chore(deps): update dependency aube to v1.9.1 (#478)

This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| [aube](https://redirect.github.com/endevco/aube) | minor | `v1.6.2` →
`v1.9.1` | `v1.14.1` (+10) |

---

### Release Notes

<details>
<summary>endevco/aube (aube)</summary>

###
[`v1.9.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.1):
: Cold install overhaul, HTTP prefetch, and workspace fixes

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.9.0...v1.9.1)

A performance- and correctness-focused patch release. Cold installs get
a streaming tarball pipeline, Linux gets an `O_TMPFILE`+`linkat` CAS
fast path, and the resolver's cold path overlaps DNS, TLS, and packument
prefetch with the manifest/workspace/lockfile work that used to
serialize them. On the fix side, `aube run` once again finds `node-gyp`
for package scripts, and `aube update` / `aube outdated` stop trying to
fetch unpublished `workspace:` deps from the registry.

#### Added

- **Pre-resolver packument prefetch + shared HTTP utilities**
([#&#8203;529](https://redirect.github.com/endevco/aube/pull/529) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) — a new
`aube-util::http` module consolidates client-side primitives (`prewarm`,
`priority`, `race`, `resolve`, `ticket_cache`) so leaf crates share one
warm-pool surface with consistent killswitch semantics. On install
entry, aube now reads `package.json` and fires fire-and-forget packument
GETs for every registry-shaped direct dep before workspace yaml load,
settings resolve, lockfile parse, and resolver construction — by the
time the resolver pops its first task, the packument cache and reqwest
pool are warm. `RegistryClient::prewarm_connection` now covers the
default registry **plus** every scoped (`@org:registry=...`) and per-uri
auth registry, with parallel DNS preresolve so DNS RTT hides behind the
TLS handshake. Abbreviated packument GETs also send `Priority: u=0` (RFC
9218 Critical) so H2 schedulers prioritize resolver-blocking metadata
over pending tarball frames. New killswitches:
`AUBE_DISABLE_DNS_PRERESOLVE`, `AUBE_DISABLE_REQUEST_RACING`,
`AUBE_DISABLE_PREFETCH`, `AUBE_DISABLE_TLS_TICKET_CACHE`. Prefetch is a
no-op when offline or when any lockfile is present.

- **Cold install pipeline overhaul**
([#&#8203;522](https://redirect.github.com/endevco/aube/pull/522) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) —
several overlapping wins on the cold-cache path:

- **Streaming tarball pipeline** (opt-in via `AUBE_TARBALL_STREAM=1`,
killswitch `AUBE_DISABLE_TARBALL_STREAM`) — HTTP body chunks pipe
through SHA-512 + gz + tar + CAS via an mpsc bridge instead of buffering
the whole tarball; non-SHA-512 SRI falls back to buffered. Bounded by
the registry's `tarball_max_bytes` cap.
- **Linux `O_TMPFILE` + `linkat` CAS publish** with `EOPNOTSUPP`
fallback to the tempfile path, `posix_fallocate` to avoid ext4
fragmentation, and `posix_fadvise(DONTNEED)` to free page cache after
publish. Killswitch: `AUBE_DISABLE_O_TMPFILE`.
- **Materialize-stream into the lockfile fast path** — both lockfile and
no-lockfile branches now share the GVS prewarm materializer, hiding
30-200ms of GVS reflinks behind the in-flight download tail.
- **Resolver tuning** — foldhash on `graph_hash` hot maps, pre-sized
resolver caches, thread-local `node_semver::Version` parse cache,
`PARALLEL_IMPORT_THRESHOLD` lowered from 256 to 16 (median npm tarball
is 7 files), and pinned tokio `worker_threads` (`cpu.min(8)`) /
`max_blocking_threads(64)` (tunable via `AUBE_TOKIO_WORKERS` /
`AUBE_TOKIO_BLOCKING`).
- **Windows** gets `FILE_ATTRIBUTE_NOT_CONTENT_INDEXED` on the store
root; cross-volume detection (drive letters on Windows, `dev` id on
Unix) is gated per-platform.

Reported same-volume Windows cold-install ratios: 1.80x-8.75x faster
than Bun across svelte/vite/next/babylon.

- **Per-project materialize pipelined into fetch**
([#&#8203;527](https://redirect.github.com/endevco/aube/pull/527) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) — when
GVS is off, each fetched `(canonical_key, PackageIndex)` triggers
`materialize_into` against `.aube/<dep_path>/` immediately, so by the
time fetch finishes the dedicated link phase only has to create
top-level `node_modules/<name>` symlinks. The driver now uses `JoinSet`
instead of `Vec<JoinHandle>`, so on early-return all in-flight tasks
abort instead of detaching and racing install cleanup. \~10% improvement
on warm fresh installs in the local benchmark matrix.

#### Fixed

- **`aube run` / `aube test` find `node-gyp`**
([#&#8203;518](https://redirect.github.com/endevco/aube/pull/518) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — package scripts only
had `node_modules/.bin` prepended to `PATH`, so `aube test` would fail
with `node-gyp: not found` on hosts that didn't already ship it. Script
execution now reuses aube's existing node-gyp bootstrap (via a lazy shim
bin dir + `AUBE_NODE_GYP_EXE` / `AUBE_NODE_GYP_PROJECT_DIR`), matching
pnpm/npm behavior. Ports pnpm's `lifecycleScripts.ts:128` coverage into
the offline node-gyp bootstrap bats suite.

- **`workspace:` deps in `aube update` / `aube outdated`**
([#&#8203;523](https://redirect.github.com/endevco/aube/pull/523) by
[@&#8203;jdx](https://redirect.github.com/jdx), fixes
[#&#8203;520](https://redirect.github.com/endevco/aube/discussions/520))
— `aube update` now discovers workspace package `name`/`version` pairs
and passes them into resolver workspace resolution so `workspace:` deps
from `package.json#workspaces` resolve locally instead of triggering
registry packument fetches. `aube outdated` filters out direct deps with
`workspace:` specifiers and reports "no matching dependencies" rather
than attempting a packument fetch. Adds a new
`WARN_AUBE_WORKSPACE_PACKAGE_MISSING_NAME` warning code for workspace
packages without a `name` field.

- **Resolver peer-context divergence is fatal**
([#&#8203;522](https://redirect.github.com/endevco/aube/pull/522) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) —
`apply_peer_contexts` hitting `MAX_ITERATIONS` used to log a warning and
ship a broken graph; it now returns a fatal
`Error::PeerContextDivergence(usize)`. `state::remove_state` errors at
`--force` and GVS-transition sites also propagate instead of being
silently swallowed, so permission-denied or Windows-locked sidecars no
longer defeat the freshness check.

- **Tarball hardening**
([#&#8203;522](https://redirect.github.com/endevco/aube/pull/522) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) —
entries declared as 0 bytes with non-zero stream payload are now
rejected (synthetic-entry injection guard), and GNU `LongName` /
`LongLink` metadata records are correctly accepted.

- **Patches loaded once per cwd**
([#&#8203;529](https://redirect.github.com/endevco/aube/pull/529) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) —
`load_patches_for_linker` walked `patches/` from disk 2-3 times per
install (lockfile-prewarm, no-lockfile-prewarm, and link-phase sites).
Now cached per cwd via `OnceLock<Mutex<HashMap<PathBuf, ...>>>`.

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.9.0...v1.9.1>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.9.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.0):
: Comment-preserving workspace edits, deploy bundling, and node
--inspect

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.8.0...v1.9.0)

A focused release: `aube deploy` learns to bundle workspace siblings and
local-path deps into the deploy artifact, workspace-yaml writers stop
eating user comments, aube-owned settings move out of `.npmrc`, and
`aube run` forwards Node debugger flags.

#### Added

- **Aube settings move out of `.npmrc`**
([#&#8203;517](https://redirect.github.com/endevco/aube/pull/517) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — known aube-owned
settings now live in `~/.config/aube/config.toml` (XDG-aware), while
registry, auth, and unknown keys keep using `.npmrc`. `aube config
get/set/list/delete` reads and writes the right file automatically, and
migrating a known setting cleans up the stale `.npmrc` entry. `.npmrc`
writes are also atomic against the **symlink target** now, so dotfile
setups that symlink `~/.npmrc` into a managed config repo stop having
the symlink replaced by a regular file.

- **`aube run --inspect` / `--inspect-brk`**
([#&#8203;515](https://redirect.github.com/endevco/aube/pull/515) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — both flags accept an
optional `[host:]port` (e.g. `--inspect=9229`,
`--inspect-brk=0.0.0.0:9230`) and are forwarded as explicit Node argv
when aube can identify a Node-backed target — direct `node ...` scripts
in `package.json` and local `node_modules/.bin` fallbacks resolved
through shims/symlinks. The flags are passed as argv rather than via
`NODE_OPTIONS`, so the debugger doesn't attach to nested Node processes
spawned by the script.

- **`aube deploy --no-prod`**
([#&#8203;507](https://redirect.github.com/endevco/aube/pull/507) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — opt out of the default
`--prod` filter for deploys that need devDependencies at runtime
(test-harness staging, build-step artifacts). Mutually exclusive with
`--prod` / `--dev`; combine with `--no-optional` to keep prod + dev but
drop optionals.

- **Comment-preserving workspace yaml writes**
([#&#8203;511](https://redirect.github.com/endevco/aube/pull/511) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — every workspace-yaml
writer (`approve-builds`, `patch-commit`, `patch-remove`, the daily
`cleanupUnusedCatalogs` install pass, and `aube config set --location
workspace`) now routes through `yamlpatch` instead of round-tripping the
file through a serializer. Keys, comments, and whitespace the edit
didn't touch land back on disk byte-identical, so user annotations on
adjacent entries survive. Empty/missing files still go through the
regular serializer since there are no comments to preserve.

#### Fixed

- **`aube deploy` bundles local dependencies**
([#&#8203;507](https://redirect.github.com/endevco/aube/pull/507) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — fixes two real bugs
reported in
[#&#8203;345](https://redirect.github.com/endevco/aube/discussions/345):

- **`workspace:*` siblings tried to fetch from the registry.** Deploy
used to rewrite `workspace:*` to a concrete version and ask install to
resolve it — fine for published siblings, broken for the (very common)
unpublished case. Reachable workspace siblings are now copied into
`<target>/.aube-deploy-injected/<id>/` and the manifest spec becomes a
relative `file:` pointer. Recursion handles sibling chains where a
sibling's own deps are workspace siblings.
- **`file:` deps resolved relative to the deploy output dir.** A
`file:../local-vendor` spec used to ride along unchanged in the deployed
manifest, pointing at `<target>/../local-vendor` instead of the source
workspace's `local-vendor`. Local-path deps now go through the same
staging pipeline.

When bundling occurs the lockfile-subset path is skipped, since the
rewritten `file:` pointers don't appear in the source lockfile and would
otherwise trip a frozen install.

- **`aube remove` preserves dependency order**
([#&#8203;511](https://redirect.github.com/endevco/aube/pull/511) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — dropping one dep used
to alphabetize the remaining entries in the affected `package.json`
section as a side effect. Surviving entries now stay in their original
on-disk order, matching pnpm/npm. (`aube add` is unaffected — sorted
inserts there are intentional.)

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.8.0...v1.9.0>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.8.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.8.0):
: Stable error codes, smarter run/dlx, and a new install progress UI

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.7.0...v1.8.0)

A polish-and-plumbing release: install progress gets a from-scratch
redesign, errors and warnings now carry stable identifiers (with bespoke
exit codes and dep-chain context), `aube run` / `aube dlx` prefer
locally-installed binaries, and a handful of workspace-from-subpackage
and `aube add` ergonomics get fixed.

#### Added

- **Redesigned install progress UI**
([#&#8203;501](https://redirect.github.com/endevco/aube/pull/501) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — fixed 15-char bar on
the left, stats on the right, phase-aware label (`resolving` /
`fetching` / `linking`), ETA, transfer rate, and an estimated install
size derived from the resolve stream:

  ```
  aube 1.8.0 by en.dev
  █████░░░░░░░░░░ 23/142 pkgs · 4.2 MB / ~13.8 MB · 1.4 MB/s · ETA 5s
  ███████████████ 1230/1230 pkgs · linking
  ✓ resolved 1230 · reused 98 · downloaded 1132 (54.6 MB) in 6.8s
  ```

Installs that finish before the first 2s heartbeat now print a single
self-identifying summary line (`✓ installed 5 packages in 423ms`)
instead of a partial bar. Also fixes two real bookkeeping bugs (a `2/1
packages` overflow on platform-mismatched non-optional deps, and the
"stuck at 90%" undercount caused by `filter_graph` dropping packages
after the denominator was inflated).

- **Local bins for `aube run` and `aube dlx`**
([#&#8203;502](https://redirect.github.com/endevco/aube/pull/502) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `aube run <name>`
falls back to `node_modules/.bin/<name>` when no `package.json` script
matches, and `aube dlx` / `aubx` will execute an already-installed local
binary instead of doing a throwaway install. Pass `-p` / `--package` (or
a versioned spec) to force the install path.

- **Stable error and warning codes**
([#&#8203;492](https://redirect.github.com/endevco/aube/pull/492) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — every error and
warning aube emits now carries an `ERR_AUBE_*` or `WARN_AUBE_*`
identifier in a structured field, so CI scripts and ndjson consumers can
branch on the code instead of substring-matching English messages. A
curated subset maps to bespoke Unix exit codes (10–99 in 10-wide ranges
by category) so shells can react to specific failures without parsing
stderr — e.g. `aube install --frozen-lockfile` in an empty dir exits
with `10` (`ERR_AUBE_NO_LOCKFILE`). Post-resolver errors that mention a
specific package now also include the dependency chain back to the
importer (`chain: a@1 > b@2 > leaf@3`) so a tarball-integrity or fetch
failure tells you *why* your install pulled that transitive dep. The
full code list lives at `docs/error-codes.md`.

#### Fixed

- **`aube why` / `list` / `query` from a workspace subpackage**
([#&#8203;504](https://redirect.github.com/endevco/aube/pull/504) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — these commands
resolved cwd via the nearest `package.json`, so running them inside
`packages/foo/` errored with `No lockfile found. Run aube install
first.` even though the workspace lockfile sat one level up. They now
walk up to the workspace root when one is present.

- **Workspace lifecycle scripts and pnpm-lock npm aliases**
([#&#8203;500](https://redirect.github.com/endevco/aube/pull/500) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — recursive workspace
installs now run `preinstall`/`install`/`postinstall`/`prepare` for each
linked workspace importer in dependency order (not just the root), and
the build-script policy merges `pnpm.allowBuilds` /
`onlyBuiltDependencies` / `neverBuiltDependencies` across all
participating manifests so a member can approve its own dep's builds.
`pnpm-lock.yaml` now writes npm aliases in pnpm's native
`<real>@&#8203;<version>` encoding instead of leaking aube's internal
`aliasOf` field.

- **`aube add` auto-detects local paths**
([#&#8203;499](https://redirect.github.com/endevco/aube/pull/499) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `aube add
/path/to/lib`, `./lib`, `~/lib`, `file:./lib`, and `link:./lib` no
longer fall through to the registry path with a confusing `HTTP 405
Method Not Allowed`. Bare paths default to `link:` for directories and
`file:` for tarballs (pnpm parity); explicit prefixes are preserved.
Tarball-suffix paths emit a clear "not yet supported in `aube add`" hint
instead of a 405.

#### Changed

- **Per-command `--help` is bucketed**
([#&#8203;505](https://redirect.github.com/endevco/aube/pull/505) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `--frozen-lockfile` /
`--prefer-frozen-lockfile`, `--registry` + `--fetch-*`, and
`--disable/--enable-global-virtual-store` moved off the global flag set
into per-command groups under `Lockfile` / `Network` / `Virtual store`
headings, and now appear only on commands that consume them. Seven
pnpm-compat no-op flags (`--workspace-packages`, `--ignore-workspace`,
`--include-workspace-root`, `--aggregate-output`, `--stream`,
`--use-stderr`, `--yes`) are still parsed but hidden from `--help`.
Pre-subcommand placement still works (`aube --frozen-lockfile install`,
`aube --registry=URL install`) via an argv pre-pass.

One caveat: implicit-script invocations like `aube --frozen-lockfile
dev` (where `dev` is a `package.json` script) no longer apply the flag —
write `aube run --frozen-lockfile dev` instead.

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.7.0...v1.8.0>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

###
[`v1.7.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.7.0):
: Local & git specs in aube add, faster cold installs

[Compare
Source](https://redirect.github.com/endevco/aube/compare/v1.6.2...v1.7.0)

A feature-heavy release: `aube add` learns git and local-path specs,
workspace commands gain support for yaml-only "coordinator" monorepos,
`aube update` and `aube rebuild` get pnpm-parity polish, and a deep
performance pass speeds up cold installs by up to \~1.9×.

#### Highlights

- **`aube add` is now a one-stop shop** for git, GitHub-shorthand, and
`link:` / `file:` local-path dependencies — not just registry packages.
- **Performance pass on the install hot path**
([#&#8203;469](https://redirect.github.com/endevco/aube/pull/469)) lands
streaming SHA-512, parallel CAS imports, TLS prewarm, fetch reordering,
and a long tail of cold-path cleanups, with measured cold-install
speedups up to \~1.9× vs v1.6.2.
- **Workspace and pnpm parity polish** across `update`, `rebuild`,
yaml-only roots, unversioned members, and nested `link:` / `file:`
resolution.

#### Added

- **`aube add file:./pkg` / `link:../sibling`**
([#&#8203;487](https://redirect.github.com/endevco/aube/pull/487) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — local-path specs are
routed through a non-registry branch, with the manifest key derived from
the path basename (with `.tgz` / `.tar.gz` stripped) or from an explicit
alias. `aube add my-bundle@file:./bundle.tgz` works too.

- **`aube add` supports git specs**
([#&#8203;483](https://redirect.github.com/endevco/aube/pull/483) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — bare GitHub shorthand,
`github:` / `gitlab:` / `bitbucket:` prefixes, full `git+ssh` /
`git+https` URLs, and aliases. The verbatim spec is written to
`package.json` and the resolver handles the rest:

  ```bash
  aube add kevva/is-negative
  aube add github:kevva/is-positive
  aube add my-alias@git+https://github.com/kevva/is-negative.git
  ```

- **Yaml-only workspace roots**
([#&#8203;486](https://redirect.github.com/endevco/aube/pull/486) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — `install`, `list`,
`run -r`, `query`, and `why` now work in pure-coordinator monorepos that
have `pnpm-workspace.yaml` / `aube-workspace.yaml` at the root but no
root `package.json` (Turborepo-style layouts). Single-project commands
like `add` / `remove` still hard-error without a manifest.

- **`aube update <pkg>` rewrites manifest ranges by default**
([#&#8203;479](https://redirect.github.com/endevco/aube/pull/479) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — caret/tilde ranges
(`^1.2.0`, `~1.2.0`) are rewritten to track the resolved in-range max,
matching pnpm. Other shapes (`>=`, exact pins, dist-tags, git,
`workspace:`) stay frozen. Set `update-rewrites-specifier=false` to keep
the previous behavior.

- **`aube rebuild <pkg>...`**
([#&#8203;477](https://redirect.github.com/endevco/aube/pull/477) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — runs lifecycle scripts
only for the named deps, bypasses the `allowBuilds` /
`onlyBuiltDependencies` policy, and skips root hooks. Composes with
`--filter`. Bare `aube rebuild` continues to do a full policy-respecting
rebuild.

- **Persistent unreviewed-builds warning**
([#&#8203;476](https://redirect.github.com/endevco/aube/pull/476) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — repeat warm-path
installs no longer swallow the "ignored build scripts for N package(s)"
nudge; the spec keys are persisted in `.aube-state` and re-emitted on
every install.

- **`aube update --depth` no longer silently ignored**
([#&#8203;473](https://redirect.github.com/endevco/aube/pull/473) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — emits a one-line
warning pointing at `rm aube-lock.yaml && aube install` for the only
useful semantic case.

#### Fixed

- **Faster cold installs**
([#&#8203;469](https://redirect.github.com/endevco/aube/pull/469) by
[@&#8203;imjustprism](https://redirect.github.com/imjustprism)) — a wide
hot-path pass with measurable wins on real registries:

  | Project           |    v1.6.2 |  v1.7.0 | Speedup |
  | ----------------- | --------: | ------: | ------: |
  | svelte (56 pkg)   |   1393 ms | 1386 ms |   1.01× |
  | vue (117 pkg)     |   1590 ms | 1360 ms |   1.17× |
  | next.js (336 pkg) |  14071 ms | 9160 ms |   1.54× |
  | babylon (21 pkg)  | \~6000 ms | 3186 ms |  \~1.9× |

Highlights: streaming SHA-512 over the wire (no second buffered hash
pass), two-phase parallel CAS tar import, speculative TLS/HTTP/2 prewarm
behind manifest parse, native-build packages floated to the front of the
fetch queue, `Accept-Encoding: gzip, br, zstd` on packuments, in-process
DNS cache via `hickory-dns`, mmap+rayon BLAKE3 over 4 MiB, network
concurrency default raised 64 → 128, and zero-copy packument parsing.
Every change ships with an `AUBE_DISABLE_*` killswitch
(`AUBE_DISABLE_STREAMING_SHA512`, `AUBE_DISABLE_SPECULATIVE_TLS`,
`AUBE_DISABLE_CRITICAL_PATH`, `AUBE_DISABLE_PARALLEL_IMPORT`,
`AUBE_DISABLE_MMAP_BLAKE3`, `AUBE_DISABLE_SNAPSHOTS`) plus an
`AUBE_CONCURRENCY=N` clamp.
- **Nested `link:` / `file:` resolution**
([#&#8203;470](https://redirect.github.com/endevco/aube/pull/470) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — fixes the `transitive
local specifier link:./libs/foo cannot be resolved without the parent
package source root` install error in two cases: a `file:` / `link:`
parent declaring a transitive `link:`, and a root `pnpm.overrides`
rewriting a registry dep to a local path. Override paths now anchor at
the project root like pnpm does.
- **Workspace members without `version`**
([#&#8203;480](https://redirect.github.com/endevco/aube/pull/480) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — fall back to `0.0.0`
instead of hard-erroring. `workspace:*` / `^` / `~` siblings still link
locally; specific ranges like `workspace:^2.0.0` still correctly fail to
satisfy. Unblocks repos like
[tuist/tuist#10584](https://redirect.github.com/tuist/tuist/pull/10584).
- **Bare `user/repo` parsed as GitHub shorthand**
([#&#8203;472](https://redirect.github.com/endevco/aube/pull/472) by
[@&#8203;jdx](https://redirect.github.com/jdx)) in lockfile/spec
parsing, with `update --latest` now skipping git-spec deps so they can't
be silently rewritten into registry pins.
- **CLI short help wraps cleanly**
([#&#8203;478](https://redirect.github.com/endevco/aube/pull/478) by
[@&#8203;jdx](https://redirect.github.com/jdx)) — many flags across
`add`, `install`, `publish`, `update`, `view`, etc. had multi-line doc
comments that clap merged into 120+ char paragraphs for `-h`. Now each
flag has a one-line summary followed by the longer prose, restoring
readable short help on standard terminals.

**Full Changelog**:
<https://github.com/endevco/aube/compare/v1.6.2...v1.7.0>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent
developer-tooling studio run by
[@&#8203;jdx](https://redirect.github.com/jdx), also behind
[mise](https://mise.jdx.dev/). Work on aube is funded entirely by
sponsors.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

If aube is saving your team install time or CI minutes, please consider
[sponsoring at en.dev](https://en.dev). Individual and company
sponsorships are what keep the project fast, free, and independent.

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzkuMyIsInVwZGF0ZWRJblZlciI6IjQzLjE3OS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/autofix.yml

@@ -1,33 +0,0 @@
-name: autofix.ci
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-
-jobs:
-  autofix:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout PR branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-        with:
-          node-version: '24'
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build and package
-        run: npm run all
-
-      - name: autofix.ci
-        uses: autofix-ci/action@7a166d7532b277f34e16238930461bf77f9d7ed8 # v1

.github/workflows/check-dist.yml

@@ -32,20 +32,18 @@ jobs:
       - name: Checkout
         id: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
-          node-version: 24
+          persist-credentials: false
-          cache: npm
+
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
 
       - name: Install Dependencies
         id: install
-        run: npm ci
+        run: aube ci
 
       - name: Build dist/ Directory
         id: build
-        run: npm run bundle
+        run: aubr bundle
 
       - name: Compare Expected and Actual Directories
         id: diff
@@ -58,7 +56,7 @@ jobs:
 
       # If index.js was different than expected, upload the expected version as
       # a workflow artifact.
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

.github/workflows/ci.yml

@@ -7,6 +7,9 @@ on:
       - main
       - 'releases/*'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
@@ -20,25 +23,30 @@ jobs:
       - name: Checkout
         id: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup Node.js
-        id: setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
-          node-version: 24
+          persist-credentials: false
-          cache: npm
+
+      # `mise.toml` pins both Node and aube; mise-action installs
+      # whatever's listed there. Reads `package-lock.json`
+      # directly — no separate `aube-lock.yaml` to maintain.
+      # `.npmrc` pins `node-linker=hoisted` so the layout is
+      # npm-flat (rollup's `--configPlugin` resolution
+      # requires this).
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+        with:
+          cache: false
 
       - name: Install Dependencies
-        id: npm-ci
+        id: aube-ci
-        run: npm ci
+        run: aube ci
 
       - name: Check Format
-        id: npm-format-check
+        id: aube-format-check
-        run: npm run format:check
+        run: aubr format:check
 
       - name: Lint
-        id: npm-lint
+        id: aube-lint
-        run: npm run lint
+        run: aubr lint
 
       # - name: Test
       #   id: npm-ci-test

.github/workflows/codeql-analysis.yml

@@ -35,18 +35,20 @@ jobs:
       - name: Checkout
         id: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         id: initialize
-        uses: github/codeql-action/init@603b797f8b14b413fe025cd935a91c16c4782713 # v3
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
         with:
           languages: ${{ matrix.language }}
           source-root: src
 
       - name: Autobuild
         id: autobuild
-        uses: github/codeql-action/autobuild@603b797f8b14b413fe025cd935a91c16c4782713 # v3
+        uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
 
       - name: Perform CodeQL Analysis
         id: analyze
-        uses: github/codeql-action/analyze@603b797f8b14b413fe025cd935a91c16c4782713 # v3
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4

.github/workflows/release-plz.yml

@@ -26,7 +26,8 @@ jobs:
           fetch-depth: 0
           submodules: recursive
           token: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}
-      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2
+          persist-credentials: false
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
       - run: mise run release-plz
         env:
           DRY_RUN: 0

.github/workflows/release.yml

@@ -5,24 +5,45 @@ on:
     types: [closed]
     branches: [main]
 
-permissions:
+permissions: {}
-  contents: write
 
 jobs:
   release:
     if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'release')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
 
       - name: Setup mise
-        uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2
+        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
 
       - name: Release
         run: ./scripts/postversion.sh
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  enhance-release:
+    needs: [release]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+      - name: Enhance release notes with communique
+        run: |
+          TAG_NAME="v$(jq -r .version package.json)"
+          communique generate "$TAG_NAME" --github-release
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}

.github/workflows/semantic-pr-lint.yml

@@ -1,19 +0,0 @@
-name: semantic-pr-lint
-
-on:
-  pull_request_target:
-    types:
-      - opened
-      - edited
-      - reopened
-
-jobs:
-  main:
-    name: Validate PR title
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read
-    steps:
-      - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test-redacted-env.yml

@@ -7,12 +7,17 @@ on:
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test-redacted-env:
     runs-on: ubuntu-latest
     
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       
       - name: Create test mise config with sensitive values
         run: |

.github/workflows/test.yml

@@ -8,6 +8,9 @@ on: # rebuild any PRs and main branch changes
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
@@ -17,10 +20,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - run: |
+        with:
-          npm install
+          persist-credentials: false
-      - run: |
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
-          npm run all
+      - run: aube install
+      - run: aubr all
   test: # make sure the action works on a clean machine without building
     strategy:
       fail-fast: false
@@ -44,6 +48,8 @@ jobs:
         if: ${{ matrix.requirements }}
         run: ${{ matrix.requirements }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise
         uses: ./
         with:
@@ -59,6 +65,15 @@ jobs:
       - run: mise x jq -- jq --version
       - run: which jq
       - run: jq --version
+      - name: Check Windows shim binary
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          $miseBinDir = Split-Path -Parent (Get-Command mise).Source
+          $miseShim = Join-Path $miseBinDir "mise-shim.exe"
+          if (!(Test-Path -LiteralPath $miseShim)) {
+            throw "mise-shim.exe was not installed next to mise.exe"
+          }
       - run: . scripts/test.sh
         shell: bash
 
@@ -66,6 +81,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise
         uses: ./
         with:
@@ -91,6 +108,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise
         id: bad
         uses: ./
@@ -108,14 +127,18 @@ jobs:
         if: ${{ steps.bad.outcome == 'failure' }}
       - name: not failed as expected
         run: |
-          echo "Expected failure but the job was ${{ steps.bad.outcome }}"
+          echo "Expected failure but the job was ${STEPS_BAD_OUTCOME}"
           exit 1
         if: ${{ steps.bad.outcome != 'failure' }}
+        env:
+          STEPS_BAD_OUTCOME: ${{ steps.bad.outcome }}
 
   custom_cache_key:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise with custom cache key
         uses: ./
         with:
@@ -133,6 +156,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise from mise.jdx.dev
         uses: ./
         with:
@@ -146,3 +171,21 @@ jobs:
       - run: mise x jq -- jq --version
       - run: which jq
       - run: jq --version
+
+  final:
+    needs:
+      - build
+      - test
+      - specific_version
+      - checksum_failure
+      - custom_cache_key
+      - fetch_from_github
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
+    # Run on success or upstream failure but skip when the workflow is cancelled
+    # — `always()` would override `cancel-in-progress` and waste a runner.
+    if: ${{ !cancelled() }}
+    steps:
+      - name: Check CI job results
+        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')
+        run: exit 1

.github/workflows/zizmor.yml

@@ -0,0 +1,22 @@
+name: zizmor
+on:
+  push:
+    branches: [main]
+    paths: ['.github/workflows/**']
+  pull_request:
+    paths: ['.github/workflows/**']
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          advanced-security: false

.gitignore

@@ -101,3 +101,10 @@ __tests__/runner/*
 .idea
 .vscode
 *.code-workspace
+
+# Generated by `aube install` to record build-script approvals.
+# We've chosen not to commit our approval state — the build doesn't
+# need any package's install scripts to run, and the file gets
+# regenerated each install anyway. The harmless "ignored build
+# scripts" warning in `aube install` output is the cost.
+pnpm-workspace.yaml

.npmrc

@@ -0,0 +1,11 @@
+# Forces a flat npm-style `node_modules/` layout instead of
+# aube's default symlink/virtual-store. Required for
+# deterministic `dist/index.js.map` source-map paths in CI:
+# without flat layout, rollup embeds absolute paths into
+# aube's per-user cache dir (`/home/runner/.cache/aube/...`),
+# which differ across machines and break the `check-dist`
+# workflow's byte-equality check.
+#
+# npm reads `.npmrc` too but ignores `node-linker` (npm
+# always installs flat), so the file is safe for both PMs.
+node-linker=hoisted

CLAUDE.md

@@ -8,20 +8,28 @@ This is a GitHub Action that installs and configures mise, a polyglot runtime ma
 
 ## Development Commands
 
+This project uses [aube](https://aube.en.dev) as its package
+manager (en.dev's pnpm-compat PM, native Rust). It reads
+`package-lock.json` directly — no separate `aube-lock.yaml`.
+`mise install` will install the pinned aube version
+automatically; you can also use `npm` if you prefer (the
+`.npmrc`'s `node-linker=hoisted` pin is aube-specific and
+ignored by npm).
+
 ```bash
 # Install dependencies
-npm install
+aube install
 
 # Build, format, lint, and package
-npm run all
+aubr all
 
 # Individual commands
-npm run format:write  # Format code with Prettier
+aubr format:write  # Format code with Prettier
-npm run lint         # Run ESLint and format check
+aubr lint         # Run ESLint and format check
-npm run package      # Bundle with ncc for distribution
+aubr package      # Bundle with rollup for distribution
 
 # Testing
-npm run all          # Run full build pipeline
+aubr all          # Run full build pipeline
 ./scripts/test.sh     # Integration test script
 ```
 
@@ -50,6 +58,6 @@ The action follows GitHub's standard TypeScript action structure:
 
 ## Important Notes
 
-- Always run `npm run all` before committing to ensure dist/ is updated
+- Always run `aubr all` before committing to ensure dist/ is updated
 - The dist/ folder must be committed as GitHub Actions runs the compiled code
 - Test changes using the action itself (uses: ./) in test workflows

README.md

@@ -68,7 +68,7 @@ When using `cache_key`, you can use template variables to reference internal val
 Available template variables:
 - `{{version}}` - The mise version (from the `version` input)
 - `{{cache_key_prefix}}` - The cache key prefix (from `cache_key_prefix` input or default)
-- `{{platform}}` - The target platform (e.g., "linux-x64", "macos-arm64")
+- `{{platform}}` - The target platform, including the runner image (e.g., "linux-x64-ubuntu24", "macos-arm64-macos15", "linux-x64-self-hosted"). The trailing segment is `process.env.ImageOS` on github-hosted runners and falls back to `"self-hosted"` elsewhere — preventing cache collisions when the same repo runs on different runner providers (github-hosted, namespace.so, self-hosted).
 - `{{file_hash}}` - Hash of all mise configuration files
 - `{{mise_env}}` - The MISE_ENV environment variable value
 - `{{install_args_hash}}` - SHA256 hash of the sorted tools from install args

action.yml

@@ -85,6 +85,36 @@ inputs:
     description: "Automatically load mise env vars into GITHUB_ENV. Note that PATH modifications are not part of this."
     required: false
     default: "true"
+  wings_enabled:
+    description: |
+      [experimental] Opt in to the mise-wings asset cache
+      (https://mise-wings.en.dev) for this action invocation.
+
+      When `true`, the action exports `MISE_WINGS_ENABLED=1` so
+      the installed mise binary routes tool-install URLs (npm
+      tarballs, GitHub release artifacts) through the per-org
+      wings cache subdomains.
+
+      Authentication is automatic via the runner's GitHub OIDC
+      identity — no `mise wings login` step, no long-lived
+      secret to rotate. The workflow must declare
+      `permissions: id-token: write` so the OIDC token-issuer
+      env vars are populated; without that, mise falls through
+      to direct-origin fetches transparently.
+
+      Default `false` is the conservative posture: a workflow
+      with `id-token: write` (used for SLSA / AWS-OIDC /
+      Sigstore / etc.) should not have its OIDC token sent to
+      a third-party cache without explicit opt-in. Older mise
+      binaries that don't speak wings ignore the env var
+      entirely, so this is forward-compatible.
+
+      Requires an active mise-wings subscription on the Clerk
+      org linked to the GitHub org running the workflow;
+      without one, the proxy 402s and mise leaves the cache
+      off without affecting the workflow's success.
+    required: false
+    default: "false"
 outputs:
   cache-hit:
     description: A boolean value to indicate if a cache was hit.

mise.lock

@@ -0,0 +1,166 @@
+# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
+
+[[tools.aube]]
+version = "1.6.2"
+backend = "github:endevco/aube"
+
+[tools.aube."platforms.linux-arm64"]
+checksum = "sha256:1c47d2c0a50cf80f49aedcc2f58ce8abcbdf763092e772c8961c6e5b18916e8b"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-aarch64-unknown-linux-gnu.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164231"
+provenance = "github-attestations"
+
+[tools.aube."platforms.linux-arm64-musl"]
+checksum = "sha256:9780776921db3a54fc3237f50b9686489d93115e26584c7a85d54ce96a8e9b39"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-aarch64-unknown-linux-musl.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164229"
+provenance = "github-attestations"
+
+[tools.aube."platforms.linux-x64"]
+checksum = "sha256:16fcc40dfbaac110ce8f4e88728a440f2366094a45fd6c189bcbcc2b3ea31f06"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-x86_64-unknown-linux-gnu.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164107"
+provenance = "github-attestations"
+
+[tools.aube."platforms.linux-x64-musl"]
+checksum = "sha256:2ee3821fd62b56bb39cb2ceffe6ad38975e35f82311ca7f9ec6ee28bc6d284b8"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-x86_64-unknown-linux-musl.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164199"
+provenance = "github-attestations"
+
+[tools.aube."platforms.macos-arm64"]
+checksum = "sha256:4ce92482500f77f0779f288328cb7411f7ae2441b8618eae36a2ab5ea7591a32"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-aarch64-apple-darwin.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410166750"
+provenance = "github-attestations"
+
+[tools.aube."platforms.windows-x64"]
+checksum = "sha256:916594efae8f8b59fc898913f96d199a21d212c7037043853ee04df7264611d0"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-x86_64-pc-windows-msvc.zip"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410174742"
+provenance = "github-attestations"
+
+[[tools.communique]]
+version = "1.1.2"
+backend = "github:jdx/communique"
+
+[tools.communique."platforms.linux-arm64"]
+checksum = "sha256:7bb0843207fc3d7b5df2a5c0198bb10539cf13a6b247b4adfbf6b302a68f03de"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-aarch64-unknown-linux-gnu.tar.gz"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964161"
+
+[tools.communique."platforms.linux-arm64-musl"]
+checksum = "sha256:b663407be77a370c209df40307b82e436f56a6bc23d4e423510d62ac6e1fedf4"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-aarch64-unknown-linux-musl.tar.gz"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964743"
+
+[tools.communique."platforms.linux-x64"]
+checksum = "sha256:5e74ead7037f42940c7dba4f6aa4ed968920cbb55a047aa0d291b0c675c65676"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-x86_64-unknown-linux-gnu.tar.gz"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405963914"
+provenance = "github-attestations"
+
+[tools.communique."platforms.linux-x64-musl"]
+checksum = "sha256:01a6a8b49e635a5a209fdaf6c7b2e976374debc2db1c846c033f567fdba0d86c"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-x86_64-unknown-linux-musl.tar.gz"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964691"
+
+[tools.communique."platforms.macos-arm64"]
+checksum = "sha256:459993e31a6c4ccbd09882f5679a2bc1ea5d9068701ecefc411a00fb69ce82e6"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-aarch64-apple-darwin.tar.gz"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964098"
+
+[tools.communique."platforms.windows-x64"]
+checksum = "sha256:3cc0e880ac2168aed3163223627bbd1eee62e07a9901cb85cb507c6c8927bc93"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-x86_64-pc-windows-msvc.zip"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964430"
+
+[[tools.gh]]
+version = "2.92.0"
+backend = "aqua:cli/cli"
+
+[tools.gh."platforms.linux-arm64"]
+checksum = "sha256:c2248526dd0160c08d3fccca2332c3c1a07c15a78b23978e77735f1b5a18cfee"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_arm64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.linux-arm64-musl"]
+checksum = "sha256:c2248526dd0160c08d3fccca2332c3c1a07c15a78b23978e77735f1b5a18cfee"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_arm64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.linux-x64"]
+checksum = "sha256:b57848131bdf0c229cd35e1f2a51aa718199858b2e728410b37e89a428943ec4"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_amd64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.linux-x64-musl"]
+checksum = "sha256:b57848131bdf0c229cd35e1f2a51aa718199858b2e728410b37e89a428943ec4"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_amd64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.macos-arm64"]
+checksum = "sha256:b11c54f6bd7d15ed6590475079e5b2fcf36f45d3991a80041b29c9d0cc1f1d07"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_macOS_arm64.zip"
+provenance = "github-attestations"
+
+[tools.gh."platforms.windows-x64"]
+checksum = "sha256:b6a8df3c8c6b9c80f290906387673bc4d272840f3789c5650e0e4e6e75522785"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_windows_amd64.zip"
+provenance = "github-attestations"
+
+[[tools.git-cliff]]
+version = "2.13.1"
+backend = "aqua:orhun/git-cliff"
+
+[tools.git-cliff."platforms.linux-arm64"]
+checksum = "sha256:4054c124b926c117f3fa048939bc8be0a954f29f3b6f367627e8cb22c1971882"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.linux-arm64-musl"]
+checksum = "sha256:4054c124b926c117f3fa048939bc8be0a954f29f3b6f367627e8cb22c1971882"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.linux-x64"]
+checksum = "sha256:200d2535da6d9703f3bcc8a4d159c3b55eacdb01cf2148c55b3eee9dd04d5249"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.linux-x64-musl"]
+checksum = "sha256:200d2535da6d9703f3bcc8a4d159c3b55eacdb01cf2148c55b3eee9dd04d5249"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.macos-arm64"]
+checksum = "sha256:21547ae4a0421164070ab75c2522864ea5565858a011fabc5f583061b20f1226"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-apple-darwin.tar.gz"
+
+[tools.git-cliff."platforms.windows-x64"]
+checksum = "sha256:3ae3a5549e85c7ad5b20192ebcfee4371269deca51255f6f2f2e051c6541f5ca"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-pc-windows-msvc.zip"
+
+[[tools.node]]
+version = "24.15.0"
+backend = "core:node"
+
+[tools.node."platforms.linux-arm64"]
+checksum = "sha256:73afc234d558c24919875f51c2d1ea002a2ada4ea6f83601a383869fefa64eed"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-linux-arm64.tar.gz"
+
+[tools.node."platforms.linux-arm64-musl"]
+checksum = "sha256:31e98aa960a067da91edffd5d93bc46657b5d2a8029612c359f5f2ac0060152a"
+url = "https://unofficial-builds.nodejs.org/download/release/v24.15.0/node-v24.15.0-linux-arm64-musl.tar.gz"
+
+[tools.node."platforms.linux-x64"]
+checksum = "sha256:44836872d9aec49f1e6b52a9a922872db9a2b02d235a616a5681b6a85fec8d89"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-linux-x64.tar.gz"
+
+[tools.node."platforms.linux-x64-musl"]
+checksum = "sha256:f55af5bd489c5347b113ca6594cae00a54b30ba57ac5875324311bfc6f4762e3"
+url = "https://unofficial-builds.nodejs.org/download/release/v24.15.0/node-v24.15.0-linux-x64-musl.tar.gz"
+
+[tools.node."platforms.macos-arm64"]
+checksum = "sha256:372331b969779ab5d15b949884fc6eaf88d5afe87bde8ba881d6400b9100ffc4"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-darwin-arm64.tar.gz"
+
+[tools.node."platforms.windows-x64"]
+checksum = "sha256:cc5149eabd53779ce1e7bdc5401643622d0c7e6800ade18928a767e940bb0e62"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-win-x64.zip"

mise.toml

@@ -1,12 +1,14 @@
-tasks.pre-commit = ["npm run all", "git add dist"]
+tasks.pre-commit = ["aubr all", "git add dist"]
 tasks.test.alias = ["t"]
-tasks.test.run = ["npm run all"]
+tasks.test.run = ["aubr all"]
-tasks.lint = "bun run lint"
+tasks.lint = "aubr lint"
-tasks."lint:fix" = "bun run format:write"
+tasks."lint:fix" = "aubr format:write"
-tasks.version = "npm version"
+tasks.version = "aube version"
 tasks.release-plz = "./scripts/release-plz.sh"
 
 [tools]
 node = '24'
+aube = 'v1.9.1'
 git-cliff = 'latest'
 gh = 'latest'
+communique = 'latest'

package.json

@@ -3,6 +3,7 @@
   "description": "mise tool setup action",
   "version": "4.0.1",
   "author": "jdx",
+  "type": "module",
   "private": true,
   "repository": {
     "type": "git",
@@ -21,34 +22,46 @@
     "bundle": "npm run format:write && npm run package",
     "format:check": "prettier --check **/*.ts",
     "format:write": "prettier --write **/*.ts",
-    "lint": "npx eslint . && npm run format:check",
+    "lint": "eslint . && npm run format:check",
-    "package": "ncc build -s src/index.ts --license licenses.txt",
+    "package": "rimraf ./dist && rollup --config rollup.config.mjs",
     "package:watch": "npm run package -- --watch",
     "version": "./scripts/version.sh",
     "prepare": "husky"
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/cache": "^4.0.0",
+    "@actions/cache": "^6.0.0",
-    "@actions/core": "^1.11.1",
+    "@actions/core": "^3.0.0",
-    "@actions/exec": "^1.1.1",
+    "@actions/exec": "^3.0.0",
-    "@actions/glob": "^0.5.0",
+    "@actions/glob": "^0.7.0",
+    "@actions/io": "^3.0.0",
     "@types/handlebars": "^4.0.40",
     "handlebars": "^4.7.8"
   },
   "devDependencies": {
     "@eslint/eslintrc": "^3.2.0",
-    "@eslint/js": "^9.15.0",
+    "@eslint/js": "^10.0.0",
+    "@rollup/plugin-commonjs": "^29.0.0",
+    "@rollup/plugin-json": "^6.1.0",
+    "@rollup/plugin-node-resolve": "^16.0.0",
+    "@rollup/plugin-typescript": "^12.0.0",
     "@types/eslint__js": "^8.42.3",
     "@types/node": "^24",
-    "@vercel/ncc": "^0.38.3",
+    "eslint": "^10.0.0",
-    "eslint": "^9.15.0",
+    "globals": "^17.0.0",
-    "globals": "^16.0.0",
     "husky": "^9.1.7",
     "jest": "^30",
     "js-yaml": "^4.1.0",
     "prettier": "^3.4.1",
-    "typescript": "^5.7.2",
+    "rimraf": "^6.0.0",
+    "rollup": "^4.0.0",
+    "rollup-plugin-license": "^3.7.1",
+    "typescript": "^6.0.0",
     "typescript-eslint": "^8.16.0"
+  },
+  "aube": {
+    "allowBuilds": {
+      "unrs-resolver": false
+    }
   }
 }

rollup.config.mjs

@@ -0,0 +1,29 @@
+import commonjs from '@rollup/plugin-commonjs'
+import json from '@rollup/plugin-json'
+import nodeResolve from '@rollup/plugin-node-resolve'
+import typescript from '@rollup/plugin-typescript'
+import license from 'rollup-plugin-license'
+import path from 'path'
+
+const config = {
+  input: 'src/index.ts',
+  output: {
+    esModule: true,
+    file: 'dist/index.js',
+    format: 'es',
+    sourcemap: true
+  },
+  plugins: [
+    typescript(),
+    nodeResolve({ preferBuiltins: true }),
+    commonjs({ ignoreTryCatch: false }),
+    json(),
+    license({
+      thirdParty: {
+        output: path.resolve('dist', 'licenses.txt')
+      }
+    })
+  ]
+}
+
+export default config

scripts/postversion.sh

@@ -4,6 +4,11 @@ set -euxo pipefail
 VERSION=$(jq -r .version package.json)
 MAJOR_VERSION=$(echo "$VERSION" | cut -d. -f1)
 
+# Configure git to use gh's credential helper. The checkout step uses
+# persist-credentials: false (per zizmor's artipacked audit), so the
+# token isn't written to .git/config and raw `git push` would 403.
+gh auth setup-git
+
 # create the version tag (allow it to fail if it already exists)
 git tag "v$VERSION" || echo "Tag v$VERSION already exists locally"
 

scripts/release-plz.sh

@@ -47,6 +47,11 @@ if [ -n "$latest_release_version" ] && [ "$cur_pkg_version" = "$latest_release_v
 	git config user.name mise-en-dev
 	git config user.email 123107610+mise-en-dev@users.noreply.github.com
 
+	# Configure git to use gh's credential helper. The checkout step uses
+	# persist-credentials: false (per zizmor's artipacked audit), so the
+	# token isn't written to .git/config and raw `git push` would 403.
+	gh auth setup-git
+
 	# Create a PR with the version bump
 	npm version "${version#v}" --no-git-tag-version
 

src/index.ts

@@ -54,6 +54,25 @@ async function run(): Promise<void> {
       core.setOutput('cache-hit', false)
     }
 
+    // Wings opt-in hook (experimental). When
+    // `wings_enabled: true` is set, this exports
+    // `MISE_WINGS_ENABLED=1` so subsequent `mise install`
+    // commands in this workflow route through the wings
+    // cache. Default `false` so workflows with
+    // `id-token: write` (used for SLSA / AWS-OIDC / Sigstore /
+    // etc.) don't silently send the runner's OIDC token to
+    // a third-party cache without explicit consent.
+    //
+    // Note: `setupMise` fetches the mise binary itself with
+    // `curl`, which doesn't go through mise's HTTP layer —
+    // the wings rewriter only kicks in once the resulting
+    // mise binary runs `mise install` and friends. Ordering
+    // here is irrelevant for binary acceleration; we just
+    // want the env var set before any `mise` subcommand
+    // runs. Greptile + Gemini both flagged the previous
+    // comment as overstating what the early call accelerates.
+    setupWings()
+
     const version = core.getInput('version')
     const fetchFromGitHub = core.getBooleanInput('fetch_from_github')
     await setupMise(version, fetchFromGitHub)
@@ -79,6 +98,49 @@ async function run(): Promise<void> {
   }
 }
 
+/**
+ * Opt in to mise-wings caching for this workflow run. When
+ * `wings_enabled: true`, exports `MISE_WINGS_ENABLED=1` so
+ * subsequent `mise install` commands route through the
+ * cache.
+ *
+ * Mise itself owns the OIDC → wings session exchange — when
+ * it sees `MISE_WINGS_ENABLED=1` and the GHA OIDC env vars
+ * (`ACTIONS_ID_TOKEN_REQUEST_URL` +
+ * `ACTIONS_ID_TOKEN_REQUEST_TOKEN`), it fetches the runner's
+ * OIDC token, exchanges it at the proxy's `POST /auth`
+ * route, and caches the resulting session JWT for the rest
+ * of the process.
+ *
+ * Pre-flight check: `id-token: write` permission must be
+ * declared at the workflow or job level for the OIDC env
+ * vars to be present. We log a warning when wings is
+ * enabled but the env vars are absent — without this hint,
+ * the user sees a transparent "wings configured but doing
+ * nothing" which is hard to debug.
+ */
+function setupWings(): void {
+  if (!core.getBooleanInput('wings_enabled')) {
+    return
+  }
+  core.exportVariable('MISE_WINGS_ENABLED', '1')
+  core.info(
+    "mise-wings: enabled. mise will exchange the runner's OIDC token for a wings session on first use."
+  )
+
+  const oidcUrl = process.env.ACTIONS_ID_TOKEN_REQUEST_URL
+  const oidcToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN
+  if (!oidcUrl || !oidcToken) {
+    core.warning(
+      'mise-wings: GHA OIDC env vars are missing. Add ' +
+        '`permissions: id-token: write` at the workflow or job ' +
+        'level so the runner can mint OIDC tokens. Without this, ' +
+        'mise falls through to direct-origin fetches and the cache ' +
+        'is bypassed.'
+    )
+  }
+}
+
 async function exportMiseEnv(): Promise<void> {
   core.startGroup('Exporting mise environment variables')
 
@@ -234,6 +296,8 @@ async function setupMise(
     miseBinDir,
     process.platform === 'win32' ? 'mise.exe' : 'mise'
   )
+  const miseShimPath = path.join(miseBinDir, 'mise-shim.exe')
+  let installedVersion: string | undefined
   if (!fs.existsSync(path.join(miseBinPath))) {
     core.startGroup(version ? `Download mise@${version}` : 'Setup mise')
     await fs.promises.mkdir(miseBinDir, { recursive: true })
@@ -254,13 +318,16 @@ async function setupMise(
     } else {
       url = `https://github.com/jdx/mise/releases/download/v${resolvedVersion}/mise-v${resolvedVersion}-${await getTarget()}${ext}`
     }
-    const archivePath = path.join(os.tmpdir(), `mise${ext}`)
+    installedVersion = resolvedVersion
     switch (ext) {
-      case '.zip':
+      case '.zip': {
-        await exec.exec('curl', ['-fsSL', url, '--output', archivePath])
+        await withExtractedZip(url, 'mise.zip', async extractDir => {
-        await exec.exec('unzip', [archivePath, '-d', os.tmpdir()])
+          const extractedMiseBinDir = path.join(extractDir, 'mise', 'bin')
-        await io.mv(path.join(os.tmpdir(), 'mise/bin/mise.exe'), miseBinPath)
+          await io.mv(path.join(extractedMiseBinDir, 'mise.exe'), miseBinPath)
+          await installWindowsMiseShim(extractedMiseBinDir, miseShimPath)
+        })
         break
+      }
       case '.tar.zst':
         await exec.exec('sh', [
           '-c',
@@ -281,24 +348,20 @@ async function setupMise(
   } else {
     const requestedVersion = cleanVersion(core.getInput('version'))
     if (requestedVersion !== '') {
-      const versionOutput = await exec.getExecOutput(
+      installedVersion = await getInstalledMiseVersion(miseBinPath)
-        miseBinPath,
+      if (requestedVersion === installedVersion) {
-        ['version', '--json'],
-        { silent: true }
-      )
-      const versionJson = JSON.parse(versionOutput.stdout)
-      const version = cleanVersion(versionJson.version.split(' ')[0])
-      if (requestedVersion === version) {
         core.info(`mise already installed`)
       } else {
         core.info(
-          `mise already installed (${version}), but different version requested (${requestedVersion})`
+          `mise already installed (${installedVersion}), but different version requested (${requestedVersion})`
         )
         await exec.exec(miseBinPath, ['self-update', requestedVersion, '-y'])
         core.info(`mise updated to version ${requestedVersion}`)
+        installedVersion = requestedVersion
       }
     }
   }
+  await ensureWindowsMiseShim(miseBinPath, miseShimPath, installedVersion)
   // compare with provided hash
   const want = core.getInput('sha256')
   if (want) {
@@ -315,6 +378,86 @@ async function setupMise(
   core.addPath(miseBinDir)
 }
 
+async function withExtractedZip(
+  url: string,
+  archiveName: string,
+  fn: (extractDir: string) => Promise<void>
+): Promise<void> {
+  const tempDir = await fs.promises.mkdtemp(
+    path.join(os.tmpdir(), 'mise-action-')
+  )
+  try {
+    const archivePath = path.join(tempDir, archiveName)
+    const extractDir = path.join(tempDir, 'extract')
+
+    await exec.exec('curl', ['-fsSL', url, '--output', archivePath])
+    await exec.exec('unzip', [archivePath, '-d', extractDir])
+    await fn(extractDir)
+  } finally {
+    await io.rmRF(tempDir)
+  }
+}
+
+async function installWindowsMiseShim(
+  extractedMiseBinDir: string,
+  miseShimPath: string
+): Promise<void> {
+  if (process.platform !== 'win32') return
+
+  const extractedMiseShimPath = path.join(extractedMiseBinDir, 'mise-shim.exe')
+  if (!fs.existsSync(extractedMiseShimPath)) {
+    core.info('mise-shim.exe not found in the mise archive; skipping')
+    return
+  }
+
+  await io.mv(extractedMiseShimPath, miseShimPath)
+}
+
+async function ensureWindowsMiseShim(
+  miseBinPath: string,
+  miseShimPath: string,
+  version?: string
+): Promise<void> {
+  if (process.platform !== 'win32') return
+  if (fs.existsSync(miseShimPath)) return
+
+  core.info(
+    'mise-shim.exe not found next to mise.exe; installing it from the matching release archive'
+  )
+
+  try {
+    const installedVersion =
+      version || (await getInstalledMiseVersion(miseBinPath))
+    const archiveName = `mise-v${installedVersion}-${await getTarget()}.zip`
+    const url = `https://github.com/jdx/mise/releases/download/v${installedVersion}/${archiveName}`
+
+    await withExtractedZip(url, archiveName, async extractDir => {
+      await installWindowsMiseShim(
+        path.join(extractDir, 'mise', 'bin'),
+        miseShimPath
+      )
+    })
+  } catch (err) {
+    core.warning(
+      `Failed to install mise-shim.exe: ${errorMessage(err)}. Continuing because mise can fall back to file shim mode on Windows.`
+    )
+  }
+}
+
+async function getInstalledMiseVersion(miseBinPath: string): Promise<string> {
+  const versionOutput = await exec.getExecOutput(
+    miseBinPath,
+    ['version', '--json'],
+    { silent: true }
+  )
+  const versionJson = JSON.parse(versionOutput.stdout) as { version: string }
+  return cleanVersion(versionJson.version.split(' ')[0])
+}
+
+function errorMessage(err: unknown): string {
+  return err instanceof Error ? err.message : String(err)
+}
+
 async function zstdInstalled(): Promise<boolean> {
   try {
     await exec.exec('zstd', ['--version'])
@@ -421,11 +564,7 @@ async function saveCache(cacheKey: string): Promise<void> {
 }
 
 async function getTarget(): Promise<string> {
-  let { arch } = process
+  const arch = process.arch === 'arm' ? 'armv7' : process.arch
-
-  // quick overwrite to abide by release format
-  if (arch === 'arm') arch = 'armv7' as NodeJS.Architecture
-
   switch (process.platform) {
     case 'darwin':
       return `macos-${arch}`
@@ -438,13 +577,25 @@ async function getTarget(): Promise<string> {
   }
 }
 
+/**
+ * Identifies the runner image so cached binaries from one provider
+ * (github-hosted, namespace.so, BuildJet, self-hosted) aren't restored
+ * onto another provider's image where their compiled-in paths and libc
+ * versions don't match. GitHub-hosted images export `ImageOS`
+ * (e.g. "macos15", "ubuntu24"); other runners leave it unset and pool
+ * under "self-hosted".
+ */
+function getRunnerImageId(): string {
+  return process.env.ImageOS || 'self-hosted'
+}
+
 async function processCacheKeyTemplate(template: string): Promise<string> {
   // Get all available variables
   const version = core.getInput('version')
   const installArgs = core.getInput('install_args')
   const cacheKeyPrefix = core.getInput('cache_key_prefix') || 'mise-v1'
   const miseEnv = process.env.MISE_ENV?.replace(/,/g, '-')
-  const platform = await getTarget()
+  const platform = `${await getTarget()}-${getRunnerImageId()}`
 
   // Calculate file hash
   const fileHash = await glob.hashFiles(MISE_CONFIG_FILE_PATTERNS.join('\n'))

tsconfig.json

@@ -13,7 +13,9 @@
     "forceConsistentCasingInFileNames": true,
     "strict": true,
     "skipLibCheck": true,
-    "newLine": "lf"
+    "newLine": "lf",
+    "isolatedModules": true,
+    "allowSyntheticDefaultImports": true
   },
   "exclude": ["./dist", "./node_modules", "./__tests__", "./coverage"]
 }