mirror of
https://github.com/jdx/mise-action.git
synced 2026-06-19 21:06:31 +00:00
686 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
renovate[bot]
|
f0f49aef77
|
chore(deps): update typescript-eslint monorepo to v8.61.0 (#527)
Some checks are pending
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
zizmor / zizmor (push) Waiting to run
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.60.1` β `8.61.0`](https://renovatebot.com/diffs/npm/typescript-eslint/8.60.1/8.61.0) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.61.0`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8610-2026-06-08) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.1...v8.61.0) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.61.0) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
4423dc488b
|
chore(deps): update jdx/pr-closer action to v1.1.0 (#525)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [jdx/pr-closer](https://redirect.github.com/jdx/pr-closer) | action | minor | `v1.0.1` β `v1.1.0` | --- ### Release Notes <details> <summary>jdx/pr-closer (jdx/pr-closer)</summary> ### [`v1.1.0`](https://redirect.github.com/jdx/pr-closer/releases/tag/v1.1.0) [Compare Source](https://redirect.github.com/jdx/pr-closer/compare/v1.0.2...v1.1.0) #### What's Changed - feat: add configurable pull request exclusions by [@​jdx](https://redirect.github.com/jdx) in [#​5](https://redirect.github.com/jdx/pr-closer/pull/5) - chore: release v1.1.0 by [@​jdx](https://redirect.github.com/jdx) in [#​6](https://redirect.github.com/jdx/pr-closer/pull/6) **Full Changelog**: <https://github.com/jdx/pr-closer/compare/v1.0.2...v1.1.0> ### [`v1.0.2`](https://redirect.github.com/jdx/pr-closer/releases/tag/v1.0.2) [Compare Source](https://redirect.github.com/jdx/pr-closer/compare/v1.0.1...v1.0.2) #### What's Changed - chore: add max-age closing for stale pull requests by [@​jdx](https://redirect.github.com/jdx) in [#​1](https://redirect.github.com/jdx/pr-closer/pull/1) - chore: add release PR automation by [@​jdx](https://redirect.github.com/jdx) in [#​2](https://redirect.github.com/jdx/pr-closer/pull/2) - chore: run release-plz script with bash by [@​jdx](https://redirect.github.com/jdx) in [#​3](https://redirect.github.com/jdx/pr-closer/pull/3) - chore: release v1.0.2 by [@​jdx](https://redirect.github.com/jdx) in [#​4](https://redirect.github.com/jdx/pr-closer/pull/4) #### New Contributors - [@​jdx](https://redirect.github.com/jdx) made their first contribution in [#​1](https://redirect.github.com/jdx/pr-closer/pull/1) **Full Changelog**: <https://github.com/jdx/pr-closer/compare/v1.0.1...v1.0.2> </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
63d291ff1b
|
chore(deps): update dependency prettier to v3.8.4 (#524)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [prettier](https://prettier.io) ([source](https://redirect.github.com/prettier/prettier)) | [`3.8.3` β `3.8.4`](https://renovatebot.com/diffs/npm/prettier/3.8.3/3.8.4) |  |  | --- ### Release Notes <details> <summary>prettier/prettier (prettier)</summary> ### [`v3.8.4`](https://redirect.github.com/prettier/prettier/blob/HEAD/CHANGELOG.md#384) [Compare Source](https://redirect.github.com/prettier/prettier/compare/3.8.3...3.8.4) [diff](https://redirect.github.com/prettier/prettier/compare/3.8.3...3.8.4) ##### Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX ([#​17746](https://redirect.github.com/prettier/prettier/pull/17746) by [@​byplayer](https://redirect.github.com/byplayer)) Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning. <!-- prettier-ignore --> ```markdown <!-- Input --> - a - b - c - d <!-- Prettier 3.8.3 --> - a - b - c - d <!-- Prettier 3.8.4 --> - a - b - c - d ``` </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
jdx
|
e6a8b3978a
|
chore: release v4.2.0 (#504)
Some checks failed
Continuous Integration / TypeScript Tests (push) Has been cancelled
Check dist/ / Check dist/ (push) Has been cancelled
build-test / build (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
Co-authored-by: mise-en-dev <123107610+mise-en-dev@users.noreply.github.com> |
||
|
Taku Kodama
|
884d428693
|
fix: fall back to wget when curl is unavailable (#521) | ||
|
jdx
|
5f61b63aff
|
feat: support bootstrap mode (#522)
Some checks are pending
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
|
||
|
renovate[bot]
|
03d53910f9
|
chore(deps): update node.js to v24.16.0 (#519)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
|
||
|
renovate[bot]
|
0f82543dab
|
chore(deps): update node.js to v24.16.0 (#518)
Some checks failed
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
zizmor / zizmor (push) Has been cancelled
|
||
|
renovate[bot]
|
5d76934c0b
|
chore(deps): update dependency rollup to v4.61.1 (#516)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [rollup](https://rollupjs.org/) ([source](https://redirect.github.com/rollup/rollup)) | [`4.60.4` β `4.61.1`](https://renovatebot.com/diffs/npm/rollup/4.60.4/4.61.1) |  |  | --- ### Release Notes <details> <summary>rollup/rollup (rollup)</summary> ### [`v4.61.1`](https://redirect.github.com/rollup/rollup/blob/HEAD/CHANGELOG.md#4611) [Compare Source](https://redirect.github.com/rollup/rollup/compare/v4.61.0...v4.61.1) *2026-06-04* ##### Bug Fixes - Avoid extraneous newlines when adding headers via plugins ([#​6403](https://redirect.github.com/rollup/rollup/issues/6403)) - Fix a rare issue where starting Rollup would hang on Windows ([#​6404](https://redirect.github.com/rollup/rollup/issues/6404)) ##### Pull Requests - [#​6402](https://redirect.github.com/rollup/rollup/pull/6402): Improve documentation for manualPureFunctions ([@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6403](https://redirect.github.com/rollup/rollup/pull/6403): Does not add an extra leading line feed for addons ([@​TrickyPi](https://redirect.github.com/TrickyPi)) - [#​6404](https://redirect.github.com/rollup/rollup/pull/6404): fix: set report.excludeNetwork=true before getReport() to avoid blocking PTR lookups ([@​jdz321](https://redirect.github.com/jdz321), [@​lukastaegert](https://redirect.github.com/lukastaegert)) ### [`v4.61.0`](https://redirect.github.com/rollup/rollup/blob/HEAD/CHANGELOG.md#4610) [Compare Source](https://redirect.github.com/rollup/rollup/compare/v4.60.4...v4.61.0) *2026-06-01* ##### Features - Sort entry modules to make chunk hashes deterministic ([#​6391](https://redirect.github.com/rollup/rollup/issues/6391)) ##### Pull Requests - [#​6376](https://redirect.github.com/rollup/rollup/pull/6376): Eliminate AWS credential exposure on fork PRs in REPL artefact workflow ([@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6378](https://redirect.github.com/rollup/rollup/pull/6378): fix(deps): update minor/patch updates ([@​renovate](https://redirect.github.com/renovate)\[bot]) - [#​6379](https://redirect.github.com/rollup/rollup/pull/6379): chore(deps): update dependency lint-staged to v17 ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6380](https://redirect.github.com/rollup/rollup/pull/6380): chore(deps): update dependency lru-cache to v11 ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6381](https://redirect.github.com/rollup/rollup/pull/6381): chore(deps): lock file maintenance ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6382](https://redirect.github.com/rollup/rollup/pull/6382): chore(deps): update dependency [@​types/node](https://redirect.github.com/types/node) to ^20.19.41 ([@​renovate](https://redirect.github.com/renovate)\[bot]) - [#​6386](https://redirect.github.com/rollup/rollup/pull/6386): fix(deps): update minor/patch updates ([@​renovate](https://redirect.github.com/renovate)\[bot]) - [#​6387](https://redirect.github.com/rollup/rollup/pull/6387): chore(deps): update aws-actions/configure-aws-credentials action to v6 ([@​renovate](https://redirect.github.com/renovate)\[bot]) - [#​6388](https://redirect.github.com/rollup/rollup/pull/6388): fix(deps): update swc monorepo (major) ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6389](https://redirect.github.com/rollup/rollup/pull/6389): chore(deps): lock file maintenance ([@​renovate](https://redirect.github.com/renovate)\[bot]) - [#​6391](https://redirect.github.com/rollup/rollup/pull/6391): Sort entry modules to make chunk hash names deterministic ([@​TrickyPi](https://redirect.github.com/TrickyPi)) - [#​6394](https://redirect.github.com/rollup/rollup/pull/6394): fix(deps): update minor/patch updates ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6395](https://redirect.github.com/rollup/rollup/pull/6395): chore(deps): update react monorepo to v19 ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6396](https://redirect.github.com/rollup/rollup/pull/6396): fix(deps): update rust crate swc\_compiler\_base to v57 ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6397](https://redirect.github.com/rollup/rollup/pull/6397): chore(deps): lock file maintenance ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6400](https://redirect.github.com/rollup/rollup/pull/6400): docs: fix broken links ([@​jiyujie2006](https://redirect.github.com/jiyujie2006)) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
80781a51e1
|
chore(deps): update jdx/mise-action action to v4.1.0 (#517)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [jdx/mise-action](https://redirect.github.com/jdx/mise-action) | action | minor | `v4.0.1` β `v4.1.0` | --- ### Release Notes <details> <summary>jdx/mise-action (jdx/mise-action)</summary> ### [`v4.1.0`](https://redirect.github.com/jdx/mise-action/releases/tag/v4.1.0): : automatic --locked installs [Compare Source](https://redirect.github.com/jdx/mise-action/compare/v4.0.1...v4.1.0) This release adds automatic locked installs when a `mise.lock` is present, and fixes a long-standing cache-key collision that could poison tool installs when workflows migrate between runner providers. #### Added ##### Automatic `--locked` install when `mise.lock` exists ([#​495](https://redirect.github.com/jdx/mise-action/pull/495)) by [@​zeitlinger](https://redirect.github.com/zeitlinger) When a repo contains `mise.lock`, the action now automatically passes `--locked` to `mise install` (on mise versions that support it). This removes the need to manually set `install_args: --locked` and prevents `mise install` from silently mutating the lockfile in CI. Explicit `install_args` and older mise versions are still respected. Note: workflows with a stale lockfile may now fail earlier and more explicitly instead of silently updating `mise.lock` mid-run β this surfaces lockfile drift rather than hiding it. #### Fixed - **Cache key collisions across runner providers** ([#​456](https://redirect.github.com/jdx/mise-action/pull/456)) β the default cache key now includes the runner image (e.g. `macos15`, `ubuntu24` for GitHub-hosted runners; `self-hosted` otherwise). Previously, repos migrating between providers like github-hosted, namespace.so, BuildJet, and self-hosted runners with the same OS/arch could restore a peer provider's `~/.local/share/mise/installs/*`, causing failures like `does not have an executable named 'β¦'` or SIGILL crashes from binaries built against a different glibc/CPU featureset. Expect a one-time cache miss after upgrading; thereafter the cache stays scoped per image. - **`mise-shim.exe` missing on Windows** ([#​476](https://redirect.github.com/jdx/mise-action/pull/476)) by [@​risu729](https://redirect.github.com/risu729) β the action now installs `mise-shim.exe` alongside `mise.exe` and repairs restored caches that lack the shim. Fixes [#​475](https://redirect.github.com/jdx/mise-action/issues/475). #### Changed - Migrated the bundled action build from ncc (CommonJS) to Rollup (ESM) ([#​436](https://redirect.github.com/jdx/mise-action/pull/436)). No user-facing behavior change. **Full Changelog**: <https://github.com/jdx/mise-action/compare/v4.0.1...v4.1.0> </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
f1eae89ff0
|
chore(deps): update dependency js-yaml to v4.2.0 (#515)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [js-yaml](https://redirect.github.com/nodeca/js-yaml) | [`4.1.1` β `4.2.0`](https://renovatebot.com/diffs/npm/js-yaml/4.1.1/4.2.0) |  |  | --- ### Release Notes <details> <summary>nodeca/js-yaml (js-yaml)</summary> ### [`v4.2.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#420---2026-06-01) [Compare Source](https://redirect.github.com/nodeca/js-yaml/compare/4.1.1...590dbabadd172b099c07654fab2eabec8c7a07b9) ##### Added - Added `docs/safety.md` with notes about processing untrusted YAML. - Added `maxDepth` (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow. - Added `maxMergeSeqLength` (20) loader option. Not a problem after `merge` fix, but an additional restriction for safety. - Added sourcemaps to `dist/` builds. ##### Changed - Stop resolving numbers with underscores as numeric scalars, [#​627](https://redirect.github.com/nodeca/js-yaml/issues/627). - Switched dev toolchains to Vite / neostandard. - Updated demo. - Reorganized tests. - `dist/` files are no longer kept in the repository. ##### Fixed - Fix parsing of properties on the first implicit block mapping key, [#​62](https://redirect.github.com/nodeca/js-yaml/issues/62). - Fix trailing whitespace handling when folding flow scalar lines, [#​307](https://redirect.github.com/nodeca/js-yaml/issues/307). - Reject top-level block scalars without content indentation, [#​280](https://redirect.github.com/nodeca/js-yaml/issues/280). - Ensure numbers survive round-trip, [#​737](https://redirect.github.com/nodeca/js-yaml/issues/737). - Fix test coverage for issue [#​221](https://redirect.github.com/nodeca/js-yaml/issues/221). - Fix flow scalar trailing whitespace folding, [#​307](https://redirect.github.com/nodeca/js-yaml/issues/307). - Fix digits in YAML named tag handles. ##### Security - Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K). </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
ab3e780cf6
|
chore(deps): update typescript-eslint monorepo to v8.60.1 (#514)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.60.0` β `8.60.1`](https://renovatebot.com/diffs/npm/typescript-eslint/8.60.0/8.60.1) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.60.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8601-2026-06-01) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.0...v8.60.1) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.1) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
17d3aa0218
|
chore(deps): update github/codeql-action action to v4.36.2 (#513)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v4.36.0` β `v4.36.2` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v4.36.2`](https://redirect.github.com/github/codeql-action/compare/v4.36.1...v4.36.2) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.36.1...v4.36.2) ### [`v4.36.1`](https://redirect.github.com/github/codeql-action/compare/v4.36.0...v4.36.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.36.0...v4.36.1) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated CodeQL analysis workflow dependencies to the latest patch versions for enhanced security scanning capabilities. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
4acea8dd7c
|
chore(deps): update actions/checkout action to v6.0.3 (#512)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://redirect.github.com/actions/checkout) | action | patch | `v6.0.2` β `v6.0.3` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v6.0.3`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v603) [Compare Source](https://redirect.github.com/actions/checkout/compare/v6.0.2...v6.0.3) - Fix checkout init for SHA-256 repositories by [@​yaananth](https://redirect.github.com/yaananth) in [#​2439](https://redirect.github.com/actions/checkout/pull/2439) - fix: expand merge commit SHA regex and add SHA-256 test cases by [@​yaananth](https://redirect.github.com/yaananth) in [#​2414](https://redirect.github.com/actions/checkout/pull/2414) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated GitHub Actions checkout dependencies across multiple CI/CD workflows to the latest version for improved stability and compatibility. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
Taku Kodama
|
b2321533f9
|
docs: link rust cache issue (#496)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
|
||
|
renovate[bot]
|
6461503b3f
|
chore(deps): update eslint monorepo to v10.4.1 (#509)
Some checks are pending
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.4.0` β `10.4.1`](https://renovatebot.com/diffs/npm/eslint/10.4.0/10.4.1) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.4.1`](https://redirect.github.com/eslint/eslint/releases/tag/v10.4.1) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.4.0...v10.4.1) #### Bug Fixes - [`e557467`]( |
||
|
renovate[bot]
|
f4342fcf27
|
chore(deps): update dependency @rollup/plugin-commonjs to v29.0.3 (#508)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@rollup/plugin-commonjs](https://redirect.github.com/rollup/plugins/tree/master/packages/commonjs/#readme) ([source](https://redirect.github.com/rollup/plugins/tree/HEAD/packages/commonjs)) | [`29.0.2` β `29.0.3`](https://renovatebot.com/diffs/npm/@rollup%2fplugin-commonjs/29.0.2/29.0.3) |  |  | --- ### Release Notes <details> <summary>rollup/plugins (@​rollup/plugin-commonjs)</summary> ### [`v29.0.3`](https://redirect.github.com/rollup/plugins/blob/HEAD/packages/commonjs/CHANGELOG.md#v2903) *2026-05-29* ##### Bugfixes - commonjs: make [#​1868](https://redirect.github.com/rollup/plugins/issues/1868) es5-compatible ([#​1981](https://redirect.github.com/rollup/plugins/issues/1981)) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
920c1fed1b
|
chore(deps): update typescript-eslint monorepo to v8.60.0 (#507)
Some checks are pending
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.4` β `8.60.0`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.4/8.60.0) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.60.0`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8600-2026-05-25) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.4...v8.60.0) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.0) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
jdx
|
26ff5b8173
|
chore(ci): use pr-closer action (#505)
Some checks failed
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
zizmor / zizmor (push) Has been cancelled
|
||
|
jdx
|
2b5874788d
|
chore(ci): fix zizmor version comments (#506) | ||
|
jdx
|
dba19683ed
|
chore: release v4.1.0 (#490)
Co-authored-by: mise-en-dev <123107610+mise-en-dev@users.noreply.github.com> |
||
|
jdx
|
f91a09d9ef
|
fix(ci): resolve zizmor findings (#503) | ||
|
renovate[bot]
|
a9d72a2ac5
|
chore(deps): update github/codeql-action action to v4.36.0 (#500) | ||
|
renovate[bot]
|
1f56d95323
|
chore(deps): update dependency @actions/cache to v6.0.1 (#497)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@actions/cache](https://redirect.github.com/actions/toolkit/tree/main/packages/cache) ([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/cache)) | [`6.0.0` β `6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fcache/6.0.0/6.0.1) |  |  | --- ### Release Notes <details> <summary>actions/toolkit (@​actions/cache)</summary> ### [`v6.0.1`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#601) - Bump dependency versions ([#​2393](https://redirect.github.com/actions/toolkit/pull/2393)): - `@actions/core` to `^3.0.1` - `@actions/http-client` to `^4.0.1` - `@actions/io` to `^3.0.2` - `@azure/core-rest-pipeline` to `^1.23.0` - `@azure/storage-blob` to `^12.31.0` - `semver` to `^7.7.4` </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTguMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5OC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: default <216188+jdx@users.noreply.github.com> |
||
|
jdx
|
e47eed9a5f
|
chore: update aube tool version (#501)
Some checks failed
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
Check dist/ / Check dist/ (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
|
||
|
renovate[bot]
|
69c24ed920
|
chore(deps): update dependency aube to v1.15.0 (#498)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.14.1` β `v1.15.0` | `v1.16.0` | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.15.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.15.0): : Yarn Berry portal/exec/patch + deny-build [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.14.1...v1.15.0) This release closes three Yarn Berry compatibility gaps (`portal:`, `exec:`, and `patch:` protocols), adds an `aube add --deny-build` flag for `strictDepBuilds=true` workflows, and fixes two install-correctness bugs around workspace updates and Bun patched dependencies. #### Added - *(yarn)* **Berry `portal:` and `exec:` protocols** ([#​729](https://redirect.github.com/endevco/aube/pull/729) by [@​jdx](https://redirect.github.com/jdx)) β Yarn Berry lockfile entries using `portal:` and `exec:` are now parsed instead of skipped, and round-trip cleanly when aube writes the lockfile back (`portal:` as `linkType: soft`, `exec:` as a generated hard-link package). `portal:` targets materialize as local packages whose dependencies are followed (matching Yarn's documented difference from `link:`); `exec:` generator scripts run into a temp build directory and the generated package is imported, with versions and dependencies locked at resolve time. `exec:` generators require Node.js on `PATH`, are blocked under `--ignore-scripts`, and are rejected if the generator path resolves outside the project root. - *(yarn)* **Berry `patch:` protocol** ([#​728](https://redirect.github.com/endevco/aube/pull/728) by [@​jdx](https://redirect.github.com/jdx)) β Berry `patch:` resolutions are now parsed into aube's patched-dependency map (builtin patches are skipped), preserved on lockfile write, and threaded through install/link so the referenced Yarn patch files are actually applied during materialization. Previously these entries were silently dropped, so Berry projects relying on `patch:` could install with unpatched package contents. - *(add)* **`aube add --deny-build=<pkg>`** ([#​730](https://redirect.github.com/endevco/aube/pull/730), closes [#​726](https://redirect.github.com/endevco/aube/discussions/726), by [@​jdx](https://redirect.github.com/jdx)) β Repeatable flag that records a dependency's lifecycle scripts as reviewed-and-denied by writing `allowBuilds.<pkg>=false` before install. This lets `strictDepBuilds=true` workflows explicitly skip selected package builds without failing the install, and is forwarded through global installs (`aube add -g --deny-build=<pkg>`). Specifying the same package in both `--allow-build` and `--deny-build` is rejected with the new `ERR_AUBE_CONFLICTING_BUILD_FLAGS`. ```sh # Mark esbuild's postinstall as reviewed-and-denied, then install aube add --deny-build=esbuild esbuild ``` #### Fixed - *(update)* **Workspace-member `aube update` writes to the root lockfile** ([#​732](https://redirect.github.com/endevco/aube/pull/732) by [@​jdx](https://redirect.github.com/jdx)) β `aube update` run inside a workspace member previously started from the nearest project root and produced `sub/aube-lock.yaml`, disagreeing with `aube install` (which already targets the workspace root). Plain member updates now merge into the shared workspace-root `aube-lock.yaml` via the same helper used by filtered/recursive updates, carrying per-importer `workspace_extra_fields` alongside dependency and skipped-optional metadata. - *(bun)* **Bun top-level `patchedDependencies` are applied at install** ([#​724](https://redirect.github.com/endevco/aube/pull/724) by [@​jdx](https://redirect.github.com/jdx)) β aube preserved Bun's `package.json#patchedDependencies` in `bun.lock`, but install-time patch loading only read `pnpm.patchedDependencies`, `aube.patchedDependencies`, and workspace YAML entries β so Bun-only projects could install successfully while materializing unpatched package contents. Bun's top-level field is now merged into the patch sources used by install (including for BOM-prefixed `package.json`), and is correctly removed when the map becomes empty. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.14.1...v1.15.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTguMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5OC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
76f84078a8
|
chore(deps): update zizmorcore/zizmor-action action to v0.5.4 (#488)
Some checks failed
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
zizmor / zizmor (push) Has been cancelled
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [zizmorcore/zizmor-action](https://redirect.github.com/zizmorcore/zizmor-action) | action | patch | `v0.5.3` β `v0.5.6` | --- ### Release Notes <details> <summary>zizmorcore/zizmor-action (zizmorcore/zizmor-action)</summary> ### [`v0.5.6`](https://redirect.github.com/zizmorcore/zizmor-action/releases/tag/v0.5.6) [Compare Source](https://redirect.github.com/zizmorcore/zizmor-action/compare/v0.5.5...v0.5.6) - 1.25.2 is now available via the action - 1.25.2 is now the default version of zizmor used by the action ### [`v0.5.5`](https://redirect.github.com/zizmorcore/zizmor-action/releases/tag/v0.5.5) [Compare Source](https://redirect.github.com/zizmorcore/zizmor-action/compare/v0.5.4...v0.5.5) This is a no-op release. ### [`v0.5.4`](https://redirect.github.com/zizmorcore/zizmor-action/releases/tag/v0.5.4) [Compare Source](https://redirect.github.com/zizmorcore/zizmor-action/compare/v0.5.3...v0.5.4) - 1.25.0 is now available via the action - 1.25.0 is now the default version of zizmor used by the action </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
4a84c91c82
|
chore(deps): update dependency eslint to v10.4.0 (#492)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.3.0` β `10.4.0`](https://renovatebot.com/diffs/npm/eslint/10.3.0/10.4.0) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.4.0`](https://redirect.github.com/eslint/eslint/compare/v10.3.0...452c4010c07dc2e36fe6ec6a8c48298878e86887) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.3.0...v10.4.0) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
4d5418b7ba
|
chore(deps): update dependency @types/node to v24.12.4 (#485)
This PR contains the following updates: | Package | Type | Update | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---|---|---| | [node](https://nodejs.org) ([source](https://redirect.github.com/nodejs/node)) | | minor | `24.15.0` β `v24.16.0` |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | devDependencies | patch | [`24.12.3` β `24.12.4`](https://renovatebot.com/diffs/npm/@types%2fnode/24.12.3/24.12.4) |  |  | --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v24.16.0`](https://redirect.github.com/nodejs/node/releases/tag/v24.16.0): 2026-05-21, Version 24.16.0 'Krypton' (LTS), @​aduh95 [Compare Source](https://redirect.github.com/nodejs/node/compare/v24.15.0...v24.16.0) ##### Notable Changes - \[[`b267f6bca3`]( |
||
|
renovate[bot]
|
e6760994f7
|
chore(deps): update dependency typescript-eslint to v8.59.3 (#487)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.2` β `8.59.4`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.2/8.59.4) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.59.4`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8594-2026-05-18) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.3...v8.59.4) ##### π©Ή Fixes - **typescript-eslint:** export Compatible\* types from typescript-eslint to resolve pnpm TS error ([#​12340](https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12340)) ##### β€οΈ Thank You - Kirk Waiblinger [@​kirkwaiblinger](https://redirect.github.com/kirkwaiblinger) See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.4) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. ### [`v8.59.3`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8593-2026-05-11) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.2...v8.59.3) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.3) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
d09fda2023
|
chore(deps): update github/codeql-action action to v4.35.5 (#491)
This PR contains the following updates: | Package | Type | Update | Change | Pending | |---|---|---|---|---| | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v4.35.4` β `v4.35.5` | `v4.36.0` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v4.35.5`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.5) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.35.4...v4.35.5) - We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#​3899](https://redirect.github.com/github/codeql-action/pull/3899) - For performance and accuracy reasons, [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#​3791](https://redirect.github.com/github/codeql-action/pull/3791) - If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#​3892](https://redirect.github.com/github/codeql-action/pull/3892) - Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#​3880](https://redirect.github.com/github/codeql-action/pull/3880) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
0db54f80ba
|
chore(deps): update dependency rollup to v4.60.4 (#486)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [rollup](https://rollupjs.org/) ([source](https://redirect.github.com/rollup/rollup)) | [`4.60.3` β `4.60.4`](https://renovatebot.com/diffs/npm/rollup/4.60.3/4.60.4) |  |  | --- ### Release Notes <details> <summary>rollup/rollup (rollup)</summary> ### [`v4.60.4`](https://redirect.github.com/rollup/rollup/blob/HEAD/CHANGELOG.md#4604) [Compare Source](https://redirect.github.com/rollup/rollup/compare/v4.60.3...v4.60.4) *2026-05-14* ##### Bug Fixes - Improve stability of chunk hashes ([#​6362](https://redirect.github.com/rollup/rollup/issues/6362)) ##### Pull Requests - [#​6362](https://redirect.github.com/rollup/rollup/pull/6362): fix: stabilize chunk assignment across parallel file reads ([@​sonukapoor](https://redirect.github.com/sonukapoor), [@​Sonu](https://redirect.github.com/Sonu) Kapoor, [@​TrickyPi](https://redirect.github.com/TrickyPi), [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6370](https://redirect.github.com/rollup/rollup/pull/6370): fix(deps): update minor/patch updates ([@​renovate](https://redirect.github.com/renovate)\[bot]) - [#​6371](https://redirect.github.com/rollup/rollup/pull/6371): chore(deps): update dependency lru-cache to v11 ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6372](https://redirect.github.com/rollup/rollup/pull/6372): chore(deps): update react monorepo to v19 (major) ([@​renovate](https://redirect.github.com/renovate)\[bot]) - [#​6373](https://redirect.github.com/rollup/rollup/pull/6373): chore(deps): lock file maintenance ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6375](https://redirect.github.com/rollup/rollup/pull/6375): Resolve vulnerabilities ([@​lukastaegert](https://redirect.github.com/lukastaegert)) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
Gregor Zeitlinger
|
8cb97b85f7
|
feat: lock install when mise.lock is present (#495)
Some checks are pending
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
|
||
|
renovate[bot]
|
5b45072a5e
|
chore(deps): update dependency aube to v1.14.1 (#489)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.9.1` β `v1.14.1` | `v1.15.0` | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.14.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.1): : Install module split [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.14.0...v1.14.1) A maintenance release with no user-facing behavior changes. The install command's growing `commands/install/mod.rs` was split into focused submodules to keep the install pipeline easier to navigate. Install behavior, flags, and output are unchanged from v1.14.0. #### Changed - *(install)* Extracted the fetch/import pipeline (local source import, lockfile fetch wrapper, store-index classification, tarball fetch/import, contextualized-index remapping) into a new `commands/install/fetch.rs` module ([#​704](https://redirect.github.com/endevco/aube/pull/704) by [@​jdx](https://redirect.github.com/jdx)). - *(install)* Split the materializer, native-build critical-path heuristic, and workspace graph/lifecycle/per-project lockfile helpers into dedicated `materialize.rs`, `critical_path.rs`, and `workspace.rs` modules ([#​702](https://redirect.github.com/endevco/aube/pull/702) by [@​jdx](https://redirect.github.com/jdx)). - *(install)* Moved post-pipeline helpers β `--lockfile-dir` importer remapping, human install summary output, `.aube` cache invalidation/orphan cleanup, and skipped-build warning replay β into `lockfile_dir.rs`, `summary.rs`, `sweep.rs`, and `unreviewed_builds.rs` ([#​698](https://redirect.github.com/endevco/aube/pull/698) by [@​jdx](https://redirect.github.com/jdx)). **Full Changelog**: <https://github.com/endevco/aube/compare/v1.14.0...v1.14.1> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.14.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.0): : Bloom-filtered OSV checks and lifecycle-script content sniffing [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.13.1...v1.14.0) Two new opt-in supply-chain layers on top of the v1.13 gates: a \~380 KB bloom-filter prefilter that lets plain reinstalls cheaply probe the OSV `MAL-*` set without pulling the 200 MB mirror, and a regex-based content sniff that flags dangerous shapes in dependency `preinstall`/`install`/`postinstall` scripts before you click through `aube approve-builds`. #### Added - *(install)* **OSV bloom-filter prefilter for lockfile installs** ([#​680](https://redirect.github.com/endevco/aube/pull/680) by [@​jdx](https://redirect.github.com/jdx)) β New `advisoryBloomCheck` setting (`on` / `required` / `off`, default `off`) adds a fourth route to the post-resolve OSV decision table. Plain reinstalls probe the resolved transitive graph against a \~380 KB bloom filter fetched from [`endevco/osv-bloom`](https://redirect.github.com/endevco/osv-bloom) β regenerated upstream every 10 minutes from OSV's `MAL-*` archive β and only escalate bloom hits to the live `/querybatch` API for exact `(name, version)` confirmation. Bloom FPR is \~0.1%, so a typical 1000-package lockfile triggers zero or one extra live-API round trip per install. When both are configured, the bloom branch wins over the 200 MB `all.zip` mirror β under 1 MB on the wire, same live-API oracle, same `ERR_AUBE_MALICIOUS_PACKAGE` on a confirmed hit. Cached under `$XDG_CACHE_HOME/aube/osv-bloom/` and short-circuits the download when upstream's `set_digest_sha256` is unchanged. New warning `WARN_AUBE_OSV_BLOOM_REFRESH_FAILED`: under `on` install continues against the previously cached filter; under `required` it fails closed with `ERR_AUBE_ADVISORY_CHECK_FAILED`. - *(install)* **Content-sniff dependency lifecycle scripts before approve-builds** ([#​685](https://redirect.github.com/endevco/aube/pull/685) by [@​jdx](https://redirect.github.com/jdx)) β aube's existing supply-chain gates (OSV `MAL-*`, downloads floor, bun-compat scanner, `BuildPolicy` allowlist) are all name-based; none inspects what `postinstall` actually does, which leaves an OSV-ingest-lag window of 12β48h that the 2024β2026 wave of unobfuscated `curl β¦ | sh` postinstalls walked right through. New regex matcher fires advisory warnings for known-dangerous shapes in lifecycle script bodies: | Signal | Catches | | -------------------- | ---------------------------------------------------------------------------------------------------------------- | | `ShellPipe` | `curl β¦ \| sh`, `wget β¦ \| bash`, `β¦ \| node` | | `EvalDecode` | `eval(atob(β¦))`, `Function(atob(β¦))`, `eval(Buffer.from(β¦))` | | `CredentialFileRead` | `~/.ssh`, `~/.aws`, `~/.npmrc`, `~/.config/gh` reads | | `SecretEnvRead` | `process.env.*(TOKEN\|SECRET\|API_KEY\|PASSWORD\|ACCESS_KEY\|PRIVATE_KEY\|AUTH)` | | `ExfilEndpoint` | Discord/Telegram webhooks, OAST hosts (`oast.pro`, `interactsh`, `webhook.site`, `pipedream.net`, `ngrok.io`, β¦) | | `BareIpHttp` | Bare-IP HTTP fetch targets (literal IPv4 hosts over plain HTTP) | Sniff is advisory β `allowBuilds` still gates execution β and shows up in three places: end-of-install emits one `WARN_AUBE_SUSPICIOUS_LIFECYCLE_SCRIPT` per flagged package alongside the existing `WARN_AUBE_IGNORED_BUILD_SCRIPTS`; `aube approve-builds` annotates picker rows with `β suspicious: <category>` and prints a pre-picker summary of the matched hook+description; `aube ignored-builds` indents `β <hook> β <description>` lines under each `name@version`. Findings are re-derived per install rather than persisted, so the regex set can evolve without a state-file migration. Works offline, doesn't degrade to advisory in headless CI. #### Changed - Refreshed `benchmarks/results.json` against v1.13.1 and Bun 1.3.14 ([#​687](https://redirect.github.com/endevco/aube/pull/687)) β public ratios update to warm installs **3Γ Bun / 6Γ pnpm**, repeat test **6Γ Bun / 45Γ pnpm**. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.13.1...v1.14.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.13.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.1): : Version-aware transitive MAL-* gate [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.13.0...v1.13.1) A targeted fix for the transitive supply-chain gate added in v1.13.0: the post-resolve OSV check is now version-aware, so name-level `MAL-*` advisories stop blocking installs that resolve to clean versions of the same package. #### Fixed - *(install)* **Version-aware transitive `MAL-*` check** ([#​682](https://redirect.github.com/endevco/aube/pull/682) by [@​jdx](https://redirect.github.com/jdx)) β The post-resolve gate was reusing the pre-resolve name-only OSV query, so any name-level advisory hit every install that transitively pulled in *any* version of that package. Concretely, `aube add cowsay@1.6.0` refused with `ERR_AUBE_MALICIOUS_PACKAGE` because cowsay's tree includes `ansi-regex@3.0.1`, and `ansi-regex` carries the Sep 2025 shai-hulud advisory `MAL-2025-46966` against `6.2.1` β a version published years after `3.0.1`. The live-API and OSV-mirror lookups now send `(name, version)` pairs, refusal messages surface `name@version (MAL-β¦)`, and the local mirror index bumps to `format = 2` (storing per-advisory affected versions; v1 indexes rebuild on next refresh, and advisories with no enumerated versions still fail closed). The pre-resolve `aube add` name-gate keeps its versionless query β typosquats are malicious in every version. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.13.0...v1.13.1> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.13.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.0): : Supply-chain gates for `aube add` [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.12.0...v1.13.0) #### Added - *(install)* Bun-compatible pluggable security scanner β drop in any `securityScanner` package that follows the Bun Security Scanner API (oven-sh template, `@socketsecurity/bun-security-scanner`, etc.) and aube runs it post-resolve against the full graph via a `node` bridge ([#​657](https://redirect.github.com/endevco/aube/pull/657)) - *(add)* Supply-chain gates on `aube add`: OSV `MAL-*` advisory hard-block plus a weekly-downloads floor with TTY prompt / `--allow-low-downloads` bypass. New `advisoryCheck` and `lowDownloadThreshold` settings, both folded into `paranoid: true` ([#​656](https://redirect.github.com/endevco/aube/pull/656)) - *(install)* OSV checks now extend to the full resolved graph, routed live-API vs. local OSV mirror based on whether resolution produced fresh `(name, version)` picks; opt-in `advisoryCheckOnInstall` covers plain reinstalls, `advisoryCheckEveryInstall` forces live API every time ([#​678](https://redirect.github.com/endevco/aube/pull/678)) - *(add)* Auto-skip supply-chain gates for packages routed through a non-`registry.npmjs.org` registry, plus a new `allowedUnpopularPackages` glob allowlist to silence the downloads gate on known-internal names ([#​673](https://redirect.github.com/endevco/aube/pull/673)) #### Changed - *(install)* No longer rewrites `package.json` / workspace yaml to seed `allowBuilds: { <pkg>: "set this to true or false" }` placeholders for unreviewed build scripts ([#​662](https://redirect.github.com/endevco/aube/pull/662)) - *(install perf)* Deleted the pre-resolver direct-dep packument prefetch; 12β22% wall-time win across fixture size, bandwidth, and RTT ([#​672](https://redirect.github.com/endevco/aube/pull/672)) - *(add)* `--allow-build=<pkg>` now flips an existing deny instead of erroring, help renders correctly as `--allow-build=<PKG>`, and the no-op `--ignore-scripts` is hidden on `add` / `import` / `update` ([#​660](https://redirect.github.com/endevco/aube/pull/660)) #### Fixed - *(linker)* Windows bin shims for `aube add --global β¦ --allow-build=<dep>` no longer emit a duplicated install-root path segment when `.aube/<dep>/` sits behind a directory junction ([#​659](https://redirect.github.com/endevco/aube/pull/659)) - *(global)* `aube remove --global` on Windows no longer fails with `Access is denied (os error 5)` on the hash pointer when it's an NTFS directory junction ([#​658](https://redirect.github.com/endevco/aube/pull/658)) #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.12.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.12.0): : Tidier config, smarter installs from bun.lock [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.11.0...v1.12.0) A round of fixes driven by user reports β `bun.lock` imports now keep peer-only packages, the store layout is reorganized so one cache mount covers everything, and `aube config set` stops scribbling unknown keys into `.npmrc`. #### Added - **Smarter `aube config set` / `delete` routing** ([#​634](https://redirect.github.com/endevco/aube/pull/634) by [@​jdx](https://redirect.github.com/jdx)) β Writes only land in `.npmrc` for the npm-shared surface (per-host auth/cert templates, scoped registries, and a curated allowlist of npm-standard scalars like `registry`, `proxy`, `fetch-retries`, β¦). Aube-only and pnpm-only keys (`autoInstallPeers`, `dangerouslyAllowAllBuilds`, `pnpmfilePath`, β¦) plus unknown free-form keys now go to `~/.config/aube/config.toml`. Dotted writes for aube map settings β `aube config set --local allowBuilds.@​mongodb-js/zstd true`, `aube config set --local overrides.lodash 4.17.21` β edit a single entry of `pnpm-workspace.yaml` (or `package.json#<pnpm|aube>.<map>`) in place. `aube config delete` sweeps both files so legacy writes from older versions are still cleaned up. New error code `ERR_AUBE_CONFIG_NESTED_AUBE_KEY` covers invalid nested writes. - **Polished install progress display** ([#​616](https://redirect.github.com/endevco/aube/pull/616) by [@​jdx](https://redirect.github.com/jdx)) β The bar is now cyan across every phase (no more "completing twice" as the phase flips green), reserves the final slice so it never reads 100% while the linker is still running, and paints a full 100% from a new `done` phase on `finish()` / `stop()` so the last frame matches the `β` summary line. The displayed `~XX MB` total is now a dynamic blend of the static `unpackedSize Γ 0.20` fallback and a linear extrapolation from observed bytes-per-package β converging to the real total instead of overshooting by \~48%. `resolving` switched yellow β cyan, the `pkgs` counter is bold/uncolored mid-install, and `WARN_AUBE_SLOW_METADATA` drops redundant fields. #### Fixed - **Peer-only packages from `bun.lock` no longer silently dropped** ([#​639](https://redirect.github.com/endevco/aube/pull/639) by [@​jdx](https://redirect.github.com/jdx)) β `filter_graph`'s GC walk ran *before* `hoist_auto_installed_peers`, so peer-installed deps like `@mui/material` that weren't directly listed in workspace `dependencies:` got pruned as unreachable before the hoist could promote them. The pipeline now hoists first, then walks. On the linked repro, `aube install` goes from 6 packages (with broken `@mui/material` / `@emotion/*`) to 44 with everything resolved. - **`bun.lock` imports now run the peer-context pass** ([#​619](https://redirect.github.com/endevco/aube/pull/619) by [@​jdx](https://redirect.github.com/jdx)) β `LockfileKind::Bun` was missing from the `apply_peer_contexts` branch, so peer-dependent packages landed at `.aube/<pkg>@​<ver>/` without sibling peer links and walked up to whatever hoisted copy they found. Now they get peer-qualified `dep_paths` (e.g. `@cloudflare+vite-plugin@1.17.1_vite@8.0.10_β¦`) with correct sibling symlinks, matching the npm-lockfile import behavior. - **Stale cached indexes now self-heal at fetch time** ([#​635](https://redirect.github.com/endevco/aube/pull/635) by [@​jdx](https://redirect.github.com/jdx)) β Cached package indexes moved from `$XDG_CACHE_HOME/aube/index/` into the store at `<store>/v1/index/`, next to `v1/files/`. The install fast path swapped `load_index` for `load_index_verified`, so an index whose CAS shards have drifted out from under it is dropped at fetch classification and the tarball re-fetched cleanly β instead of the materializer dying mid-link with `ERR_AUBE_MISSING_STORE_FILE`. Fixes a BuildKit cache-mount footgun where only one of the two cache dirs would be persisted. - **`engines.pnpm` no longer triggers spurious version warnings** ([#​633](https://redirect.github.com/endevco/aube/pull/633) by [@​jdx](https://redirect.github.com/jdx)) β A project pinning `engines.pnpm: ">=10.11.1"` produced `warn: wanted pnpm >=10.11.1, got 1.x` on every install (or a hard failure under `engine-strict`). Aube and pnpm live in different version namespaces, so honoring this field was net-negative. `engines.pnpm` is now skipped entirely; `engines.aube` is still honored for projects that want to gate on the running tool, and `engines.node` is unchanged. - **`update -i` no longer reports phantom upgrade rows for catalog deps** ([#​636](https://redirect.github.com/endevco/aube/pull/636) by [@​jdx](https://redirect.github.com/jdx)) β When a `catalog:` dep resolved to a newer version while the same name was pulled in transitively at an older one (e.g. `jose@6.2.3` direct + `jose@5.10.0` via `@upstash/qstash`), `lookup_pkg`'s name-scan picked the transitive snapshot as "current" and offered a downgrade row the rewrite path then ignored. Lookup now goes through the importer's `DirectDep.dep_path`. The companion fix extends the `--latest` prerelease guard to the *locked* version, so `"^1.0.0-rc.1"` isn't silently rewritten to whatever the registry's `latest` dist-tag points at. - **`update` / `add` / `dedupe` / `remove` / `audit` preserve cross-platform optionals and `time:` entries** ([#​637](https://redirect.github.com/endevco/aube/pull/637) by [@​jdx](https://redirect.github.com/jdx)) β These commands now route through install's `configure_resolver`, inheriting the full settings pipeline (`supportedArchitectures`, `resolutionMode`, `minimumReleaseAge`, overrides, β¦). They opt out of the full-packument disk cache so an immediately-following re-resolve picks up registry `dist-tag` changes, and the resolver carries forward the prior lockfile's `time:` entry when a fresh corgi packument lacks publish time for a resolved version β so direct deps don't lose their `time:` line on update. - **`aube add --global --allow-build=<pkg>` actually pre-approves builds** ([#​620](https://redirect.github.com/endevco/aube/pull/620) by [@​jdx](https://redirect.github.com/jdx)) β The synthetic inner `AddArgs` was being built with `allow_build: Vec::new()`, silently dropping the outer flag and erroring with "must be reviewed before install" under `strictDepBuilds=true`. The flag is now plumbed through `run_global` / `run_global_inner` and approvals are written to the throwaway install dir's `package.json#aube.allowBuilds` before lifecycle scripts run. #### Changed - **`aube store path` now returns the `v1/` directory** ([#​635](https://redirect.github.com/endevco/aube/pull/635)) β One level above the previous `v1/files/` output, so a single Docker BuildKit cache mount or backup captures both the CAS and the new co-located index dir. Scripts consuming `aube store path` will now mount one level higher (the intended behavior). A lazy in-place migration from the legacy `$XDG_CACHE_HOME/aube/index/` location runs on the first store open after upgrade (rename fast path, recursive-copy fallback for cross-FS). #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.11.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.11.0): : Workspace-root flags, scoped config, and a 2Γ macOS CAS fast path [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.4...v1.11.0) #### Added - *(install)* Fill the resolving bar against a real denominator so the progress bar advances during dependency resolution ([#​611](https://redirect.github.com/endevco/aube/pull/611)) - *(outdated, update)* Wire `-w/--workspace-root` to retarget cwd at the workspace root from a sub-package ([#​614](https://redirect.github.com/endevco/aube/pull/614)) - *(config)* Scope-split settings precedence and project `<cwd>/.config/aube/config.toml` support ([#​608](https://redirect.github.com/endevco/aube/pull/608)) - *(deploy)* Accept `--offline` and `--prefer-offline`, forwarded into the deploy install ([#​606](https://redirect.github.com/endevco/aube/pull/606)) - *(store)* Direct-write CAS fast path on macOS under an exclusive install lock (\~2Γ per-file CAS write speedup) ([#​615](https://redirect.github.com/endevco/aube/pull/615)) #### Fixed - *(linker)* Bin shims now point `NODE_PATH` at the hidden modules dir, and the isolated linker defaults `preferSymlinkedExecutables` to shims so `extendNodePath` actually works ([#​613](https://redirect.github.com/endevco/aube/pull/613)) - *(install/lockfile/outdated/update)* Address several bugs reported in [#​602](https://redirect.github.com/endevco/aube/discussions/602): lockfile rewrites when a dep moves between `dependencies`/`devDependencies`, `outdated -r` includes the workspace root, semver-diff color in `Wanted`/`Latest`, smarter `update -i` picker, and `updateConfig.ignoreDependencies` is loaded from the workspace root ([#​610](https://redirect.github.com/endevco/aube/pull/610)) - *(install)* Probe link strategy against the actual destination dir so cross-FS installs with GVS enabled hardlink instead of falling back to per-file copy ([#​604](https://redirect.github.com/endevco/aube/pull/604)) - *(install)* Surface the underlying materializer error instead of a generic "channel closed" message ([#​607](https://redirect.github.com/endevco/aube/pull/607)) - *(progress)* Clamp `reused` on a downward `set_total` rebase so summaries stop reporting `reused > resolved` ([#​609](https://redirect.github.com/endevco/aube/pull/609)) - *(config)* Preserve a symlinked `~/.config/aube/config.toml` on write ([#​605](https://redirect.github.com/endevco/aube/pull/605)) - *(registry)* Coalesce slow-metadata warnings into a single resolve-end summary instead of one warning per slow packument ([#​592](https://redirect.github.com/endevco/aube/pull/592)) #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.4`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.4): : Streaming tarball retries + 32-bit Linux build fix [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.3...v1.10.4) Two targeted fixes: cold installs now retry transient registry failures on the streaming tarball path, and `aube-store` builds cleanly on 32-bit Linux again. #### Fixed - **Streaming tarball fetch retries transient failures** ([#​591](https://redirect.github.com/endevco/aube/pull/591) by [@​jdx](https://redirect.github.com/jdx)) β `start_tarball_stream` (the default install hot path for sha512-pinned lockfile entries) used to skip retry entirely to avoid unwinding partial CAS writes mid-stream. That reasoning is sound for mid-stream errors, but it also leaked into *pre-response* failures: a 503, 429, connection refused, or connection reset before any chunk had flowed would propagate straight back to the caller with no recovery, while the buffered path retried the same failures up to `fetchRetries` times. The initial `send().await` now retries on `is_retriable_status` (5xx + 429, honoring `Retry-After`) and on transport errors (bounded by `TIMEOUT_RETRY_CAP`), emitting the existing `WARN_AUBE_HTTP_RETRY_TRANSIENT` / `_TRANSPORT` logs. Once headers pass `error_for_status` and chunks start flowing, behavior is unchanged. Caught on a macOS PGO dry-run where Verdaccio / the throttle-proxy hiccupped and the install bailed without a single retry log line. - **`aube-store` builds on 32-bit Linux** ([#​587](https://redirect.github.com/endevco/aube/pull/587) by [@​jdx](https://redirect.github.com/jdx)) β The `posix_fallocate` wrapper hard-coded `len: i64`, which matches `libc::off_t` on every 64-bit target but breaks armhf, where the default (non-LFS) `off_t = i32`. The wrapper now takes `libc::off_t` directly and the single call site casts `bytes.len() as libc::off_t`, unblocking Launchpad's Ubuntu Resolute armhf build of aube and any downstream `armv7-unknown-linux-gnueabihf` consumer. #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.3`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.3) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.2...v1.10.3) > \[!NOTE] > No user-visible code changes since v1.10.2. Tagged so the release-plz / `cargo publish` cadence stays unbroken; entries below are CI and benchmark tooling. #### Fixed - *(ci)* Add native `aarch64-unknown-linux-gnu` PGO matrix row and bump macOS arm64 PGO to `macos-arm64-large` to work around the v1.10.1 instrumented-binary segfault ([#​582](https://redirect.github.com/endevco/aube/pull/582)) - *(bench)* Install yarn 4 via `npm:@​yarnpkg/cli-dist@latest` β the `yarn` npm package only publishes 1.x and 2.x ([#​583](https://redirect.github.com/endevco/aube/pull/583)) - *(bench)* Pass `--frozen-lockfile` to vlt install scenarios so vlt is measured on the same path as every other tool in the matrix ([#​581](https://redirect.github.com/endevco/aube/pull/581)) #### Binaries This release ships without prebuilt archives. Install via `cargo install aube`, `mise use aube`, or `npm i -g aube`. #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.2) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.1...v1.10.2) > \[!NOTE] > No user-visible code changes since v1.10.1. Tagged so the release-plz / `cargo publish` cadence stays unbroken; entries below are CI and benchmark tooling. #### Changed - *(ci)* Bump x86\_64 Linux PGO release runners to `linux-amd64-large` (32 GB) to fix OOM during the instrumented link step ([#​577](https://redirect.github.com/endevco/aube/pull/577)) - *(docs)* Benchmark matrix switches yarn to berry, adds **deno** and **vlt**, refreshes the landing-page chart ([#​578](https://redirect.github.com/endevco/aube/pull/578)) #### Binaries This release has a partial archive set. For a complete set of prebuilts, use a later release β or install via `cargo install aube`, `mise use aube`, or `npm i -g aube`. #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.1) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.0...v1.10.1) #### Added - *(install)* Post-install summary flags **deprecated** and **outdated** direct deps inline so you see what to upgrade without scrolling back through fetch output ([#​575](https://redirect.github.com/endevco/aube/pull/575)) #### Fixed - *(deploy)* `aube deploy` resolves `catalog:` references and accepts packages without an explicit `version` field ([#​574](https://redirect.github.com/endevco/aube/pull/574)) - *(install)* Pad package counts in the progress UI and drop the ETA placeholder when none is available ([#​570](https://redirect.github.com/endevco/aube/pull/570)) - *(release)* `npm publish` skips already-published versions so re-running the publish workflow is idempotent ([#​565](https://redirect.github.com/endevco/aube/pull/565)) #### Changed - *(release)* x86\_64 Linux GNU/musl and macOS arm64 binaries now ship as PGO-optimized artifacts. Linux x86\_64 uses `cross` for the glibc baseline; macOS arm64 builds natively ([#​572](https://redirect.github.com/endevco/aube/pull/572)) #### Performance - *(registry)* Swap `simd-json` for `sonic-rs` on the packument hot path ([#​569](https://redirect.github.com/endevco/aube/pull/569)) - *(registry)* Drop deep clone and `fsync` from packument cache writes ([#​568](https://redirect.github.com/endevco/aube/pull/568)) #### Binaries This release has a partial archive set. For a complete set of prebuilts, use a later release β or install via `cargo install aube`, `mise use aube`, or `npm i -g aube`. #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.0): : Recursive runs grow up, install gets a diagnostics microscope [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.9.1...v1.10.0) #### Added - *(cli)* Wire the recursive-run flags (`--sort`/`--no-sort`, `--reverse`, `--resume-from`, `--workspace-concurrency`, `--reporter-hide-prefix`) and add a per-package output multiplexer for parallel runs ([#​545](https://redirect.github.com/endevco/aube/pull/545)) - *(diag)* End-to-end install instrumentation and the `aube diag analyze` / `aube diag compare` subcommands behind a new `--diag <summary|trace|live|full>` flag ([#​547](https://redirect.github.com/endevco/aube/pull/547)) - *(install)* Post-install dependency summary grouped by dependency type ([#​559](https://redirect.github.com/endevco/aube/pull/559)) - *(update)* `--lockfile-only` flag to refresh `aube-lock.yaml` without touching `node_modules` ([#​560](https://redirect.github.com/endevco/aube/pull/560)) - *(add)* `linkWorkspacePackages` and `saveWorkspaceProtocol` settings plus `--save-workspace-protocol` / `--no-save-workspace-protocol` flags ([#​539](https://redirect.github.com/endevco/aube/pull/539)) #### Fixed - *(workspace)* Linker no longer substitutes a workspace sibling for a registry-pinned dep, lockfile drift flags orphan importers, recursive `remove` skips projects that don't declare the dep, and parent-relative `../**` globs in `pnpm-workspace.yaml` are honored ([#​564](https://redirect.github.com/endevco/aube/pull/564)) - *(workspace)* Filtered runs respect `--workspace-root` and `includeWorkspaceRoot: true` ([#​556](https://redirect.github.com/endevco/aube/pull/556)) - *(update)* Filtered workspace updates merge back into the shared root lockfile under `sharedWorkspaceLockfile=true` instead of leaving per-package `aube-lock.yaml` files behind ([#​558](https://redirect.github.com/endevco/aube/pull/558)) - *(update)* `--interactive` renders a multiselect picker, fails fast on non-TTY, and `--latest` preserves `catalog:` / `catalog:<name>` specifiers ([#​552](https://redirect.github.com/endevco/aube/pull/552)) - *(pnpmfile)* Hard-fail the install when a defined `readPackage` hook returns a non-object ([#​562](https://redirect.github.com/endevco/aube/pull/562)) - *(deploy)* Keep filtered workspace packages in the index when `package.json` has no `version` ([#​549](https://redirect.github.com/endevco/aube/pull/549)) - *(install)* Inherit top-level `pnpm.allowBuilds` approvals into the nested install used for git-dep `prepare` ([#​546](https://redirect.github.com/endevco/aube/pull/546)) - *(cli)* Skip `verifyDepsBeforeRun` checks when `npm_lifecycle_event` is set, fixing both the `error`-mode hard-fail and the `install`-mode lock deadlock from nested `aube run` inside lifecycle scripts ([#​538](https://redirect.github.com/endevco/aube/pull/538)) - *(install)* Interactive `aube approve-builds` requires at least one selection and the TTY guard checks both stdin and stderr ([#​537](https://redirect.github.com/endevco/aube/pull/537)) #### Changed - *(install)* New `aube_util::adaptive` limiter (slow-start, AIMD, CUSUM-gated shrink) wired at every previously magic-numbered concurrency site, with a separate http1-only reqwest client for tarball downloads ([#​548](https://redirect.github.com/endevco/aube/pull/548)) #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
jdx
|
5b3e4e007b
|
chore(ci): close failing or conflicted PRs sooner (#480)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
zizmor / zizmor (push) Has been cancelled
build-test / final (push) Has been cancelled
## Summary
- close inactive PRs after 7 days only when they have failing checks or
merge conflicts
- include merge state in the PR closer query and close with the specific
reason
- keep existing exclusions for @jdx-authored and keep-open PRs
## Validation
- actionlint .github/workflows/pr-closer.yml
- git diff --check
- jq filter sample validation
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Automates PR closure based on CI/merge-state signals; a bug in the
query or jq logic could incorrectly close active or recoverable PRs.
Limited to GitHub Actions workflow changes but impacts contributor
workflow.
>
> **Overview**
> Updates the `pr-closer` GitHub Actions workflow to **close PRs much
sooner (7 days inactivity)**, but only when they have *failing checks
and/or merge conflicts*.
>
> The workflow now queries `mergeStateStatus` and expanded check
conclusions to generate a specific closure reason, skips βwarn-onlyβ
states (e.g., cancelled checks/unknown merge state), increases the
listing limit to 500, and adds `concurrency` plus additional read
permissions (`checks`, `statuses`) to support the new filtering.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
6e1ac6be91
|
fix(ci): pin codeql-action with exact version comment (#481)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
renovate[bot]
|
43db152e9b
|
chore(deps): update dependency aube to v1.9.1 (#478)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.6.2` β `v1.9.1` | `v1.14.1` (+10) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.9.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.1): : Cold install overhaul, HTTP prefetch, and workspace fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.9.0...v1.9.1) A performance- and correctness-focused patch release. Cold installs get a streaming tarball pipeline, Linux gets an `O_TMPFILE`+`linkat` CAS fast path, and the resolver's cold path overlaps DNS, TLS, and packument prefetch with the manifest/workspace/lockfile work that used to serialize them. On the fix side, `aube run` once again finds `node-gyp` for package scripts, and `aube update` / `aube outdated` stop trying to fetch unpublished `workspace:` deps from the registry. #### Added - **Pre-resolver packument prefetch + shared HTTP utilities** ([#​529](https://redirect.github.com/endevco/aube/pull/529) by [@​imjustprism](https://redirect.github.com/imjustprism)) β a new `aube-util::http` module consolidates client-side primitives (`prewarm`, `priority`, `race`, `resolve`, `ticket_cache`) so leaf crates share one warm-pool surface with consistent killswitch semantics. On install entry, aube now reads `package.json` and fires fire-and-forget packument GETs for every registry-shaped direct dep before workspace yaml load, settings resolve, lockfile parse, and resolver construction β by the time the resolver pops its first task, the packument cache and reqwest pool are warm. `RegistryClient::prewarm_connection` now covers the default registry **plus** every scoped (`@org:registry=...`) and per-uri auth registry, with parallel DNS preresolve so DNS RTT hides behind the TLS handshake. Abbreviated packument GETs also send `Priority: u=0` (RFC 9218 Critical) so H2 schedulers prioritize resolver-blocking metadata over pending tarball frames. New killswitches: `AUBE_DISABLE_DNS_PRERESOLVE`, `AUBE_DISABLE_REQUEST_RACING`, `AUBE_DISABLE_PREFETCH`, `AUBE_DISABLE_TLS_TICKET_CACHE`. Prefetch is a no-op when offline or when any lockfile is present. - **Cold install pipeline overhaul** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) β several overlapping wins on the cold-cache path: - **Streaming tarball pipeline** (opt-in via `AUBE_TARBALL_STREAM=1`, killswitch `AUBE_DISABLE_TARBALL_STREAM`) β HTTP body chunks pipe through SHA-512 + gz + tar + CAS via an mpsc bridge instead of buffering the whole tarball; non-SHA-512 SRI falls back to buffered. Bounded by the registry's `tarball_max_bytes` cap. - **Linux `O_TMPFILE` + `linkat` CAS publish** with `EOPNOTSUPP` fallback to the tempfile path, `posix_fallocate` to avoid ext4 fragmentation, and `posix_fadvise(DONTNEED)` to free page cache after publish. Killswitch: `AUBE_DISABLE_O_TMPFILE`. - **Materialize-stream into the lockfile fast path** β both lockfile and no-lockfile branches now share the GVS prewarm materializer, hiding 30-200ms of GVS reflinks behind the in-flight download tail. - **Resolver tuning** β foldhash on `graph_hash` hot maps, pre-sized resolver caches, thread-local `node_semver::Version` parse cache, `PARALLEL_IMPORT_THRESHOLD` lowered from 256 to 16 (median npm tarball is 7 files), and pinned tokio `worker_threads` (`cpu.min(8)`) / `max_blocking_threads(64)` (tunable via `AUBE_TOKIO_WORKERS` / `AUBE_TOKIO_BLOCKING`). - **Windows** gets `FILE_ATTRIBUTE_NOT_CONTENT_INDEXED` on the store root; cross-volume detection (drive letters on Windows, `dev` id on Unix) is gated per-platform. Reported same-volume Windows cold-install ratios: 1.80x-8.75x faster than Bun across svelte/vite/next/babylon. - **Per-project materialize pipelined into fetch** ([#​527](https://redirect.github.com/endevco/aube/pull/527) by [@​imjustprism](https://redirect.github.com/imjustprism)) β when GVS is off, each fetched `(canonical_key, PackageIndex)` triggers `materialize_into` against `.aube/<dep_path>/` immediately, so by the time fetch finishes the dedicated link phase only has to create top-level `node_modules/<name>` symlinks. The driver now uses `JoinSet` instead of `Vec<JoinHandle>`, so on early-return all in-flight tasks abort instead of detaching and racing install cleanup. \~10% improvement on warm fresh installs in the local benchmark matrix. #### Fixed - **`aube run` / `aube test` find `node-gyp`** ([#​518](https://redirect.github.com/endevco/aube/pull/518) by [@​jdx](https://redirect.github.com/jdx)) β package scripts only had `node_modules/.bin` prepended to `PATH`, so `aube test` would fail with `node-gyp: not found` on hosts that didn't already ship it. Script execution now reuses aube's existing node-gyp bootstrap (via a lazy shim bin dir + `AUBE_NODE_GYP_EXE` / `AUBE_NODE_GYP_PROJECT_DIR`), matching pnpm/npm behavior. Ports pnpm's `lifecycleScripts.ts:128` coverage into the offline node-gyp bootstrap bats suite. - **`workspace:` deps in `aube update` / `aube outdated`** ([#​523](https://redirect.github.com/endevco/aube/pull/523) by [@​jdx](https://redirect.github.com/jdx), fixes [#​520](https://redirect.github.com/endevco/aube/discussions/520)) β `aube update` now discovers workspace package `name`/`version` pairs and passes them into resolver workspace resolution so `workspace:` deps from `package.json#workspaces` resolve locally instead of triggering registry packument fetches. `aube outdated` filters out direct deps with `workspace:` specifiers and reports "no matching dependencies" rather than attempting a packument fetch. Adds a new `WARN_AUBE_WORKSPACE_PACKAGE_MISSING_NAME` warning code for workspace packages without a `name` field. - **Resolver peer-context divergence is fatal** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) β `apply_peer_contexts` hitting `MAX_ITERATIONS` used to log a warning and ship a broken graph; it now returns a fatal `Error::PeerContextDivergence(usize)`. `state::remove_state` errors at `--force` and GVS-transition sites also propagate instead of being silently swallowed, so permission-denied or Windows-locked sidecars no longer defeat the freshness check. - **Tarball hardening** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) β entries declared as 0 bytes with non-zero stream payload are now rejected (synthetic-entry injection guard), and GNU `LongName` / `LongLink` metadata records are correctly accepted. - **Patches loaded once per cwd** ([#​529](https://redirect.github.com/endevco/aube/pull/529) by [@​imjustprism](https://redirect.github.com/imjustprism)) β `load_patches_for_linker` walked `patches/` from disk 2-3 times per install (lockfile-prewarm, no-lockfile-prewarm, and link-phase sites). Now cached per cwd via `OnceLock<Mutex<HashMap<PathBuf, ...>>>`. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.9.0...v1.9.1> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.9.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.0): : Comment-preserving workspace edits, deploy bundling, and node --inspect [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.8.0...v1.9.0) A focused release: `aube deploy` learns to bundle workspace siblings and local-path deps into the deploy artifact, workspace-yaml writers stop eating user comments, aube-owned settings move out of `.npmrc`, and `aube run` forwards Node debugger flags. #### Added - **Aube settings move out of `.npmrc`** ([#​517](https://redirect.github.com/endevco/aube/pull/517) by [@​jdx](https://redirect.github.com/jdx)) β known aube-owned settings now live in `~/.config/aube/config.toml` (XDG-aware), while registry, auth, and unknown keys keep using `.npmrc`. `aube config get/set/list/delete` reads and writes the right file automatically, and migrating a known setting cleans up the stale `.npmrc` entry. `.npmrc` writes are also atomic against the **symlink target** now, so dotfile setups that symlink `~/.npmrc` into a managed config repo stop having the symlink replaced by a regular file. - **`aube run --inspect` / `--inspect-brk`** ([#​515](https://redirect.github.com/endevco/aube/pull/515) by [@​jdx](https://redirect.github.com/jdx)) β both flags accept an optional `[host:]port` (e.g. `--inspect=9229`, `--inspect-brk=0.0.0.0:9230`) and are forwarded as explicit Node argv when aube can identify a Node-backed target β direct `node ...` scripts in `package.json` and local `node_modules/.bin` fallbacks resolved through shims/symlinks. The flags are passed as argv rather than via `NODE_OPTIONS`, so the debugger doesn't attach to nested Node processes spawned by the script. - **`aube deploy --no-prod`** ([#​507](https://redirect.github.com/endevco/aube/pull/507) by [@​jdx](https://redirect.github.com/jdx)) β opt out of the default `--prod` filter for deploys that need devDependencies at runtime (test-harness staging, build-step artifacts). Mutually exclusive with `--prod` / `--dev`; combine with `--no-optional` to keep prod + dev but drop optionals. - **Comment-preserving workspace yaml writes** ([#​511](https://redirect.github.com/endevco/aube/pull/511) by [@​jdx](https://redirect.github.com/jdx)) β every workspace-yaml writer (`approve-builds`, `patch-commit`, `patch-remove`, the daily `cleanupUnusedCatalogs` install pass, and `aube config set --location workspace`) now routes through `yamlpatch` instead of round-tripping the file through a serializer. Keys, comments, and whitespace the edit didn't touch land back on disk byte-identical, so user annotations on adjacent entries survive. Empty/missing files still go through the regular serializer since there are no comments to preserve. #### Fixed - **`aube deploy` bundles local dependencies** ([#​507](https://redirect.github.com/endevco/aube/pull/507) by [@​jdx](https://redirect.github.com/jdx)) β fixes two real bugs reported in [#​345](https://redirect.github.com/endevco/aube/discussions/345): - **`workspace:*` siblings tried to fetch from the registry.** Deploy used to rewrite `workspace:*` to a concrete version and ask install to resolve it β fine for published siblings, broken for the (very common) unpublished case. Reachable workspace siblings are now copied into `<target>/.aube-deploy-injected/<id>/` and the manifest spec becomes a relative `file:` pointer. Recursion handles sibling chains where a sibling's own deps are workspace siblings. - **`file:` deps resolved relative to the deploy output dir.** A `file:../local-vendor` spec used to ride along unchanged in the deployed manifest, pointing at `<target>/../local-vendor` instead of the source workspace's `local-vendor`. Local-path deps now go through the same staging pipeline. When bundling occurs the lockfile-subset path is skipped, since the rewritten `file:` pointers don't appear in the source lockfile and would otherwise trip a frozen install. - **`aube remove` preserves dependency order** ([#​511](https://redirect.github.com/endevco/aube/pull/511) by [@​jdx](https://redirect.github.com/jdx)) β dropping one dep used to alphabetize the remaining entries in the affected `package.json` section as a side effect. Surviving entries now stay in their original on-disk order, matching pnpm/npm. (`aube add` is unaffected β sorted inserts there are intentional.) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.8.0...v1.9.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.8.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.8.0): : Stable error codes, smarter run/dlx, and a new install progress UI [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.7.0...v1.8.0) A polish-and-plumbing release: install progress gets a from-scratch redesign, errors and warnings now carry stable identifiers (with bespoke exit codes and dep-chain context), `aube run` / `aube dlx` prefer locally-installed binaries, and a handful of workspace-from-subpackage and `aube add` ergonomics get fixed. #### Added - **Redesigned install progress UI** ([#​501](https://redirect.github.com/endevco/aube/pull/501) by [@​jdx](https://redirect.github.com/jdx)) β fixed 15-char bar on the left, stats on the right, phase-aware label (`resolving` / `fetching` / `linking`), ETA, transfer rate, and an estimated install size derived from the resolve stream: ``` aube 1.8.0 by en.dev βββββββββββββββ 23/142 pkgs Β· 4.2 MB / ~13.8 MB Β· 1.4 MB/s Β· ETA 5s βββββββββββββββ 1230/1230 pkgs Β· linking β resolved 1230 Β· reused 98 Β· downloaded 1132 (54.6 MB) in 6.8s ``` Installs that finish before the first 2s heartbeat now print a single self-identifying summary line (`β installed 5 packages in 423ms`) instead of a partial bar. Also fixes two real bookkeeping bugs (a `2/1 packages` overflow on platform-mismatched non-optional deps, and the "stuck at 90%" undercount caused by `filter_graph` dropping packages after the denominator was inflated). - **Local bins for `aube run` and `aube dlx`** ([#​502](https://redirect.github.com/endevco/aube/pull/502) by [@​jdx](https://redirect.github.com/jdx)) β `aube run <name>` falls back to `node_modules/.bin/<name>` when no `package.json` script matches, and `aube dlx` / `aubx` will execute an already-installed local binary instead of doing a throwaway install. Pass `-p` / `--package` (or a versioned spec) to force the install path. - **Stable error and warning codes** ([#​492](https://redirect.github.com/endevco/aube/pull/492) by [@​jdx](https://redirect.github.com/jdx)) β every error and warning aube emits now carries an `ERR_AUBE_*` or `WARN_AUBE_*` identifier in a structured field, so CI scripts and ndjson consumers can branch on the code instead of substring-matching English messages. A curated subset maps to bespoke Unix exit codes (10β99 in 10-wide ranges by category) so shells can react to specific failures without parsing stderr β e.g. `aube install --frozen-lockfile` in an empty dir exits with `10` (`ERR_AUBE_NO_LOCKFILE`). Post-resolver errors that mention a specific package now also include the dependency chain back to the importer (`chain: a@1 > b@2 > leaf@3`) so a tarball-integrity or fetch failure tells you *why* your install pulled that transitive dep. The full code list lives at `docs/error-codes.md`. #### Fixed - **`aube why` / `list` / `query` from a workspace subpackage** ([#​504](https://redirect.github.com/endevco/aube/pull/504) by [@​jdx](https://redirect.github.com/jdx)) β these commands resolved cwd via the nearest `package.json`, so running them inside `packages/foo/` errored with `No lockfile found. Run aube install first.` even though the workspace lockfile sat one level up. They now walk up to the workspace root when one is present. - **Workspace lifecycle scripts and pnpm-lock npm aliases** ([#​500](https://redirect.github.com/endevco/aube/pull/500) by [@​jdx](https://redirect.github.com/jdx)) β recursive workspace installs now run `preinstall`/`install`/`postinstall`/`prepare` for each linked workspace importer in dependency order (not just the root), and the build-script policy merges `pnpm.allowBuilds` / `onlyBuiltDependencies` / `neverBuiltDependencies` across all participating manifests so a member can approve its own dep's builds. `pnpm-lock.yaml` now writes npm aliases in pnpm's native `<real>@​<version>` encoding instead of leaking aube's internal `aliasOf` field. - **`aube add` auto-detects local paths** ([#​499](https://redirect.github.com/endevco/aube/pull/499) by [@​jdx](https://redirect.github.com/jdx)) β `aube add /path/to/lib`, `./lib`, `~/lib`, `file:./lib`, and `link:./lib` no longer fall through to the registry path with a confusing `HTTP 405 Method Not Allowed`. Bare paths default to `link:` for directories and `file:` for tarballs (pnpm parity); explicit prefixes are preserved. Tarball-suffix paths emit a clear "not yet supported in `aube add`" hint instead of a 405. #### Changed - **Per-command `--help` is bucketed** ([#​505](https://redirect.github.com/endevco/aube/pull/505) by [@​jdx](https://redirect.github.com/jdx)) β `--frozen-lockfile` / `--prefer-frozen-lockfile`, `--registry` + `--fetch-*`, and `--disable/--enable-global-virtual-store` moved off the global flag set into per-command groups under `Lockfile` / `Network` / `Virtual store` headings, and now appear only on commands that consume them. Seven pnpm-compat no-op flags (`--workspace-packages`, `--ignore-workspace`, `--include-workspace-root`, `--aggregate-output`, `--stream`, `--use-stderr`, `--yes`) are still parsed but hidden from `--help`. Pre-subcommand placement still works (`aube --frozen-lockfile install`, `aube --registry=URL install`) via an argv pre-pass. One caveat: implicit-script invocations like `aube --frozen-lockfile dev` (where `dev` is a `package.json` script) no longer apply the flag β write `aube run --frozen-lockfile dev` instead. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.7.0...v1.8.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.7.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.7.0): : Local & git specs in aube add, faster cold installs [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.2...v1.7.0) A feature-heavy release: `aube add` learns git and local-path specs, workspace commands gain support for yaml-only "coordinator" monorepos, `aube update` and `aube rebuild` get pnpm-parity polish, and a deep performance pass speeds up cold installs by up to \~1.9Γ. #### Highlights - **`aube add` is now a one-stop shop** for git, GitHub-shorthand, and `link:` / `file:` local-path dependencies β not just registry packages. - **Performance pass on the install hot path** ([#​469](https://redirect.github.com/endevco/aube/pull/469)) lands streaming SHA-512, parallel CAS imports, TLS prewarm, fetch reordering, and a long tail of cold-path cleanups, with measured cold-install speedups up to \~1.9Γ vs v1.6.2. - **Workspace and pnpm parity polish** across `update`, `rebuild`, yaml-only roots, unversioned members, and nested `link:` / `file:` resolution. #### Added - **`aube add file:./pkg` / `link:../sibling`** ([#​487](https://redirect.github.com/endevco/aube/pull/487) by [@​jdx](https://redirect.github.com/jdx)) β local-path specs are routed through a non-registry branch, with the manifest key derived from the path basename (with `.tgz` / `.tar.gz` stripped) or from an explicit alias. `aube add my-bundle@file:./bundle.tgz` works too. - **`aube add` supports git specs** ([#​483](https://redirect.github.com/endevco/aube/pull/483) by [@​jdx](https://redirect.github.com/jdx)) β bare GitHub shorthand, `github:` / `gitlab:` / `bitbucket:` prefixes, full `git+ssh` / `git+https` URLs, and aliases. The verbatim spec is written to `package.json` and the resolver handles the rest: ```bash aube add kevva/is-negative aube add github:kevva/is-positive aube add my-alias@git+https://github.com/kevva/is-negative.git ``` - **Yaml-only workspace roots** ([#​486](https://redirect.github.com/endevco/aube/pull/486) by [@​jdx](https://redirect.github.com/jdx)) β `install`, `list`, `run -r`, `query`, and `why` now work in pure-coordinator monorepos that have `pnpm-workspace.yaml` / `aube-workspace.yaml` at the root but no root `package.json` (Turborepo-style layouts). Single-project commands like `add` / `remove` still hard-error without a manifest. - **`aube update <pkg>` rewrites manifest ranges by default** ([#​479](https://redirect.github.com/endevco/aube/pull/479) by [@​jdx](https://redirect.github.com/jdx)) β caret/tilde ranges (`^1.2.0`, `~1.2.0`) are rewritten to track the resolved in-range max, matching pnpm. Other shapes (`>=`, exact pins, dist-tags, git, `workspace:`) stay frozen. Set `update-rewrites-specifier=false` to keep the previous behavior. - **`aube rebuild <pkg>...`** ([#​477](https://redirect.github.com/endevco/aube/pull/477) by [@​jdx](https://redirect.github.com/jdx)) β runs lifecycle scripts only for the named deps, bypasses the `allowBuilds` / `onlyBuiltDependencies` policy, and skips root hooks. Composes with `--filter`. Bare `aube rebuild` continues to do a full policy-respecting rebuild. - **Persistent unreviewed-builds warning** ([#​476](https://redirect.github.com/endevco/aube/pull/476) by [@​jdx](https://redirect.github.com/jdx)) β repeat warm-path installs no longer swallow the "ignored build scripts for N package(s)" nudge; the spec keys are persisted in `.aube-state` and re-emitted on every install. - **`aube update --depth` no longer silently ignored** ([#​473](https://redirect.github.com/endevco/aube/pull/473) by [@​jdx](https://redirect.github.com/jdx)) β emits a one-line warning pointing at `rm aube-lock.yaml && aube install` for the only useful semantic case. #### Fixed - **Faster cold installs** ([#​469](https://redirect.github.com/endevco/aube/pull/469) by [@​imjustprism](https://redirect.github.com/imjustprism)) β a wide hot-path pass with measurable wins on real registries: | Project | v1.6.2 | v1.7.0 | Speedup | | ----------------- | --------: | ------: | ------: | | svelte (56 pkg) | 1393 ms | 1386 ms | 1.01Γ | | vue (117 pkg) | 1590 ms | 1360 ms | 1.17Γ | | next.js (336 pkg) | 14071 ms | 9160 ms | 1.54Γ | | babylon (21 pkg) | \~6000 ms | 3186 ms | \~1.9Γ | Highlights: streaming SHA-512 over the wire (no second buffered hash pass), two-phase parallel CAS tar import, speculative TLS/HTTP/2 prewarm behind manifest parse, native-build packages floated to the front of the fetch queue, `Accept-Encoding: gzip, br, zstd` on packuments, in-process DNS cache via `hickory-dns`, mmap+rayon BLAKE3 over 4 MiB, network concurrency default raised 64 β 128, and zero-copy packument parsing. Every change ships with an `AUBE_DISABLE_*` killswitch (`AUBE_DISABLE_STREAMING_SHA512`, `AUBE_DISABLE_SPECULATIVE_TLS`, `AUBE_DISABLE_CRITICAL_PATH`, `AUBE_DISABLE_PARALLEL_IMPORT`, `AUBE_DISABLE_MMAP_BLAKE3`, `AUBE_DISABLE_SNAPSHOTS`) plus an `AUBE_CONCURRENCY=N` clamp. - **Nested `link:` / `file:` resolution** ([#​470](https://redirect.github.com/endevco/aube/pull/470) by [@​jdx](https://redirect.github.com/jdx)) β fixes the `transitive local specifier link:./libs/foo cannot be resolved without the parent package source root` install error in two cases: a `file:` / `link:` parent declaring a transitive `link:`, and a root `pnpm.overrides` rewriting a registry dep to a local path. Override paths now anchor at the project root like pnpm does. - **Workspace members without `version`** ([#​480](https://redirect.github.com/endevco/aube/pull/480) by [@​jdx](https://redirect.github.com/jdx)) β fall back to `0.0.0` instead of hard-erroring. `workspace:*` / `^` / `~` siblings still link locally; specific ranges like `workspace:^2.0.0` still correctly fail to satisfy. Unblocks repos like [tuist/tuist#10584](https://redirect.github.com/tuist/tuist/pull/10584). - **Bare `user/repo` parsed as GitHub shorthand** ([#​472](https://redirect.github.com/endevco/aube/pull/472) by [@​jdx](https://redirect.github.com/jdx)) in lockfile/spec parsing, with `update --latest` now skipping git-spec deps so they can't be silently rewritten into registry pins. - **CLI short help wraps cleanly** ([#​478](https://redirect.github.com/endevco/aube/pull/478) by [@​jdx](https://redirect.github.com/jdx)) β many flags across `add`, `install`, `publish`, `update`, `view`, etc. had multi-line doc comments that clap merged into 120+ char paragraphs for `-h`. Now each flag has a one-line summary followed by the longer prose, restoring readable short help on standard terminals. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.6.2...v1.7.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzkuMyIsInVwZGF0ZWRJblZlciI6IjQzLjE3OS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
Taku Kodama
|
93ca8a4cef
|
fix: install mise-shim.exe on Windows (#476)
Some checks failed
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
zizmor / zizmor (push) Has been cancelled
|
||
|
jdx
|
a0eaf7aa03
|
fix(ci): add gh auth setup-git to release-plz.sh (#473)
Some checks failed
release-plz / release-plz (push) Has been cancelled
build-test / build (push) Has been cancelled
zizmor / zizmor (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
Check dist/ / Check dist/ (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
## Summary
- Follow-up to [#471](https://github.com/jdx/mise-action/pull/471): the
release-plz checkout now uses `persist-credentials: false`, so the token
isn't written to `.git/config` and `git push origin release --force` in
[scripts/release-plz.sh](scripts/release-plz.sh) would 403.
- Mirror the workaround already applied to
[scripts/postversion.sh:9](scripts/postversion.sh:9) by calling `gh auth
setup-git` after the `git config user.{name,email}` block, before any
`git push`.
Flagged by Cursor Bugbot on
https://github.com/jdx/mise-action/pull/471#pullrequestreview-4275760577.
## Test plan
- [ ] Next scheduled release-plz run (or manual `workflow_dispatch`)
successfully pushes the `release` branch without a 403.
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk CI-only change that affects the release automation path; main
impact is whether the workflow can successfully push the `release`
branch.
>
> **Overview**
> Fixes the `scripts/release-plz.sh` release automation to run `gh auth
setup-git` after setting the git author, ensuring `git push` works when
`actions/checkout` uses `persist-credentials: false`.
>
> This prevents 403 failures when pushing the forced `release` branch
during automated version bump PR creation.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
46bb674500
|
chore(ci): add zizmor workflow for github actions security analysis (#471)
Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub
Actions workflows for security issues. Runs on push to main and on PRs
that change `.github/workflows/**`. Fails CI on any finding.
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/workflow hardening, but it also changes release automation
(`postversion.sh`) and workflow permissions/credentials behavior, which
could break tagging/publishing if misconfigured.
>
> **Overview**
> Adds a new `zizmor` workflow that runs on PRs/pushes touching
`.github/workflows/**` to security-audit workflows.
>
> Hardens existing workflows by defaulting to least-privilege
`permissions`, setting `actions/checkout` to `persist-credentials:
false`, and adjusting related behavior (e.g., `scripts/postversion.sh`
now runs `gh auth setup-git` so `git push` still works; `ci.yml`
disables `mise-action` caching; `test.yml` avoids interpolating
`steps.bad.outcome` inside a shell string by passing it via env).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
ff58e14023
|
chore(ci): remove autofix.ci workflow (#470)
Removes the autofix.ci workflow.
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: deletes a standalone CI workflow with no runtime code
changes, but it will stop automatic fix commits on PRs and could
increase manual formatting churn.
>
> **Overview**
> Removes the `.github/workflows/autofix.yml` GitHub Actions workflow
that previously ran on `pull_request`/`main` pushes to install deps,
build/package, and invoke `autofix-ci/action` to push automated fixes
back to branches.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
3b3c8bb538
|
ci: remove pull_request_target workflow (#469)
## Summary
- Deletes the only workflow in this repo triggered by
`pull_request_target`.
- `pull_request_target` runs in the context of the base repo (with
secrets / write tokens) on PRs from forks, which is risky. The workflow
only validated PR titles; not worth the trust footprint.
## Test plan
- [ ] None β workflow file removal only.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: deletes a GitHub Actions workflow only; no application code
or runtime behavior changes, and it reduces exposure from
`pull_request_target` workflows.
>
> **Overview**
> Removes the `semantic-pr-lint` GitHub Actions workflow that ran on
`pull_request_target` to validate PR titles.
>
> This eliminates the repoβs only `pull_request_target` workflow,
reducing the trust/secrets footprint for PRs (especially from forks).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
8d3b0ba20a
|
chore(deps): lock file maintenance (#468)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | π§ This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - "before 4am on monday" - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
590bfd78fa
|
chore(deps): update dependency aube to v1.6.2 (#466)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.5.1` β `v1.6.2` | `v1.9.1` (+3) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.6.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.2): : Engines coverage catches up to pnpm [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.1...v1.6.2) A small patch release that closes engine-validation gaps with pnpm. #### Fixed - **Broader engines coverage** ([#​458](https://redirect.github.com/endevco/aube/pull/458) by [@​jdx](https://redirect.github.com/jdx)) β aube now honors engine constraints it previously skipped: - `engines.aube` and `engines.pnpm` on root and workspace project manifests are checked against the running aube version (aube positions itself as a pnpm-compatible drop-in, so `engines.pnpm` is honored as if aube were that pnpm). - `engines.node` is now enforced on workspace project manifests, not just the root. - Warning output labels which engine triggered the mismatch (e.g. `wanted node >=20`, `wanted aube >=99999`, `wanted pnpm >=8`), and the `engine-strict` error message stays compatible with existing assertions. - `engines.{aube,pnpm}` on transitive deps remain skipped on purpose, since wild packages routinely pin author toolchains. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.6.1...v1.6.2> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.6.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.1) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.0...v1.6.1) ##### Fixed - Unblocked the `v1.6.0` publishing path so missing Linux release assets and downstream package publishes could be backfilled ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Made the resolver build script tolerate environments where the primer generator exists but `node` is not installed, falling back to an empty primer with a Cargo warning instead of panicking ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Moved npm publishing and PPA upload jobs back to GitHub-hosted runners where npm provenance and Launchpad FTP uploads work correctly ([#​460](https://redirect.github.com/endevco/aube/pull/460)). ##### Other - Refreshed benchmarks for the 1.5.2 baseline ([#​459](https://redirect.github.com/endevco/aube/pull/459)). ### [`v1.6.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.0) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.1...v1.6.0) ##### Highlights - Added broader pnpm compatibility for `aube add`, `aube update`, pnpmfile hooks, catalog saves, workspace protocol parsing, and lockfile directory configuration. - Added generic `--config.<key>=<value>` overrides plus fetch timeout, retry, backoff, `--pnpmfile`, and `--global-pnpmfile` flags. - Improved install, resolver, registry, linker, manifest, settings, and state hot paths with shared caches, cheaper hashes, fewer repeated filesystem probes, and compressed packument fetches. - Expanded pnpm parity coverage across update, hooks, allow-build review, monorepo filter, prefer-offline, and misc install behavior. ##### Added - `aube update` now parses `<pkg>@​<spec>` arguments and can update indirect dependencies ([#​446](https://redirect.github.com/endevco/aube/pull/446)). - `aube add` can bootstrap a missing `package.json`, matching pnpm behavior covered by newly ported misc tests ([#​417](https://redirect.github.com/endevco/aube/pull/417)). - `--config.<key>=<value>` flags provide generic CLI config overrides ([#​447](https://redirect.github.com/endevco/aube/pull/447)). - `--lockfile-dir` / `lockfileDir` support allows commands to target a foreign lockfile directory when valid ([#​431](https://redirect.github.com/endevco/aube/pull/431)). - Fetch controls were added for timeout, retry count, and retry backoff behavior ([#​436](https://redirect.github.com/endevco/aube/pull/436)). - `--pnpmfile` and `--global-pnpmfile` flags were added, with pnpmfile hooks wired into update and `preResolution` support ([#​439](https://redirect.github.com/endevco/aube/pull/439), [#​423](https://redirect.github.com/endevco/aube/pull/423)). - pnpmfile `ctx.log` records now emit as `pnpm:hook` NDJSON on stdout ([#​440](https://redirect.github.com/endevco/aube/pull/440)). - `--save-catalog`, `workspace:*` parsing, and `sharedWorkspaceLockfile=false` support landed together ([#​418](https://redirect.github.com/endevco/aube/pull/418)). - Empty `--allow-build` values now use pnpm's verbatim error wording ([#​444](https://redirect.github.com/endevco/aube/pull/444)). ##### Fixed - `AUBE_VIRTUAL_STORE_DIR` is honored from the environment, with additional pnpm misc parity coverage ([#​456](https://redirect.github.com/endevco/aube/pull/456)). - `aube update --latest` preserves prerelease pins that are already higher than the latest stable version ([#​445](https://redirect.github.com/endevco/aube/pull/445)). - `.` is rejected as a foreign `--lockfile-dir` importer and the related docs were corrected ([#​442](https://redirect.github.com/endevco/aube/pull/442)). - npm `package-lock.json` workspace importers are preserved when parsing and writing lockfiles ([#​443](https://redirect.github.com/endevco/aube/pull/443)). - Lifecycle script behavior closed three pnpm parity gaps ([#​421](https://redirect.github.com/endevco/aube/pull/421)). - The resolver now ships an empty bundled metadata primer when the generator script cannot run, instead of failing the build ([#​425](https://redirect.github.com/endevco/aube/pull/425)). ##### Performance - Cached hot-path work across install, resolver, registry, linker, manifest parsing, settings lookup, and install state freshness checks ([#​453](https://redirect.github.com/endevco/aube/pull/453)). - Deduplicated and cached repeated install/resolver work, including graph hashing, patch fingerprints, lockfile parsing, env capture, script policy lookup, workspace-root scans, and registry auth token matching ([#​449](https://redirect.github.com/endevco/aube/pull/449)). - Refreshed benchmark results for the 1.5.2 baseline ([#​448](https://redirect.github.com/endevco/aube/pull/448), [#​452](https://redirect.github.com/endevco/aube/pull/452)). ##### Testing and Parity - Ported pnpm monorepo filter tests and wired `--fail-if-no-match` ([#​457](https://redirect.github.com/endevco/aube/pull/457)). - Ported additional pnpm hook, allowBuilds review, update, prefer-offline, circular peer, trust-policy, peer warning, top-level plugin, and registry fixture coverage ([#​455](https://redirect.github.com/endevco/aube/pull/455), [#​441](https://redirect.github.com/endevco/aube/pull/441), [#​438](https://redirect.github.com/endevco/aube/pull/438), [#​454](https://redirect.github.com/endevco/aube/pull/454), [#​434](https://redirect.github.com/endevco/aube/pull/434), [#​433](https://redirect.github.com/endevco/aube/pull/433), [#​424](https://redirect.github.com/endevco/aube/pull/424)). </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
c0cbd12180
|
chore(deps): update dependency globals to v17.6.0 (#465)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [globals](https://redirect.github.com/sindresorhus/globals) | [`17.5.0` β `17.6.0`](https://renovatebot.com/diffs/npm/globals/17.5.0/17.6.0) |  |  | --- ### Release Notes <details> <summary>sindresorhus/globals (globals)</summary> ### [`v17.6.0`](https://redirect.github.com/sindresorhus/globals/compare/v17.5.0...6b15870f1c08b60b5b57afe45a703d9ed0be39bc) [Compare Source](https://redirect.github.com/sindresorhus/globals/compare/v17.5.0...v17.6.0) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
34cccd8792
|
chore(deps): update dependency eslint to v10.3.0 (#464)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.2.1` β `10.3.0`](https://renovatebot.com/diffs/npm/eslint/10.2.1/10.3.0) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.3.0`](https://redirect.github.com/eslint/eslint/compare/v10.2.1...78892043a36da4aa7640b59c99344b00c181048a) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.2.1...v10.3.0) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
396ce9daa2
|
chore(deps): update dependency aube to v1.5.1 (#463)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `1.4` β `v1.5.1` | `v1.9.1` (+6) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.5.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.1): : POSIX colon tarball filenames [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.0...v1.5.1) A small patch release fixing tarball installs that contain `:` in entry filenames on POSIX platforms (e.g. `redos-detector@6.1.4`'s `dist/__mocks__/package-json:version.d.ts`). #### Fixed - **POSIX colon tarball filenames** β the store tarball validator and the linker's `validate_index_key` previously rejected `:` on every platform to defend against Windows drive-prefix and NTFS alternate-data-stream ambiguity. That guard was too broad for POSIX, where colon is a valid filename character, and caused installs of packages like `redos-detector@6.1.4` to fail. Both guards are now platform-gated: `:` is still rejected on Windows, but accepted on Linux and macOS. ([#​386](https://redirect.github.com/endevco/aube/pull/386) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.5.0...v1.5.1> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.5.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.0): : Dependency graph queries and patch/lockfile fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.4.0...v1.5.0) This release adds `aube query` for selector-based dependency graph inspection, fixes patch application against CRLF tarball files, repairs npm-aliased catalog dependencies in pnpm-generated lockfiles, and unifies how aube decides where to write workspace settings. #### Added - **`aube query`** β a vlt-inspired dependency-graph query command. Supply a selector expression (attribute predicates plus pseudo-selectors like `:scripts`, `:bin`, `:peer`, `:type(...)`, `:license(...)`), optionally scope with workspace `--filter`/`--prod`/`--dev` roots, and emit human-readable, `--parseable`, or `--json` output. Reads only the local lockfile. ([#​380](https://redirect.github.com/endevco/aube/pull/380) by [@​jdx](https://redirect.github.com/jdx)) #### Fixed - **Patches against CRLF text files** β tarballs published from Windows editors (e.g. `gifuct-js@2.1.2/index.d.ts`) ship CRLF, but git/pnpm-style patches always emit LF, and diffy refused to match LF hunks against CRLF context. aube now normalizes the original to LF before applying and restores CRLF on write β matching pnpm's approach β with a `\r\r\n` collapse so a literal `\r` byte mid-line doesn't gain a second carriage return. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **`aube patch-commit` destination** β previously wrote unconditionally to `pnpm.patchedDependencies` in `package.json` even on projects already using the pnpm v10+ workspace-yaml home. A single rule now applies to every command that mutates a setting which can live in either the workspace yaml or `package.json#{pnpm,aube}.<key>`: 1. If a workspace yaml exists on disk β write there. 2. Otherwise, if `package.json#pnpm` is already declared β write `pnpm.<key>` (preserve the user's namespace). 3. Otherwise β write `aube.<key>`. `aube patch-remove` now strips entries from every place they could live and reports the files actually rewritten. The same rule covers `aube approve-builds` and install-time auto-deny seeding. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **npm-aliased catalog deps from pnpm lockfiles** β `aube install --frozen-lockfile` previously accepted a pnpm lockfile with `beamcoder: npm:beamcoder-prebuild@β¦` declared via `pnpm-workspace.yaml#catalog` and silently produced an empty `node_modules`, because the importer's specifier was `'catalog:'` and alias detection only fired on `specifier.starts_with("npm:")`. Aliases are now detected purely from the canonical `<real>@​<resolved>` `version:` shape, with a peer-suffix strip so `version: 18.2.0(react@18.2.0)` isn't misclassified. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Bounded resolver stream** β the resolved-package stream is now a bounded Tokio channel sized from the same network concurrency used by fetch workers, with awaited sends so resolver/fetch overlap applies backpressure instead of accumulating an unbounded queue. ([#​377](https://redirect.github.com/endevco/aube/pull/377) by [@​jdx](https://redirect.github.com/jdx)) #### Changed - **`aube-workspace.yaml` is the default-write filename** β when neither `aube-workspace.yaml` nor `pnpm-workspace.yaml` exists, `aube approve-builds` (and the install-time auto-seed of unreviewed build scripts) now creates `aube-workspace.yaml` so it pairs with `aube-lock.yaml` instead of leaving mixed vendor namespaces side by side. Existing `pnpm-workspace.yaml` files keep being mutated in place. ([#​382](https://redirect.github.com/endevco/aube/pull/382) by [@​jdx](https://redirect.github.com/jdx)) - **Comment-preserving workspace-yaml writes** β yaml writes now skip the rewrite when the closure produces no structural change, so user comments survive every no-op update to `allowBuilds`, `patchedDependencies`, and catalog cleanup. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Install phase timing sink** β set `AUBE_BENCH_PHASES_FILE` to append per-phase install timings (resolve/fetch/link/scripts/state/sweep) as JSONL, optionally tagged with `AUBE_BENCH_SCENARIO`. The benchmark harness samples aube install-shaped scenarios and `benchmarks/generate-phase-results.mjs` turns the JSONL into a Markdown table plus a structured JSON artifact. ([#​381](https://redirect.github.com/endevco/aube/pull/381) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.4.0...v1.5.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
8720daa86c
|
chore(deps): update github/codeql-action digest to 68bde55 (#462)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|
||
|
jdx
|
c6a35e2d7d
|
chore(ci): use !cancelled() instead of always() for final job (#460)
## Summary
- Combined with the workflow's `cancel-in-progress` group, `if:
always()` overrides cancellation and runs the `final` aggregator even on
superseded commits.
- `!cancelled()` still runs on upstream success or failure but skips
when the workflow is cancelled β saves a runner and avoids confusing
error annotations on already-superseded shas.
- Caught by Cursor Bugbot on a sibling repo (endevco/pitchfork#413).
Same `final`-aggregator pattern + `cancel-in-progress: true` here, so
the same fix applies.
## Test plan
- [ ] CI passes on this PR
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk CI-only change that just adjusts when the `final` job runs;
main risk is slightly different status reporting when runs are
cancelled.
>
> **Overview**
> Updates the GitHub Actions `final` aggregator job to use `if: ${{
!cancelled() }}` instead of `always()`, so it still runs for upstream
success/failure but **does not** run for cancelled workflows (e.g.,
superseded runs under `cancel-in-progress`).
>
> Adds clarifying comments to document why cancellation should skip the
aggregator to avoid wasting runners and producing noise on cancelled
commits.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
b9e293457e
|
chore(deps): update github/codeql-action digest to e46ed2c (#459)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|