. - **Nested `link:` / `file:` resolution** ([#​470](https://redirect.github.com/endevco/aube/pull/470) by [@​jdx](https://redirect.github.com/jdx)) — fixes the `transitive local specifier link:./libs/foo cannot be resolved without the parent package source root` install error in two cases: a `file:` / `link:` parent declaring a transitive `link:`, and a root `pnpm.overrides` rewriting a registry dep to a local path. Override paths now anchor at the project root like pnpm does. - **Workspace members without `version`** ([#​480](https://redirect.github.com/endevco/aube/pull/480) by [@​jdx](https://redirect.github.com/jdx)) — fall back to `0.0.0` instead of hard-erroring. `workspace:*` / `^` / `~` siblings still link locally; specific ranges like `workspace:^2.0.0` still correctly fail to satisfy. Unblocks repos like [tuist/tuist#10584](https://redirect.github.com/tuist/tuist/pull/10584). - **Bare `user/repo` parsed as GitHub shorthand** ([#​472](https://redirect.github.com/endevco/aube/pull/472) by [@​jdx](https://redirect.github.com/jdx)) in lockfile/spec parsing, with `update --latest` now skipping git-spec deps so they can't be silently rewritten into registry pins. - **CLI short help wraps cleanly** ([#​478](https://redirect.github.com/endevco/aube/pull/478) by [@​jdx](https://redirect.github.com/jdx)) — many flags across `add`, `install`, `publish`, `update`, `view`, etc. had multi-line doc comments that clap merged into 120+ char paragraphs for `-h`. Now each flag has a one-line summary followed by the longer prose, restoring readable short help on standard terminals. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.6.2...v1.7.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzkuMyIsInVwZGF0ZWRJblZlciI6IjQzLjE3OS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
590bfd78fa
|
chore(deps): update dependency aube to v1.6.2 (#466)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.5.1` → `v1.6.2` | `v1.9.1` (+3) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.6.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.2): : Engines coverage catches up to pnpm [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.1...v1.6.2) A small patch release that closes engine-validation gaps with pnpm. #### Fixed - **Broader engines coverage** ([#​458](https://redirect.github.com/endevco/aube/pull/458) by [@​jdx](https://redirect.github.com/jdx)) — aube now honors engine constraints it previously skipped: - `engines.aube` and `engines.pnpm` on root and workspace project manifests are checked against the running aube version (aube positions itself as a pnpm-compatible drop-in, so `engines.pnpm` is honored as if aube were that pnpm). - `engines.node` is now enforced on workspace project manifests, not just the root. - Warning output labels which engine triggered the mismatch (e.g. `wanted node >=20`, `wanted aube >=99999`, `wanted pnpm >=8`), and the `engine-strict` error message stays compatible with existing assertions. - `engines.{aube,pnpm}` on transitive deps remain skipped on purpose, since wild packages routinely pin author toolchains. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.6.1...v1.6.2> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.6.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.1) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.0...v1.6.1) ##### Fixed - Unblocked the `v1.6.0` publishing path so missing Linux release assets and downstream package publishes could be backfilled ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Made the resolver build script tolerate environments where the primer generator exists but `node` is not installed, falling back to an empty primer with a Cargo warning instead of panicking ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Moved npm publishing and PPA upload jobs back to GitHub-hosted runners where npm provenance and Launchpad FTP uploads work correctly ([#​460](https://redirect.github.com/endevco/aube/pull/460)). ##### Other - Refreshed benchmarks for the 1.5.2 baseline ([#​459](https://redirect.github.com/endevco/aube/pull/459)). ### [`v1.6.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.0) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.1...v1.6.0) ##### Highlights - Added broader pnpm compatibility for `aube add`, `aube update`, pnpmfile hooks, catalog saves, workspace protocol parsing, and lockfile directory configuration. - Added generic `--config.<key>=<value>` overrides plus fetch timeout, retry, backoff, `--pnpmfile`, and `--global-pnpmfile` flags. - Improved install, resolver, registry, linker, manifest, settings, and state hot paths with shared caches, cheaper hashes, fewer repeated filesystem probes, and compressed packument fetches. - Expanded pnpm parity coverage across update, hooks, allow-build review, monorepo filter, prefer-offline, and misc install behavior. ##### Added - `aube update` now parses `<pkg>@​<spec>` arguments and can update indirect dependencies ([#​446](https://redirect.github.com/endevco/aube/pull/446)). - `aube add` can bootstrap a missing `package.json`, matching pnpm behavior covered by newly ported misc tests ([#​417](https://redirect.github.com/endevco/aube/pull/417)). - `--config.<key>=<value>` flags provide generic CLI config overrides ([#​447](https://redirect.github.com/endevco/aube/pull/447)). - `--lockfile-dir` / `lockfileDir` support allows commands to target a foreign lockfile directory when valid ([#​431](https://redirect.github.com/endevco/aube/pull/431)). - Fetch controls were added for timeout, retry count, and retry backoff behavior ([#​436](https://redirect.github.com/endevco/aube/pull/436)). - `--pnpmfile` and `--global-pnpmfile` flags were added, with pnpmfile hooks wired into update and `preResolution` support ([#​439](https://redirect.github.com/endevco/aube/pull/439), [#​423](https://redirect.github.com/endevco/aube/pull/423)). - pnpmfile `ctx.log` records now emit as `pnpm:hook` NDJSON on stdout ([#​440](https://redirect.github.com/endevco/aube/pull/440)). - `--save-catalog`, `workspace:*` parsing, and `sharedWorkspaceLockfile=false` support landed together ([#​418](https://redirect.github.com/endevco/aube/pull/418)). - Empty `--allow-build` values now use pnpm's verbatim error wording ([#​444](https://redirect.github.com/endevco/aube/pull/444)). ##### Fixed - `AUBE_VIRTUAL_STORE_DIR` is honored from the environment, with additional pnpm misc parity coverage ([#​456](https://redirect.github.com/endevco/aube/pull/456)). - `aube update --latest` preserves prerelease pins that are already higher than the latest stable version ([#​445](https://redirect.github.com/endevco/aube/pull/445)). - `.` is rejected as a foreign `--lockfile-dir` importer and the related docs were corrected ([#​442](https://redirect.github.com/endevco/aube/pull/442)). - npm `package-lock.json` workspace importers are preserved when parsing and writing lockfiles ([#​443](https://redirect.github.com/endevco/aube/pull/443)). - Lifecycle script behavior closed three pnpm parity gaps ([#​421](https://redirect.github.com/endevco/aube/pull/421)). - The resolver now ships an empty bundled metadata primer when the generator script cannot run, instead of failing the build ([#​425](https://redirect.github.com/endevco/aube/pull/425)). ##### Performance - Cached hot-path work across install, resolver, registry, linker, manifest parsing, settings lookup, and install state freshness checks ([#​453](https://redirect.github.com/endevco/aube/pull/453)). - Deduplicated and cached repeated install/resolver work, including graph hashing, patch fingerprints, lockfile parsing, env capture, script policy lookup, workspace-root scans, and registry auth token matching ([#​449](https://redirect.github.com/endevco/aube/pull/449)). - Refreshed benchmark results for the 1.5.2 baseline ([#​448](https://redirect.github.com/endevco/aube/pull/448), [#​452](https://redirect.github.com/endevco/aube/pull/452)). ##### Testing and Parity - Ported pnpm monorepo filter tests and wired `--fail-if-no-match` ([#​457](https://redirect.github.com/endevco/aube/pull/457)). - Ported additional pnpm hook, allowBuilds review, update, prefer-offline, circular peer, trust-policy, peer warning, top-level plugin, and registry fixture coverage ([#​455](https://redirect.github.com/endevco/aube/pull/455), [#​441](https://redirect.github.com/endevco/aube/pull/441), [#​438](https://redirect.github.com/endevco/aube/pull/438), [#​454](https://redirect.github.com/endevco/aube/pull/454), [#​434](https://redirect.github.com/endevco/aube/pull/434), [#​433](https://redirect.github.com/endevco/aube/pull/433), [#​424](https://redirect.github.com/endevco/aube/pull/424)). </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
|
396ce9daa2
|
chore(deps): update dependency aube to v1.5.1 (#463)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `1.4` → `v1.5.1` | `v1.9.1` (+6) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.5.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.1): : POSIX colon tarball filenames [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.0...v1.5.1) A small patch release fixing tarball installs that contain `:` in entry filenames on POSIX platforms (e.g. `redos-detector@6.1.4`'s `dist/__mocks__/package-json:version.d.ts`). #### Fixed - **POSIX colon tarball filenames** — the store tarball validator and the linker's `validate_index_key` previously rejected `:` on every platform to defend against Windows drive-prefix and NTFS alternate-data-stream ambiguity. That guard was too broad for POSIX, where colon is a valid filename character, and caused installs of packages like `redos-detector@6.1.4` to fail. Both guards are now platform-gated: `:` is still rejected on Windows, but accepted on Linux and macOS. ([#​386](https://redirect.github.com/endevco/aube/pull/386) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.5.0...v1.5.1> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.5.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.0): : Dependency graph queries and patch/lockfile fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.4.0...v1.5.0) This release adds `aube query` for selector-based dependency graph inspection, fixes patch application against CRLF tarball files, repairs npm-aliased catalog dependencies in pnpm-generated lockfiles, and unifies how aube decides where to write workspace settings. #### Added - **`aube query`** — a vlt-inspired dependency-graph query command. Supply a selector expression (attribute predicates plus pseudo-selectors like `:scripts`, `:bin`, `:peer`, `:type(...)`, `:license(...)`), optionally scope with workspace `--filter`/`--prod`/`--dev` roots, and emit human-readable, `--parseable`, or `--json` output. Reads only the local lockfile. ([#​380](https://redirect.github.com/endevco/aube/pull/380) by [@​jdx](https://redirect.github.com/jdx)) #### Fixed - **Patches against CRLF text files** — tarballs published from Windows editors (e.g. `gifuct-js@2.1.2/index.d.ts`) ship CRLF, but git/pnpm-style patches always emit LF, and diffy refused to match LF hunks against CRLF context. aube now normalizes the original to LF before applying and restores CRLF on write — matching pnpm's approach — with a `\r\r\n` collapse so a literal `\r` byte mid-line doesn't gain a second carriage return. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **`aube patch-commit` destination** — previously wrote unconditionally to `pnpm.patchedDependencies` in `package.json` even on projects already using the pnpm v10+ workspace-yaml home. A single rule now applies to every command that mutates a setting which can live in either the workspace yaml or `package.json#{pnpm,aube}.<key>`: 1. If a workspace yaml exists on disk → write there. 2. Otherwise, if `package.json#pnpm` is already declared → write `pnpm.<key>` (preserve the user's namespace). 3. Otherwise → write `aube.<key>`. `aube patch-remove` now strips entries from every place they could live and reports the files actually rewritten. The same rule covers `aube approve-builds` and install-time auto-deny seeding. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **npm-aliased catalog deps from pnpm lockfiles** — `aube install --frozen-lockfile` previously accepted a pnpm lockfile with `beamcoder: npm:beamcoder-prebuild@…` declared via `pnpm-workspace.yaml#catalog` and silently produced an empty `node_modules`, because the importer's specifier was `'catalog:'` and alias detection only fired on `specifier.starts_with("npm:")`. Aliases are now detected purely from the canonical `<real>@​<resolved>` `version:` shape, with a peer-suffix strip so `version: 18.2.0(react@18.2.0)` isn't misclassified. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Bounded resolver stream** — the resolved-package stream is now a bounded Tokio channel sized from the same network concurrency used by fetch workers, with awaited sends so resolver/fetch overlap applies backpressure instead of accumulating an unbounded queue. ([#​377](https://redirect.github.com/endevco/aube/pull/377) by [@​jdx](https://redirect.github.com/jdx)) #### Changed - **`aube-workspace.yaml` is the default-write filename** — when neither `aube-workspace.yaml` nor `pnpm-workspace.yaml` exists, `aube approve-builds` (and the install-time auto-seed of unreviewed build scripts) now creates `aube-workspace.yaml` so it pairs with `aube-lock.yaml` instead of leaving mixed vendor namespaces side by side. Existing `pnpm-workspace.yaml` files keep being mutated in place. ([#​382](https://redirect.github.com/endevco/aube/pull/382) by [@​jdx](https://redirect.github.com/jdx)) - **Comment-preserving workspace-yaml writes** — yaml writes now skip the rewrite when the closure produces no structural change, so user comments survive every no-op update to `allowBuilds`, `patchedDependencies`, and catalog cleanup. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Install phase timing sink** — set `AUBE_BENCH_PHASES_FILE` to append per-phase install timings (resolve/fetch/link/scripts/state/sweep) as JSONL, optionally tagged with `AUBE_BENCH_SCENARIO`. The benchmark harness samples aube install-shaped scenarios and `benchmarks/generate-phase-results.mjs` turns the JSONL into a Markdown table plus a structured JSON artifact. ([#​381](https://redirect.github.com/endevco/aube/pull/381) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.4.0...v1.5.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
|
0a780158e1
|
chore: migrate package manager from npm/pnpm/bun to aube (#455)
## Summary
Switches the project's package-manager surface from a mix of `npm` /
`pnpm` / `bun` (different commands in different files) to a single tool:
[aube](https://aube.en.dev), en.dev's pnpm-compat package manager
(native Rust, fast, drops cleanly into pnpm/npm-compatible workflows).
| | Before | After |
|---|---|---|
| Workflows install step | `npm ci` | `aube ci` |
| Workflows run scripts | `npm run X` | `aubr X` (`aubr` is the `aube
run` shorthand) |
| `mise.toml` tasks | mixed `npm run` / `bun run` | `aubr X` |
| Lockfile | `package-lock.json` | `package-lock.json` (unchanged — aube
reads it directly) |
The `aubr` binary ships alongside `aube` in the same install — it's the
script-runner shorthand (`aubr <script>` ≡ `aube run <script>`). Saves a
word in every workflow / mise.toml line.
## What didn't change
- **`package-lock.json`** stays as the canonical lockfile. aube reads it
directly; no `aube-lock.yaml` is generated. Running `npm install` still
works for any dev who hasn't switched to aube yet.
- **`package.json` scripts** still use `npm run X` for nested
invocations (e.g. `"all": "npm run format:write && …"`). The literal
`npm` works for both callers — aube's shell exec finds `npm` in PATH,
the inner invocation re-runs the same package.json script. Keeping these
PM-agnostic avoids a forced cutover for downstream contributors.
- **`dist/`** is byte-identical after `aubr all` — parity with the
npm-built bundle verified locally.
## New project files
- **`.npmrc`** — single line: `node-linker=hoisted`. Forces a flat,
npm-style `node_modules` layout instead of aube's default
symlink/virtual-store. Required because `rollup --configPlugin
@rollup/plugin-typescript` resolves the plugin from cwd's node_modules,
and the isolated layout puts rollup under `node_modules/.aube/...` where
standard module resolution can't reach back to the project root for the
plugin. npm reads `.npmrc` but ignores `node-linker` (npm always
installs flat), so the file is safe for both PMs.
- **`pnpm-workspace.yaml`** — generated by aube 1.4 to record
build-script approvals (`unrs-resolver: false`). Project-level config;
commits like a `package.json` companion.
Pinned `aube = '1.4'` in `mise.toml`'s tools so `mise install`
provisions the right binary locally.
## Why aube
Single tool replacing three. Less context-switching for contributors,
fewer places to run `npm audit` / `bun upgrade` / `pnpm dedupe`. aube's
cold-cache install for this repo's deps is ~3s vs `npm ci` at ~10s.
## Test plan
- [x] `aube install` from clean — succeeds, all 441 packages link
cleanly
- [x] `aubr all` (format + lint + package) — succeeds, `dist/`
byte-identical to checked-in version
- [x] `aubr format:check` — clean
- [x] `aubr lint` — clean
- [x] `aubr package` — produces `dist/index.js`, `dist/index.js.map`,
`dist/licenses.txt` matching what's checked in
- [ ] Workflows: `Continuous Integration` / `autofix.ci` / `Check dist/`
/ `test` all pass on this PR
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/build-system plumbing; risk is workflow or packaging
breakage (dependency install layout, rollup config) that could prevent
`dist/` from rebuilding or CI from running, but it doesn’t change
runtime action logic.
>
> **Overview**
> Switches GitHub Actions workflows to install tooling via
`jdx/mise-action` and run installs/scripts with `aube`/`aubr` instead of
`actions/setup-node` + `npm ci`/`npm run`.
>
> Pins `aube` (`1.4`) in `mise.toml`, updates `mise` tasks and developer
docs (`CLAUDE.md`) to use `aube`/`aubr`, and adds `.npmrc`
(`node-linker=hoisted`) plus a `.gitignore` entry to avoid committing
`aube`’s generated `pnpm-workspace.yaml`.
>
> Adjusts the packaging script to use `rollup.config.mjs` (replacing the
previous TS config invocation).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
|
0b4dcb0c10
|
ci: add communique to enhance release notes (#411)
## Summary
- Add communique tool to mise.toml
- Add `enhance-release` job to release workflow that runs after release
creation to generate AI-enhanced release notes
## Test plan
- [ ] Verify next release triggers the enhance-release job
- [ ] Confirm ANTHROPIC_API_KEY secret is configured in repo settings
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Adds a new post-release GitHub Actions job that uses an external AI
API and an elevated token to modify GitHub release notes; failures or
misconfigured secrets can break the release workflow and token scope
matters.
>
> **Overview**
> After the `release` job completes, the workflow now runs a new
`enhance-release` job that computes the tag from `package.json` and
calls `communique generate ... --github-release` to update the GitHub
release notes.
>
> The PR also adds `communique` to `mise.toml` so the tool is available
in CI, and wires in `ANTHROPIC_API_KEY` plus a dedicated
`RELEASE_PLZ_GITHUB_TOKEN` for the release-note update step.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
|
||
|
|
bd8ba20c56
|
chore: added release-plz | ||
|
|
ec352a8916
|
chore: node-24 | ||
|
|
5f7b5f779d
|
chore: loosen node version | ||
|
|
3601336acb
|
chore: updated deps | ||
|
|
793f8df484
|
chore: added pre-commit task | ||
|
|
c34172bab2
|
chore(deps): update dependency node to v22 (#143)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
c1be5dfbbf
|
chore(deps): update dependency node to v20.18.0 (#126)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
9d00159afd
|
chore(deps): update dependency node to v20.17.0 (#112)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
|
5d3e058edf
|
feat: support windows (#122) |
Renamed from .mise.toml (Browse further)