v1.17.0: Staged publishes, hoisting limits, and tarball integrity
Immutable release. Only release title and notes can be modified.
A catch-up release for the tag that introduced staged-publish trust, linker hoisting limits, remote tarball integrity fixes, and OTP support for dist-tag writes. This release is backfilled without binary assets; use v1.17.1 or newer for downloadable artifacts.
Added
- (resolver) Trust staged publishes so packages published through staged registry flows can resolve correctly once promoted (#810 by @jdx).
- (linker) Add hoisting limits to keep dependency placement bounded in large or complex graphs (#809 by @jdx).
Fixed
- (lockfile) Preserve remote tarball integrity metadata when resolving packages from remote tarball specs (#812 by @jdx).
- (dist-tag) Support OTP-protected dist-tag writes (#811 by @jdx).
Changed
- (ci) Switch release, docs, bench, COPR/Homebrew, and most CI jobs to GitHub-hosted runners (#814 by @jdx). This was reverted in v1.17.1 after slower builds.
- (release) Use trusted publishing for cargo releases (#816 by @jdx).
- (deps) Bump toml from 0.8.23 to 1.1.2+spec-1.1.0 (#796 by @dependabot).
- (deps) Bump sha2 from 0.10.9 to 0.11.0 (#790 by @dependabot).
- Refresh benchmarks for v1.16.1 (#808 by @jdx).
Tests
- Cover alias peer cycles in the resolver (#813 by @jdx).
- Cover remote tarball fallback lookup in lockfile handling (#815 by @jdx).
Full Changelog: https://github.com/endevco/aube/compare/v1.16.1...v1.17.0
💚 Sponsor aube
aube is part of en.dev — an independent developer-tooling studio run by @jdx, also behind mise. Work on aube is funded entirely by sponsors.
If aube is saving your team install time or CI minutes, please consider sponsoring at en.dev. Individual and company sponsorships are what keep the project fast, free, and independent.