github: shorthand deps fall back to npm registry on package-lock.json install

[tomocrafter]

Summary

For a package.json dep declared via github: shorthand, aube install ignores the git source in package-lock.json and fetches <name>@<version> from the npm registry, 404ing when the package isn't published on npm.

Repro

package.json:

{ "dependencies": { "<pkg>": "github:<owner>/<repo>#<sha>" } }

package-lock.json (lockfileVersion 2):

"node_modules/<pkg>": {
  "version": "<x.y.z>",
  "resolved": "git+ssh://git@github.com/<owner>/<repo>.git#<sha>",
  "integrity": "sha512-..."
}

(<pkg> is GitHub-only; <x.y.z> is just the package's own package.json#version.)

$ aube install
Error: × failed to fetch <pkg>@<x.y.z>: HTTP 404 for
  https://registry.npmjs.org/<pkg>/-/<pkg>-<x.y.z>.tgz

aube import --lockfile-only shows where the info is lost — the specifier is kept in importers: but packages: / snapshots: only carry <pkg>@<x.y.z> with no tarball or git URL. pnpm, in the same situation, writes a key like <pkg>@https://codeload.github.com/<owner>/<repo>/tar.gz/<sha>: with a tarball resolution.

Expected

aube honors the git source — follow resolved: git+ssh://..., or translate github:owner/repo#<sha> into a codeload.github.com tarball fetch.

Environment

• aube 1.2.1 linux-x64 (2026-04-26)
• package-lock.json lockfileVersion 2

Related

• Bun feature parity issues + lockfile regressions #248 — same bug class (GitHub shorthand deps are treated as registry tarballs) for bun.lock; this is the package-lock.json analogue.

[jdx]

Thanks for the clear repro. I tracked this to the package-lock.json reader dropping git resolved URLs unless they looked like HTTP tarball URLs, which left a plain <pkg>@<version> registry package in the graph.

Draft fix is up in #338. It now parses git resolved URLs as LocalSource::Git, keys the package by the git source dep path, and adds both parser and end-to-end package-lock install regressions.

Validation passed locally: cargo test -p aube-lockfile, mise run test:bats test/git_deps.bats, and cargo clippy --all-targets -- -D warnings.

[tomocrafter]

Thank you for addressing this issue! I tried with new version but it fails with

❯ aube i
aube 1.5.1 by en.dev — fetching  [                                                                                                                                               ] 0/1991 · 2s
Error:   × failed to clone ssh://git@github.com/<org>/<repo>.git#<commit-hash>: git error: git ["fetch", "-q", "--", "origin"] failed: git@github.com: Permission
  │ denied (publickey).
  │ fatal: Could not read from remote repository.
  │
  │ Please make sure you have the correct access rights
  │ and the repository exists.

error (using exactly same package.json and package-lock.json).
it seems npm uses HTTPS to fetch it but aube try to clone it with SSH which I haven't configured (I use gh-cli's git credential-helper instead for automatic authentication management).

[jdx]

Sorry about that — the #338 fix only got us as far as recognizing the lockfile entry as a git source. Once recognized, aube was passing the git+ssh://… URL straight to git fetch, which fails when SSH isn't configured. npm and pnpm both sidestep that: for github/gitlab/bitbucket they treat the lockfile URL as canonical-identity only and re-derive an HTTPS fetch URL from (host, owner, repo, sha) each install.

PR up: #394. After it lands, github SHA-pinned deps fetch over https://codeload.github.com/<owner>/<repo>/tar.gz/<sha> (no git binary, no SSH key). On any HTTP error — most commonly a private repo, since codeload doesn't accept npm-registry auth — aube falls back to a shallow git clone over the rewritten HTTPS URL, which picks up your gh credential helper.

If your repo is private, the fallback is the path that should fix it for you. Let me know what you see once it's in a release.

[tomocrafter]

@jdx Thank you for quick response and fix!
I tried newly released version and can confirm that this fix works as expected and now aube i completes its job correctly (with being 10times faster than npm i)!