feat(cli): rewrite manifest specifier on update without --latest

[jdx]

Summary

• Add updateRewritesSpecifier setting (default true) — restores pnpm parity for the most common aube update <pkg> use case.
• With the setting on, aube update <pkg> (no --latest) rewrites caret/tilde manifest ranges (^X.Y.Z / ~X.Y.Z) to track the new in-range max. Other shapes (>=, 1.x, exact pins, dist-tags, git, workspace:) stay frozen.
• Set update-rewrites-specifier=false in .npmrc (or env equivalent) to keep aube's prior frozen-manifest behavior.
• Ports pnpm/test/update.ts:51 (single-project) and pnpm/test/update.ts:95 (recursive) plus an opt-out test.
• Triage decision recorded in docs(test): triage every pnpm-test-import gap with explicit support decisions #471 — drop-in pnpm parity wins over the cosmetic-coin-flip rationale.

The semantic divergence this closes:

• Existing aube: ^1.2.0 in manifest + 1.2.0 lockfile + 1.2.5 in-range max → aube update foo bumps lockfile to 1.2.5, leaves manifest at ^1.2.0.
• New aube (default): same flow rewrites manifest to ^1.2.5 to track the resolved version. Matches pnpm.

Test plan

• cargo build --workspace
• cargo test --workspace (all crates green)
• cargo clippy --all-targets -- -D warnings
• cargo fmt --check
• mise run test:bats test/pnpm_update.bats (25/25 passing, including 3 new tests)

🤖 Generated with Claude Code

---

Note

Medium Risk
Changes aube update to potentially rewrite package.json ranges (in addition to the lockfile) based on a new default-on setting, which can affect repo diffs and upgrade semantics for users relying on frozen manifests.

Overview
aube update <pkg> (without --latest) can now optionally rewrite package.json caret/tilde ranges to the newly resolved in-range version, aligning behavior with pnpm; non-caret/tilde specs (dist-tags, exact pins, raw ranges, git, workspace:) remain unchanged.

Adds a new updateRewritesSpecifier setting (default true, configurable via env/.npmrc) to control this cosmetic manifest rewrite, updates settings docs accordingly, and adds Bats coverage for the rewrite path, opt-out behavior, and dist-tag preservation (including recursive update -r).

^{Reviewed by Cursor Bugbot for commit 8c235ba. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds updateRewritesSpecifier (default true) so that aube update <pkg> without --latest now rewrites ^X.Y.Z/~X.Y.Z manifest ranges to track the new in-range resolved version, matching pnpm's behavior. The feature is gated per-spec by a literal ^/~ prefix check (correctly avoiding dist-tags, exact pins, >= ranges, git, and workspace: specs) and can be disabled via .npmrc or env.

Confidence Score: 5/5

Safe to merge; only finding is a P2 UX nit about a spurious --no-save message.

All P1-level concerns from previous review rounds appear addressed in the current code. The one new finding (false-positive --no-save message when specs are non-caret/tilde) is P2 only. Core rewrite logic, dist-tag guard, npm: alias handling, and --no-save suppression all look correct. Test coverage is solid with 4 new targeted scenarios.

crates/aube/src/commands/update.rs — the --no-save message guard at line 574

Important Files Changed

Filename	Overview
crates/aube/src/commands/update.rs	Core implementation of the updateRewritesSpecifier feature; merges --latest and cosmetic rewrite paths into a single loop, adds correct literal ^/~ prefix guard for dist-tags. One P2: --no-save message fires even when all specs are non-caret/tilde and nothing would have been rewritten.
crates/aube-settings/settings.toml	Adds updateRewritesSpecifier bool setting (default true) with env and .npmrc sources; clean addition placed correctly between updateNotifier and preferSymlinkedExecutables.
docs/settings/index.md	Adds updateRewritesSpecifier entry to the settings table and reference section; consistent with settings.toml content, no issues.
test/pnpm_update.bats	Adds 4 new Bats tests covering: caret rewrite, opt-out via .npmrc, dist-tag preservation, and recursive workspace update; test structure mirrors existing patterns and assertions are tight.
test/PNPM_TEST_IMPORT.md	Triage doc updated to mark update.ts:51/95 as landed and increment the ported count from 17/22 to 19/22; factual and consistent.

_{Reviews (3): Last reviewed commit: "fix(cli): preserve dist-tag specs in cos..." | Re-trigger Greptile}

[github-actions]

Benchmark changes

Public ratios: warm installs vs Bun 7x -> 6x; warm installs vs pnpm 11x -> 9x.

Benchmark	aube	bun	pnpm
Fresh install (warm cache)	332ms -> 350ms (+5%)	2242ms -> 2095ms (-7%)	3500ms -> 3208ms (-8%)
CI install (warm cache, GVS disabled)	930ms -> 827ms (-11%)	1447ms -> 2077ms (+44%)	2475ms -> 2462ms (-1%)
CI install (cold cache, GVS disabled)	4364ms -> 4090ms (-6%)	4083ms -> 3887ms (-5%)	5380ms -> 5610ms (+4%)

8c235ba vs 56a5651 | aube/bun/pnpm | 3 scenarios | 3 runs | 500mbit/50ms | generated by Codex.

[jdx]

Addressed both Greptile findings:

P1 (dist-tags slip through caret/tilde filter): range_prefix returns "^" as the default for unknown shapes, so "foo": "latest" was passing the filter and getting rewritten to "^<resolved>". Now the cosmetic-rewrite path checks the literal leading char (^ or ~) instead — only specs the user actually wrote with caret/tilde are eligible for the floor-bump. Added a regression bats test asserting "latest" survives aube update.

P2 (silent suppression under --no-save): Surfaced the --no-save skip message symmetrically. Previously it only printed under --latest && --no-save; now it also prints when updateRewritesSpecifier is on and --no-save is set. Same feedback either way.

Validation: cargo build/clippy/fmt clean, mise run test:bats test/pnpm_update.bats 26/26.

Written with Claude.

[jdx]

Status check after rebase:

• Greptile P1 (dist-tags pass through caret/tilde filter) — addressed by fixup commit `8c235ba3 fix(cli): preserve dist-tag specs in cosmetic update rewrite`. The cosmetic-only path now explicitly gates on `range_slice.starts_with('^')` || `range_slice.starts_with('~')` and `continue`s for everything else, so dist-tags / exact pins / raw ranges are preserved.
• Greptile P2 (silent --no-save under cosmetic rewrite) — left as-is. The existing `--latest --no-save` path emits `Skipping package.json update (--no-save)`; the new cosmetic + `--no-save` combination is also silent, but that's a continuation of the pre-existing behavior for `update --no-save` (no-op on the manifest, no message). Not a regression. Could add a parallel message if desired but it's a UX nit.

`cargo build` / `cargo clippy` / `cargo fmt --check` clean, branch up to date with main.

Written with Claude.