Releases: jdx/aube

v1.21.0: Sharper pnpm lockfile parity

14 Jun 00:23
@jdx jdx
c0f6b22
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified

A pnpm-parity polish release: lockfiles now carry the two top-level integrity checksums pnpm writes, root projects under sharedWorkspaceLockfile: false get their own lockfile back, and a handful of install correctness/UX bugs around peer-suffixed source deps and the progress bar are squared away.

Added

  • packageExtensionsChecksum and pnpmfileChecksum in pnpm-lock.yaml (#883 by @rubnogueira): aube now computes and emits the two top-level integrity keys pnpm uses to guard the effective packageExtensions map and the active .pnpmfile.cjs/.pnpmfile.mjs. The implementation is a faithful Rust port of the object-hash npm package with pnpm's exact options (respectType: false, sha256, base64, unordered arrays/objects/sets), placed immediately after overrides: and before importers: with the right blank-line separation. The result is byte-identical to pnpm on real workspaces, so round-tripping a lockfile between pnpm and aube no longer produces a gratuitous diff. aube-lock.yaml output is unchanged, and workspaces without packageExtensions or a pnpmfile omit the keys entirely. A new WARN_AUBE_PNPMFILE_CHECKSUM_FAILED covers the best-effort case where a pnpmfile can't be read for hashing.

Fixed

  • Source deps with peer context no longer crash linking (#885 by @rubnogueira): Fresh aube install --force runs that pulled a git or remote-tarball dependency which acquired a peer-context suffix (e.g. some-pkg@git+<sha>(react@18.2.0)) could fail with ERR_AUBE_MISSING_PACKAGE_INDEX. The streaming fetch keys those indices under the canonical source coordinate, but the resolver's peer-context post-pass rewrites the dep_path to include (peer@ver) or a hashed _<10hex> marker; remap_indices_to_contextualized never stripped the suffix back off, so the index was dropped. It now strips both suffix forms to recover the canonical key.

  • Root workspace lockfile written under sharedWorkspaceLockfile: false (#882 by @rubnogueira): The per-project lockfile writer explicitly skipped the . importer, so the root's own pnpm-lock.yaml (containing the root package's dependencies) silently disappeared after install. The root is now written like any other project, resolving to the workspace root directory, with existing-format preservation intact, so there is no surprise aube-lock.yaml next to a pnpm-lock.yaml. Filtered installs additionally only rewrite lockfiles for the selected project(s). This brings the per-project path in line with pnpm's shared-workspace-lockfile=false behavior.

  • Progress bar no longer overshoots on workspace:/link: deps (#884 by @rubnogueira): A monorepo install (most visibly after aube clean) could finish with reused > resolved and emit WARN_AUBE_PROGRESS_OVERFLOW. Link deps were credited to reused once in the streaming pass and then a second time by the post-filter_graph catch-up fetch, which selected work purely by absence from indices, and link deps never populate indices. The catch-up is now scoped to non-local packages (where it belongs), and the CI summary clamps reused + downloaded <= resolved as a guard against future counter races.

  • @endevco/aube npm scope restored (#887 by @jdx): The npm publish identity was inadvertently renamed to @jdx/aube in the v1.18.2 path, but that package isn't published, breaking publish-npm. The root package, generated platform sub-packages (@endevco/aube-<os>-<arch>), the preinstall lookup, and install docs are all back on @endevco, matching what users actually install.

Full Changelog: v1.20.0...v1.21.0

💚 Sponsor aube

aube is part of jdx.dev, an independent developer-tooling studio run by @jdx, also behind mise. Work on aube is funded entirely by sponsors.

If aube is saving your team install time or CI minutes, please consider sponsoring at jdx.dev. Individual and company sponsorships are what keep the project fast, free, and independent.

Contributors

jdx and rubnogueira

v1.20.0: npm env parity & global virtual store fixes

13 Jun 19:03
@jdx jdx
bfcd123

A tighter pnpm-parity release: scripts now see the full npm_* environment pnpm exports, git/tarball deps materialize correctly under the global virtual store, and per-project lockfiles in workspaces keep their original format. Plus a new Embedder profile that lets downstream tools drive aube's command layer as their own package-manager engine.

Added

  • Full pnpm npm_* env parity for lifecycle & aube run scripts (#879 by @rubnogueira): Scripts now receive npm_execpath, npm_node_execpath, npm_package_json, npm_command, npm_config_node_gyp, npm_lifecycle_script, and the full deep-flattened npm_package_* set (including engines, config, and bin), envified with pnpm's exact allowlist and casing. PM-detection bridges and build tooling that branch on these vars now behave identically under aube.

    • npm_command is stamped per command family (run-script, install, rebuild, pack) and re-asserted at the spawn site so a preceding auto-install can't clobber it.
    • npm_config_node_gyp points at a lazy, dependency-free node-gyp stand-in in aube's cache that bootstraps the real node-gyp only when a tool actually invokes it.
    • npm_node_execpath/NODE fall back to the ambient node on PATH when no runtime switch is active, so they're always populated.
    • Manifest-derived vars are applied after the build jail's env_clear, so jailed dependency builds see them too. Diffed byte-for-byte against pnpm 11.5.
  • Embeddable Embedder profile (#862 by @colinhacks): A compile-time pluggability foundation that exposes aube's command layer as a library and lets downstream tools register a &'static Embedder profile controlling aube's name, version, lockfile filename, cache/data namespaces, env-var prefix, user-agent, and workspace-yaml name, plus host-owned behavior toggles and embedder-supplied setting defaults. Standalone aube is unchanged: the default const AUBE profile reproduces every prior constant verbatim. Direct-command embedders call set_embedder once at startup; cli_main handles registration automatically.

Fixed

  • Preserve per-member lockfile format under sharedWorkspaceLockfile: false (#880 by @rubnogueira): aube install previously wrote a redundant aube-lock.yaml next to a member's existing pnpm-lock.yaml because the per-project writer applied a single format detected at the workspace root to every member. Each member's existing lockfile format is now detected individually; only members with no lockfile fall back to the workspace default. This brings the per-project path in line with add/remove/update and with pnpm's shared-workspace-lockfile=false behavior.

  • Resolve git & remote-tarball deps in the global virtual store (#857 by @rubnogueira): With enableGlobalVirtualStore: true, a registry package depending on a git or remote-tarball dependency previously got a dangling sibling symlink, surfacing as runtime errors like TypeError: Cannot read properties of undefined (reading 'prototype') for the canonical request-promise → request-promise-core chain. Two defects were fixed:

    • Shareable local sources (git, remote tarball) are now materialized into the shared store like registry packages, not just into the per-project .aube/.
    • Sibling lookups now canonicalize git/tarball specs to the same dep_path the package itself is keyed under (promoting #committish → resolved, stripping pnpm's (peer@ver) suffix), so the symlink resolves.

    Self-healing: the install clears stale per-project entries left by older aube versions. Non-GVS installs are unaffected.
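An added illustration, not aube's own code, of the canonical-key recovery behind #885 (strip both peer-context suffix shapes) and of the sibling-lookup canonicalization in #857 (promote `#committish` to the resolved commit before the lookup): the function names, the constructed index and the assumed `<spec>#<sha>` shape of a resolved git key are mine, not the project's.

```rust
use std::collections::HashMap;
use std::path::PathBuf;

/// Strip the peer-context suffix the resolver's post-pass appends to a dep_path
/// and return the canonical key the streaming fetch stored the index under.
/// Two suffix shapes are handled, both taken from the release notes:
///   some-pkg@git+<sha>(react@18.2.0)(react-dom@18.2.0)   parenthesised peers
///   some-pkg@git+<sha>_0123456789                        hashed 10-hex marker
pub fn strip_peer_context(dep_path: &str) -> &str {
    let mut s = dep_path;
    // Peel trailing "(name@range)" groups. A group without '@' is not a peer
    // group (a parenthesised path segment in a tarball URL, say) and stays.
    while s.ends_with(')') {
        match s.rfind('(') {
            Some(open) if s[open + 1..s.len() - 1].contains('@') => s = &s[..open],
            _ => break,
        }
    }
    // Then a single "_" followed by exactly ten lowercase hex digits.
    if let Some(idx) = s.rfind('_') {
        let tail = &s[idx + 1..];
        let is_hex10 = tail.len() == 10
            && tail.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'));
        if is_hex10 {
            s = &s[..idx];
        }
    }
    s
}

/// Replace a user-authored `#committish` (branch, tag, short sha) on a git spec
/// with the resolved commit. Assumed canonical shape: `<spec>#<resolved>`.
pub fn promote_committish(spec: &str, resolved: &str) -> String {
    let base = spec.split_once('#').map_or(spec, |(base, _)| base);
    format!("{base}#{resolved}")
}

/// Canonicalise a (possibly contextualised, possibly committish-bearing)
/// request before a sibling lookup. `resolved` is the resolver's answer for
/// git specs; `None` for tarballs, which carry no committish.
pub fn canonical_key(requested: &str, resolved: Option<&str>) -> String {
    let stripped = strip_peer_context(requested);
    match resolved {
        Some(sha) if stripped.contains("git+") => promote_committish(stripped, sha),
        _ => stripped.to_string(),
    }
}

/// The lookup that failed before the fix: indices are keyed by canonical
/// dep_path, so a contextualised request must be canonicalised first.
pub fn lookup_index<'a>(
    indices: &'a HashMap<String, PathBuf>,
    requested: &str,
    resolved: Option<&str>,
) -> Option<&'a PathBuf> {
    indices.get(canonical_key(requested, resolved).as_str())
}

fn main() {
    // Constructed sample index, not real cache content.
    let mut indices = HashMap::new();
    indices.insert(
        "some-pkg@git+https://example.invalid/o/r.git#0123abc".to_string(),
        PathBuf::from("/cache/index/some-pkg-0123abc.json"),
    );
    let req = "some-pkg@git+https://example.invalid/o/r.git#main(react@18.2.0)";
    match lookup_index(&indices, req, Some("0123abc")) {
        Some(p) => println!("index for {req} -> {}", p.display()),
        None => println!("ERR_AUBE_MISSING_PACKAGE_INDEX for {req}"),
    }
}
```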

Full Changelog: v1.19.0...v1.20.0

Contributors

colinhacks and rubnogueira

v1.19.0: Node runtime switching, built in

12 Jun 00:16
@jdx jdx
ab844b5

The headline feature: aube now manages your project's Node.js version and aube's own version directly, with no shims, no shell activation, and no corepack dance. Pin Node via devEngines.runtime, .node-version, or .nvmrc and aube injects the right binary at every script and binary spawn. Pin aube via packageManager and aube re-execs itself under the requested version. Plus three install/scripts fixes around build approvals and override warnings.

Added

  • Node runtime switching (#861 by @jdx): Projects can pin Node through devEngines.runtime (pnpm 10.14+/11 compatible OpenJS spec), .node-version, or .nvmrc (searched upward, stopping at $HOME). Exact versions, ranges, lts, latest, and codenames like lts/jod all resolve. Resolution is zero-network on the hot path: PATH node → installed versions (mise installs at ~/.local/share/mise/installs/ reused read-only, plus aube's own ~/.local/share/aube/nodejs/) → download per the new runtimeInstaller setting (auto|mise|aube; auto delegates to mise install node@<exact> when mise is on PATH, falling back to a SHASUMS256-verified nodejs.org download honoring nodeDownloadMirrors.release). The switched Node is injected into aube run/aubr, aube exec (including node env shebangs), aubx/dlx (resolved from the original cwd), root + dep lifecycle scripts, and the build jail, and exported as npm_node_execpath/NODE. Projects with no pin behave exactly as before, with no node --version probe.

    // package.json
    {
      "devEngines": {
        "runtime": { "name": "node", "version": "22.11.0", "onFail": "error" }
      }
    }

    Engines interplay: engines.node/engineStrict now validate against the switched node. The new runtimeOnFail setting (download|error|warn|ignore) is the air-gapped-CI override; version files default to download, bare devEngines to the spec's error. Lockfile pins use pnpm 10.14+'s exact node@runtime: shape with per-platform URLs and sha256- integrity, and parsing them doubles as a compat fix for pnpm-11 lockfiles aube previously misread as registry deps.

  • aube runtime CLI (#861 by @jdx): aube runtime set node <version> (pnpm 11 parity: writes devEngines, installs, records the pin; -g delegates to mise use -g) and aube runtime list. aube doctor gains node-source, node-requested, node-provenance, and node-bin rows.

    aube runtime set node 22.11.0
    aube runtime list

  • aube self-version switching (#861 by @jdx): managePackageManagerVersions (previously a documented no-op, default on, pnpm 10 parity) now re-execs aube under the version requested by devEngines.packageManager (ranges) or packageManager: "aube@<exact>". The switch happens before dispatch, so aube install and any chained auto-installs run under the pinned binary, and it preserves the aube/aubr/aubx multicall name. A guard env degrades a broken install to a warning rather than an exec loop. Self-downloads are verified against GitHub's server-computed release asset digests (assets[].digest, tamper-evident under immutable releases), with release metadata served from mise-versions.jdx.dev (CDN-cached, no rate limits) and falling back to the GitHub API (honoring GITHUB_TOKEN/GH_TOKEN, scoped to api.github.com), .sha256 siblings for custom mirrors, then TLS-only. Setting managePackageManagerVersions=false restores the previous strict-validation behavior. Intel macOS has no published asset and errors with a pointer to mise.

Fixed

  • (scripts) Require exact source keys for non-registry build approvals (#858 by @jdx): Source-backed dependencies (file:, git:, raw tarballs) no longer inherit lifecycle build approval from bare package names or name@semver pins. They must be allowed via an exact source key, e.g. esbuild@file+abc123, with separate allowed_sources/denied_sources sets in BuildPolicy. Workspace onlyBuiltDependencies by name now correctly skips file: postinstalls until the source key is approved. Graph hashing also folds local source specifiers into the package id, so different file/git bytes at the same manifest version get distinct virtual-store hashes (with cascade to parents).

  • (scripts) Match pnpm-style URL source keys for build approvals (#860 by @jdx): Follow-up to #858: non-registry approval keys now use the pnpm-authored shapes (e.g. dep@file:vendor/dep or dep@<tarball-url>) instead of lockfile dep_path bases. allowBuilds keys that mix semver and URL/source specs in a || union are rejected (both orderings) with a clear error. Lifecycle-script docs and the generated allowBuilds settings reference now spell out the exact source-key shapes.

  • (install) Warn on deprecated $ override refs (#859 by @jdx): Merged overrides whose values start with pnpm's deprecated $ reference syntax now log WARN_AUBE_OVERRIDE_DOLLAR_REF_DEPRECATED, pointing users toward catalog entries. Resolution and drop behavior are unchanged; the existing WARN_AUBE_OVERRIDE_MISSING_DEP path still runs for unresolved $ refs.
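An added sketch, not aube's BuildPolicy, of the approval rule in #858 and the key parsing in #860 above: a source-backed dependency matches only its exact source key (with separate allowed and denied source sets), and an allowBuilds key whose `||` union mixes semver and source specs is rejected in either order. Type and method names are assumptions, and version pins are compared as exact strings here rather than as semver ranges.

```rust
use std::collections::HashSet;

/// One alternative of an allowBuilds key after splitting on "||".
#[derive(Debug, PartialEq, Clone)]
pub enum ApprovalKey {
    Name(String),                               // "esbuild": any registry version
    Version { name: String, spec: String },     // "esbuild@1.2.3" (exact compare; ranges omitted)
    Source { name: String, source: String },    // "esbuild@file:vendor/esbuild", "dep@<tarball-url>"
}

#[derive(Debug, PartialEq)]
pub enum KeyError {
    MixedUnion(String), // semver and URL/source alternatives in one "||" key (#860)
    Empty,
}

/// Non-registry spec shapes named in the notes: file:, git:, raw tarballs (plus link:).
fn is_source_spec(spec: &str) -> bool {
    ["file:", "link:", "git:", "git+", "http://", "https://"].iter().any(|p| spec.starts_with(*p))
        || spec.ends_with(".tgz") || spec.ends_with(".tar.gz")
}

/// Split "name@spec" or "@scope/name@spec" at the first '@' after the scope,
/// so a "git+ssh://git@host/..." spec is not split on its own '@'.
fn split_name_spec(key: &str) -> (&str, Option<&str>) {
    let start = usize::from(key.starts_with('@'));
    match key[start..].find('@') {
        Some(i) => (&key[..start + i], Some(&key[start + i + 1..])),
        None => (key, None),
    }
}

/// Parse one allowBuilds key; a union mixing semver and source specs is rejected in either order.
pub fn parse_approval_key(key: &str) -> Result<Vec<ApprovalKey>, KeyError> {
    let (name, spec) = split_name_spec(key.trim());
    if name.is_empty() { return Err(KeyError::Empty); }
    let spec = match spec { Some(s) => s, None => return Ok(vec![ApprovalKey::Name(name.to_string())]) };
    let alts: Vec<&str> = spec.split("||").map(str::trim).filter(|s| !s.is_empty()).collect();
    if alts.is_empty() { return Err(KeyError::Empty); }
    let sources = alts.iter().filter(|a| is_source_spec(a)).count();
    if sources != 0 && sources != alts.len() { return Err(KeyError::MixedUnion(key.to_string())); }
    Ok(alts.into_iter().map(|a| {
        let name = name.to_string();
        if is_source_spec(a) { ApprovalKey::Source { name, source: a.to_string() } }
        else { ApprovalKey::Version { name, spec: a.to_string() } }
    }).collect())
}

/// How the dependency actually resolved; the policy treats the two kinds differently.
pub enum Resolution<'a> { Registry { version: &'a str }, Source { source: &'a str } }

#[derive(Debug, PartialEq)]
pub enum Decision { Allowed, Denied, NeedsApproval }

#[derive(Default)]
pub struct BuildPolicy {
    allowed_names: HashSet<String>,
    allowed_versions: HashSet<(String, String)>,
    allowed_sources: HashSet<(String, String)>,
    denied_sources: HashSet<(String, String)>,
}

impl BuildPolicy {
    pub fn allow(&mut self, key: &str) -> Result<(), KeyError> {
        for alt in parse_approval_key(key)? {
            match alt {
                ApprovalKey::Name(n) => { self.allowed_names.insert(n); }
                ApprovalKey::Version { name, spec } => { self.allowed_versions.insert((name, spec)); }
                ApprovalKey::Source { name, source } => { self.allowed_sources.insert((name, source)); }
            }
        }
        Ok(())
    }

    pub fn deny_source(&mut self, name: &str, source: &str) {
        self.denied_sources.insert((name.to_string(), source.to_string()));
    }

    /// A source-backed dependency is approved only by its exact source key: neither a
    /// bare name nor a name@version entry carries over (the #858 rule). Denials win.
    pub fn decide(&self, name: &str, res: &Resolution<'_>) -> Decision {
        match res {
            Resolution::Source { source } => {
                let key = (name.to_string(), source.to_string());
                if self.denied_sources.contains(&key) { Decision::Denied }
                else if self.allowed_sources.contains(&key) { Decision::Allowed }
                else { Decision::NeedsApproval }
            }
            Resolution::Registry { version } => {
                let pinned = (name.to_string(), version.to_string());
                if self.allowed_names.contains(name) || self.allowed_versions.contains(&pinned) {
                    Decision::Allowed
                } else { Decision::NeedsApproval }
            }
        }
    }
}
```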

Changed

  • Refresh benchmarks for v1.18.2 (#851 by @mise-en-dev): Public warm-install ratios: vs Bun ×ば぀ (unchanged), vs pnpm ×ば぀ → ×ば぀. Repeat-test: vs Bun ×ば぀ (unchanged), vs pnpm ×ば぀ → ×ば぀. Absolute aube warm-install times moved from 272ms → 383ms on the refreshed run.

Full Changelog: v1.18.2...v1.19.0

Contributors

jdx and mise-en-dev

v1.18.2: Project moves to jdx

09 Jun 03:23
@jdx jdx
438b868

A maintenance release that completes aube's move from the endevco namespace to jdx. There are no behavior changes, but if you install aube from npm or Homebrew, the package coordinates have moved.

Changed

  • Project migrated to the jdx namespace (#845 by @jdx): Repository, docs, package metadata, and release pipelines now live under jdx. User-visible coordinates:

    Cargo.toml, README.md, SECURITY.md, LICENSE, generated CLI/settings/error-code references, Debian/PPA/COPR packaging, and the aube sponsors blurb all point at the new locations. No install, resolver, or lockfile behavior changed in this release.

Upgrading

If you install aube via npm or Homebrew, update the package name on your next install:

# npm
npm install -g @jdx/aube
# Homebrew
brew install jdx/tap/aube

Existing installs continue to work; only fresh installs need the new coordinates.

Full Changelog: v1.18.1...v1.18.2

Contributors

jdx

v1.18.1: Conflict-aware lockfiles and verified tarballs

07 Jun 18:53
@mise-en-dev mise-en-dev
021bb82

A small patch release focused on install robustness: lockfiles with Git merge conflict markers now recover gracefully, aube update --global works from anywhere, and lockfile tarball URLs are verified against the registry before download.

Fixed

  • (install) Regenerate conflicted lockfiles (#843 by @jdx): When aube-lock.yaml still contains Git conflict markers (<<<<<<<, =======, >>>>>>>), install now treats it as a recoverable prefer-frozen parse failure rather than aborting. It emits the new WARN_AUBE_LOCKFILE_CONFLICT_MARKERS warning and regenerates the lockfile from package.json, so a plain aube install after a messy merge just works.

  • (update) Support global updates (#840 by @jdx): aube update --global (and aube update -g <pkg>) now routes through the global install directory instead of requiring a project package.json, so it works from any directory, including outside a repo. Each global install runs the normal update pipeline with --latest and exact manifest pins, then bin shims are relinked and stale executables removed. Named packages resolve by alias; unknown names fail with not globally installed. When combined with a workspace --filter, --global takes precedence and leaves workspace manifests untouched. Fixes #839.

    aube update -g # update every globally installed tool
    aube update -g prettier # update a single global tool

Security

  • (install) Verify lockfile tarball URLs (#842 by @jdx): When the lockfile pins an explicit registry tarball URL (e.g. lockfile-include-tarball-url=true or npm-alias entries), install now fetches per-version registry metadata and compares dist.tarball to the lockfile URL before downloading. Mismatches abort with the new ERR_AUBE_TARBALL_URL_MISMATCH (exit 34). Exact matches pass, and lockfile URLs on registry.npmjs.org are still accepted on alternative hosts when the /-/...tgz path matches, so Verdaccio and other local mirrors continue to work, but tampered paths or arbitrary hosts impersonating npm are rejected.
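An added example, not aube's implementation, of the tarball-URL check in #842: compare the lockfile URL with the registry's dist.tarball, allow a different host only when the lockfile itself points at registry.npmjs.org and the `/-/...tgz` path is identical, and treat everything else as a mismatch. URL parsing is hand-rolled here, and the sample URLs (including the local Verdaccio-style mirror) are constructed.

```rust
use std::process::ExitCode;

/// Outcome of checking a lockfile-pinned tarball URL against the registry's
/// `dist.tarball` for that exact version.
#[derive(Debug, PartialEq)]
pub enum TarballCheck {
    ExactMatch,
    /// Lockfile points at registry.npmjs.org; the configured registry (a
    /// Verdaccio-style mirror) serves the same "/<name>/-/<file>.tgz" path.
    MirrorPathMatch,
    Mismatch { lockfile: String, registry: String },
}

const NPM_REGISTRY_HOST: &str = "registry.npmjs.org";

/// Minimal "scheme://[user@]host[:port]/path" split, so the check needs no
/// URL crate. Returns the lower-cased host and the path (query/fragment stripped).
fn host_and_path(url: &str) -> Option<(String, &str)> {
    let rest = url.split_once("://")?.1;
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, "/"),
    };
    let host = authority.rsplit('@').next()?.split(':').next()?;
    if host.is_empty() {
        return None;
    }
    let path = path.split(|c| c == '?' || c == '#').next()?;
    Some((host.to_ascii_lowercase(), path))
}

/// True for the canonical npm tarball layout "/<name>/-/<name>-<ver>.tgz"
/// (scoped: "/@scope/<name>/-/<name>-<ver>.tgz").
fn is_registry_tarball_path(path: &str) -> bool {
    path.contains("/-/") && path.ends_with(".tgz")
}

/// Decide whether a download may proceed. The exact comparison is the normal
/// path; the mirror relaxation applies only when the lockfile itself points at
/// npm, so an arbitrary host written into the lockfile cannot borrow npm's
/// path shape to pass, and a changed path on a mirror still fails.
pub fn verify_tarball_url(lockfile_url: &str, registry_tarball: &str) -> TarballCheck {
    if lockfile_url == registry_tarball {
        return TarballCheck::ExactMatch;
    }
    let mismatch = || TarballCheck::Mismatch {
        lockfile: lockfile_url.to_string(),
        registry: registry_tarball.to_string(),
    };
    let (lock, reg) = match (host_and_path(lockfile_url), host_and_path(registry_tarball)) {
        (Some(l), Some(r)) => (l, r),
        _ => return mismatch(),
    };
    if lock.0 == NPM_REGISTRY_HOST && lock.1 == reg.1 && is_registry_tarball_path(lock.1) {
        return TarballCheck::MirrorPathMatch;
    }
    mismatch()
}

/// Exit code the notes give for ERR_AUBE_TARBALL_URL_MISMATCH.
pub const EXIT_TARBALL_URL_MISMATCH: u8 = 34;

fn main() -> ExitCode {
    // Constructed sample: the lockfile pins npm, the project is configured
    // against a local mirror; the second pair has a tampered version path.
    let pairs = [
        ("https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
         "http://localhost:4873/left-pad/-/left-pad-1.3.0.tgz"),
        ("https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
         "http://localhost:4873/left-pad/-/left-pad-1.3.1.tgz"),
    ];
    for (lock, reg) in pairs {
        match verify_tarball_url(lock, reg) {
            TarballCheck::Mismatch { lockfile, registry } => {
                eprintln!("ERR_AUBE_TARBALL_URL_MISMATCH: lockfile {lockfile} vs registry {registry}");
                return ExitCode::from(EXIT_TARBALL_URL_MISMATCH);
            }
            ok => println!("{lock}: {ok:?}"),
        }
    }
    ExitCode::SUCCESS
}
```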

Changed

  • Refresh benchmarks for v1.18.0 (#841 by @mise-en-dev): Warm-install ratios improved from ×ば぀ to ×ば぀ vs. Bun; vs. pnpm holds steady at ×ば぀.

Full Changelog: https://github.com/endevco/aube/compare/v1.18.0...v1.18.1

Contributors

jdx and mise-en-dev

v1.18.0: sponsors command & repository field normalization on publish

04 Jun 19:10
@mise-en-dev mise-en-dev
a3ad6c6

A small feature + fix release: a new aube sponsors command and a publish-time fix that normalizes the repository manifest field for stricter registries.

Added

  • aube sponsors command (#824 by @jdx): A new top-level subcommand that acknowledges 37signals and links to the canonical en.dev sponsor pages. The root README also gains a "Sponsored by 37signals" line.

    aube sponsors

Fixed

  • (publish) Normalize string repository fields in the publish manifest (#826 by @jdx): When package.json contains a string repository value, the PUT body now rewrites it to { "type": "git", "url": "<normalized>" }, matching npm/pnpm 11.5.1 behavior. Shorthand forms (owner/repo, github:..., gitlab:..., bitbucket:...) expand to full git-suffixed HTTPS URLs; explicit https, git@, and URL fragments are preserved, and existing object-shaped repository values are left untouched. This unblocks publishing to registries that reject bare-string repository fields.
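An added example (not aube's publish code) of the string-repository normalization in #826. The host mapping for the shorthands and the `git+https://` scheme follow npm's hosted-git-info convention and are assumptions here; explicit values and fragments pass through unchanged, and object-shaped values are left as they are.

```rust
/// Object-shaped `repository` value written into the publish PUT body.
#[derive(Debug, PartialEq)]
pub struct Repository {
    pub r#type: String,
    pub url: String,
}

impl Repository {
    /// Hand-rolled JSON for the PUT body (no serde in this example).
    pub fn to_json(&self) -> String {
        format!("{{ \"type\": \"{}\", \"url\": \"{}\" }}", self.r#type, self.url)
    }
}

/// What the manifest may carry before normalisation.
pub enum RepositoryField {
    Str(String),
    Obj(Repository),
}

/// Expand the shorthands npm accepts into full git-suffixed HTTPS URLs.
/// Assumed host mapping (hosted-git-info's): bare "owner/repo" and "github:"
/// map to github.com, "gitlab:" to gitlab.com, "bitbucket:" to bitbucket.org,
/// and the expanded form uses the "git+https://" scheme npm emits. Explicit
/// https://, git@ and other scheme-bearing values are returned unchanged,
/// and a "#fragment" on a shorthand is preserved.
pub fn normalize_repository_url(raw: &str) -> String {
    let raw = raw.trim();
    if raw.contains("://") || raw.starts_with("git@") {
        return raw.to_string();
    }
    let (host, rest) = match raw.split_once(':') {
        Some(("github", r)) => ("github.com", r),
        Some(("gitlab", r)) => ("gitlab.com", r),
        Some(("bitbucket", r)) => ("bitbucket.org", r),
        // Unknown prefix (e.g. "gist:"): leave it for the registry to judge.
        Some(_) => return raw.to_string(),
        None => ("github.com", raw),
    };
    let (path, fragment) = match rest.split_once('#') {
        Some((p, f)) => (p, Some(f)),
        None => (rest, None),
    };
    let path = path.trim_matches('/');
    let path = path.strip_suffix(".git").unwrap_or(path);
    // A shorthand is exactly "owner/repo"; anything else is not expanded.
    let mut segs = path.split('/');
    let well_formed = matches!(
        (segs.next(), segs.next(), segs.next()),
        (Some(o), Some(r), None) if !o.is_empty() && !r.is_empty()
    );
    if !well_formed {
        return raw.to_string();
    }
    match fragment {
        Some(f) => format!("git+https://{host}/{path}.git#{f}"),
        None => format!("git+https://{host}/{path}.git"),
    }
}

/// Publish-time rule from the notes: string values are rewritten to
/// { "type": "git", "url": <normalized> }; object values are left untouched.
pub fn normalize_repository_field(field: RepositoryField) -> Repository {
    match field {
        RepositoryField::Str(s) => Repository { r#type: "git".to_string(), url: normalize_repository_url(&s) },
        RepositoryField::Obj(obj) => obj,
    }
}

fn main() {
    // Constructed manifest values covering each shorthand and an explicit form.
    for raw in ["jdx/aube", "github:jdx/aube#v1", "gitlab:group/proj", "git@github.com:jdx/aube.git"] {
        let repo = normalize_repository_field(RepositoryField::Str(raw.to_string()));
        println!("{raw:<32} -> {}", repo.to_json());
    }
}
```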

Changed

  • Refresh benchmarks for v1.17.1 (#820 by @mise-en-dev): Warm-install ratios vs. Bun improved from ×ば぀ to ×ば぀, and vs. pnpm from ×ば぀ to ×ば぀.

Full Changelog: https://github.com/endevco/aube/compare/v1.17.1...v1.18.0

Contributors

jdx and mise-en-dev

v1.17.1: CI runner revert

31 May 21:51
@mise-en-dev mise-en-dev
60fdeb8

A CI-only patch with no user-facing changes, published to revert the GitHub-hosted runner migration from v1.17.0 after it slowed builds.

Changed

  • (ci) Switch back to Namespace runners (#819 by @jdx): Reverts #814, restoring Namespace profiles for CI, bench, docs, COPR/Homebrew, and release-plz jobs, including the native ARM64 Linux PGO+BOLT release job on namespace-profile-endev-linux-arm64-large. Windows and BATS shards continue to run on GitHub-hosted runners.

No runtime or CLI behavior changed in this release; if you're already on v1.17.0 there's nothing new to pick up.

Full Changelog: https://github.com/endevco/aube/compare/v1.17.0...v1.17.1

Contributors

jdx

v1.17.0: Staged publishes, hoisting limits, and tarball integrity

31 May 21:53
@mise-en-dev mise-en-dev
55f4ca0

A catch-up release for the tag that introduced staged-publish trust, linker hoisting limits, remote tarball integrity fixes, and OTP support for dist-tag writes. This release is backfilled without binary assets; use v1.17.1 or newer for downloadable artifacts.

Added

  • (resolver) Trust staged publishes so packages published through staged registry flows can resolve correctly once promoted (#810 by @jdx).
  • (linker) Add hoisting limits to keep dependency placement bounded in large or complex graphs (#809 by @jdx).

Fixed

  • (lockfile) Preserve remote tarball integrity metadata when resolving packages from remote tarball specs (#812 by @jdx).
  • (dist-tag) Support OTP-protected dist-tag writes (#811 by @jdx).

Changed

  • (ci) Switch release, docs, bench, COPR/Homebrew, and most CI jobs to GitHub-hosted runners (#814 by @jdx). This was reverted in v1.17.1 after slower builds.
  • (release) Use trusted publishing for cargo releases (#816 by @jdx).
  • (deps) Bump toml from 0.8.23 to 1.1.2+spec-1.1.0 (#796 by @dependabot).
  • (deps) Bump sha2 from 0.10.9 to 0.11.0 (#790 by @dependabot).
  • Refresh benchmarks for v1.16.1 (#808 by @jdx).

Tests

  • Cover alias peer cycles in the resolver (#813 by @jdx).
  • Cover remote tarball fallback lookup in lockfile handling (#815 by @jdx).

Full Changelog: https://github.com/endevco/aube/compare/v1.16.1...v1.17.0

Contributors

jdx and dependabot

v1.16.1: Publish polish and linker hardening

29 May 15:19
@mise-en-dev mise-en-dev
ed47362

A small follow-up to v1.16.0 that unblocks aube publish for mise-style version tags, broadens npm OTP detection, accepts pnpm's linkWorkspacePackages: deep, and adds defense-in-depth against unsafe package aliases in the linker.

Fixed

  • (publish) Normalize semver metadata before publish (#806 by @jdx): aube publish now parses package.json#version through node_semver and strips leading-v and other npm-style noise before computing tarball names, versions.<v> keys, and dist-tags in the PUT body. When normalization changes the on-disk string, publish rebuilds the archive so package/package.json inside the .tgz matches the cleaned version. This fixes registry rejections like "New versions must be valid semver" for projects (e.g. mise) that tag v2026.5.16. The same PR also widens the interactive OTP retry to detect npm's one-time pass / one time pass wording (previously only one-time password triggered the prompt).

  • (add) Accept linkWorkspacePackages: deep (#799 by @jdx): pnpm's tri-state linkWorkspacePackages setting (true / false / "deep") is now parsed across workspace YAML, settings.toml, and .npmrc. aube add enables workspace-sibling lookup whenever the resolved value isn't false, so deep projects get workspace:^ manifest writes instead of registry specifiers. Docs no longer claim deep is unsupported.

Security

  • (linker) Reject unsafe package aliases under node_modules (#800 by @jdx): A new validate_package_link_name guard rejects path-like package names and dependency keys (.., extra slashes, absolute paths, Windows drive prefixes, null bytes, anything that isn't a valid npm node_modules slot) before they're used to build install paths. The check runs during materialize, isolated top-level and workspace symlinks, and hoisted placement planning; HoistedPlacements::from_graph now returns Result so unsafe names fail install/rebuild instead of silently planning bad paths. Failures surface as the new ERR_AUBE_UNSAFE_PACKAGE_NAME (exit code 92).
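An added illustration, not the project's validate_package_link_name, of the guard in #800: reject every name that cannot be a node_modules slot before it is used to build an install path. The variant names, the accepted character set (ASCII alphanumerics plus `-._~`, uppercase tolerated for legacy packages) and the 214-character limit are my assumptions.

```rust
use std::path::{Path, PathBuf};

/// Reasons validate_package_link_name rejects a name; each is a way a crafted
/// name or dependency key could steer a symlink or copy outside node_modules.
#[derive(Debug, PartialEq)]
pub enum UnsafeName {
    Empty,
    NullByte,
    AbsolutePath,
    WindowsDrive,
    DotSegment,
    BadSlashes,
    LeadingDotOrUnderscore,
    BadChar(char),
    TooLong,
}

/// Accept only what can be a node_modules slot: "name" or "@scope/name",
/// each segment made of ASCII letters, digits, '-', '.', '_' or '~'.
pub fn validate_package_link_name(name: &str) -> Result<(), UnsafeName> {
    if name.is_empty() {
        return Err(UnsafeName::Empty);
    }
    if name.contains('\0') {
        return Err(UnsafeName::NullByte);
    }
    if name.len() > 214 {
        return Err(UnsafeName::TooLong);
    }
    if name.starts_with('/') || name.starts_with('\\') {
        return Err(UnsafeName::AbsolutePath);
    }
    let b = name.as_bytes();
    if b.len() >= 2 && b[0].is_ascii_alphabetic() && b[1] == b':' {
        return Err(UnsafeName::WindowsDrive);
    }
    if name.contains('\\') {
        return Err(UnsafeName::BadChar('\\'));
    }
    if name.split('/').any(|seg| seg == "." || seg == "..") {
        return Err(UnsafeName::DotSegment);
    }
    // Exactly one slot, or a scope plus one slot; any other slash layout is out.
    let parts: Vec<&str> = name.split('/').collect();
    let segments: Vec<&str> = match parts.as_slice() {
        [single] if !single.starts_with('@') => vec![*single],
        [scope, pkg] if scope.starts_with('@') => vec![&scope[1..], *pkg],
        _ => return Err(UnsafeName::BadSlashes),
    };
    for seg in segments {
        if seg.is_empty() {
            return Err(UnsafeName::BadSlashes);
        }
        if seg.starts_with('.') || seg.starts_with('_') {
            return Err(UnsafeName::LeadingDotOrUnderscore);
        }
        let ok = |c: char| c.is_ascii_alphanumeric() || matches!(c, '-' | '.' | '_' | '~');
        if let Some(bad) = seg.chars().find(|&c| !ok(c)) {
            return Err(UnsafeName::BadChar(bad));
        }
    }
    Ok(())
}

/// Build the install path only after the name passed validation. A lexical
/// `starts_with` on the joined path would NOT catch "..": Path treats
/// "node_modules/../x" as starting with "node_modules", which is exactly why
/// the guard has to run on the name before any path is built.
pub fn safe_link_path(node_modules: &Path, name: &str) -> Result<PathBuf, UnsafeName> {
    validate_package_link_name(name)?;
    Ok(node_modules.join(name))
}

/// Exit code the notes give for ERR_AUBE_UNSAFE_PACKAGE_NAME.
pub const EXIT_UNSAFE_PACKAGE_NAME: i32 = 92;

fn main() {
    // Constructed dependency keys, including hostile ones a crafted manifest might carry.
    let root = Path::new("/proj/node_modules");
    let mut failed = false;
    for key in ["lodash", "@types/node", "../../../tmp/x", "C:\\Windows", "@scope//pkg"] {
        match safe_link_path(root, key) {
            Ok(p) => println!("{key:?} -> {}", p.display()),
            Err(e) => {
                failed = true;
                eprintln!("ERR_AUBE_UNSAFE_PACKAGE_NAME {key:?}: {e:?}");
            }
        }
    }
    if failed {
        std::process::exit(EXIT_UNSAFE_PACKAGE_NAME);
    }
}
```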

Full Changelog: https://github.com/endevco/aube/compare/v1.16.0...v1.16.1

Contributors

jdx

v1.16.0: pnpm 11 parity, trusted publishing, and git tarball integrity

26 May 01:12
@mise-en-dev mise-en-dev
817207d

This release brings aube's pnpm lockfile handling up to pnpm 11 parity, pins integrity for hosted git tarballs, and fixes several publish-flow gaps including npm Trusted Publishing and interactive OTP prompts. It also resolves a long-standing install error when a workspace child depends on the workspace root via workspace:*.

Added

  • (pnpm) pnpm 11 lockfile parity (#761 by @jdx): aube-lockfile now reads/writes pnpm's gitHosted metadata and preserves non-derivable registry tarball URLs (e.g. GitHub Packages), so round-trips against pnpm 11 lockfiles stay byte-clean. The CLI also picks up several pnpm-shaped behaviors at the same time: aube audit merges auditConfig.ignoreGhsas / auditConfig.ignoreCves with --ignore, aube publish --json emits a single npm-compatible object for a single-package publish (array only for multi-package), and provenance now accepts NPM_ID_TOKEN in addition to GitHub's default OIDC token.

  • (publish) aube stage command (#762 by @jdx): New visible npm-compat stub. Without npmPath it exits with a clear "not implemented — use npm stage" message; with npmPath configured it delegates the call (including --registry and trailing args) to the underlying npm binary, matching how whoami and set-script already behave.

  • (publish) npm Trusted Publishing (OIDC) (#763 by @jdx): aube publish now exchanges a GitHub Actions OIDC token for a short-lived npm bearer token before upload, so tokenless Trusted Publishing workflows work end-to-end. The exchange happens after the prepublishOnly lifecycle and tarball build, so it uses the final packaged name (important if a hook renames the package). If the OIDC fetch fails for any reason (network, non-2xx, malformed JSON) aube debug-logs and falls back to the existing .npmrc auth instead of erroring out.

  • (publish) Interactive OTP prompt on 2FA challenge (#767 by @jdx): When the registry rejects a publish PUT with a 401/403 that looks like an OTP/2FA challenge and --otp was not provided, aube now prompts for a code (masked input via demand) and retries the request once. In non-interactive runs it returns a clear --otp <CODE> hint instead of failing with a generic auth error. Plain bad-token failures are still surfaced as auth errors rather than misread as OTP prompts.

Fixed

  • (resolver) Hosted git tarball integrity is pinned and verified (#783 by @jdx): Hosted git dependencies fetched through the codeload fast path now have a SHA-512 SRI computed on first fetch, persisted on the lockfile entry, and verified before extraction on subsequent installs. Codeload cache keys also mix in the integrity hash so tarballs with different contents can't collide on the same cache directory.

  • (update) workspace:* against the workspace root resolves (#757 by @fu050409): When the workspace root package.json declared its own name/version and a child package depended on it via workspace:*, aube update/aube install failed with ERR_AUBE_NO_MATCHING_VERSION because the root was never added to the workspace version map. The root is now included in both install/workspace.rs and update.rs, with a 0.0.0 fallback when no version is set.

  • (lockfile) No more lossy package-lock.json rewrites from override drift (#753 by @jdx, fixes #752): Drift checks are now format-aware: npm and yarn lockfiles don't round-trip the top-level override snapshot that aube/pnpm/bun use for drift detection, so a non-empty overrides block in package.json made every npm install look stale and rewrote package-lock.json (potentially reshaping platform-optional package entries and peer metadata). Override-drift comparisons are now skipped for npm and yarn lockfiles, and remain strict for aube-lock.yaml, pnpm-lock.yaml, and bun.lock.

Changed

  • (deps) HTTP/TLS stack refresh (#780 by @jdx): Workspace reqwest bumped to 0.13 (with the renamed rustls feature) and the hickory-proto/hickory-resolver DNS stack moved to 0.26.1, collapsing duplicate reqwest 0.12/0.13 entries. A new aube_util::http::with_webpki_root_fallback helper merges Mozilla's baked-in roots with rustls-platform-verifier on Unix (except Android) and Windows, and registry clients, OSV/supply-chain probes, aube login, and the update notifier all build their HTTP clients through it so TLS trust stays consistent across the upgrade.

  • (docs) Clearer prune vs store prune (#758 by @jdx): aube prune --help now explicitly describes its lockfile-driven cleanup of the project node_modules (including virtual-store entries and .bin links) and points users at aube store prune for global store cleanup, which now has its own long help covering store-path scope, cached-index reachability, and hardlink/reflink behavior.

Full Changelog: https://github.com/endevco/aube/compare/v1.15.0...v1.16.0

Contributors

jdx and fu050409