v1.12.0: Tidier config, smarter installs from bun.lock

A round of fixes driven by user reports — bun.lock imports now keep peer-only packages, the store layout is reorganized so one cache mount covers everything, and aube config set stops scribbling unknown keys into .npmrc.

Added

• Smarter aube config set / delete routing (#634 by @jdx) — Writes only land in .npmrc for the npm-shared surface (per-host auth/cert templates, scoped registries, and a curated allowlist of npm-standard scalars like registry, proxy, fetch-retries, …). Aube-only and pnpm-only keys (autoInstallPeers, dangerouslyAllowAllBuilds, pnpmfilePath, …) plus unknown free-form keys now go to ~/.config/aube/config.toml. Dotted writes for aube map settings — aube config set --local allowBuilds.@mongodb-js/zstd true, aube config set --local overrides.lodash 4.17.21 — edit a single entry of pnpm-workspace.yaml (or package.json#<pnpm|aube>.<map>) in place. aube config delete sweeps both files so legacy writes from older versions are still cleaned up. New error code ERR_AUBE_CONFIG_NESTED_AUBE_KEY covers invalid nested writes.
• Polished install progress display (#616 by @jdx) — The bar is now cyan across every phase (no more "completing twice" as the phase flips green), reserves the final slice so it never reads 100% while the linker is still running, and paints a full 100% from a new done phase on finish() / stop() so the last frame matches the ✓ summary line. The displayed ~XX MB total is now a dynamic blend of the static unpackedSize × 0.20 fallback and a linear extrapolation from observed bytes-per-package — converging to the real total instead of overshooting by ~48%. resolving switched yellow → cyan, the pkgs counter is bold/uncolored mid-install, and WARN_AUBE_SLOW_METADATA drops redundant fields.

Fixed

• Peer-only packages from bun.lock no longer silently dropped (#639 by @jdx) — filter_graph's GC walk ran before hoist_auto_installed_peers, so peer-installed deps like @mui/material that weren't directly listed in workspace dependencies: got pruned as unreachable before the hoist could promote them. The pipeline now hoists first, then walks. On the linked repro, aube install goes from 6 packages (with broken @mui/material / @emotion/*) to 44 with everything resolved.
• bun.lock imports now run the peer-context pass (#619 by @jdx) — LockfileKind::Bun was missing from the apply_peer_contexts branch, so peer-dependent packages landed at .aube/<pkg>@<ver>/ without sibling peer links and walked up to whatever hoisted copy they found. Now they get peer-qualified dep_paths (e.g. @cloudflare+vite-plugin@1.17.1_vite@8.0.10_…) with correct sibling symlinks, matching the npm-lockfile import behavior.
• Stale cached indexes now self-heal at fetch time (#635 by @jdx) — Cached package indexes moved from $XDG_CACHE_HOME/aube/index/ into the store at <store>/v1/index/, next to v1/files/. The install fast path swapped load_index for load_index_verified, so an index whose CAS shards have drifted out from under it is dropped at fetch classification and the tarball re-fetched cleanly — instead of the materializer dying mid-link with ERR_AUBE_MISSING_STORE_FILE. Fixes a BuildKit cache-mount footgun where only one of the two cache dirs would be persisted.
• engines.pnpm no longer triggers spurious version warnings (#633 by @jdx) — A project pinning engines.pnpm: ">=10.11.1" produced warn: wanted pnpm >=10.11.1, got 1.x on every install (or a hard failure under engine-strict). Aube and pnpm live in different version namespaces, so honoring this field was net-negative. engines.pnpm is now skipped entirely; engines.aube is still honored for projects that want to gate on the running tool, and engines.node is unchanged.
• update -i no longer reports phantom upgrade rows for catalog deps (#636 by @jdx) — When a catalog: dep resolved to a newer version while the same name was pulled in transitively at an older one (e.g. jose@6.2.3 direct + jose@5.10.0 via @upstash/qstash), lookup_pkg's name-scan picked the transitive snapshot as "current" and offered a downgrade row the rewrite path then ignored. Lookup now goes through the importer's DirectDep.dep_path. The companion fix extends the --latest prerelease guard to the locked version, so "^1.0.0-rc.1" isn't silently rewritten to whatever the registry's latest dist-tag points at.
• update / add / dedupe / remove / audit preserve cross-platform optionals and time: entries (#637 by @jdx) — These commands now route through install's configure_resolver, inheriting the full settings pipeline (supportedArchitectures, resolutionMode, minimumReleaseAge, overrides, …). They opt out of the full-packument disk cache so an immediately-following re-resolve picks up registry dist-tag changes, and the resolver carries forward the prior lockfile's time: entry when a fresh corgi packument lacks publish time for a resolved version — so direct deps don't lose their time: line on update.
• aube add --global --allow-build=<pkg> actually pre-approves builds (#620 by @jdx) — The synthetic inner AddArgs was being built with allow_build: Vec::new(), silently dropping the outer flag and erroring with "must be reviewed before install" under strictDepBuilds=true. The flag is now plumbed through run_global / run_global_inner and approvals are written to the throwaway install dir's package.json#aube.allowBuilds before lifecycle scripts run.

Changed

• aube store path now returns the v1/ directory (#635) — One level above the previous v1/files/ output, so a single Docker BuildKit cache mount or backup captures both the CAS and the new co-located index dir. Scripts consuming aube store path will now mount one level higher (the intended behavior). A lazy in-place migration from the legacy $XDG_CACHE_HOME/aube/index/ location runs on the first store open after upgrade (rename fast path, recursive-copy fallback for cross-FS).

💚 Sponsor aube

aube is part of en.dev — an independent developer-tooling studio run by @jdx, also behind mise. Work on aube is funded entirely by sponsors.

If aube is saving your team install time or CI minutes, please consider sponsoring at en.dev. Individual and company sponsorships are what keep the project fast, free, and independent.