Please report security issues privately via GitHub's security advisory form: github.com/endevco/aube/security/advisories/new
Do not file a public discussion for vulnerabilities. We will acknowledge receipt within a few business days, work with you on a fix, and credit you in the release notes unless you prefer otherwise.
aube ships with several supply-chain protections enabled by default and several more available as one-line opt-ins. Full reference: aube.en.dev/security.
| Setting | Default | What it protects against |
|---|---|---|
blockExoticSubdeps |
true |
Transitive deps from git+, file:, or raw tarball URLs |
allowBuilds (deny-by-default) |
true |
Lifecycle scripts running without explicit approval |
trustPolicy |
"no-downgrade" |
Versions that lost provenance or trusted-publisher evidence |
minimumReleaseAge |
1440 (24h) |
Newly published versions before they have aged in the registry |
jailBuilds |
false (planned true in v2) |
Approved scripts with full filesystem / network / env |
paranoid |
false |
Master switch — forces jailBuilds, trustPolicy=no-downgrade, minimumReleaseAgeStrict, strictStoreIntegrity, strictDepBuilds |
| Tarball integrity (SHA-512) | always on | Tampered tarballs in the registry or proxy cache |
| Content-addressed store (BLAKE3) | always on | Drift between the store and the linked node_modules |
aube audit |
n/a | Known CVEs against the resolved dependency tree |
Security fixes target the latest minor of the current major release. Older majors do not receive backports.