
v1.13.0: Supply-chain gates for `aube add`


@mise-en-dev mise-en-dev released this 13 May 23:20
f21d6e2

Added

  • (install) Bun-compatible pluggable security scanner — drop in any securityScanner package that follows the Bun Security Scanner API (oven-sh template, @socketsecurity/bun-security-scanner, etc.) and aube runs it post-resolve against the full graph via a node bridge (#657)
  • (add) Supply-chain gates on aube add: OSV MAL-* advisory hard-block plus a weekly-downloads floor with TTY prompt / --allow-low-downloads bypass. New advisoryCheck and lowDownloadThreshold settings, both folded into paranoid: true (#656)
  • (install) OSV checks now extend to the full resolved graph, routed live-API vs. local OSV mirror based on whether resolution produced fresh (name, version) picks; opt-in advisoryCheckOnInstall covers plain reinstalls, advisoryCheckEveryInstall forces live API every time (#678)
  • (add) Auto-skip supply-chain gates for packages routed through a non-registry.npmjs.org registry, plus a new allowedUnpopularPackages glob allowlist to silence the downloads gate on known-internal names (#673)
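The decision policy these bullets describe, as an added illustrative model that is not aube's own code: the setting names (advisoryCheck, lowDownloadThreshold, allowedUnpopularPackages, paranoid) and flag come from the notes above, while the non-TTY outcome, the paranoid threshold value and the allowlist glob syntax are assumptions.

```javascript
// Added illustrative model of the `aube add` gates in these notes, not aube's
// code. Setting names come from the notes; items marked "assumption" do not.
const DEFAULT_REGISTRY_HOST = "registry.npmjs.org";

// Assumption: allowlist entries are globs with "*" wildcards only, matched
// against the full package name (e.g. "@acme/*").
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

function isAllowlisted(name, allowedUnpopularPackages) {
  return allowedUnpopularPackages.some((g) => globToRegExp(g).test(name));
}

// paranoid: true folds both gates on. The default floor of 1000 weekly
// downloads is an assumption for this example, not aube's value.
function resolveSettings(user) {
  const s = { advisoryCheck: false, lowDownloadThreshold: 0, allowedUnpopularPackages: [], ...user };
  if (s.paranoid) {
    s.advisoryCheck = true;
    if (!s.lowDownloadThreshold) s.lowDownloadThreshold = 1000;
  }
  return s;
}

// pkg:   { name, registry, weeklyDownloads, advisories: [osvId, ...] }
// flags: { allowLowDownloads, isTTY }
function gateDecision(pkg, settings, flags = {}) {
  // Gates auto-skip for packages routed through a non-registry.npmjs.org registry.
  if (new URL(pkg.registry).host !== DEFAULT_REGISTRY_HOST) {
    return { action: "skip", reason: "non-npmjs registry" };
  }
  // OSV MAL-* (malware) advisories are a hard block: no flag bypasses them.
  if (settings.advisoryCheck) {
    const mal = (pkg.advisories || []).filter((id) => id.startsWith("MAL-"));
    if (mal.length > 0) return { action: "block", reason: `OSV ${mal.join(", ")}` };
  }
  // Weekly-downloads floor, with allowlist, CLI bypass, or interactive prompt.
  if (settings.lowDownloadThreshold > 0 && pkg.weeklyDownloads < settings.lowDownloadThreshold) {
    if (isAllowlisted(pkg.name, settings.allowedUnpopularPackages)) {
      return { action: "allow", reason: "allowedUnpopularPackages match" };
    }
    if (flags.allowLowDownloads) return { action: "allow", reason: "--allow-low-downloads" };
    if (flags.isTTY) return { action: "prompt", reason: `${pkg.weeklyDownloads} weekly downloads` };
    return { action: "block", reason: "low downloads, no TTY to confirm (assumption)" };
  }
  return { action: "allow", reason: "passed all gates" };
}
```

Package names, download counts and the advisory id used in any sample input are constructed placeholders, not real OSV data.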

Changed

  • (install) No longer rewrites package.json / workspace yaml to seed allowBuilds: { <pkg>: "set this to true or false" } placeholders for unreviewed build scripts (#662)
  • (install perf) Deleted the pre-resolver direct-dep packument prefetch; 12–22% wall-time win across fixture size, bandwidth, and RTT (#672)
  • (add) --allow-build=<pkg> now flips an existing deny instead of erroring, help renders correctly as --allow-build=<PKG>, and the no-op --ignore-scripts is hidden on add / import / update (#660)

Fixed

  • (linker) Windows bin shims for aube add --global … --allow-build=<dep> no longer emit a duplicated install-root path segment when .aube/<dep>/ sits behind a directory junction (#659)
  • (global) aube remove --global on Windows no longer fails with Access is denied (os error 5) on the hash pointer when it's an NTFS directory junction (#658)

💚 Sponsor aube

aube is part of en.dev — an independent developer-tooling studio run by @jdx, also behind mise. Work on aube is funded entirely by sponsors.

If aube is saving your team install time or CI minutes, please consider sponsoring at en.dev. Individual and company sponsorships are what keep the project fast, free, and independent.