v1.16.1: Publish polish and linker hardening

@mise-en-dev mise-en-dev released this 29 May 15:19
Immutable release. Only release title and notes can be modified.
ed47362

A small follow-up to v1.16.0 that unblocks aube publish for mise-style version tags, broadens npm OTP detection, accepts pnpm's linkWorkspacePackages: deep, and adds defense-in-depth against unsafe package aliases in the linker.

Fixed

  • (publish) Normalize semver metadata before publish (#806 by @jdx) — aube publish now parses package.json#version through node_semver and strips leading-v and other npm-style noise before computing tarball names, versions.<v> keys, and dist-tags in the PUT body. When normalization changes the on-disk string, publish rebuilds the archive so package/package.json inside the .tgz matches the cleaned version. This fixes registry rejections like "New versions must be valid semver" for projects (e.g. mise) that tag v2026.5.16. The same PR also widens the interactive OTP retry to detect npm's one-time pass / one time pass wording (previously only one-time password triggered the prompt).

  • (add) Accept linkWorkspacePackages: deep (#799 by @jdx) — pnpm's tri-state linkWorkspacePackages setting (true / false / "deep") is now parsed across workspace YAML, settings.toml, and .npmrc. aube add enables workspace-sibling lookup whenever the resolved value isn't false, so deep projects get workspace:^ manifest writes instead of registry specifiers. Docs no longer claim deep is unsupported.

Security

  • (linker) Reject unsafe package aliases under node_modules (#800 by @jdx) — A new validate_package_link_name guard rejects path-like package names and dependency keys (.., extra slashes, absolute paths, Windows drive prefixes, null bytes, anything that isn't a valid npm node_modules slot) before they're used to build install paths. The check runs during materialize, isolated top-level and workspace symlinks, and hoisted placement planning — HoistedPlacements::from_graph now returns Result so unsafe names fail install/rebuild instead of silently planning bad paths. Failures surface as the new ERR_AUBE_UNSAFE_PACKAGE_NAME (exit code 92).
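
The kind of check the linker entry above describes, sketched as an added example; this is not aube's validate_package_link_name, and the names check_link_name, safe_segment and link_path are hypothetical. It assumes a valid node_modules slot is either name or @scope/name and enforces only that structure, not npm's full naming rules.

```rust
// Added illustration: NOT aube's implementation. Function names and the
// exact rule set are assumptions made for this example.
use std::path::{Path, PathBuf};

/// One path segment of a node_modules slot: non-empty, not `.` or `..`,
/// and free of separators, drive colons and NUL bytes.
fn safe_segment(seg: &str) -> bool {
    !seg.is_empty()
        && seg != "."
        && seg != ".."
        && !seg.chars().any(|c| matches!(c, '/' | '\\' | ':' | '\0'))
}

/// Accepts only `name` or `@scope/name`; everything else is rejected
/// before any path is built from it.
pub fn check_link_name(name: &str) -> Result<(), String> {
    let ok = match name.strip_prefix('@') {
        // Scoped: exactly one slash, and both halves must be safe segments.
        Some(rest) => match rest.split_once('/') {
            Some((scope, pkg)) => safe_segment(scope) && safe_segment(pkg),
            None => false,
        },
        // Unscoped: a single safe segment, so no slash at all.
        None => safe_segment(name),
    };
    if ok { Ok(()) } else { Err(format!("unsafe package name: {name:?}")) }
}

/// Build the install path only after the name passes validation, so a bad
/// dependency key fails the install instead of planning a bad path.
pub fn link_path(node_modules: &Path, name: &str) -> Result<PathBuf, String> {
    check_link_name(name)?;
    Ok(node_modules.join(name))
}

fn main() {
    // Constructed sample dependency keys, not taken from a real lockfile.
    let keys = ["lodash", "@types/node", "../evil", "/etc/x", "C:\\x", "a//b", "@s/a/b", "x\0y"];
    for key in keys {
        println!("{key:?} -> {:?}", link_path(Path::new("node_modules"), key));
    }
}
```

Validating the raw key before the join matters because Path::join replaces the base entirely when given an absolute path and keeps .. components as written.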

Full Changelog: https://github.com/endevco/aube/compare/v1.16.0...v1.16.1

💚 Sponsor aube

aube is part of en.dev — an independent developer-tooling studio run by @jdx, also behind mise. Work on aube is funded entirely by sponsors.

If aube is saving your team install time or CI minutes, please consider sponsoring at en.dev. Individual and company sponsorships are what keep the project fast, free, and independent.