v1.15.0 · released recently
aube /ob/ - pronounced "ohb"
Never forget to install.
Aube installs automatically when you run a script. The tightest security defaults of any Node.js package manager - and the only one with a lifecycle-script jail. Drops into existing projects using existing lockfiles.
Start running Other install methods
mise use aube- 90% npm copies dependencies into every project. Aube keeps package files in one global store and links projects to it, so three apps with React, Vite, TypeScript, and Playwright share the heavy files instead of storing three full copies.
- less disk space than npm
node_modules; the other benchmarks cover CI and cold-cache cases. See the benchmarks ->02lockfilesUse existing lockfiles. Read and write yarn.lock, pnpm-lock.yaml, or package-lock.json in place without forcing a team-wide migration. Lockfile compatibility ->03repeatRun scripts instead of installing.aubr test auto-installs first when dependencies changed, then skips that work on repeat runs. Use aubx for one-off tools.Run scripts and binaries ->04diskUse less disk. A global content-addressable store lets projects share package files instead of keeping a full copy in every checkout. node_modules layout ->05secureSupply-chain defaults across the install path. Trust downgrades fail at resolve, new releases sit out a 24h cooling window, aube add blocks known-malicious packages and prompts on near-zero-download installs, lifecycle scripts wait for approval, and exotic transitive deps are blocked. paranoid: true adds the build jail and turns the soft gates into hard fails. Security overview ->