
v1.13.1: Version-aware transitive MAL-* gate


@mise-en-dev mise-en-dev released this 14 May 02:22
· 187 commits to main since this release
2bab58c

A targeted fix for the transitive supply-chain gate added in v1.13.0: the post-resolve OSV check is now version-aware, so name-level MAL-* advisories stop blocking installs that resolve to clean versions of the same package.

Fixed

  • (install) Version-aware transitive MAL-* check (#682 by @jdx) — The post-resolve gate was reusing the pre-resolve name-only OSV query, so any name-level advisory hit every install that transitively pulled in any version of that package. Concretely, aube add cowsay@1.6.0 refused with ERR_AUBE_MALICIOUS_PACKAGE because cowsay's tree includes ansi-regex@3.0.1, and ansi-regex carries the Sep 2025 shai-hulud advisory MAL-2025-46966 against 6.2.1 — a version published years after 3.0.1. The live-API and OSV-mirror lookups now send (name, version) pairs, refusal messages surface name@version (MAL-…), and the local mirror index bumps to format = 2 (storing per-advisory affected versions; v1 indexes rebuild on next refresh, and advisories with no enumerated versions still fail closed). The pre-resolve aube add name-gate keeps its versionless query — typosquats are malicious in every version.
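The two gates described in that entry, as an added example (not aube's own code) that models the behaviour in Rust: a pre-resolve name gate that stays versionless, and a post-resolve gate that checks (name, version) pairs against a format = 2 mirror index holding per-advisory affected versions, failing closed when an advisory enumerates none. The index shape, the function names and the `example-*` package entries are hypothetical; the only advisory data taken from the release note is ansi-regex / MAL-2025-46966 / 6.2.1, and the cowsay@1.6.0 tree is cut down to the two packages the note mentions.

```rust
use std::collections::HashMap;

/// Index format the post-resolve gate needs; older (name-only) indexes rebuild on refresh.
pub const INDEX_FORMAT: u32 = 2;

/// One MAL-* advisory as a format-2 index would store it: the advisory id plus the
/// versions the feed enumerates as affected. An empty list means "not enumerated".
#[derive(Debug, Clone)]
pub struct Advisory {
    pub id: String,
    pub affected_versions: Vec<String>,
}

/// Hypothetical local OSV-mirror index: package name -> advisories on that name.
#[derive(Debug, Default)]
pub struct MirrorIndex {
    pub format: u32,
    pub advisories: HashMap<String, Vec<Advisory>>,
}

/// Why a gate refused the install.
#[derive(Debug, PartialEq, Eq)]
pub enum Refusal {
    /// name@version appears in an advisory's enumerated affected versions.
    Malicious { package: String, version: String, advisory: String },
    /// Advisory exists but enumerates no versions: cannot prove this one clean, so fail closed.
    Unenumerated { package: String, version: String, advisory: String },
    /// Pre-resolve name gate: the name itself is flagged, whatever the version.
    MaliciousName { package: String, advisory: String },
}

impl Refusal {
    /// Refusal text in the `name@version (MAL-…)` shape the release note describes.
    pub fn message(&self) -> String {
        match self {
            Refusal::Malicious { package, version, advisory }
            | Refusal::Unenumerated { package, version, advisory } => {
                format!("ERR_AUBE_MALICIOUS_PACKAGE: {package}@{version} ({advisory})")
            }
            Refusal::MaliciousName { package, advisory } => {
                format!("ERR_AUBE_MALICIOUS_PACKAGE: {package} ({advisory})")
            }
        }
    }
}

impl MirrorIndex {
    /// A v1 index stores no affected versions, so it cannot answer (name, version) queries.
    pub fn needs_rebuild(&self) -> bool {
        self.format < INDEX_FORMAT
    }

    pub fn insert(&mut self, name: &str, id: &str, versions: &[&str]) {
        self.advisories.entry(name.to_string()).or_default().push(Advisory {
            id: id.to_string(),
            affected_versions: versions.iter().map(|v| v.to_string()).collect(),
        });
    }

    /// Pre-resolve gate on the name the user typed: versionless on purpose,
    /// because a typosquat is malicious in every version.
    pub fn check_name(&self, name: &str) -> Result<(), Refusal> {
        match self.advisories.get(name).and_then(|advs| advs.first()) {
            Some(adv) => Err(Refusal::MaliciousName {
                package: name.to_string(),
                advisory: adv.id.clone(),
            }),
            None => Ok(()),
        }
    }

    /// Post-resolve gate over the (name, version) pairs of the resolved tree.
    pub fn check_resolved(&self, resolved: &[(&str, &str)]) -> Result<(), Refusal> {
        for (name, version) in resolved {
            if let Some(advs) = self.advisories.get(*name) {
                for adv in advs {
                    if adv.affected_versions.is_empty() {
                        return Err(Refusal::Unenumerated {
                            package: name.to_string(),
                            version: version.to_string(),
                            advisory: adv.id.clone(),
                        });
                    }
                    if adv.affected_versions.iter().any(|v| v.as_str() == *version) {
                        return Err(Refusal::Malicious {
                            package: name.to_string(),
                            version: version.to_string(),
                            advisory: adv.id.clone(),
                        });
                    }
                }
            }
        }
        Ok(())
    }
}

/// Constructed sample index: the ansi-regex entry is the advisory the release note
/// cites; the two `example-*` entries are placeholders for the other gate paths.
pub fn sample_index() -> MirrorIndex {
    let mut idx = MirrorIndex { format: INDEX_FORMAT, ..Default::default() };
    idx.insert("ansi-regex", "MAL-2025-46966", &["6.2.1"]);
    idx.insert("example-unenumerated", "MAL-0000-PLACEHOLDER-A", &[]);
    idx.insert("example-typosquat", "MAL-0000-PLACEHOLDER-B", &["1.0.0"]);
    idx
}

fn main() {
    let idx = sample_index();
    // Constructed, cut-down cowsay@1.6.0 tree: the old ansi-regex resolves clean.
    println!("{:?}", idx.check_resolved(&[("cowsay", "1.6.0"), ("ansi-regex", "3.0.1")]));
    if let Err(r) = idx.check_resolved(&[("ansi-regex", "6.2.1")]) {
        println!("{}", r.message());
    }
}
```

The ordering inside `check_resolved` is the point: the empty-versions test runs before the membership test, so a bare advisory can never be read as "no affected versions, therefore clean".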

Full Changelog: https://github.com/endevco/aube/compare/v1.13.0...v1.13.1

💚 Sponsor aube

aube is part of en.dev — an independent developer-tooling studio run by @jdx, also behind mise. Work on aube is funded entirely by sponsors.

If aube is saving your team install time or CI minutes, please consider sponsoring at en.dev. Individual and company sponsorships are what keep the project fast, free, and independent.