
feat(audit): support update fix mode#363

Merged
jdx merged 6 commits into main from codex/audit-fix-update
Apr 28, 2026

Conversation


@jdx jdx commented Apr 28, 2026

What changed

  • Adds pnpm-compatible aube audit --fix=update to update vulnerable packages through the lockfile instead of writing overrides.
  • Changes --fix into pnpm's optional method form: bare --fix defaults to override, and --fix=override / --fix=update are accepted.
  • Allows aube audit -i to default into override fix mode, matching pnpm's interactive behavior.
  • Adds resolver support for advisory ranges so audit update mode avoids vulnerable versions during sibling reuse, lockfile reuse, and version picking.

Why

pnpm 11 added audit --fix=update as the user-visible path for fixing advisories without generating override entries. Aube's previous audit fix path was override-only, so users coming from pnpm 11 got the wrong behavior.

Validation

  • cargo check -q
  • cargo build -q
  • cargo clippy --all-targets -- -D warnings
  • cargo test -p aube-resolver test_pick_version_prefers_locked -- --nocapture
  • mise run test:bats test/audit.bats

Note

Medium Risk
Changes aube audit from read-only to optionally rewriting package.json and the lockfile, and alters resolver version-picking behavior when vulnerable ranges are provided; this can impact dependency graphs and reproducibility if the avoidance logic is wrong.

Overview
Adds pnpm-compatible audit fixing modes: --fix now accepts optional values (override default, update to refresh the lockfile) and introduces -i/--interactive to select which advisories to fix.

Implements --fix=update by re-running resolution while steering specific packages away from advisory semver ranges, then writing updated aube-lock.yaml and (when needed) adjusting direct dependency specifiers to match the new resolved versions.

Extends the resolver with vulnerable_ranges support so sibling reuse, lockfile reuse, and version picking prefer non-vulnerable versions when available, while falling back to the original pick if no safe version exists; updates CLI docs/usage metadata and expands bats/unit tests to cover the new behaviors.

Reviewed by Cursor Bugbot for commit 9a3a439. Bugbot is set up for automated code reviews on this repo.
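The resolver behaviour described above (steer a pick away from advisory ranges, fall back to the original pick when every candidate is vulnerable, and only narrow a manifest specifier when it no longer admits the new version), as an added illustration written for this page rather than aube's own resolver code. It assumes versions are plain `(major, minor, patch)` tuples and advisory ranges are half-open `[lo, hi)` pairs instead of real semver, and the package name and candidate list are constructed sample data.

```rust
// Added illustration, not aube's resolver code. Versions are (major, minor,
// patch) tuples and advisory ranges are half-open [lo, hi) pairs; this stands
// in for semver to keep the example dependency-free.
use std::collections::BTreeMap;

pub type Version = (u64, u64, u64);

/// Affected versions [lo, hi) as an advisory would state them.
#[derive(Clone, Copy, Debug)]
pub struct Range { pub lo: Version, pub hi: Version }

impl Range {
    pub fn contains(&self, v: Version) -> bool { v >= self.lo && v < self.hi }
}

/// True when any advisory range registered for `name` covers `v`.
pub fn is_vulnerable(vuln: &BTreeMap<&str, Vec<Range>>, name: &str, v: Version) -> bool {
    vuln.get(name).map_or(false, |rs| rs.iter().any(|r| r.contains(v)))
}

/// `original` is the resolver's normal pick and `candidates` are the versions
/// that already satisfy the dependency spec. Keep `original` when it is safe;
/// otherwise take the highest safe candidate; if none is safe, fall back to
/// `original` so the graph still resolves.
pub fn prefer_non_vulnerable_pick(
    vuln: &BTreeMap<&str, Vec<Range>>,
    name: &str,
    original: Version,
    candidates: &[Version],
) -> Version {
    if !is_vulnerable(vuln, name, original) {
        return original;
    }
    candidates.iter().copied()
        .filter(|&v| !is_vulnerable(vuln, name, v))
        .max()
        .unwrap_or(original)
}

/// Manifest sync guard: a package.json specifier is rewritten only when the
/// existing spec no longer admits the newly resolved version.
pub fn spec_satisfies_version(spec: Range, v: Version) -> bool { spec.contains(v) }

fn main() {
    // Constructed sample: sample-pkg 1.2.0 up to (not including) 1.2.5 is affected.
    let mut vuln = BTreeMap::new();
    vuln.insert("sample-pkg", vec![Range { lo: (1, 2, 0), hi: (1, 2, 5) }]);
    let candidates = [(1, 2, 3), (1, 2, 4), (1, 2, 5), (1, 3, 0)];
    let pick = prefer_non_vulnerable_pick(&vuln, "sample-pkg", (1, 2, 4), &candidates);
    let spec = Range { lo: (1, 2, 0), hi: (2, 0, 0) }; // ^1.2.0
    println!("picked {:?}; manifest rewrite needed: {}", pick, !spec_satisfies_version(spec, pick));
}
```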


greptile-apps Bot commented Apr 28, 2026

Greptile Summary

Adds pnpm 11-compatible aube audit --fix=update mode that re-resolves the dependency graph with vulnerable ranges injected, rewrites the lockfile, and (for exact pins only) updates package.json specifiers without writing overrides. Also adds -i/--interactive flag that invokes a multi-select TUI to choose which advisories to fix, defaulting to override mode. The sync_root_dep_specifiers call and spec_satisfies_version guard address the lockfile-specifier/manifest-mismatch and unnecessary-range-narrowing issues flagged in the previous review round.

Confidence Score: 5/5

Safe to merge; no P0/P1 issues found and the previously flagged P1s are addressed.

All previously flagged P1s (specifier/manifest mismatch, unnecessary range narrowing, sibling-dedupe only checking the first match) are addressed in this revision. Only two P2 style nits remain.

No files require special attention.

Important Files Changed

Filename Overview
crates/aube/src/commands/audit.rs Core implementation of --fix=update mode: re-resolves with vulnerable_ranges, rewrites lockfile and manifest as needed. sync_root_dep_specifiers added to address the previously-flagged lockfile specifier/manifest mismatch. spec_satisfies_version guard prevents unnecessary range narrowing. Overall logic is sound.
crates/aube-resolver/src/resolve.rs Adds is_vulnerable and prefer_non_vulnerable_pick helpers; hooks them into sibling-dedupe, lockfile-reuse, and version-pick paths. The sibling-dedupe path now correctly scans all siblings with a combined find predicate. prefer_non_vulnerable_pick correctly uses proper semver comparison over BTreeMap iteration.
crates/aube-resolver/src/builder.rs Adds vulnerable_ranges: BTreeMap::new() initialisation in both Resolver constructors and the with_vulnerable_ranges builder method. Straightforward and complete.
crates/aube-resolver/src/lib.rs Adds vulnerable_ranges field to the Resolver struct with clear documentation.
test/audit.bats Adds Bats integration tests for --fix, --fix=override, -i, --fix=update (range and exact-pin fixtures). Non-TTY means -i always selects all rows; the interactive selection path is exercised only via the unit test in audit.rs.
aube.usage.kdl Correctly updates --fix to accept an optional <FIX> argument with update/override choices, and adds the -i/--interactive flag.
docs/cli/audit.md Documentation updated to reflect --fix <FIX> choices and new -i/--interactive flag.
docs/cli/commands.json Machine-readable command metadata updated to match the new --fix and --interactive shapes.


Reviews (4): Last reviewed commit: "fix(audit): sync partial update fixes"

cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 153c6eb.

@jdx jdx merged commit b431a98 into main Apr 28, 2026
17 checks passed
@jdx jdx deleted the codex/audit-fix-update branch April 28, 2026 16:44