
v1.16.0: pnpm 11 parity, trusted publishing, and git tarball integrity


@mise-en-dev mise-en-dev released this 26 May 01:12
817207d

This release brings aube's pnpm lockfile handling up to pnpm 11 parity, pins integrity for hosted git tarballs, and fixes several publish-flow gaps including npm Trusted Publishing and interactive OTP prompts. It also resolves a long-standing install error when a workspace child depends on the workspace root via workspace:*.

Added

  • (pnpm) pnpm 11 lockfile parity (#761 by @jdx) — aube-lockfile now reads/writes pnpm's gitHosted metadata and preserves non-derivable registry tarball URLs (e.g. GitHub Packages), so round-trips against pnpm 11 lockfiles stay byte-clean. The CLI also picks up several pnpm-shaped behaviors at the same time: aube audit merges auditConfig.ignoreGhsas / auditConfig.ignoreCves with --ignore, aube publish --json emits a single npm-compatible object for a single-package publish (array only for multi-package), and provenance now accepts NPM_ID_TOKEN in addition to GitHub's default OIDC token.
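The audit-ignore merge described above, as an added example that is not aube's own code: it unions the `auditConfig.ignoreGhsas` / `auditConfig.ignoreCves` lists (field names from the release notes) with `--ignore` values, normalizes identifier case, and suppresses an advisory if either its primary id or any alias is ignored. The advisory objects are constructed stand-ins for a registry audit report.

```javascript
// Added example, not aube's code: merge config-driven audit ignores with --ignore
// values and filter a constructed advisory list.

function normalizeId(id) {
  return String(id).trim().toUpperCase();
}

// Union the config lists with CLI values; comparisons are case-insensitive so a
// lower-case "ghsa-..." in package.json still matches the registry's spelling.
function mergeIgnores(auditConfig, cliIgnore) {
  const cfg = auditConfig || {};
  const ids = [
    ...(cfg.ignoreGhsas || []),
    ...(cfg.ignoreCves || []),
    ...(cliIgnore || []),
  ];
  return new Set(ids.map(normalizeId));
}

// An advisory is suppressed when its primary id or any alias is ignored: one
// finding is often known under both a GHSA id and a CVE id, so matching only
// the primary id would make an ignoreCves entry silently ineffective.
function filterAdvisories(advisories, ignores) {
  return advisories.filter((adv) => {
    const ids = [adv.id, ...(adv.aliases || [])].map(normalizeId);
    return !ids.some((id) => ignores.has(id));
  });
}

// Constructed sample input (ids and module names are placeholders).
const SAMPLE_AUDIT_CONFIG = {
  ignoreGhsas: ['ghsa-aaaa-bbbb-cccc'],
  ignoreCves: ['CVE-2024-00001'],
};
const SAMPLE_ADVISORIES = [
  { id: 'GHSA-aaaa-bbbb-cccc', aliases: ['CVE-2024-00002'], severity: 'high', module: 'pkg-a' },
  { id: 'GHSA-dddd-eeee-ffff', aliases: ['CVE-2024-00001'], severity: 'moderate', module: 'pkg-b' },
  { id: 'GHSA-gggg-hhhh-iiii', aliases: [], severity: 'critical', module: 'pkg-c' },
];

// Returns the ids of advisories that still fail the audit after ignores apply.
function remainingAdvisoryIds(cliIgnore) {
  const ignores = mergeIgnores(SAMPLE_AUDIT_CONFIG, cliIgnore);
  return filterAdvisories(SAMPLE_ADVISORIES, ignores).map((adv) => adv.id);
}

console.log(remainingAdvisoryIds([]));
```

Only the third advisory survives the default run: the first is ignored by its GHSA id, the second by its CVE alias.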

  • (publish) aube stage command (#762 by @jdx) — New visible npm-compat stub. Without npmPath it exits with a clear "not implemented — use npm stage" message; with npmPath configured it delegates the call (including --registry and trailing args) to the underlying npm binary, matching how whoami and set-script already behave.

  • (publish) npm Trusted Publishing (OIDC) (#763 by @jdx) — aube publish now exchanges a GitHub Actions OIDC token for a short-lived npm bearer token before upload, so tokenless Trusted Publishing workflows work end-to-end. The exchange happens after the prepublishOnly lifecycle and tarball build, so it uses the final packaged name (important if a hook renames the package). If the OIDC fetch fails for any reason (network, non-2xx, malformed JSON) aube debug-logs and falls back to the existing .npmrc auth instead of erroring out.
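The exchange-then-fall-back flow above, as an added example that is not aube's own code. The transport is injected and synchronous so the flow runs offline; the exchange URL path, the shape of the JSON reply, and the registry URL are assumptions. `NPM_ID_TOKEN` comes from the release notes; the `ACTIONS_ID_TOKEN_REQUEST_URL` / `ACTIONS_ID_TOKEN_REQUEST_TOKEN` pair is what GitHub Actions exposes for OIDC.

```javascript
// Added example, not aube's code: resolve publish credentials by attempting the
// npm Trusted Publishing (OIDC) exchange and falling back to the .npmrc token on
// any failure.

const REGISTRY = 'https://registry.example.test/'; // constructed registry URL

// Pick the ID-token source. NPM_ID_TOKEN (named in the release notes) wins;
// otherwise the GitHub Actions runner's request URL/token pair is used.
function idTokenSource(env) {
  if (env.NPM_ID_TOKEN) return { kind: 'npm-id-token', token: env.NPM_ID_TOKEN };
  if (env.ACTIONS_ID_TOKEN_REQUEST_URL && env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) {
    return { kind: 'github-oidc', url: env.ACTIONS_ID_TOKEN_REQUEST_URL, token: env.ACTIONS_ID_TOKEN_REQUEST_TOKEN };
  }
  return null;
}

// Fetch the GitHub Actions ID token; GitHub replies {"value": "<jwt>"} and the
// audience is passed as a query parameter.
function fetchGithubIdToken(http, src) {
  const sep = src.url.includes('?') ? '&' : '?';
  const res = http(`${src.url}${sep}audience=npm:registry.npmjs.org`, {
    method: 'GET', headers: { authorization: `Bearer ${src.token}` },
  });
  if (res.status !== 200) throw new Error(`id token request returned HTTP ${res.status}`);
  const body = JSON.parse(res.body);
  if (typeof body.value !== 'string' || !body.value) throw new Error('id token reply has no value');
  return body.value;
}

// Exchange the ID token for a short-lived registry bearer token. The exchange is
// scoped to a package, so it must use the final packaged name (after hooks ran).
function exchangeIdToken(http, registry, packageName, idToken) {
  const base = registry.replace(/\/$/, '');
  const url = `${base}/-/npm/v1/oidc/token/exchange/package/${encodeURIComponent(packageName)}`; // assumed path
  const res = http(url, { method: 'POST', headers: { authorization: `Bearer ${idToken}` } });
  if (res.status < 200 || res.status >= 300) throw new Error(`exchange returned HTTP ${res.status}`);
  let body;
  try { body = JSON.parse(res.body); } catch (_) { throw new Error('exchange returned a non-JSON body'); }
  if (typeof body.token !== 'string' || !body.token) throw new Error('exchange reply has no token');
  return body.token;
}

// Every failure on the OIDC path (transport error, non-2xx, bad JSON) is logged
// at debug level and degrades to the .npmrc token instead of aborting the publish.
function resolvePublishAuth({ http, packageName, env, npmrcToken, debug }) {
  const log = debug || (() => {});
  const src = idTokenSource(env);
  if (src) {
    try {
      const idToken = src.kind === 'npm-id-token' ? src.token : fetchGithubIdToken(http, src);
      return { method: 'oidc', token: exchangeIdToken(http, REGISTRY, packageName, idToken) };
    } catch (err) {
      log(`oidc exchange failed, falling back to .npmrc auth: ${err.message}`);
    }
  }
  if (!npmrcToken) throw new Error('no registry credentials available');
  return { method: 'npmrc', token: npmrcToken };
}

// Constructed transports, one per failure mode the release notes list.
const transports = {
  ok: () => ({ status: 200, body: JSON.stringify({ token: 'npm_short_lived' }) }),
  forbidden: () => ({ status: 403, body: '{"error":"not a trusted publisher for this package"}' }),
  garbage: () => ({ status: 200, body: '<html>maintenance</html>' }),
  network: () => { throw new Error('ECONNRESET'); },
};

function scenario(name) {
  const messages = [];
  const auth = resolvePublishAuth({
    http: transports[name],
    packageName: '@scope/pkg',
    env: { NPM_ID_TOKEN: 'constructed.id.token' },
    npmrcToken: 'npm_from_npmrc',
    debug: (m) => messages.push(m),
  });
  return { method: auth.method, token: auth.token, fellBack: messages.length > 0 };
}
```

The point of the structure is that the OIDC branch can only ever produce a bearer token or a debug line; the `.npmrc` path is reached identically for a network reset, a 403 and an HTML maintenance page.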

  • (publish) Interactive OTP prompt on 2FA challenge (#767 by @jdx) — When the registry rejects a publish PUT with a 401/403 that looks like an OTP/2FA challenge and --otp was not provided, aube now prompts for a code (masked input via demand) and retries the request once. In non-interactive runs it returns a clear --otp <CODE> hint instead of failing with a generic auth error. Plain bad-token failures are still surfaced as auth errors rather than misread as OTP prompts.
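The challenge classification and single retry described above, as an added example that is not aube's own code. The signals it checks (a `www-authenticate` header mentioning OTP, or an error body mentioning a one-time password) are assumptions modelled on how npm's client recognises the challenge; the registry stub is constructed. The key property is that a plain bad token never triggers the prompt, and a rejected prompted code never loops.

```javascript
// Added example, not aube's code: classify a rejected publish PUT as an OTP/2FA
// challenge or a plain auth failure, and retry exactly once with a prompted code.

function isSuccess(res) { return res.status >= 200 && res.status < 300; }

// 'otp'  : 401/403 carrying a second-factor challenge
// 'auth' : 401/403 without one (bad or expired token); must NOT prompt for OTP
// 'other': anything else
function classifyPublishFailure(res) {
  if (res.status !== 401 && res.status !== 403) return 'other';
  const headers = res.headers || {};
  const wwwAuth = String(headers['www-authenticate'] || '').toLowerCase();
  const body = String(res.body || '').toLowerCase();
  if (wwwAuth.includes('otp') || body.includes('one-time pass')) return 'otp'; // assumed signals
  return 'auth';
}

// put(otp) performs the upload with the given code (or undefined) and returns a
// response. prompt() is only called when interactive and should use masked input.
function publishWithOtp(put, { otp, interactive, prompt }) {
  let res = put(otp);
  if (isSuccess(res)) return { ok: true, status: res.status, retried: false };
  const kind = classifyPublishFailure(res);
  if (kind !== 'otp') return { ok: false, reason: kind, status: res.status, retried: false };
  if (otp) return { ok: false, reason: 'otp-rejected', status: res.status, retried: false };
  if (!interactive) {
    return {
      ok: false, reason: 'otp-required', status: res.status, retried: false,
      hint: 'this operation requires a one-time password; rerun with --otp <CODE>',
    };
  }
  res = put(prompt('Enter one-time password: ')); // exactly one retry, never a loop
  if (isSuccess(res)) return { ok: true, status: res.status, retried: true };
  return { ok: false, reason: classifyPublishFailure(res), status: res.status, retried: true };
}

// Constructed registry stub: requires a valid token and, optionally, a valid OTP.
function makeRegistryPut({ validToken, validOtp, token }) {
  return (otp) => {
    if (token !== validToken) return { status: 401, headers: {}, body: '{"error":"unauthorized"}' };
    if (validOtp && otp !== validOtp) {
      return {
        status: 401,
        headers: { 'www-authenticate': 'OTP' },
        body: '{"error":"This operation requires a one-time password"}',
      };
    }
    return { status: 200, headers: {}, body: '{"ok":true}' };
  };
}
```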

Fixed

  • (resolver) Hosted git tarball integrity is pinned and verified (#783 by @jdx) — Hosted git dependencies fetched through the codeload fast path now have a SHA-512 SRI computed on first fetch, persisted on the lockfile entry, and verified before extraction on subsequent installs. Codeload cache keys also mix in the integrity hash so tarballs with different contents can't collide on the same cache directory.

  • (update) workspace:* against the workspace root resolves (#757 by @fu050409) — When the workspace root package.json declared its own name/version and a child package depended on it via workspace:*, aube update/aube install failed with ERR_AUBE_NO_MATCHING_VERSION because the root was never added to the workspace version map. The root is now included in both install/workspace.rs and update.rs, with a 0.0.0 fallback when no version is set.
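The version-map fix described above, as an added example that is not aube's own code: the manifests are constructed, `includeRoot` toggles the pre-fix behaviour so the `ERR_AUBE_NO_MATCHING_VERSION` failure is reproducible, and the handling of `workspace:^` / `workspace:~` follows the general workspace protocol rather than only the `workspace:*` case in the note.

```javascript
// Added example, not aube's code: build the workspace version map with the root
// included and resolve workspace: specs against it.

const ERR_NO_MATCHING_VERSION = 'ERR_AUBE_NO_MATCHING_VERSION';

function buildWorkspaceVersionMap(rootManifest, childManifests, { includeRoot = true } = {}) {
  const versions = new Map();
  for (const m of childManifests) {
    if (m.name) versions.set(m.name, m.version || '0.0.0');
  }
  // The fix: the root is a workspace package too. A root that declares a name
  // but no version still gets an entry, falling back to 0.0.0.
  if (includeRoot && rootManifest.name) {
    versions.set(rootManifest.name, rootManifest.version || '0.0.0');
  }
  return versions;
}

// Resolve a `workspace:` spec to the concrete version or range: `*` pins the
// exact version, `^`/`~` prefix it, and an explicit version must equal what the
// workspace package declares.
function resolveWorkspaceSpec(name, spec, versions) {
  if (!spec.startsWith('workspace:')) throw new Error(`not a workspace spec: ${spec}`);
  const version = versions.get(name);
  if (version === undefined) {
    throw new Error(`${ERR_NO_MATCHING_VERSION}: ${name}@${spec} is not a package in this workspace`);
  }
  const tag = spec.slice('workspace:'.length);
  if (tag === '*') return version;
  if (tag === '^' || tag === '~') return tag + version;
  if (tag === version) return version;
  throw new Error(`${ERR_NO_MATCHING_VERSION}: ${name}@${spec} does not match workspace version ${version}`);
}

// Constructed workspace: the root declares name/version and a child depends on it.
const ROOT = { name: 'monorepo-root', version: '1.2.3' };
const CHILDREN = [
  { name: '@ws/child', version: '0.4.0', dependencies: { 'monorepo-root': 'workspace:*', '@ws/lib': 'workspace:^' } },
  { name: '@ws/lib', version: '2.0.0' },
];

// Resolve every workspace: dependency of every child; throws on the first miss.
function resolveAll(root, children, opts) {
  const versions = buildWorkspaceVersionMap(root, children, opts);
  const out = {};
  for (const m of children) {
    for (const [dep, spec] of Object.entries(m.dependencies || {})) {
      if (spec.startsWith('workspace:')) out[`${m.name} -> ${dep}`] = resolveWorkspaceSpec(dep, spec, versions);
    }
  }
  return out;
}

console.log(resolveAll(ROOT, CHILDREN));
```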

  • (lockfile) No more lossy package-lock.json rewrites from override drift (#753 by @jdx, fixes #752) — Drift checks are now format-aware: npm and yarn lockfiles don't round-trip the top-level override snapshot that aube/pnpm/bun use for drift detection, so a non-empty overrides block in package.json made every npm install look stale and rewrote package-lock.json (potentially reshaping platform-optional package entries and peer metadata). Override-drift comparisons are now skipped for npm and yarn lockfiles, and remain strict for aube-lock.yaml, pnpm-lock.yaml, and bun.lock.
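The format-aware drift check described above, as an added example that is not aube's own code. The lockfile names that keep the override snapshot come from the release notes; the canonical-JSON comparison (so that key order in `package.json` is not reported as drift) and the sample override blocks are constructed.

```javascript
// Added example, not aube's code: override-drift detection that is strict only
// for lockfile formats that actually persist the top-level overrides snapshot.

// npm and yarn lockfiles do not round-trip the snapshot, so comparing them against
// package.json would flag every install as stale and trigger a lossy rewrite.
const FORMATS_WITH_OVERRIDE_SNAPSHOT = new Set(['aube-lock.yaml', 'pnpm-lock.yaml', 'bun.lock']);

// Deterministic serialisation: key order in package.json is not drift.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

function overridesDrifted(lockfileName, manifestOverrides, lockfileOverrides) {
  if (!FORMATS_WITH_OVERRIDE_SNAPSHOT.has(lockfileName)) return false;
  return canonical(manifestOverrides || {}) !== canonical(lockfileOverrides || {});
}

// Decide whether an install should rewrite the lockfile. Other staleness signals
// (dependency drift and the like) are out of scope here and passed in as a flag.
function lockfileNeedsRewrite(lockfileName, manifestOverrides, lockfileOverrides, otherDrift = false) {
  return otherDrift || overridesDrifted(lockfileName, manifestOverrides, lockfileOverrides);
}

// Constructed overrides block, including a nested (per-dependent) override.
const SAMPLE_OVERRIDES = { 'pkg-a': '1.0.0', 'pkg-b': { 'pkg-c': '2.0.0' } };

console.log({
  npm: lockfileNeedsRewrite('package-lock.json', SAMPLE_OVERRIDES, undefined),
  pnpm: lockfileNeedsRewrite('pnpm-lock.yaml', SAMPLE_OVERRIDES, undefined),
});
```

With the sample block, `package-lock.json` is left alone even though it carries no snapshot, while `pnpm-lock.yaml` without one is correctly reported as stale.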

Changed

  • (deps) HTTP/TLS stack refresh (#780 by @jdx) — Workspace reqwest bumped to 0.13 (with the renamed rustls feature) and the hickory-proto/hickory-resolver DNS stack moved to 0.26.1, collapsing duplicate reqwest 0.12/0.13 entries. A new aube_util::http::with_webpki_root_fallback helper merges Mozilla's baked-in roots with rustls-platform-verifier on Unix (except Android) and Windows, and registry clients, OSV/supply-chain probes, aube login, and the update notifier all build their HTTP clients through it so TLS trust stays consistent across the upgrade.

  • (docs) Clearer prune vs store prune (#758 by @jdx) — aube prune --help now explicitly describes its lockfile-driven cleanup of the project node_modules (including virtual-store entries and .bin links) and points users at aube store prune for global store cleanup, which now has its own long help covering store-path scope, cached-index reachability, and hardlink/reflink behavior.

New Contributors

Full Changelog: https://github.com/endevco/aube/compare/v1.15.0...v1.16.0

💚 Sponsor aube

aube is part of en.dev — an independent developer-tooling studio run by @jdx, also behind mise. Work on aube is funded entirely by sponsors.

If aube is saving your team install time or CI minutes, please consider sponsoring at en.dev. Individual and company sponsorships are what keep the project fast, free, and independent.