aube
v1.15.0 · released recently

aube /ob/ - pronounced "ohb"

Never forget to install.

Aube installs automatically when you run a script. The tightest security defaults of any Node.js package manager - and the only one with a lifecycle-script jail. Drops into existing projects using existing lockfiles.

Start running -> $ mise use aube

Other install methods

7.8x faster than pnpm
4.8x faster than bun
90% less disk space than npm

npm copies dependencies into every project. Aube keeps package files in one global store and links projects to it, so three apps with React, Vite, TypeScript, and Playwright share the heavy files instead of storing three full copies.

aubr test

$ mise use aube
mise [email protected] ✓ installed
mise ./mise.toml tools: [email protected]
$ aubr test
aube 1.15.0 by en.dev
fetching ░░░░░░░░░░░░░░░░░░░░░░░░░░ 0/319 pkgs
⠋ @vue/[email protected]
⠸ @types/[email protected]
⠦ [email protected]

01 speed

(Chart: aube, bun, deno, pnpm, npm)

Fastest Node.js package manager. In the warm install benchmark, aube is 7.8x faster than pnpm and 4.8x faster than Bun. The chart shows warm installs with no node_modules; the other benchmarks cover CI and cold-cache cases.

See the benchmarks ->

02 lockfiles

(Diagram: yarn.lock, pnpm-lock.yaml, package-lock.json; aube reads and writes the same lockfile, written back)

Use existing lockfiles. Read and write yarn.lock, pnpm-lock.yaml, or package-lock.json in place without forcing a team-wide migration.

Lockfile compatibility ->

03 repeat

$ aubr test
deps stale · install first
✓ ran 100 tests successfully
$ aubr test
deps fresh · ran 100 tests successfully

Run scripts instead of installing. aubr test auto-installs first when dependencies changed, then skips that work on repeat runs. Use aubx for one-off tools.

Run scripts and binaries ->

04 disk

(Diagram: projects app, api and web linked to one aube store)

Use less disk. A global content-addressable store lets projects share package files instead of keeping a full copy in every checkout.

node_modules layout ->

05 secure

trust downgrades: blocked
new releases: 24h cooling
typosquats: checked on add
build scripts: deny by default

Supply-chain defaults across the install path. Trust downgrades fail at resolve, new releases sit out a 24h cooling window, aube add blocks known-malicious packages and prompts on near-zero-download installs, lifecycle scripts wait for approval, and exotic transitive deps are blocked. paranoid: true adds the build jail and turns the soft gates into hard fails.

Security overview ->