
v1.18.1: Conflict-aware lockfiles and verified tarballs


@mise-en-dev released this 07 Jun 18:53 (commit 021bb82)

A small patch release focused on install robustness: lockfiles with Git merge conflict markers now recover gracefully, aube update --global works from anywhere, and lockfile tarball URLs are verified against the registry before download.

Fixed

  • (install) Regenerate conflicted lockfiles (#843 by @jdx) — When aube-lock.yaml still contains Git conflict markers (<<<<<<<, =======, >>>>>>>), install now treats it as a recoverable prefer-frozen parse failure rather than aborting. It emits the new WARN_AUBE_LOCKFILE_CONFLICT_MARKERS warning and regenerates the lockfile from package.json, so a plain aube install after a messy merge just works.

  • (update) Support global updates (#840 by @jdx) — aube update --global (and aube update -g <pkg>) now routes through the global install directory instead of requiring a project package.json, so it works from any directory — including outside a repo. Each global install runs the normal update pipeline with --latest and exact manifest pins, then bin shims are relinked and stale executables removed. Named packages resolve by alias; unknown names fail with not globally installed. When combined with a workspace --filter, --global takes precedence and leaves workspace manifests untouched. Fixes #839.

    aube update -g           # update every globally installed tool
    aube update -g prettier  # update a single global tool

Security

  • (install) Verify lockfile tarball URLs (#842 by @jdx) — When the lockfile pins an explicit registry tarball URL (e.g. lockfile-include-tarball-url=true or npm-alias entries), install now fetches per-version registry metadata and compares dist.tarball to the lockfile URL before downloading. Mismatches abort with the new ERR_AUBE_TARBALL_URL_MISMATCH (exit 34). Exact matches pass, and lockfile URLs on registry.npmjs.org are still accepted on alternative hosts when the /-/…tgz path matches, so Verdaccio and other local mirrors continue to work — but tampered paths or arbitrary hosts impersonating npm are rejected.
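The decision rule described above, reconstructed as an added example (this is not aube's own code; only the error code, exit status and the registry.npmjs.org mirror rule come from the notes, the function names and the sample packument are constructed here):

```javascript
// Illustrative reconstruction of the lockfile tarball-URL check from the release notes.
// Assumed names: verifyTarballUrl, registryTarballFor, SAMPLE_PACKUMENT.
const NPM_REGISTRY_HOST = "registry.npmjs.org";
const ERR_AUBE_TARBALL_URL_MISMATCH = "ERR_AUBE_TARBALL_URL_MISMATCH"; // exit 34 per the notes

// A registry tarball path looks like /<name>/-/<name>-<version>.tgz
// (or /@scope/<name>/-/<name>-<version>.tgz for scoped packages).
const isNpmTarballPath = (u) => u.pathname.includes("/-/") && u.pathname.endsWith(".tgz");

// Decide whether a lockfile-pinned tarball URL may be downloaded, given the
// dist.tarball the active registry reports for the same name@version.
// Returns { ok: true, reason } or { ok: false, code, reason }.
function verifyTarballUrl(lockfileUrl, registryTarballUrl) {
  if (lockfileUrl === registryTarballUrl) return { ok: true, reason: "exact match" };

  let lock, reg;
  try {
    lock = new URL(lockfileUrl);
    reg = new URL(registryTarballUrl);
  } catch {
    return { ok: false, code: ERR_AUBE_TARBALL_URL_MISMATCH, reason: "unparseable URL" };
  }

  // Mirror case: the lockfile was generated against npmjs.org, but the active
  // registry (e.g. a Verdaccio mirror) serves the identical /-/...tgz path.
  if (lock.hostname === NPM_REGISTRY_HOST && isNpmTarballPath(lock) && lock.pathname === reg.pathname) {
    return { ok: true, reason: "npmjs.org lockfile URL, same tarball path on mirror" };
  }

  // Anything else is a tampered path or a non-npm host posing as the registry.
  return {
    ok: false,
    code: ERR_AUBE_TARBALL_URL_MISMATCH,
    reason: `lockfile ${lockfileUrl} != registry ${registryTarballUrl}`,
  };
}

// Pull dist.tarball for one version out of a packument (the per-version
// registry metadata the notes say install now fetches). Null if absent.
function registryTarballFor(packument, version) {
  return packument.versions?.[version]?.dist?.tarball ?? null;
}

// Constructed sample metadata, shaped like an npm packument; not real registry data.
const SAMPLE_PACKUMENT = {
  name: "prettier",
  versions: {
    "3.0.0": { dist: { tarball: "https://registry.npmjs.org/prettier/-/prettier-3.0.0.tgz" } },
  },
};
```

Mismatches would surface as the ERR_AUBE_TARBALL_URL_MISMATCH abort before any bytes are fetched; the mirror branch is what keeps a registry.npmjs.org-pinned lockfile usable against a local Verdaccio.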

Changed

  • Refresh benchmarks for v1.18.0 (#841 by @mise-en-dev) — Warm-install ratios improved from 5× to 7× vs. Bun; vs. pnpm holds steady at 9×.

Full Changelog: https://github.com/endevco/aube/compare/v1.18.0...v1.18.1

💚 Sponsor aube

aube is part of en.dev — an independent developer-tooling studio run by @jdx, also behind mise. Work on aube is funded entirely by sponsors.

If aube is saving your team install time or CI minutes, please consider sponsoring at en.dev. Individual and company sponsorships are what keep the project fast, free, and independent.