mirror of
https://github.com/jdx/mise-action.git
synced 2026-06-13 18:54:52 +00:00
676 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
renovate[bot]
|
f1eae89ff0
|
chore(deps): update dependency js-yaml to v4.2.0 (#515)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [js-yaml](https://redirect.github.com/nodeca/js-yaml) | [`4.1.1` β `4.2.0`](https://renovatebot.com/diffs/npm/js-yaml/4.1.1/4.2.0) |  |  | --- ### Release Notes <details> <summary>nodeca/js-yaml (js-yaml)</summary> ### [`v4.2.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#420---2026-06-01) [Compare Source](https://redirect.github.com/nodeca/js-yaml/compare/4.1.1...590dbabadd172b099c07654fab2eabec8c7a07b9) ##### Added - Added `docs/safety.md` with notes about processing untrusted YAML. - Added `maxDepth` (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow. - Added `maxMergeSeqLength` (20) loader option. Not a problem after `merge` fix, but an additional restriction for safety. - Added sourcemaps to `dist/` builds. ##### Changed - Stop resolving numbers with underscores as numeric scalars, [#​627](https://redirect.github.com/nodeca/js-yaml/issues/627). - Switched dev toolchains to Vite / neostandard. - Updated demo. - Reorganized tests. - `dist/` files are no longer kept in the repository. ##### Fixed - Fix parsing of properties on the first implicit block mapping key, [#​62](https://redirect.github.com/nodeca/js-yaml/issues/62). - Fix trailing whitespace handling when folding flow scalar lines, [#​307](https://redirect.github.com/nodeca/js-yaml/issues/307). - Reject top-level block scalars without content indentation, [#​280](https://redirect.github.com/nodeca/js-yaml/issues/280). - Ensure numbers survive round-trip, [#​737](https://redirect.github.com/nodeca/js-yaml/issues/737). - Fix test coverage for issue [#​221](https://redirect.github.com/nodeca/js-yaml/issues/221). - Fix flow scalar trailing whitespace folding, [#​307](https://redirect.github.com/nodeca/js-yaml/issues/307). - Fix digits in YAML named tag handles. ##### Security - Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K). </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
ab3e780cf6
|
chore(deps): update typescript-eslint monorepo to v8.60.1 (#514)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.60.0` β `8.60.1`](https://renovatebot.com/diffs/npm/typescript-eslint/8.60.0/8.60.1) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.60.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8601-2026-06-01) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.60.0...v8.60.1) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.1) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
17d3aa0218
|
chore(deps): update github/codeql-action action to v4.36.2 (#513)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v4.36.0` β `v4.36.2` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v4.36.2`](https://redirect.github.com/github/codeql-action/compare/v4.36.1...v4.36.2) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.36.1...v4.36.2) ### [`v4.36.1`](https://redirect.github.com/github/codeql-action/compare/v4.36.0...v4.36.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.36.0...v4.36.1) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated CodeQL analysis workflow dependencies to the latest patch versions for enhanced security scanning capabilities. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
4acea8dd7c
|
chore(deps): update actions/checkout action to v6.0.3 (#512)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://redirect.github.com/actions/checkout) | action | patch | `v6.0.2` β `v6.0.3` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v6.0.3`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v603) [Compare Source](https://redirect.github.com/actions/checkout/compare/v6.0.2...v6.0.3) - Fix checkout init for SHA-256 repositories by [@​yaananth](https://redirect.github.com/yaananth) in [#​2439](https://redirect.github.com/actions/checkout/pull/2439) - fix: expand merge commit SHA regex and add SHA-256 test cases by [@​yaananth](https://redirect.github.com/yaananth) in [#​2414](https://redirect.github.com/actions/checkout/pull/2414) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated GitHub Actions checkout dependencies across multiple CI/CD workflows to the latest version for improved stability and compatibility. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
Taku Kodama
|
b2321533f9
|
docs: link rust cache issue (#496)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
|
||
|
renovate[bot]
|
6461503b3f
|
chore(deps): update eslint monorepo to v10.4.1 (#509)
Some checks are pending
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.4.0` β `10.4.1`](https://renovatebot.com/diffs/npm/eslint/10.4.0/10.4.1) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.4.1`](https://redirect.github.com/eslint/eslint/releases/tag/v10.4.1) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.4.0...v10.4.1) #### Bug Fixes - [`e557467`]( |
||
|
renovate[bot]
|
f4342fcf27
|
chore(deps): update dependency @rollup/plugin-commonjs to v29.0.3 (#508)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@rollup/plugin-commonjs](https://redirect.github.com/rollup/plugins/tree/master/packages/commonjs/#readme) ([source](https://redirect.github.com/rollup/plugins/tree/HEAD/packages/commonjs)) | [`29.0.2` β `29.0.3`](https://renovatebot.com/diffs/npm/@rollup%2fplugin-commonjs/29.0.2/29.0.3) |  |  | --- ### Release Notes <details> <summary>rollup/plugins (@​rollup/plugin-commonjs)</summary> ### [`v29.0.3`](https://redirect.github.com/rollup/plugins/blob/HEAD/packages/commonjs/CHANGELOG.md#v2903) *2026-05-29* ##### Bugfixes - commonjs: make [#​1868](https://redirect.github.com/rollup/plugins/issues/1868) es5-compatible ([#​1981](https://redirect.github.com/rollup/plugins/issues/1981)) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
920c1fed1b
|
chore(deps): update typescript-eslint monorepo to v8.60.0 (#507)
Some checks are pending
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.4` β `8.60.0`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.4/8.60.0) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.60.0`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8600-2026-05-25) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.4...v8.60.0) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.60.0) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
jdx
|
26ff5b8173
|
chore(ci): use pr-closer action (#505)
Some checks failed
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
zizmor / zizmor (push) Has been cancelled
|
||
|
jdx
|
2b5874788d
|
chore(ci): fix zizmor version comments (#506) | ||
|
jdx
|
dba19683ed
|
chore: release v4.1.0 (#490)
Co-authored-by: mise-en-dev <123107610+mise-en-dev@users.noreply.github.com> |
||
|
jdx
|
f91a09d9ef
|
fix(ci): resolve zizmor findings (#503) | ||
|
renovate[bot]
|
a9d72a2ac5
|
chore(deps): update github/codeql-action action to v4.36.0 (#500) | ||
|
renovate[bot]
|
1f56d95323
|
chore(deps): update dependency @actions/cache to v6.0.1 (#497)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@actions/cache](https://redirect.github.com/actions/toolkit/tree/main/packages/cache) ([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/cache)) | [`6.0.0` β `6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fcache/6.0.0/6.0.1) |  |  | --- ### Release Notes <details> <summary>actions/toolkit (@​actions/cache)</summary> ### [`v6.0.1`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#601) - Bump dependency versions ([#​2393](https://redirect.github.com/actions/toolkit/pull/2393)): - `@actions/core` to `^3.0.1` - `@actions/http-client` to `^4.0.1` - `@actions/io` to `^3.0.2` - `@azure/core-rest-pipeline` to `^1.23.0` - `@azure/storage-blob` to `^12.31.0` - `semver` to `^7.7.4` </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTguMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5OC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: default <216188+jdx@users.noreply.github.com> |
||
|
jdx
|
e47eed9a5f
|
chore: update aube tool version (#501)
Some checks failed
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
Check dist/ / Check dist/ (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
|
||
|
renovate[bot]
|
69c24ed920
|
chore(deps): update dependency aube to v1.15.0 (#498)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.14.1` β `v1.15.0` | `v1.16.0` | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.15.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.15.0): : Yarn Berry portal/exec/patch + deny-build [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.14.1...v1.15.0) This release closes three Yarn Berry compatibility gaps (`portal:`, `exec:`, and `patch:` protocols), adds an `aube add --deny-build` flag for `strictDepBuilds=true` workflows, and fixes two install-correctness bugs around workspace updates and Bun patched dependencies. #### Added - *(yarn)* **Berry `portal:` and `exec:` protocols** ([#​729](https://redirect.github.com/endevco/aube/pull/729) by [@​jdx](https://redirect.github.com/jdx)) β Yarn Berry lockfile entries using `portal:` and `exec:` are now parsed instead of skipped, and round-trip cleanly when aube writes the lockfile back (`portal:` as `linkType: soft`, `exec:` as a generated hard-link package). `portal:` targets materialize as local packages whose dependencies are followed (matching Yarn's documented difference from `link:`); `exec:` generator scripts run into a temp build directory and the generated package is imported, with versions and dependencies locked at resolve time. `exec:` generators require Node.js on `PATH`, are blocked under `--ignore-scripts`, and are rejected if the generator path resolves outside the project root. - *(yarn)* **Berry `patch:` protocol** ([#​728](https://redirect.github.com/endevco/aube/pull/728) by [@​jdx](https://redirect.github.com/jdx)) β Berry `patch:` resolutions are now parsed into aube's patched-dependency map (builtin patches are skipped), preserved on lockfile write, and threaded through install/link so the referenced Yarn patch files are actually applied during materialization. Previously these entries were silently dropped, so Berry projects relying on `patch:` could install with unpatched package contents. - *(add)* **`aube add --deny-build=<pkg>`** ([#​730](https://redirect.github.com/endevco/aube/pull/730), closes [#​726](https://redirect.github.com/endevco/aube/discussions/726), by [@​jdx](https://redirect.github.com/jdx)) β Repeatable flag that records a dependency's lifecycle scripts as reviewed-and-denied by writing `allowBuilds.<pkg>=false` before install. This lets `strictDepBuilds=true` workflows explicitly skip selected package builds without failing the install, and is forwarded through global installs (`aube add -g --deny-build=<pkg>`). Specifying the same package in both `--allow-build` and `--deny-build` is rejected with the new `ERR_AUBE_CONFLICTING_BUILD_FLAGS`. ```sh # Mark esbuild's postinstall as reviewed-and-denied, then install aube add --deny-build=esbuild esbuild ``` #### Fixed - *(update)* **Workspace-member `aube update` writes to the root lockfile** ([#​732](https://redirect.github.com/endevco/aube/pull/732) by [@​jdx](https://redirect.github.com/jdx)) β `aube update` run inside a workspace member previously started from the nearest project root and produced `sub/aube-lock.yaml`, disagreeing with `aube install` (which already targets the workspace root). Plain member updates now merge into the shared workspace-root `aube-lock.yaml` via the same helper used by filtered/recursive updates, carrying per-importer `workspace_extra_fields` alongside dependency and skipped-optional metadata. - *(bun)* **Bun top-level `patchedDependencies` are applied at install** ([#​724](https://redirect.github.com/endevco/aube/pull/724) by [@​jdx](https://redirect.github.com/jdx)) β aube preserved Bun's `package.json#patchedDependencies` in `bun.lock`, but install-time patch loading only read `pnpm.patchedDependencies`, `aube.patchedDependencies`, and workspace YAML entries β so Bun-only projects could install successfully while materializing unpatched package contents. Bun's top-level field is now merged into the patch sources used by install (including for BOM-prefixed `package.json`), and is correctly removed when the map becomes empty. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.14.1...v1.15.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTguMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5OC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
76f84078a8
|
chore(deps): update zizmorcore/zizmor-action action to v0.5.4 (#488)
Some checks failed
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
zizmor / zizmor (push) Has been cancelled
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [zizmorcore/zizmor-action](https://redirect.github.com/zizmorcore/zizmor-action) | action | patch | `v0.5.3` β `v0.5.6` | --- ### Release Notes <details> <summary>zizmorcore/zizmor-action (zizmorcore/zizmor-action)</summary> ### [`v0.5.6`](https://redirect.github.com/zizmorcore/zizmor-action/releases/tag/v0.5.6) [Compare Source](https://redirect.github.com/zizmorcore/zizmor-action/compare/v0.5.5...v0.5.6) - 1.25.2 is now available via the action - 1.25.2 is now the default version of zizmor used by the action ### [`v0.5.5`](https://redirect.github.com/zizmorcore/zizmor-action/releases/tag/v0.5.5) [Compare Source](https://redirect.github.com/zizmorcore/zizmor-action/compare/v0.5.4...v0.5.5) This is a no-op release. ### [`v0.5.4`](https://redirect.github.com/zizmorcore/zizmor-action/releases/tag/v0.5.4) [Compare Source](https://redirect.github.com/zizmorcore/zizmor-action/compare/v0.5.3...v0.5.4) - 1.25.0 is now available via the action - 1.25.0 is now the default version of zizmor used by the action </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
4a84c91c82
|
chore(deps): update dependency eslint to v10.4.0 (#492)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.3.0` β `10.4.0`](https://renovatebot.com/diffs/npm/eslint/10.3.0/10.4.0) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.4.0`](https://redirect.github.com/eslint/eslint/compare/v10.3.0...452c4010c07dc2e36fe6ec6a8c48298878e86887) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.3.0...v10.4.0) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
4d5418b7ba
|
chore(deps): update dependency @types/node to v24.12.4 (#485)
This PR contains the following updates: | Package | Type | Update | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---|---|---| | [node](https://nodejs.org) ([source](https://redirect.github.com/nodejs/node)) | | minor | `24.15.0` β `v24.16.0` |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | devDependencies | patch | [`24.12.3` β `24.12.4`](https://renovatebot.com/diffs/npm/@types%2fnode/24.12.3/24.12.4) |  |  | --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v24.16.0`](https://redirect.github.com/nodejs/node/releases/tag/v24.16.0): 2026-05-21, Version 24.16.0 'Krypton' (LTS), @​aduh95 [Compare Source](https://redirect.github.com/nodejs/node/compare/v24.15.0...v24.16.0) ##### Notable Changes - \[[`b267f6bca3`]( |
||
|
renovate[bot]
|
e6760994f7
|
chore(deps): update dependency typescript-eslint to v8.59.3 (#487)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.2` β `8.59.4`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.2/8.59.4) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.59.4`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8594-2026-05-18) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.3...v8.59.4) ##### π©Ή Fixes - **typescript-eslint:** export Compatible\* types from typescript-eslint to resolve pnpm TS error ([#​12340](https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12340)) ##### β€οΈ Thank You - Kirk Waiblinger [@​kirkwaiblinger](https://redirect.github.com/kirkwaiblinger) See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.4) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. ### [`v8.59.3`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8593-2026-05-11) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.2...v8.59.3) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.3) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
d09fda2023
|
chore(deps): update github/codeql-action action to v4.35.5 (#491)
This PR contains the following updates: | Package | Type | Update | Change | Pending | |---|---|---|---|---| | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v4.35.4` β `v4.35.5` | `v4.36.0` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v4.35.5`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.5) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.35.4...v4.35.5) - We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#​3899](https://redirect.github.com/github/codeql-action/pull/3899) - For performance and accuracy reasons, [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#​3791](https://redirect.github.com/github/codeql-action/pull/3791) - If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#​3892](https://redirect.github.com/github/codeql-action/pull/3892) - Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#​3880](https://redirect.github.com/github/codeql-action/pull/3880) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
0db54f80ba
|
chore(deps): update dependency rollup to v4.60.4 (#486)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [rollup](https://rollupjs.org/) ([source](https://redirect.github.com/rollup/rollup)) | [`4.60.3` β `4.60.4`](https://renovatebot.com/diffs/npm/rollup/4.60.3/4.60.4) |  |  | --- ### Release Notes <details> <summary>rollup/rollup (rollup)</summary> ### [`v4.60.4`](https://redirect.github.com/rollup/rollup/blob/HEAD/CHANGELOG.md#4604) [Compare Source](https://redirect.github.com/rollup/rollup/compare/v4.60.3...v4.60.4) *2026-05-14* ##### Bug Fixes - Improve stability of chunk hashes ([#​6362](https://redirect.github.com/rollup/rollup/issues/6362)) ##### Pull Requests - [#​6362](https://redirect.github.com/rollup/rollup/pull/6362): fix: stabilize chunk assignment across parallel file reads ([@​sonukapoor](https://redirect.github.com/sonukapoor), [@​Sonu](https://redirect.github.com/Sonu) Kapoor, [@​TrickyPi](https://redirect.github.com/TrickyPi), [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6370](https://redirect.github.com/rollup/rollup/pull/6370): fix(deps): update minor/patch updates ([@​renovate](https://redirect.github.com/renovate)\[bot]) - [#​6371](https://redirect.github.com/rollup/rollup/pull/6371): chore(deps): update dependency lru-cache to v11 ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6372](https://redirect.github.com/rollup/rollup/pull/6372): chore(deps): update react monorepo to v19 (major) ([@​renovate](https://redirect.github.com/renovate)\[bot]) - [#​6373](https://redirect.github.com/rollup/rollup/pull/6373): chore(deps): lock file maintenance ([@​renovate](https://redirect.github.com/renovate)\[bot], [@​lukastaegert](https://redirect.github.com/lukastaegert)) - [#​6375](https://redirect.github.com/rollup/rollup/pull/6375): Resolve vulnerabilities ([@​lukastaegert](https://redirect.github.com/lukastaegert)) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
Gregor Zeitlinger
|
8cb97b85f7
|
feat: lock install when mise.lock is present (#495)
Some checks are pending
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
|
||
|
renovate[bot]
|
5b45072a5e
|
chore(deps): update dependency aube to v1.14.1 (#489)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.9.1` β `v1.14.1` | `v1.15.0` | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.14.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.1): : Install module split [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.14.0...v1.14.1) A maintenance release with no user-facing behavior changes. The install command's growing `commands/install/mod.rs` was split into focused submodules to keep the install pipeline easier to navigate. Install behavior, flags, and output are unchanged from v1.14.0. #### Changed - *(install)* Extracted the fetch/import pipeline (local source import, lockfile fetch wrapper, store-index classification, tarball fetch/import, contextualized-index remapping) into a new `commands/install/fetch.rs` module ([#​704](https://redirect.github.com/endevco/aube/pull/704) by [@​jdx](https://redirect.github.com/jdx)). - *(install)* Split the materializer, native-build critical-path heuristic, and workspace graph/lifecycle/per-project lockfile helpers into dedicated `materialize.rs`, `critical_path.rs`, and `workspace.rs` modules ([#​702](https://redirect.github.com/endevco/aube/pull/702) by [@​jdx](https://redirect.github.com/jdx)). - *(install)* Moved post-pipeline helpers β `--lockfile-dir` importer remapping, human install summary output, `.aube` cache invalidation/orphan cleanup, and skipped-build warning replay β into `lockfile_dir.rs`, `summary.rs`, `sweep.rs`, and `unreviewed_builds.rs` ([#​698](https://redirect.github.com/endevco/aube/pull/698) by [@​jdx](https://redirect.github.com/jdx)). **Full Changelog**: <https://github.com/endevco/aube/compare/v1.14.0...v1.14.1> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.14.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.0): : Bloom-filtered OSV checks and lifecycle-script content sniffing [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.13.1...v1.14.0) Two new opt-in supply-chain layers on top of the v1.13 gates: a \~380 KB bloom-filter prefilter that lets plain reinstalls cheaply probe the OSV `MAL-*` set without pulling the 200 MB mirror, and a regex-based content sniff that flags dangerous shapes in dependency `preinstall`/`install`/`postinstall` scripts before you click through `aube approve-builds`. #### Added - *(install)* **OSV bloom-filter prefilter for lockfile installs** ([#​680](https://redirect.github.com/endevco/aube/pull/680) by [@​jdx](https://redirect.github.com/jdx)) β New `advisoryBloomCheck` setting (`on` / `required` / `off`, default `off`) adds a fourth route to the post-resolve OSV decision table. Plain reinstalls probe the resolved transitive graph against a \~380 KB bloom filter fetched from [`endevco/osv-bloom`](https://redirect.github.com/endevco/osv-bloom) β regenerated upstream every 10 minutes from OSV's `MAL-*` archive β and only escalate bloom hits to the live `/querybatch` API for exact `(name, version)` confirmation. Bloom FPR is \~0.1%, so a typical 1000-package lockfile triggers zero or one extra live-API round trip per install. When both are configured, the bloom branch wins over the 200 MB `all.zip` mirror β under 1 MB on the wire, same live-API oracle, same `ERR_AUBE_MALICIOUS_PACKAGE` on a confirmed hit. Cached under `$XDG_CACHE_HOME/aube/osv-bloom/` and short-circuits the download when upstream's `set_digest_sha256` is unchanged. New warning `WARN_AUBE_OSV_BLOOM_REFRESH_FAILED`: under `on` install continues against the previously cached filter; under `required` it fails closed with `ERR_AUBE_ADVISORY_CHECK_FAILED`. - *(install)* **Content-sniff dependency lifecycle scripts before approve-builds** ([#​685](https://redirect.github.com/endevco/aube/pull/685) by [@​jdx](https://redirect.github.com/jdx)) β aube's existing supply-chain gates (OSV `MAL-*`, downloads floor, bun-compat scanner, `BuildPolicy` allowlist) are all name-based; none inspects what `postinstall` actually does, which leaves an OSV-ingest-lag window of 12β48h that the 2024β2026 wave of unobfuscated `curl β¦ | sh` postinstalls walked right through. New regex matcher fires advisory warnings for known-dangerous shapes in lifecycle script bodies: | Signal | Catches | | -------------------- | ---------------------------------------------------------------------------------------------------------------- | | `ShellPipe` | `curl β¦ \| sh`, `wget β¦ \| bash`, `β¦ \| node` | | `EvalDecode` | `eval(atob(β¦))`, `Function(atob(β¦))`, `eval(Buffer.from(β¦))` | | `CredentialFileRead` | `~/.ssh`, `~/.aws`, `~/.npmrc`, `~/.config/gh` reads | | `SecretEnvRead` | `process.env.*(TOKEN\|SECRET\|API_KEY\|PASSWORD\|ACCESS_KEY\|PRIVATE_KEY\|AUTH)` | | `ExfilEndpoint` | Discord/Telegram webhooks, OAST hosts (`oast.pro`, `interactsh`, `webhook.site`, `pipedream.net`, `ngrok.io`, β¦) | | `BareIpHttp` | Bare-IP HTTP fetch targets (literal IPv4 hosts over plain HTTP) | Sniff is advisory β `allowBuilds` still gates execution β and shows up in three places: end-of-install emits one `WARN_AUBE_SUSPICIOUS_LIFECYCLE_SCRIPT` per flagged package alongside the existing `WARN_AUBE_IGNORED_BUILD_SCRIPTS`; `aube approve-builds` annotates picker rows with `β suspicious: <category>` and prints a pre-picker summary of the matched hook+description; `aube ignored-builds` indents `β <hook> β <description>` lines under each `name@version`. Findings are re-derived per install rather than persisted, so the regex set can evolve without a state-file migration. Works offline, doesn't degrade to advisory in headless CI. #### Changed - Refreshed `benchmarks/results.json` against v1.13.1 and Bun 1.3.14 ([#​687](https://redirect.github.com/endevco/aube/pull/687)) β public ratios update to warm installs **3Γ Bun / 6Γ pnpm**, repeat test **6Γ Bun / 45Γ pnpm**. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.13.1...v1.14.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.13.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.1): : Version-aware transitive MAL-* gate [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.13.0...v1.13.1) A targeted fix for the transitive supply-chain gate added in v1.13.0: the post-resolve OSV check is now version-aware, so name-level `MAL-*` advisories stop blocking installs that resolve to clean versions of the same package. #### Fixed - *(install)* **Version-aware transitive `MAL-*` check** ([#​682](https://redirect.github.com/endevco/aube/pull/682) by [@​jdx](https://redirect.github.com/jdx)) β The post-resolve gate was reusing the pre-resolve name-only OSV query, so any name-level advisory hit every install that transitively pulled in *any* version of that package. Concretely, `aube add cowsay@1.6.0` refused with `ERR_AUBE_MALICIOUS_PACKAGE` because cowsay's tree includes `ansi-regex@3.0.1`, and `ansi-regex` carries the Sep 2025 shai-hulud advisory `MAL-2025-46966` against `6.2.1` β a version published years after `3.0.1`. The live-API and OSV-mirror lookups now send `(name, version)` pairs, refusal messages surface `name@version (MAL-β¦)`, and the local mirror index bumps to `format = 2` (storing per-advisory affected versions; v1 indexes rebuild on next refresh, and advisories with no enumerated versions still fail closed). The pre-resolve `aube add` name-gate keeps its versionless query β typosquats are malicious in every version. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.13.0...v1.13.1> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.13.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.0): : Supply-chain gates for `aube add` [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.12.0...v1.13.0) #### Added - *(install)* Bun-compatible pluggable security scanner β drop in any `securityScanner` package that follows the Bun Security Scanner API (oven-sh template, `@socketsecurity/bun-security-scanner`, etc.) and aube runs it post-resolve against the full graph via a `node` bridge ([#​657](https://redirect.github.com/endevco/aube/pull/657)) - *(add)* Supply-chain gates on `aube add`: OSV `MAL-*` advisory hard-block plus a weekly-downloads floor with TTY prompt / `--allow-low-downloads` bypass. New `advisoryCheck` and `lowDownloadThreshold` settings, both folded into `paranoid: true` ([#​656](https://redirect.github.com/endevco/aube/pull/656)) - *(install)* OSV checks now extend to the full resolved graph, routed live-API vs. local OSV mirror based on whether resolution produced fresh `(name, version)` picks; opt-in `advisoryCheckOnInstall` covers plain reinstalls, `advisoryCheckEveryInstall` forces live API every time ([#​678](https://redirect.github.com/endevco/aube/pull/678)) - *(add)* Auto-skip supply-chain gates for packages routed through a non-`registry.npmjs.org` registry, plus a new `allowedUnpopularPackages` glob allowlist to silence the downloads gate on known-internal names ([#​673](https://redirect.github.com/endevco/aube/pull/673)) #### Changed - *(install)* No longer rewrites `package.json` / workspace yaml to seed `allowBuilds: { <pkg>: "set this to true or false" }` placeholders for unreviewed build scripts ([#​662](https://redirect.github.com/endevco/aube/pull/662)) - *(install perf)* Deleted the pre-resolver direct-dep packument prefetch; 12β22% wall-time win across fixture size, bandwidth, and RTT ([#​672](https://redirect.github.com/endevco/aube/pull/672)) - *(add)* `--allow-build=<pkg>` now flips an existing deny instead of erroring, help renders correctly as `--allow-build=<PKG>`, and the no-op `--ignore-scripts` is hidden on `add` / `import` / `update` ([#​660](https://redirect.github.com/endevco/aube/pull/660)) #### Fixed - *(linker)* Windows bin shims for `aube add --global β¦ --allow-build=<dep>` no longer emit a duplicated install-root path segment when `.aube/<dep>/` sits behind a directory junction ([#​659](https://redirect.github.com/endevco/aube/pull/659)) - *(global)* `aube remove --global` on Windows no longer fails with `Access is denied (os error 5)` on the hash pointer when it's an NTFS directory junction ([#​658](https://redirect.github.com/endevco/aube/pull/658)) #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.12.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.12.0): : Tidier config, smarter installs from bun.lock [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.11.0...v1.12.0) A round of fixes driven by user reports β `bun.lock` imports now keep peer-only packages, the store layout is reorganized so one cache mount covers everything, and `aube config set` stops scribbling unknown keys into `.npmrc`. #### Added - **Smarter `aube config set` / `delete` routing** ([#​634](https://redirect.github.com/endevco/aube/pull/634) by [@​jdx](https://redirect.github.com/jdx)) β Writes only land in `.npmrc` for the npm-shared surface (per-host auth/cert templates, scoped registries, and a curated allowlist of npm-standard scalars like `registry`, `proxy`, `fetch-retries`, β¦). Aube-only and pnpm-only keys (`autoInstallPeers`, `dangerouslyAllowAllBuilds`, `pnpmfilePath`, β¦) plus unknown free-form keys now go to `~/.config/aube/config.toml`. Dotted writes for aube map settings β `aube config set --local allowBuilds.@​mongodb-js/zstd true`, `aube config set --local overrides.lodash 4.17.21` β edit a single entry of `pnpm-workspace.yaml` (or `package.json#<pnpm|aube>.<map>`) in place. `aube config delete` sweeps both files so legacy writes from older versions are still cleaned up. New error code `ERR_AUBE_CONFIG_NESTED_AUBE_KEY` covers invalid nested writes. - **Polished install progress display** ([#​616](https://redirect.github.com/endevco/aube/pull/616) by [@​jdx](https://redirect.github.com/jdx)) β The bar is now cyan across every phase (no more "completing twice" as the phase flips green), reserves the final slice so it never reads 100% while the linker is still running, and paints a full 100% from a new `done` phase on `finish()` / `stop()` so the last frame matches the `β` summary line. The displayed `~XX MB` total is now a dynamic blend of the static `unpackedSize Γ 0.20` fallback and a linear extrapolation from observed bytes-per-package β converging to the real total instead of overshooting by \~48%. `resolving` switched yellow β cyan, the `pkgs` counter is bold/uncolored mid-install, and `WARN_AUBE_SLOW_METADATA` drops redundant fields. #### Fixed - **Peer-only packages from `bun.lock` no longer silently dropped** ([#​639](https://redirect.github.com/endevco/aube/pull/639) by [@​jdx](https://redirect.github.com/jdx)) β `filter_graph`'s GC walk ran *before* `hoist_auto_installed_peers`, so peer-installed deps like `@mui/material` that weren't directly listed in workspace `dependencies:` got pruned as unreachable before the hoist could promote them. The pipeline now hoists first, then walks. On the linked repro, `aube install` goes from 6 packages (with broken `@mui/material` / `@emotion/*`) to 44 with everything resolved. - **`bun.lock` imports now run the peer-context pass** ([#​619](https://redirect.github.com/endevco/aube/pull/619) by [@​jdx](https://redirect.github.com/jdx)) β `LockfileKind::Bun` was missing from the `apply_peer_contexts` branch, so peer-dependent packages landed at `.aube/<pkg>@​<ver>/` without sibling peer links and walked up to whatever hoisted copy they found. Now they get peer-qualified `dep_paths` (e.g. `@cloudflare+vite-plugin@1.17.1_vite@8.0.10_β¦`) with correct sibling symlinks, matching the npm-lockfile import behavior. - **Stale cached indexes now self-heal at fetch time** ([#​635](https://redirect.github.com/endevco/aube/pull/635) by [@​jdx](https://redirect.github.com/jdx)) β Cached package indexes moved from `$XDG_CACHE_HOME/aube/index/` into the store at `<store>/v1/index/`, next to `v1/files/`. The install fast path swapped `load_index` for `load_index_verified`, so an index whose CAS shards have drifted out from under it is dropped at fetch classification and the tarball re-fetched cleanly β instead of the materializer dying mid-link with `ERR_AUBE_MISSING_STORE_FILE`. Fixes a BuildKit cache-mount footgun where only one of the two cache dirs would be persisted. - **`engines.pnpm` no longer triggers spurious version warnings** ([#​633](https://redirect.github.com/endevco/aube/pull/633) by [@​jdx](https://redirect.github.com/jdx)) β A project pinning `engines.pnpm: ">=10.11.1"` produced `warn: wanted pnpm >=10.11.1, got 1.x` on every install (or a hard failure under `engine-strict`). Aube and pnpm live in different version namespaces, so honoring this field was net-negative. `engines.pnpm` is now skipped entirely; `engines.aube` is still honored for projects that want to gate on the running tool, and `engines.node` is unchanged. - **`update -i` no longer reports phantom upgrade rows for catalog deps** ([#​636](https://redirect.github.com/endevco/aube/pull/636) by [@​jdx](https://redirect.github.com/jdx)) β When a `catalog:` dep resolved to a newer version while the same name was pulled in transitively at an older one (e.g. `jose@6.2.3` direct + `jose@5.10.0` via `@upstash/qstash`), `lookup_pkg`'s name-scan picked the transitive snapshot as "current" and offered a downgrade row the rewrite path then ignored. Lookup now goes through the importer's `DirectDep.dep_path`. The companion fix extends the `--latest` prerelease guard to the *locked* version, so `"^1.0.0-rc.1"` isn't silently rewritten to whatever the registry's `latest` dist-tag points at. - **`update` / `add` / `dedupe` / `remove` / `audit` preserve cross-platform optionals and `time:` entries** ([#​637](https://redirect.github.com/endevco/aube/pull/637) by [@​jdx](https://redirect.github.com/jdx)) β These commands now route through install's `configure_resolver`, inheriting the full settings pipeline (`supportedArchitectures`, `resolutionMode`, `minimumReleaseAge`, overrides, β¦). They opt out of the full-packument disk cache so an immediately-following re-resolve picks up registry `dist-tag` changes, and the resolver carries forward the prior lockfile's `time:` entry when a fresh corgi packument lacks publish time for a resolved version β so direct deps don't lose their `time:` line on update. - **`aube add --global --allow-build=<pkg>` actually pre-approves builds** ([#​620](https://redirect.github.com/endevco/aube/pull/620) by [@​jdx](https://redirect.github.com/jdx)) β The synthetic inner `AddArgs` was being built with `allow_build: Vec::new()`, silently dropping the outer flag and erroring with "must be reviewed before install" under `strictDepBuilds=true`. The flag is now plumbed through `run_global` / `run_global_inner` and approvals are written to the throwaway install dir's `package.json#aube.allowBuilds` before lifecycle scripts run. #### Changed - **`aube store path` now returns the `v1/` directory** ([#​635](https://redirect.github.com/endevco/aube/pull/635)) β One level above the previous `v1/files/` output, so a single Docker BuildKit cache mount or backup captures both the CAS and the new co-located index dir. Scripts consuming `aube store path` will now mount one level higher (the intended behavior). A lazy in-place migration from the legacy `$XDG_CACHE_HOME/aube/index/` location runs on the first store open after upgrade (rename fast path, recursive-copy fallback for cross-FS). #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.11.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.11.0): : Workspace-root flags, scoped config, and a 2Γ macOS CAS fast path [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.4...v1.11.0) #### Added - *(install)* Fill the resolving bar against a real denominator so the progress bar advances during dependency resolution ([#​611](https://redirect.github.com/endevco/aube/pull/611)) - *(outdated, update)* Wire `-w/--workspace-root` to retarget cwd at the workspace root from a sub-package ([#​614](https://redirect.github.com/endevco/aube/pull/614)) - *(config)* Scope-split settings precedence and project `<cwd>/.config/aube/config.toml` support ([#​608](https://redirect.github.com/endevco/aube/pull/608)) - *(deploy)* Accept `--offline` and `--prefer-offline`, forwarded into the deploy install ([#​606](https://redirect.github.com/endevco/aube/pull/606)) - *(store)* Direct-write CAS fast path on macOS under an exclusive install lock (\~2Γ per-file CAS write speedup) ([#​615](https://redirect.github.com/endevco/aube/pull/615)) #### Fixed - *(linker)* Bin shims now point `NODE_PATH` at the hidden modules dir, and the isolated linker defaults `preferSymlinkedExecutables` to shims so `extendNodePath` actually works ([#​613](https://redirect.github.com/endevco/aube/pull/613)) - *(install/lockfile/outdated/update)* Address several bugs reported in [#​602](https://redirect.github.com/endevco/aube/discussions/602): lockfile rewrites when a dep moves between `dependencies`/`devDependencies`, `outdated -r` includes the workspace root, semver-diff color in `Wanted`/`Latest`, smarter `update -i` picker, and `updateConfig.ignoreDependencies` is loaded from the workspace root ([#​610](https://redirect.github.com/endevco/aube/pull/610)) - *(install)* Probe link strategy against the actual destination dir so cross-FS installs with GVS enabled hardlink instead of falling back to per-file copy ([#​604](https://redirect.github.com/endevco/aube/pull/604)) - *(install)* Surface the underlying materializer error instead of a generic "channel closed" message ([#​607](https://redirect.github.com/endevco/aube/pull/607)) - *(progress)* Clamp `reused` on a downward `set_total` rebase so summaries stop reporting `reused > resolved` ([#​609](https://redirect.github.com/endevco/aube/pull/609)) - *(config)* Preserve a symlinked `~/.config/aube/config.toml` on write ([#​605](https://redirect.github.com/endevco/aube/pull/605)) - *(registry)* Coalesce slow-metadata warnings into a single resolve-end summary instead of one warning per slow packument ([#​592](https://redirect.github.com/endevco/aube/pull/592)) #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.4`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.4): : Streaming tarball retries + 32-bit Linux build fix [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.3...v1.10.4) Two targeted fixes: cold installs now retry transient registry failures on the streaming tarball path, and `aube-store` builds cleanly on 32-bit Linux again. #### Fixed - **Streaming tarball fetch retries transient failures** ([#​591](https://redirect.github.com/endevco/aube/pull/591) by [@​jdx](https://redirect.github.com/jdx)) β `start_tarball_stream` (the default install hot path for sha512-pinned lockfile entries) used to skip retry entirely to avoid unwinding partial CAS writes mid-stream. That reasoning is sound for mid-stream errors, but it also leaked into *pre-response* failures: a 503, 429, connection refused, or connection reset before any chunk had flowed would propagate straight back to the caller with no recovery, while the buffered path retried the same failures up to `fetchRetries` times. The initial `send().await` now retries on `is_retriable_status` (5xx + 429, honoring `Retry-After`) and on transport errors (bounded by `TIMEOUT_RETRY_CAP`), emitting the existing `WARN_AUBE_HTTP_RETRY_TRANSIENT` / `_TRANSPORT` logs. Once headers pass `error_for_status` and chunks start flowing, behavior is unchanged. Caught on a macOS PGO dry-run where Verdaccio / the throttle-proxy hiccupped and the install bailed without a single retry log line. - **`aube-store` builds on 32-bit Linux** ([#​587](https://redirect.github.com/endevco/aube/pull/587) by [@​jdx](https://redirect.github.com/jdx)) β The `posix_fallocate` wrapper hard-coded `len: i64`, which matches `libc::off_t` on every 64-bit target but breaks armhf, where the default (non-LFS) `off_t = i32`. The wrapper now takes `libc::off_t` directly and the single call site casts `bytes.len() as libc::off_t`, unblocking Launchpad's Ubuntu Resolute armhf build of aube and any downstream `armv7-unknown-linux-gnueabihf` consumer. #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.3`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.3) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.2...v1.10.3) > \[!NOTE] > No user-visible code changes since v1.10.2. Tagged so the release-plz / `cargo publish` cadence stays unbroken; entries below are CI and benchmark tooling. #### Fixed - *(ci)* Add native `aarch64-unknown-linux-gnu` PGO matrix row and bump macOS arm64 PGO to `macos-arm64-large` to work around the v1.10.1 instrumented-binary segfault ([#​582](https://redirect.github.com/endevco/aube/pull/582)) - *(bench)* Install yarn 4 via `npm:@​yarnpkg/cli-dist@latest` β the `yarn` npm package only publishes 1.x and 2.x ([#​583](https://redirect.github.com/endevco/aube/pull/583)) - *(bench)* Pass `--frozen-lockfile` to vlt install scenarios so vlt is measured on the same path as every other tool in the matrix ([#​581](https://redirect.github.com/endevco/aube/pull/581)) #### Binaries This release ships without prebuilt archives. Install via `cargo install aube`, `mise use aube`, or `npm i -g aube`. #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.2) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.1...v1.10.2) > \[!NOTE] > No user-visible code changes since v1.10.1. Tagged so the release-plz / `cargo publish` cadence stays unbroken; entries below are CI and benchmark tooling. #### Changed - *(ci)* Bump x86\_64 Linux PGO release runners to `linux-amd64-large` (32 GB) to fix OOM during the instrumented link step ([#​577](https://redirect.github.com/endevco/aube/pull/577)) - *(docs)* Benchmark matrix switches yarn to berry, adds **deno** and **vlt**, refreshes the landing-page chart ([#​578](https://redirect.github.com/endevco/aube/pull/578)) #### Binaries This release has a partial archive set. For a complete set of prebuilts, use a later release β or install via `cargo install aube`, `mise use aube`, or `npm i -g aube`. #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.1) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.0...v1.10.1) #### Added - *(install)* Post-install summary flags **deprecated** and **outdated** direct deps inline so you see what to upgrade without scrolling back through fetch output ([#​575](https://redirect.github.com/endevco/aube/pull/575)) #### Fixed - *(deploy)* `aube deploy` resolves `catalog:` references and accepts packages without an explicit `version` field ([#​574](https://redirect.github.com/endevco/aube/pull/574)) - *(install)* Pad package counts in the progress UI and drop the ETA placeholder when none is available ([#​570](https://redirect.github.com/endevco/aube/pull/570)) - *(release)* `npm publish` skips already-published versions so re-running the publish workflow is idempotent ([#​565](https://redirect.github.com/endevco/aube/pull/565)) #### Changed - *(release)* x86\_64 Linux GNU/musl and macOS arm64 binaries now ship as PGO-optimized artifacts. Linux x86\_64 uses `cross` for the glibc baseline; macOS arm64 builds natively ([#​572](https://redirect.github.com/endevco/aube/pull/572)) #### Performance - *(registry)* Swap `simd-json` for `sonic-rs` on the packument hot path ([#​569](https://redirect.github.com/endevco/aube/pull/569)) - *(registry)* Drop deep clone and `fsync` from packument cache writes ([#​568](https://redirect.github.com/endevco/aube/pull/568)) #### Binaries This release has a partial archive set. For a complete set of prebuilts, use a later release β or install via `cargo install aube`, `mise use aube`, or `npm i -g aube`. #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.10.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.0): : Recursive runs grow up, install gets a diagnostics microscope [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.9.1...v1.10.0) #### Added - *(cli)* Wire the recursive-run flags (`--sort`/`--no-sort`, `--reverse`, `--resume-from`, `--workspace-concurrency`, `--reporter-hide-prefix`) and add a per-package output multiplexer for parallel runs ([#​545](https://redirect.github.com/endevco/aube/pull/545)) - *(diag)* End-to-end install instrumentation and the `aube diag analyze` / `aube diag compare` subcommands behind a new `--diag <summary|trace|live|full>` flag ([#​547](https://redirect.github.com/endevco/aube/pull/547)) - *(install)* Post-install dependency summary grouped by dependency type ([#​559](https://redirect.github.com/endevco/aube/pull/559)) - *(update)* `--lockfile-only` flag to refresh `aube-lock.yaml` without touching `node_modules` ([#​560](https://redirect.github.com/endevco/aube/pull/560)) - *(add)* `linkWorkspacePackages` and `saveWorkspaceProtocol` settings plus `--save-workspace-protocol` / `--no-save-workspace-protocol` flags ([#​539](https://redirect.github.com/endevco/aube/pull/539)) #### Fixed - *(workspace)* Linker no longer substitutes a workspace sibling for a registry-pinned dep, lockfile drift flags orphan importers, recursive `remove` skips projects that don't declare the dep, and parent-relative `../**` globs in `pnpm-workspace.yaml` are honored ([#​564](https://redirect.github.com/endevco/aube/pull/564)) - *(workspace)* Filtered runs respect `--workspace-root` and `includeWorkspaceRoot: true` ([#​556](https://redirect.github.com/endevco/aube/pull/556)) - *(update)* Filtered workspace updates merge back into the shared root lockfile under `sharedWorkspaceLockfile=true` instead of leaving per-package `aube-lock.yaml` files behind ([#​558](https://redirect.github.com/endevco/aube/pull/558)) - *(update)* `--interactive` renders a multiselect picker, fails fast on non-TTY, and `--latest` preserves `catalog:` / `catalog:<name>` specifiers ([#​552](https://redirect.github.com/endevco/aube/pull/552)) - *(pnpmfile)* Hard-fail the install when a defined `readPackage` hook returns a non-object ([#​562](https://redirect.github.com/endevco/aube/pull/562)) - *(deploy)* Keep filtered workspace packages in the index when `package.json` has no `version` ([#​549](https://redirect.github.com/endevco/aube/pull/549)) - *(install)* Inherit top-level `pnpm.allowBuilds` approvals into the nested install used for git-dep `prepare` ([#​546](https://redirect.github.com/endevco/aube/pull/546)) - *(cli)* Skip `verifyDepsBeforeRun` checks when `npm_lifecycle_event` is set, fixing both the `error`-mode hard-fail and the `install`-mode lock deadlock from nested `aube run` inside lifecycle scripts ([#​538](https://redirect.github.com/endevco/aube/pull/538)) - *(install)* Interactive `aube approve-builds` requires at least one selection and the TTY guard checks both stdin and stderr ([#​537](https://redirect.github.com/endevco/aube/pull/537)) #### Changed - *(install)* New `aube_util::adaptive` limiter (slow-start, AIMD, CUSUM-gated shrink) wired at every previously magic-numbered concurrency site, with a separate http1-only reqwest client for tarball downloads ([#​548](https://redirect.github.com/endevco/aube/pull/548)) #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
jdx
|
5b3e4e007b
|
chore(ci): close failing or conflicted PRs sooner (#480)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
zizmor / zizmor (push) Has been cancelled
build-test / final (push) Has been cancelled
## Summary
- close inactive PRs after 7 days only when they have failing checks or
merge conflicts
- include merge state in the PR closer query and close with the specific
reason
- keep existing exclusions for @jdx-authored and keep-open PRs
## Validation
- actionlint .github/workflows/pr-closer.yml
- git diff --check
- jq filter sample validation
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Automates PR closure based on CI/merge-state signals; a bug in the
query or jq logic could incorrectly close active or recoverable PRs.
Limited to GitHub Actions workflow changes but impacts contributor
workflow.
>
> **Overview**
> Updates the `pr-closer` GitHub Actions workflow to **close PRs much
sooner (7 days inactivity)**, but only when they have *failing checks
and/or merge conflicts*.
>
> The workflow now queries `mergeStateStatus` and expanded check
conclusions to generate a specific closure reason, skips βwarn-onlyβ
states (e.g., cancelled checks/unknown merge state), increases the
listing limit to 500, and adds `concurrency` plus additional read
permissions (`checks`, `statuses`) to support the new filtering.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
6e1ac6be91
|
fix(ci): pin codeql-action with exact version comment (#481)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
renovate[bot]
|
43db152e9b
|
chore(deps): update dependency aube to v1.9.1 (#478)
Some checks failed
Check dist/ / Check dist/ (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
release-plz / release-plz (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / build (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.6.2` β `v1.9.1` | `v1.14.1` (+10) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.9.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.1): : Cold install overhaul, HTTP prefetch, and workspace fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.9.0...v1.9.1) A performance- and correctness-focused patch release. Cold installs get a streaming tarball pipeline, Linux gets an `O_TMPFILE`+`linkat` CAS fast path, and the resolver's cold path overlaps DNS, TLS, and packument prefetch with the manifest/workspace/lockfile work that used to serialize them. On the fix side, `aube run` once again finds `node-gyp` for package scripts, and `aube update` / `aube outdated` stop trying to fetch unpublished `workspace:` deps from the registry. #### Added - **Pre-resolver packument prefetch + shared HTTP utilities** ([#​529](https://redirect.github.com/endevco/aube/pull/529) by [@​imjustprism](https://redirect.github.com/imjustprism)) β a new `aube-util::http` module consolidates client-side primitives (`prewarm`, `priority`, `race`, `resolve`, `ticket_cache`) so leaf crates share one warm-pool surface with consistent killswitch semantics. On install entry, aube now reads `package.json` and fires fire-and-forget packument GETs for every registry-shaped direct dep before workspace yaml load, settings resolve, lockfile parse, and resolver construction β by the time the resolver pops its first task, the packument cache and reqwest pool are warm. `RegistryClient::prewarm_connection` now covers the default registry **plus** every scoped (`@org:registry=...`) and per-uri auth registry, with parallel DNS preresolve so DNS RTT hides behind the TLS handshake. Abbreviated packument GETs also send `Priority: u=0` (RFC 9218 Critical) so H2 schedulers prioritize resolver-blocking metadata over pending tarball frames. New killswitches: `AUBE_DISABLE_DNS_PRERESOLVE`, `AUBE_DISABLE_REQUEST_RACING`, `AUBE_DISABLE_PREFETCH`, `AUBE_DISABLE_TLS_TICKET_CACHE`. Prefetch is a no-op when offline or when any lockfile is present. - **Cold install pipeline overhaul** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) β several overlapping wins on the cold-cache path: - **Streaming tarball pipeline** (opt-in via `AUBE_TARBALL_STREAM=1`, killswitch `AUBE_DISABLE_TARBALL_STREAM`) β HTTP body chunks pipe through SHA-512 + gz + tar + CAS via an mpsc bridge instead of buffering the whole tarball; non-SHA-512 SRI falls back to buffered. Bounded by the registry's `tarball_max_bytes` cap. - **Linux `O_TMPFILE` + `linkat` CAS publish** with `EOPNOTSUPP` fallback to the tempfile path, `posix_fallocate` to avoid ext4 fragmentation, and `posix_fadvise(DONTNEED)` to free page cache after publish. Killswitch: `AUBE_DISABLE_O_TMPFILE`. - **Materialize-stream into the lockfile fast path** β both lockfile and no-lockfile branches now share the GVS prewarm materializer, hiding 30-200ms of GVS reflinks behind the in-flight download tail. - **Resolver tuning** β foldhash on `graph_hash` hot maps, pre-sized resolver caches, thread-local `node_semver::Version` parse cache, `PARALLEL_IMPORT_THRESHOLD` lowered from 256 to 16 (median npm tarball is 7 files), and pinned tokio `worker_threads` (`cpu.min(8)`) / `max_blocking_threads(64)` (tunable via `AUBE_TOKIO_WORKERS` / `AUBE_TOKIO_BLOCKING`). - **Windows** gets `FILE_ATTRIBUTE_NOT_CONTENT_INDEXED` on the store root; cross-volume detection (drive letters on Windows, `dev` id on Unix) is gated per-platform. Reported same-volume Windows cold-install ratios: 1.80x-8.75x faster than Bun across svelte/vite/next/babylon. - **Per-project materialize pipelined into fetch** ([#​527](https://redirect.github.com/endevco/aube/pull/527) by [@​imjustprism](https://redirect.github.com/imjustprism)) β when GVS is off, each fetched `(canonical_key, PackageIndex)` triggers `materialize_into` against `.aube/<dep_path>/` immediately, so by the time fetch finishes the dedicated link phase only has to create top-level `node_modules/<name>` symlinks. The driver now uses `JoinSet` instead of `Vec<JoinHandle>`, so on early-return all in-flight tasks abort instead of detaching and racing install cleanup. \~10% improvement on warm fresh installs in the local benchmark matrix. #### Fixed - **`aube run` / `aube test` find `node-gyp`** ([#​518](https://redirect.github.com/endevco/aube/pull/518) by [@​jdx](https://redirect.github.com/jdx)) β package scripts only had `node_modules/.bin` prepended to `PATH`, so `aube test` would fail with `node-gyp: not found` on hosts that didn't already ship it. Script execution now reuses aube's existing node-gyp bootstrap (via a lazy shim bin dir + `AUBE_NODE_GYP_EXE` / `AUBE_NODE_GYP_PROJECT_DIR`), matching pnpm/npm behavior. Ports pnpm's `lifecycleScripts.ts:128` coverage into the offline node-gyp bootstrap bats suite. - **`workspace:` deps in `aube update` / `aube outdated`** ([#​523](https://redirect.github.com/endevco/aube/pull/523) by [@​jdx](https://redirect.github.com/jdx), fixes [#​520](https://redirect.github.com/endevco/aube/discussions/520)) β `aube update` now discovers workspace package `name`/`version` pairs and passes them into resolver workspace resolution so `workspace:` deps from `package.json#workspaces` resolve locally instead of triggering registry packument fetches. `aube outdated` filters out direct deps with `workspace:` specifiers and reports "no matching dependencies" rather than attempting a packument fetch. Adds a new `WARN_AUBE_WORKSPACE_PACKAGE_MISSING_NAME` warning code for workspace packages without a `name` field. - **Resolver peer-context divergence is fatal** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) β `apply_peer_contexts` hitting `MAX_ITERATIONS` used to log a warning and ship a broken graph; it now returns a fatal `Error::PeerContextDivergence(usize)`. `state::remove_state` errors at `--force` and GVS-transition sites also propagate instead of being silently swallowed, so permission-denied or Windows-locked sidecars no longer defeat the freshness check. - **Tarball hardening** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) β entries declared as 0 bytes with non-zero stream payload are now rejected (synthetic-entry injection guard), and GNU `LongName` / `LongLink` metadata records are correctly accepted. - **Patches loaded once per cwd** ([#​529](https://redirect.github.com/endevco/aube/pull/529) by [@​imjustprism](https://redirect.github.com/imjustprism)) β `load_patches_for_linker` walked `patches/` from disk 2-3 times per install (lockfile-prewarm, no-lockfile-prewarm, and link-phase sites). Now cached per cwd via `OnceLock<Mutex<HashMap<PathBuf, ...>>>`. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.9.0...v1.9.1> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.9.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.0): : Comment-preserving workspace edits, deploy bundling, and node --inspect [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.8.0...v1.9.0) A focused release: `aube deploy` learns to bundle workspace siblings and local-path deps into the deploy artifact, workspace-yaml writers stop eating user comments, aube-owned settings move out of `.npmrc`, and `aube run` forwards Node debugger flags. #### Added - **Aube settings move out of `.npmrc`** ([#​517](https://redirect.github.com/endevco/aube/pull/517) by [@​jdx](https://redirect.github.com/jdx)) β known aube-owned settings now live in `~/.config/aube/config.toml` (XDG-aware), while registry, auth, and unknown keys keep using `.npmrc`. `aube config get/set/list/delete` reads and writes the right file automatically, and migrating a known setting cleans up the stale `.npmrc` entry. `.npmrc` writes are also atomic against the **symlink target** now, so dotfile setups that symlink `~/.npmrc` into a managed config repo stop having the symlink replaced by a regular file. - **`aube run --inspect` / `--inspect-brk`** ([#​515](https://redirect.github.com/endevco/aube/pull/515) by [@​jdx](https://redirect.github.com/jdx)) β both flags accept an optional `[host:]port` (e.g. `--inspect=9229`, `--inspect-brk=0.0.0.0:9230`) and are forwarded as explicit Node argv when aube can identify a Node-backed target β direct `node ...` scripts in `package.json` and local `node_modules/.bin` fallbacks resolved through shims/symlinks. The flags are passed as argv rather than via `NODE_OPTIONS`, so the debugger doesn't attach to nested Node processes spawned by the script. - **`aube deploy --no-prod`** ([#​507](https://redirect.github.com/endevco/aube/pull/507) by [@​jdx](https://redirect.github.com/jdx)) β opt out of the default `--prod` filter for deploys that need devDependencies at runtime (test-harness staging, build-step artifacts). Mutually exclusive with `--prod` / `--dev`; combine with `--no-optional` to keep prod + dev but drop optionals. - **Comment-preserving workspace yaml writes** ([#​511](https://redirect.github.com/endevco/aube/pull/511) by [@​jdx](https://redirect.github.com/jdx)) β every workspace-yaml writer (`approve-builds`, `patch-commit`, `patch-remove`, the daily `cleanupUnusedCatalogs` install pass, and `aube config set --location workspace`) now routes through `yamlpatch` instead of round-tripping the file through a serializer. Keys, comments, and whitespace the edit didn't touch land back on disk byte-identical, so user annotations on adjacent entries survive. Empty/missing files still go through the regular serializer since there are no comments to preserve. #### Fixed - **`aube deploy` bundles local dependencies** ([#​507](https://redirect.github.com/endevco/aube/pull/507) by [@​jdx](https://redirect.github.com/jdx)) β fixes two real bugs reported in [#​345](https://redirect.github.com/endevco/aube/discussions/345): - **`workspace:*` siblings tried to fetch from the registry.** Deploy used to rewrite `workspace:*` to a concrete version and ask install to resolve it β fine for published siblings, broken for the (very common) unpublished case. Reachable workspace siblings are now copied into `<target>/.aube-deploy-injected/<id>/` and the manifest spec becomes a relative `file:` pointer. Recursion handles sibling chains where a sibling's own deps are workspace siblings. - **`file:` deps resolved relative to the deploy output dir.** A `file:../local-vendor` spec used to ride along unchanged in the deployed manifest, pointing at `<target>/../local-vendor` instead of the source workspace's `local-vendor`. Local-path deps now go through the same staging pipeline. When bundling occurs the lockfile-subset path is skipped, since the rewritten `file:` pointers don't appear in the source lockfile and would otherwise trip a frozen install. - **`aube remove` preserves dependency order** ([#​511](https://redirect.github.com/endevco/aube/pull/511) by [@​jdx](https://redirect.github.com/jdx)) β dropping one dep used to alphabetize the remaining entries in the affected `package.json` section as a side effect. Surviving entries now stay in their original on-disk order, matching pnpm/npm. (`aube add` is unaffected β sorted inserts there are intentional.) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.8.0...v1.9.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.8.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.8.0): : Stable error codes, smarter run/dlx, and a new install progress UI [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.7.0...v1.8.0) A polish-and-plumbing release: install progress gets a from-scratch redesign, errors and warnings now carry stable identifiers (with bespoke exit codes and dep-chain context), `aube run` / `aube dlx` prefer locally-installed binaries, and a handful of workspace-from-subpackage and `aube add` ergonomics get fixed. #### Added - **Redesigned install progress UI** ([#​501](https://redirect.github.com/endevco/aube/pull/501) by [@​jdx](https://redirect.github.com/jdx)) β fixed 15-char bar on the left, stats on the right, phase-aware label (`resolving` / `fetching` / `linking`), ETA, transfer rate, and an estimated install size derived from the resolve stream: ``` aube 1.8.0 by en.dev βββββββββββββββ 23/142 pkgs Β· 4.2 MB / ~13.8 MB Β· 1.4 MB/s Β· ETA 5s βββββββββββββββ 1230/1230 pkgs Β· linking β resolved 1230 Β· reused 98 Β· downloaded 1132 (54.6 MB) in 6.8s ``` Installs that finish before the first 2s heartbeat now print a single self-identifying summary line (`β installed 5 packages in 423ms`) instead of a partial bar. Also fixes two real bookkeeping bugs (a `2/1 packages` overflow on platform-mismatched non-optional deps, and the "stuck at 90%" undercount caused by `filter_graph` dropping packages after the denominator was inflated). - **Local bins for `aube run` and `aube dlx`** ([#​502](https://redirect.github.com/endevco/aube/pull/502) by [@​jdx](https://redirect.github.com/jdx)) β `aube run <name>` falls back to `node_modules/.bin/<name>` when no `package.json` script matches, and `aube dlx` / `aubx` will execute an already-installed local binary instead of doing a throwaway install. Pass `-p` / `--package` (or a versioned spec) to force the install path. - **Stable error and warning codes** ([#​492](https://redirect.github.com/endevco/aube/pull/492) by [@​jdx](https://redirect.github.com/jdx)) β every error and warning aube emits now carries an `ERR_AUBE_*` or `WARN_AUBE_*` identifier in a structured field, so CI scripts and ndjson consumers can branch on the code instead of substring-matching English messages. A curated subset maps to bespoke Unix exit codes (10β99 in 10-wide ranges by category) so shells can react to specific failures without parsing stderr β e.g. `aube install --frozen-lockfile` in an empty dir exits with `10` (`ERR_AUBE_NO_LOCKFILE`). Post-resolver errors that mention a specific package now also include the dependency chain back to the importer (`chain: a@1 > b@2 > leaf@3`) so a tarball-integrity or fetch failure tells you *why* your install pulled that transitive dep. The full code list lives at `docs/error-codes.md`. #### Fixed - **`aube why` / `list` / `query` from a workspace subpackage** ([#​504](https://redirect.github.com/endevco/aube/pull/504) by [@​jdx](https://redirect.github.com/jdx)) β these commands resolved cwd via the nearest `package.json`, so running them inside `packages/foo/` errored with `No lockfile found. Run aube install first.` even though the workspace lockfile sat one level up. They now walk up to the workspace root when one is present. - **Workspace lifecycle scripts and pnpm-lock npm aliases** ([#​500](https://redirect.github.com/endevco/aube/pull/500) by [@​jdx](https://redirect.github.com/jdx)) β recursive workspace installs now run `preinstall`/`install`/`postinstall`/`prepare` for each linked workspace importer in dependency order (not just the root), and the build-script policy merges `pnpm.allowBuilds` / `onlyBuiltDependencies` / `neverBuiltDependencies` across all participating manifests so a member can approve its own dep's builds. `pnpm-lock.yaml` now writes npm aliases in pnpm's native `<real>@​<version>` encoding instead of leaking aube's internal `aliasOf` field. - **`aube add` auto-detects local paths** ([#​499](https://redirect.github.com/endevco/aube/pull/499) by [@​jdx](https://redirect.github.com/jdx)) β `aube add /path/to/lib`, `./lib`, `~/lib`, `file:./lib`, and `link:./lib` no longer fall through to the registry path with a confusing `HTTP 405 Method Not Allowed`. Bare paths default to `link:` for directories and `file:` for tarballs (pnpm parity); explicit prefixes are preserved. Tarball-suffix paths emit a clear "not yet supported in `aube add`" hint instead of a 405. #### Changed - **Per-command `--help` is bucketed** ([#​505](https://redirect.github.com/endevco/aube/pull/505) by [@​jdx](https://redirect.github.com/jdx)) β `--frozen-lockfile` / `--prefer-frozen-lockfile`, `--registry` + `--fetch-*`, and `--disable/--enable-global-virtual-store` moved off the global flag set into per-command groups under `Lockfile` / `Network` / `Virtual store` headings, and now appear only on commands that consume them. Seven pnpm-compat no-op flags (`--workspace-packages`, `--ignore-workspace`, `--include-workspace-root`, `--aggregate-output`, `--stream`, `--use-stderr`, `--yes`) are still parsed but hidden from `--help`. Pre-subcommand placement still works (`aube --frozen-lockfile install`, `aube --registry=URL install`) via an argv pre-pass. One caveat: implicit-script invocations like `aube --frozen-lockfile dev` (where `dev` is a `package.json` script) no longer apply the flag β write `aube run --frozen-lockfile dev` instead. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.7.0...v1.8.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.7.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.7.0): : Local & git specs in aube add, faster cold installs [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.2...v1.7.0) A feature-heavy release: `aube add` learns git and local-path specs, workspace commands gain support for yaml-only "coordinator" monorepos, `aube update` and `aube rebuild` get pnpm-parity polish, and a deep performance pass speeds up cold installs by up to \~1.9Γ. #### Highlights - **`aube add` is now a one-stop shop** for git, GitHub-shorthand, and `link:` / `file:` local-path dependencies β not just registry packages. - **Performance pass on the install hot path** ([#​469](https://redirect.github.com/endevco/aube/pull/469)) lands streaming SHA-512, parallel CAS imports, TLS prewarm, fetch reordering, and a long tail of cold-path cleanups, with measured cold-install speedups up to \~1.9Γ vs v1.6.2. - **Workspace and pnpm parity polish** across `update`, `rebuild`, yaml-only roots, unversioned members, and nested `link:` / `file:` resolution. #### Added - **`aube add file:./pkg` / `link:../sibling`** ([#​487](https://redirect.github.com/endevco/aube/pull/487) by [@​jdx](https://redirect.github.com/jdx)) β local-path specs are routed through a non-registry branch, with the manifest key derived from the path basename (with `.tgz` / `.tar.gz` stripped) or from an explicit alias. `aube add my-bundle@file:./bundle.tgz` works too. - **`aube add` supports git specs** ([#​483](https://redirect.github.com/endevco/aube/pull/483) by [@​jdx](https://redirect.github.com/jdx)) β bare GitHub shorthand, `github:` / `gitlab:` / `bitbucket:` prefixes, full `git+ssh` / `git+https` URLs, and aliases. The verbatim spec is written to `package.json` and the resolver handles the rest: ```bash aube add kevva/is-negative aube add github:kevva/is-positive aube add my-alias@git+https://github.com/kevva/is-negative.git ``` - **Yaml-only workspace roots** ([#​486](https://redirect.github.com/endevco/aube/pull/486) by [@​jdx](https://redirect.github.com/jdx)) β `install`, `list`, `run -r`, `query`, and `why` now work in pure-coordinator monorepos that have `pnpm-workspace.yaml` / `aube-workspace.yaml` at the root but no root `package.json` (Turborepo-style layouts). Single-project commands like `add` / `remove` still hard-error without a manifest. - **`aube update <pkg>` rewrites manifest ranges by default** ([#​479](https://redirect.github.com/endevco/aube/pull/479) by [@​jdx](https://redirect.github.com/jdx)) β caret/tilde ranges (`^1.2.0`, `~1.2.0`) are rewritten to track the resolved in-range max, matching pnpm. Other shapes (`>=`, exact pins, dist-tags, git, `workspace:`) stay frozen. Set `update-rewrites-specifier=false` to keep the previous behavior. - **`aube rebuild <pkg>...`** ([#​477](https://redirect.github.com/endevco/aube/pull/477) by [@​jdx](https://redirect.github.com/jdx)) β runs lifecycle scripts only for the named deps, bypasses the `allowBuilds` / `onlyBuiltDependencies` policy, and skips root hooks. Composes with `--filter`. Bare `aube rebuild` continues to do a full policy-respecting rebuild. - **Persistent unreviewed-builds warning** ([#​476](https://redirect.github.com/endevco/aube/pull/476) by [@​jdx](https://redirect.github.com/jdx)) β repeat warm-path installs no longer swallow the "ignored build scripts for N package(s)" nudge; the spec keys are persisted in `.aube-state` and re-emitted on every install. - **`aube update --depth` no longer silently ignored** ([#​473](https://redirect.github.com/endevco/aube/pull/473) by [@​jdx](https://redirect.github.com/jdx)) β emits a one-line warning pointing at `rm aube-lock.yaml && aube install` for the only useful semantic case. #### Fixed - **Faster cold installs** ([#​469](https://redirect.github.com/endevco/aube/pull/469) by [@​imjustprism](https://redirect.github.com/imjustprism)) β a wide hot-path pass with measurable wins on real registries: | Project | v1.6.2 | v1.7.0 | Speedup | | ----------------- | --------: | ------: | ------: | | svelte (56 pkg) | 1393 ms | 1386 ms | 1.01Γ | | vue (117 pkg) | 1590 ms | 1360 ms | 1.17Γ | | next.js (336 pkg) | 14071 ms | 9160 ms | 1.54Γ | | babylon (21 pkg) | \~6000 ms | 3186 ms | \~1.9Γ | Highlights: streaming SHA-512 over the wire (no second buffered hash pass), two-phase parallel CAS tar import, speculative TLS/HTTP/2 prewarm behind manifest parse, native-build packages floated to the front of the fetch queue, `Accept-Encoding: gzip, br, zstd` on packuments, in-process DNS cache via `hickory-dns`, mmap+rayon BLAKE3 over 4 MiB, network concurrency default raised 64 β 128, and zero-copy packument parsing. Every change ships with an `AUBE_DISABLE_*` killswitch (`AUBE_DISABLE_STREAMING_SHA512`, `AUBE_DISABLE_SPECULATIVE_TLS`, `AUBE_DISABLE_CRITICAL_PATH`, `AUBE_DISABLE_PARALLEL_IMPORT`, `AUBE_DISABLE_MMAP_BLAKE3`, `AUBE_DISABLE_SNAPSHOTS`) plus an `AUBE_CONCURRENCY=N` clamp. - **Nested `link:` / `file:` resolution** ([#​470](https://redirect.github.com/endevco/aube/pull/470) by [@​jdx](https://redirect.github.com/jdx)) β fixes the `transitive local specifier link:./libs/foo cannot be resolved without the parent package source root` install error in two cases: a `file:` / `link:` parent declaring a transitive `link:`, and a root `pnpm.overrides` rewriting a registry dep to a local path. Override paths now anchor at the project root like pnpm does. - **Workspace members without `version`** ([#​480](https://redirect.github.com/endevco/aube/pull/480) by [@​jdx](https://redirect.github.com/jdx)) β fall back to `0.0.0` instead of hard-erroring. `workspace:*` / `^` / `~` siblings still link locally; specific ranges like `workspace:^2.0.0` still correctly fail to satisfy. Unblocks repos like [tuist/tuist#10584](https://redirect.github.com/tuist/tuist/pull/10584). - **Bare `user/repo` parsed as GitHub shorthand** ([#​472](https://redirect.github.com/endevco/aube/pull/472) by [@​jdx](https://redirect.github.com/jdx)) in lockfile/spec parsing, with `update --latest` now skipping git-spec deps so they can't be silently rewritten into registry pins. - **CLI short help wraps cleanly** ([#​478](https://redirect.github.com/endevco/aube/pull/478) by [@​jdx](https://redirect.github.com/jdx)) β many flags across `add`, `install`, `publish`, `update`, `view`, etc. had multi-line doc comments that clap merged into 120+ char paragraphs for `-h`. Now each flag has a one-line summary followed by the longer prose, restoring readable short help on standard terminals. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.6.2...v1.7.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzkuMyIsInVwZGF0ZWRJblZlciI6IjQzLjE3OS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
Taku Kodama
|
93ca8a4cef
|
fix: install mise-shim.exe on Windows (#476)
Some checks failed
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
zizmor / zizmor (push) Has been cancelled
|
||
|
jdx
|
a0eaf7aa03
|
fix(ci): add gh auth setup-git to release-plz.sh (#473)
Some checks failed
release-plz / release-plz (push) Has been cancelled
build-test / build (push) Has been cancelled
zizmor / zizmor (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
Check dist/ / Check dist/ (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
## Summary
- Follow-up to [#471](https://github.com/jdx/mise-action/pull/471): the
release-plz checkout now uses `persist-credentials: false`, so the token
isn't written to `.git/config` and `git push origin release --force` in
[scripts/release-plz.sh](scripts/release-plz.sh) would 403.
- Mirror the workaround already applied to
[scripts/postversion.sh:9](scripts/postversion.sh:9) by calling `gh auth
setup-git` after the `git config user.{name,email}` block, before any
`git push`.
Flagged by Cursor Bugbot on
https://github.com/jdx/mise-action/pull/471#pullrequestreview-4275760577.
## Test plan
- [ ] Next scheduled release-plz run (or manual `workflow_dispatch`)
successfully pushes the `release` branch without a 403.
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk CI-only change that affects the release automation path; main
impact is whether the workflow can successfully push the `release`
branch.
>
> **Overview**
> Fixes the `scripts/release-plz.sh` release automation to run `gh auth
setup-git` after setting the git author, ensuring `git push` works when
`actions/checkout` uses `persist-credentials: false`.
>
> This prevents 403 failures when pushing the forced `release` branch
during automated version bump PR creation.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
46bb674500
|
chore(ci): add zizmor workflow for github actions security analysis (#471)
Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub
Actions workflows for security issues. Runs on push to main and on PRs
that change `.github/workflows/**`. Fails CI on any finding.
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/workflow hardening, but it also changes release automation
(`postversion.sh`) and workflow permissions/credentials behavior, which
could break tagging/publishing if misconfigured.
>
> **Overview**
> Adds a new `zizmor` workflow that runs on PRs/pushes touching
`.github/workflows/**` to security-audit workflows.
>
> Hardens existing workflows by defaulting to least-privilege
`permissions`, setting `actions/checkout` to `persist-credentials:
false`, and adjusting related behavior (e.g., `scripts/postversion.sh`
now runs `gh auth setup-git` so `git push` still works; `ci.yml`
disables `mise-action` caching; `test.yml` avoids interpolating
`steps.bad.outcome` inside a shell string by passing it via env).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
ff58e14023
|
chore(ci): remove autofix.ci workflow (#470)
Removes the autofix.ci workflow.
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: deletes a standalone CI workflow with no runtime code
changes, but it will stop automatic fix commits on PRs and could
increase manual formatting churn.
>
> **Overview**
> Removes the `.github/workflows/autofix.yml` GitHub Actions workflow
that previously ran on `pull_request`/`main` pushes to install deps,
build/package, and invoke `autofix-ci/action` to push automated fixes
back to branches.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
3b3c8bb538
|
ci: remove pull_request_target workflow (#469)
## Summary
- Deletes the only workflow in this repo triggered by
`pull_request_target`.
- `pull_request_target` runs in the context of the base repo (with
secrets / write tokens) on PRs from forks, which is risky. The workflow
only validated PR titles; not worth the trust footprint.
## Test plan
- [ ] None β workflow file removal only.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: deletes a GitHub Actions workflow only; no application code
or runtime behavior changes, and it reduces exposure from
`pull_request_target` workflows.
>
> **Overview**
> Removes the `semantic-pr-lint` GitHub Actions workflow that ran on
`pull_request_target` to validate PR titles.
>
> This eliminates the repoβs only `pull_request_target` workflow,
reducing the trust/secrets footprint for PRs (especially from forks).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
8d3b0ba20a
|
chore(deps): lock file maintenance (#468)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | π§ This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - "before 4am on monday" - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
590bfd78fa
|
chore(deps): update dependency aube to v1.6.2 (#466)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.5.1` β `v1.6.2` | `v1.9.1` (+3) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.6.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.2): : Engines coverage catches up to pnpm [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.1...v1.6.2) A small patch release that closes engine-validation gaps with pnpm. #### Fixed - **Broader engines coverage** ([#​458](https://redirect.github.com/endevco/aube/pull/458) by [@​jdx](https://redirect.github.com/jdx)) β aube now honors engine constraints it previously skipped: - `engines.aube` and `engines.pnpm` on root and workspace project manifests are checked against the running aube version (aube positions itself as a pnpm-compatible drop-in, so `engines.pnpm` is honored as if aube were that pnpm). - `engines.node` is now enforced on workspace project manifests, not just the root. - Warning output labels which engine triggered the mismatch (e.g. `wanted node >=20`, `wanted aube >=99999`, `wanted pnpm >=8`), and the `engine-strict` error message stays compatible with existing assertions. - `engines.{aube,pnpm}` on transitive deps remain skipped on purpose, since wild packages routinely pin author toolchains. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.6.1...v1.6.2> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.6.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.1) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.0...v1.6.1) ##### Fixed - Unblocked the `v1.6.0` publishing path so missing Linux release assets and downstream package publishes could be backfilled ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Made the resolver build script tolerate environments where the primer generator exists but `node` is not installed, falling back to an empty primer with a Cargo warning instead of panicking ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Moved npm publishing and PPA upload jobs back to GitHub-hosted runners where npm provenance and Launchpad FTP uploads work correctly ([#​460](https://redirect.github.com/endevco/aube/pull/460)). ##### Other - Refreshed benchmarks for the 1.5.2 baseline ([#​459](https://redirect.github.com/endevco/aube/pull/459)). ### [`v1.6.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.0) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.1...v1.6.0) ##### Highlights - Added broader pnpm compatibility for `aube add`, `aube update`, pnpmfile hooks, catalog saves, workspace protocol parsing, and lockfile directory configuration. - Added generic `--config.<key>=<value>` overrides plus fetch timeout, retry, backoff, `--pnpmfile`, and `--global-pnpmfile` flags. - Improved install, resolver, registry, linker, manifest, settings, and state hot paths with shared caches, cheaper hashes, fewer repeated filesystem probes, and compressed packument fetches. - Expanded pnpm parity coverage across update, hooks, allow-build review, monorepo filter, prefer-offline, and misc install behavior. ##### Added - `aube update` now parses `<pkg>@​<spec>` arguments and can update indirect dependencies ([#​446](https://redirect.github.com/endevco/aube/pull/446)). - `aube add` can bootstrap a missing `package.json`, matching pnpm behavior covered by newly ported misc tests ([#​417](https://redirect.github.com/endevco/aube/pull/417)). - `--config.<key>=<value>` flags provide generic CLI config overrides ([#​447](https://redirect.github.com/endevco/aube/pull/447)). - `--lockfile-dir` / `lockfileDir` support allows commands to target a foreign lockfile directory when valid ([#​431](https://redirect.github.com/endevco/aube/pull/431)). - Fetch controls were added for timeout, retry count, and retry backoff behavior ([#​436](https://redirect.github.com/endevco/aube/pull/436)). - `--pnpmfile` and `--global-pnpmfile` flags were added, with pnpmfile hooks wired into update and `preResolution` support ([#​439](https://redirect.github.com/endevco/aube/pull/439), [#​423](https://redirect.github.com/endevco/aube/pull/423)). - pnpmfile `ctx.log` records now emit as `pnpm:hook` NDJSON on stdout ([#​440](https://redirect.github.com/endevco/aube/pull/440)). - `--save-catalog`, `workspace:*` parsing, and `sharedWorkspaceLockfile=false` support landed together ([#​418](https://redirect.github.com/endevco/aube/pull/418)). - Empty `--allow-build` values now use pnpm's verbatim error wording ([#​444](https://redirect.github.com/endevco/aube/pull/444)). ##### Fixed - `AUBE_VIRTUAL_STORE_DIR` is honored from the environment, with additional pnpm misc parity coverage ([#​456](https://redirect.github.com/endevco/aube/pull/456)). - `aube update --latest` preserves prerelease pins that are already higher than the latest stable version ([#​445](https://redirect.github.com/endevco/aube/pull/445)). - `.` is rejected as a foreign `--lockfile-dir` importer and the related docs were corrected ([#​442](https://redirect.github.com/endevco/aube/pull/442)). - npm `package-lock.json` workspace importers are preserved when parsing and writing lockfiles ([#​443](https://redirect.github.com/endevco/aube/pull/443)). - Lifecycle script behavior closed three pnpm parity gaps ([#​421](https://redirect.github.com/endevco/aube/pull/421)). - The resolver now ships an empty bundled metadata primer when the generator script cannot run, instead of failing the build ([#​425](https://redirect.github.com/endevco/aube/pull/425)). ##### Performance - Cached hot-path work across install, resolver, registry, linker, manifest parsing, settings lookup, and install state freshness checks ([#​453](https://redirect.github.com/endevco/aube/pull/453)). - Deduplicated and cached repeated install/resolver work, including graph hashing, patch fingerprints, lockfile parsing, env capture, script policy lookup, workspace-root scans, and registry auth token matching ([#​449](https://redirect.github.com/endevco/aube/pull/449)). - Refreshed benchmark results for the 1.5.2 baseline ([#​448](https://redirect.github.com/endevco/aube/pull/448), [#​452](https://redirect.github.com/endevco/aube/pull/452)). ##### Testing and Parity - Ported pnpm monorepo filter tests and wired `--fail-if-no-match` ([#​457](https://redirect.github.com/endevco/aube/pull/457)). - Ported additional pnpm hook, allowBuilds review, update, prefer-offline, circular peer, trust-policy, peer warning, top-level plugin, and registry fixture coverage ([#​455](https://redirect.github.com/endevco/aube/pull/455), [#​441](https://redirect.github.com/endevco/aube/pull/441), [#​438](https://redirect.github.com/endevco/aube/pull/438), [#​454](https://redirect.github.com/endevco/aube/pull/454), [#​434](https://redirect.github.com/endevco/aube/pull/434), [#​433](https://redirect.github.com/endevco/aube/pull/433), [#​424](https://redirect.github.com/endevco/aube/pull/424)). </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
c0cbd12180
|
chore(deps): update dependency globals to v17.6.0 (#465)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [globals](https://redirect.github.com/sindresorhus/globals) | [`17.5.0` β `17.6.0`](https://renovatebot.com/diffs/npm/globals/17.5.0/17.6.0) |  |  | --- ### Release Notes <details> <summary>sindresorhus/globals (globals)</summary> ### [`v17.6.0`](https://redirect.github.com/sindresorhus/globals/compare/v17.5.0...6b15870f1c08b60b5b57afe45a703d9ed0be39bc) [Compare Source](https://redirect.github.com/sindresorhus/globals/compare/v17.5.0...v17.6.0) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
34cccd8792
|
chore(deps): update dependency eslint to v10.3.0 (#464)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.2.1` β `10.3.0`](https://renovatebot.com/diffs/npm/eslint/10.2.1/10.3.0) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.3.0`](https://redirect.github.com/eslint/eslint/compare/v10.2.1...78892043a36da4aa7640b59c99344b00c181048a) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.2.1...v10.3.0) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
396ce9daa2
|
chore(deps): update dependency aube to v1.5.1 (#463)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `1.4` β `v1.5.1` | `v1.9.1` (+6) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.5.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.1): : POSIX colon tarball filenames [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.0...v1.5.1) A small patch release fixing tarball installs that contain `:` in entry filenames on POSIX platforms (e.g. `redos-detector@6.1.4`'s `dist/__mocks__/package-json:version.d.ts`). #### Fixed - **POSIX colon tarball filenames** β the store tarball validator and the linker's `validate_index_key` previously rejected `:` on every platform to defend against Windows drive-prefix and NTFS alternate-data-stream ambiguity. That guard was too broad for POSIX, where colon is a valid filename character, and caused installs of packages like `redos-detector@6.1.4` to fail. Both guards are now platform-gated: `:` is still rejected on Windows, but accepted on Linux and macOS. ([#​386](https://redirect.github.com/endevco/aube/pull/386) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.5.0...v1.5.1> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.5.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.0): : Dependency graph queries and patch/lockfile fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.4.0...v1.5.0) This release adds `aube query` for selector-based dependency graph inspection, fixes patch application against CRLF tarball files, repairs npm-aliased catalog dependencies in pnpm-generated lockfiles, and unifies how aube decides where to write workspace settings. #### Added - **`aube query`** β a vlt-inspired dependency-graph query command. Supply a selector expression (attribute predicates plus pseudo-selectors like `:scripts`, `:bin`, `:peer`, `:type(...)`, `:license(...)`), optionally scope with workspace `--filter`/`--prod`/`--dev` roots, and emit human-readable, `--parseable`, or `--json` output. Reads only the local lockfile. ([#​380](https://redirect.github.com/endevco/aube/pull/380) by [@​jdx](https://redirect.github.com/jdx)) #### Fixed - **Patches against CRLF text files** β tarballs published from Windows editors (e.g. `gifuct-js@2.1.2/index.d.ts`) ship CRLF, but git/pnpm-style patches always emit LF, and diffy refused to match LF hunks against CRLF context. aube now normalizes the original to LF before applying and restores CRLF on write β matching pnpm's approach β with a `\r\r\n` collapse so a literal `\r` byte mid-line doesn't gain a second carriage return. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **`aube patch-commit` destination** β previously wrote unconditionally to `pnpm.patchedDependencies` in `package.json` even on projects already using the pnpm v10+ workspace-yaml home. A single rule now applies to every command that mutates a setting which can live in either the workspace yaml or `package.json#{pnpm,aube}.<key>`: 1. If a workspace yaml exists on disk β write there. 2. Otherwise, if `package.json#pnpm` is already declared β write `pnpm.<key>` (preserve the user's namespace). 3. Otherwise β write `aube.<key>`. `aube patch-remove` now strips entries from every place they could live and reports the files actually rewritten. The same rule covers `aube approve-builds` and install-time auto-deny seeding. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **npm-aliased catalog deps from pnpm lockfiles** β `aube install --frozen-lockfile` previously accepted a pnpm lockfile with `beamcoder: npm:beamcoder-prebuild@β¦` declared via `pnpm-workspace.yaml#catalog` and silently produced an empty `node_modules`, because the importer's specifier was `'catalog:'` and alias detection only fired on `specifier.starts_with("npm:")`. Aliases are now detected purely from the canonical `<real>@​<resolved>` `version:` shape, with a peer-suffix strip so `version: 18.2.0(react@18.2.0)` isn't misclassified. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Bounded resolver stream** β the resolved-package stream is now a bounded Tokio channel sized from the same network concurrency used by fetch workers, with awaited sends so resolver/fetch overlap applies backpressure instead of accumulating an unbounded queue. ([#​377](https://redirect.github.com/endevco/aube/pull/377) by [@​jdx](https://redirect.github.com/jdx)) #### Changed - **`aube-workspace.yaml` is the default-write filename** β when neither `aube-workspace.yaml` nor `pnpm-workspace.yaml` exists, `aube approve-builds` (and the install-time auto-seed of unreviewed build scripts) now creates `aube-workspace.yaml` so it pairs with `aube-lock.yaml` instead of leaving mixed vendor namespaces side by side. Existing `pnpm-workspace.yaml` files keep being mutated in place. ([#​382](https://redirect.github.com/endevco/aube/pull/382) by [@​jdx](https://redirect.github.com/jdx)) - **Comment-preserving workspace-yaml writes** β yaml writes now skip the rewrite when the closure produces no structural change, so user comments survive every no-op update to `allowBuilds`, `patchedDependencies`, and catalog cleanup. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Install phase timing sink** β set `AUBE_BENCH_PHASES_FILE` to append per-phase install timings (resolve/fetch/link/scripts/state/sweep) as JSONL, optionally tagged with `AUBE_BENCH_SCENARIO`. The benchmark harness samples aube install-shaped scenarios and `benchmarks/generate-phase-results.mjs` turns the JSONL into a Markdown table plus a structured JSON artifact. ([#​381](https://redirect.github.com/endevco/aube/pull/381) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.4.0...v1.5.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
8720daa86c
|
chore(deps): update github/codeql-action digest to 68bde55 (#462)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|
||
|
jdx
|
c6a35e2d7d
|
chore(ci): use !cancelled() instead of always() for final job (#460)
## Summary
- Combined with the workflow's `cancel-in-progress` group, `if:
always()` overrides cancellation and runs the `final` aggregator even on
superseded commits.
- `!cancelled()` still runs on upstream success or failure but skips
when the workflow is cancelled β saves a runner and avoids confusing
error annotations on already-superseded shas.
- Caught by Cursor Bugbot on a sibling repo (endevco/pitchfork#413).
Same `final`-aggregator pattern + `cancel-in-progress: true` here, so
the same fix applies.
## Test plan
- [ ] CI passes on this PR
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk CI-only change that just adjusts when the `final` job runs;
main risk is slightly different status reporting when runs are
cancelled.
>
> **Overview**
> Updates the GitHub Actions `final` aggregator job to use `if: ${{
!cancelled() }}` instead of `always()`, so it still runs for upstream
success/failure but **does not** run for cancelled workflows (e.g.,
superseded runs under `cancel-in-progress`).
>
> Adds clarifying comments to document why cancellation should skip the
aggregator to avoid wasting runners and producing noise on cancelled
commits.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
b9e293457e
|
chore(deps): update github/codeql-action digest to e46ed2c (#459)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|
||
|
renovate[bot]
|
9839807d80
|
chore(deps): update dependency @types/handlebars to v4.1.0 (#457)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/handlebars](https://redirect.github.com/wycats/handlebars.js) | [`4.0.40` β `4.1.0`](https://renovatebot.com/diffs/npm/@types%2fhandlebars/4.0.40/4.1.0) |  |  | --- ### Release Notes <details> <summary>wycats/handlebars.js (@​types/handlebars)</summary> ### [`v4.1.0`](https://redirect.github.com/wycats/handlebars.js/blob/HEAD/release-notes.md#v410---February-7th-2019) New Features - import TypeScript typings - [`27ac1ee`]( |
||
|
renovate[bot]
|
1a7cfe9372
|
fix(deps): update dependency @actions/glob to ^0.7.0 (#458)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@actions/glob](https://redirect.github.com/actions/toolkit/tree/main/packages/glob) ([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/glob)) | [`^0.6.0` β `^0.7.0`](https://renovatebot.com/diffs/npm/@actions%2fglob/0.6.1/0.7.0) |  |  | --- ### Release Notes <details> <summary>actions/toolkit (@​actions/glob)</summary> ### [`v0.7.0`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/glob/RELEASES.md#070) - Bump `minimatch` from `^3.0.4` to `^10.2.5` [#​2355](https://redirect.github.com/actions/toolkit/pull/2355) - Bump `undici` from `6.23.0` to `6.24.0` [#​2345](https://redirect.github.com/actions/toolkit/pull/2345) - Bump `brace-expansion` in `/packages/glob` [#​2369](https://redirect.github.com/actions/toolkit/pull/2369) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
jdx
|
b287efda3d
|
fix: include runner image in cache key to prevent cross-provider collisions (#456)
## Problem
The default cache key was `mise-v1-{os}-{arch}-{file_hash}` β no
runner-image discriminator. Any repo whose CI runs on multiple runner
providers with the same os/arch shares one cache slot:
- github-hosted `macos-latest`
- namespace.so `nscloud-macos-sequoia-arm64-*` /
`namespace-profile-*-macos-arm64`
- self-hosted M-series macs
- BuildJet, blacksmith, etc.
When a repo migrates from one provider to another, the new run restores
the previous provider's tool installs (~200 MB of
`~/.local/share/mise/installs/*`), and tools that loaded fine in the
original image break in the new one.
### Concrete failures observed
Discovered while migrating [jdx/hk](https://github.com/jdx/hk/pull/891)
from github-hosted to namespace.so. Same `mise-v1-macos-arm64-<hash>`
cache hit on namespace; tool resolution fails everywhere:
```
mise ERROR Tool 'ubi:koalaman/shellcheck' does not have an executable named 'shellcheck'
mise ERROR Tool 'gem:asciidoctor' does not have an executable named 'asciidoctor'
mise ERROR Tool 'aqua:betterleaks/betterleaks' does not have an executable named 'betterleaks'
mise ERROR Tool 'biome' does not have an executable named 'biome'
mise ERROR Tool 'buf' does not have an executable named 'buf'
mise ERROR Tool 'github:google/google-java-format' does not have an executable named 'google-java-format'
```
β installs are present (cache restored 185 MB) but the executable layout
from the github-hosted macOS-15 image doesn't match what mise expects on
namespace's macOS arm64 image.
On Linux, cached binaries built against the github-hosted ubuntu
glibc/CPU featureset SIGILL on namespace's image (e.g. `swiftlint` exit
code 132).
## Fix
Append the GitHub Actions hosted-runner `ImageOS` env var (e.g.
`macos15`, `ubuntu24`) to the platform segment of the default cache key.
Other runners pool under `self-hosted`.
```ts
const imageOS = process.env.ImageOS || 'self-hosted'
return `${base}-${imageOS}`
```
After this change:
- `mise-v1-macos-arm64-macos15-<hash>` (github-hosted)
- `mise-v1-macos-arm64-self-hosted-<hash>` (namespace, self-hosted,
etc.)
Users with multiple self-hosted profiles that need finer scoping can set
`cache_key_prefix` per workflow. The README's docs for `{{platform}}`
are updated to reflect the new format.
## Trade-offs
- One-time cache miss for everyone on the next run after upgrade. Cache
rebuilds and stays scoped per-image after that.
- Hosted-runner image rolls (e.g. `macos15` β `macos16`) will invalidate
cache, which is desirable β that's exactly when stale binaries cause
problems.
- Self-hosted users with mixed runner pools all share one `self-hosted`
slot. They'd need `cache_key_prefix` per pool, same as before. This PR
doesn't make that worse.
## Test plan
- [ ] Verify `dist/index.js` rebuilt cleanly (yes, `npm run package`
succeeded with the change visible at `getTarget()` callsite).
- [ ] Run on a github-hosted runner β confirm `ImageOS` is read from env
(e.g. `macos15`) and shows up in the `mise cache restored from key:` log
line.
- [ ] Run on a non-hosted runner β confirm fallback to `-self-hosted`.
- [ ] Verify a workflow that switched providers no longer pulls a
poisoned cache.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Changes cache-key generation and will cause a one-time cache miss plus
different cache partitioning, which can affect build times and cache
reuse across runners.
>
> **Overview**
> Updates the default cache-key `{{platform}}` value to append a runner
image discriminator (`process.env.ImageOS` on GitHub-hosted runners,
otherwise `self-hosted`), reducing cross-provider/image cache collisions
that can restore incompatible tool installs.
>
> Implements this via a new `getRunnerImageId()` helper used during
cache-key template processing, and documents the new `{{platform}}`
format in the README; `dist/index.js` is rebuilt accordingly.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
ac8a6414ec
|
feat: add wings_enabled input (mise-wings cache integration) (#454)
## Summary
Adds two new inputs that gate the mise-wings asset cache for tool
installs. Existing workflows are unaffected: default `wings_enabled:
false` is a no-op.
| Input | Default | Description |
|---|---|---|
| `wings_enabled` | `false` | Route tool-install URLs through the wings
cache when `true` |
## How it works
When `wings_enabled: true`, the action exports `MISE_WINGS_ENABLED=1`.
Authentication is **fully automatic** β mise itself owns the GHA OIDC β
wings session exchange. No `mise wings login` step in workflow YAML, no
long-lived secrets to rotate.
When mise (built with wings support β see
[jdx/mise#9458](https://github.com/jdx/mise/pull/9458)) sees
`MISE_WINGS_ENABLED=1` and detects the GHA OIDC env vars
(`ACTIONS_ID_TOKEN_REQUEST_URL` + `ACTIONS_ID_TOKEN_REQUEST_TOKEN`), it:
1. Fetches the runner's OIDC token, scoped to the wings deployment
audience
2. POSTs it to `https://api.<host>/auth` to mint a wings CI session JWT
3. Caches the JWT in-process for the rest of the workflow run
4. Transparently rewrites `registry.npmjs.org` / `github.com` /
`api.github.com` URLs to the corresponding wings cache subdomains and
attaches the JWT as a Bearer header
## Why opt-in (not opt-out)
The default-off posture is deliberate. Many workflows already declare
`permissions: id-token: write` for unrelated reasons (SLSA provenance,
AWS OIDC, Sigstore, npm provenance, etc.). If `wings_enabled` defaulted
to `true`, those workflows would silently send the runner's OIDC
identity claims to a third-party cache without explicit consent. Cursor
Bugbot HIGH + Greptile P1+security correctly flagged the previous
"default true" iteration of this PR as a privacy regression.
Explicit opt-in keeps the gate visible in the workflow YAML.
## Workflow requirements
```yaml
permissions:
id-token: write # required for OIDC
jobs:
build:
steps:
- uses: jdx/mise-action@<sha>
with:
wings_enabled: true
```
The action emits a clear warning when `wings_enabled: true` but
`id-token: write` is missing β without that hint, the user would see
"wings configured but doing nothing" and have no clue why.
## Test plan
- [x] `npm run all` β format + lint + package, clean
- [x] `dist/index.js` rebuilt and contains the wings hook (greppable:
`MISE_WINGS_ENABLED`, `setupWings`)
- [ ] End-to-end: a workflow with `wings_enabled: true`, `permissions:
id-token: write`, an active wings subscription, and a recent enough
`mise` binary. The mise repo's own `docs.yml` will exercise this path
once [jdx/mise#9458](https://github.com/jdx/mise/pull/9458) is merged.
- [ ] Default-off path: a workflow without the `wings_enabled` input
behaves identically to today.
## Out of scope
- Older mise binaries will see `MISE_WINGS_ENABLED` and silently ignore
it (no wings client code) β that's intended; the action doesn't gate on
mise version.
- Self-hosted runners: `permissions: id-token: write` only does anything
on GitHub-hosted runners by default. Self-hosted runners need extra
config; the warning above is conservative enough for both cases.
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Introduces an opt-in path that can cause OIDC-based authentication to
a third-party cache and alters tool download routing when enabled.
Default-off behavior limits impact, but misconfiguration could create
confusing cache bypass or unexpected network/token exchange behavior.
>
> **Overview**
> Adds a new **experimental** `wings_enabled` action input (default
`false`) to opt workflows into the mise-wings asset cache by exporting
`MISE_WINGS_ENABLED=1`.
>
> When enabled, the action now runs `setupWings()` early to set the env
var and warn if GitHub OIDC env vars are missing (i.e., `permissions:
id-token: write` not configured), while leaving existing/default
behavior unchanged.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
0a780158e1
|
chore: migrate package manager from npm/pnpm/bun to aube (#455)
## Summary
Switches the project's package-manager surface from a mix of `npm` /
`pnpm` / `bun` (different commands in different files) to a single tool:
[aube](https://aube.en.dev), en.dev's pnpm-compat package manager
(native Rust, fast, drops cleanly into pnpm/npm-compatible workflows).
| | Before | After |
|---|---|---|
| Workflows install step | `npm ci` | `aube ci` |
| Workflows run scripts | `npm run X` | `aubr X` (`aubr` is the `aube
run` shorthand) |
| `mise.toml` tasks | mixed `npm run` / `bun run` | `aubr X` |
| Lockfile | `package-lock.json` | `package-lock.json` (unchanged β aube
reads it directly) |
The `aubr` binary ships alongside `aube` in the same install β it's the
script-runner shorthand (`aubr <script>` β‘ `aube run <script>`). Saves a
word in every workflow / mise.toml line.
## What didn't change
- **`package-lock.json`** stays as the canonical lockfile. aube reads it
directly; no `aube-lock.yaml` is generated. Running `npm install` still
works for any dev who hasn't switched to aube yet.
- **`package.json` scripts** still use `npm run X` for nested
invocations (e.g. `"all": "npm run format:write && β¦"`). The literal
`npm` works for both callers β aube's shell exec finds `npm` in PATH,
the inner invocation re-runs the same package.json script. Keeping these
PM-agnostic avoids a forced cutover for downstream contributors.
- **`dist/`** is byte-identical after `aubr all` β parity with the
npm-built bundle verified locally.
## New project files
- **`.npmrc`** β single line: `node-linker=hoisted`. Forces a flat,
npm-style `node_modules` layout instead of aube's default
symlink/virtual-store. Required because `rollup --configPlugin
@rollup/plugin-typescript` resolves the plugin from cwd's node_modules,
and the isolated layout puts rollup under `node_modules/.aube/...` where
standard module resolution can't reach back to the project root for the
plugin. npm reads `.npmrc` but ignores `node-linker` (npm always
installs flat), so the file is safe for both PMs.
- **`pnpm-workspace.yaml`** β generated by aube 1.4 to record
build-script approvals (`unrs-resolver: false`). Project-level config;
commits like a `package.json` companion.
Pinned `aube = '1.4'` in `mise.toml`'s tools so `mise install`
provisions the right binary locally.
## Why aube
Single tool replacing three. Less context-switching for contributors,
fewer places to run `npm audit` / `bun upgrade` / `pnpm dedupe`. aube's
cold-cache install for this repo's deps is ~3s vs `npm ci` at ~10s.
## Test plan
- [x] `aube install` from clean β succeeds, all 441 packages link
cleanly
- [x] `aubr all` (format + lint + package) β succeeds, `dist/`
byte-identical to checked-in version
- [x] `aubr format:check` β clean
- [x] `aubr lint` β clean
- [x] `aubr package` β produces `dist/index.js`, `dist/index.js.map`,
`dist/licenses.txt` matching what's checked in
- [ ] Workflows: `Continuous Integration` / `autofix.ci` / `Check dist/`
/ `test` all pass on this PR
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/build-system plumbing; risk is workflow or packaging
breakage (dependency install layout, rollup config) that could prevent
`dist/` from rebuilding or CI from running, but it doesnβt change
runtime action logic.
>
> **Overview**
> Switches GitHub Actions workflows to install tooling via
`jdx/mise-action` and run installs/scripts with `aube`/`aubr` instead of
`actions/setup-node` + `npm ci`/`npm run`.
>
> Pins `aube` (`1.4`) in `mise.toml`, updates `mise` tasks and developer
docs (`CLAUDE.md`) to use `aube`/`aubr`, and adds `.npmrc`
(`node-linker=hoisted`) plus a `.gitignore` entry to avoid committing
`aube`βs generated `pnpm-workspace.yaml`.
>
> Adjusts the packaging script to use `rollup.config.mjs` (replacing the
previous TS config invocation).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
3cd8ad48b8
|
chore(deps): lock file maintenance (#439)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | π§ This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - "before 4am on monday" - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
jdx
|
1c5f70fd40
|
chore(deps): bump communique to 1.1.2 (#453)
## Summary
- add a communique mise lock entry for v1.1.2
- include release asset URLs and checksums, including musl assets
## Validation
- monitored jdx/communique release workflow 24960017639 to success
- `mise install --locked communique`
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: adds an auto-generated tool lockfile entry only, affecting
developer tool installation but not runtime application behavior.
>
> **Overview**
> Pins the `communique` developer tool to **v1.1.2** by adding a
generated `mise.lock` entry.
>
> The lock includes **per-platform download URLs, asset API links, and
SHA-256 checksums**, including *musl* variants for Linux.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
5ad13376e3
|
chore(deps): update autofix-ci/action digest to c5b2d67 (#452)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [autofix-ci/action](https://redirect.github.com/autofix-ci/action)
([changelog](
|
||
|
renovate[bot]
|
6fa7302151
|
chore(deps): update actions/setup-node digest to 48b55a0 (#451)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node)
([changelog](
|
||
|
renovate[bot]
|
db69447ab3
|
chore(deps): update dependency eslint to v10.2.1 (#445)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.2.0` β `10.2.1`](https://renovatebot.com/diffs/npm/eslint/10.2.0/10.2.1) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.2.1`](https://redirect.github.com/eslint/eslint/compare/v10.2.0...4d1d8f9737236603f64bbe83d5bb8001627b5611) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.2.0...v10.2.1) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |