Security

aube treats supply-chain protection as a first-class concern. This page lists every security-relevant feature, its default, and the one-line config to turn it on or off.

To report a vulnerability, see the security policy.

The paranoid switch

The fastest way to opt into the strict-security posture is one line:

paranoid: true

This forces every setting in the strict bundle on, regardless of how each is configured individually:

• jailBuilds = true
• trustPolicy = no-downgrade (overrides explicit off)
• minimumReleaseAgeStrict = true — turns the age gate into a hard fail instead of "fall back to the lowest satisfying version"
• strictStoreIntegrity = true — fail when a tarball ships without dist.integrity instead of warning
• strictDepBuilds = true — fail the install when a dep has unreviewed build scripts instead of silently skipping

Use it when you want maximum protection without listing each setting.

Default-deny lifecycle scripts

Lifecycle scripts (preinstall, install, postinstall) are the sharpest supply-chain edge in a JavaScript install. aube does not run dependency lifecycle scripts unless you've approved them explicitly:

# aube-workspace.yaml
allowBuilds:
  esbuild: true
  sharp: true

Or interactively:

aube approve-builds

Root-package lifecycle scripts (your own project's) still run normally — the boundary is dependency code.

Settings: allowBuilds. Install adds unreviewed build packages to aube-workspace.yaml (or pnpm-workspace.yaml if one already exists) as false; approving them flips the entry to true.

Jailed lifecycle scripts

When a dependency is approved to build, jailing keeps it from getting your full filesystem, network, and environment. On macOS aube wraps the script with a Seatbelt profile; on Linux it applies Landlock and seccomp before exec. Both deny network access and limit writes to package and jail-owned temporary directories. On Windows the env is scrubbed and HOME is redirected to a temporary directory.

jailBuilds: true

Grant narrow exceptions per-package instead of disabling the jail wholesale:

jailBuilds: true
jailBuildPermissions:
  sharp:
    env: [SHARP_DIST_BASE_URL]
    write: ["~/.cache/sharp"]
    network: true

Default: false today, planned to flip to true in the next major.

Full reference: Jailed builds.

Trust policy

trustPolicy = no-downgrade blocks installs of a version that carries weaker trust evidence than any earlier-published version of the same package. aube only counts the structured metadata shape npm emits after registry-side checks:

1. npm trusted-publisher — package was published via OIDC from a trusted CI provider (_npmUser.trustedPublisher.id).
2. Sigstore provenance — package was published with npm publish --provenance (dist.attestations.provenance.predicateType with an SLSA provenance URI).

This install-time policy validates the registry metadata shape; it does not cryptographically verify the attached attestation bundle.

A trust downgrade may indicate a supply-chain incident: publisher account takeover, repository tampering, or a malicious co-maintainer publishing without the original CI flow.

trustPolicy: no-downgrade

Exempt specific packages or versions when needed (only exact versions, no ranges):

trustPolicyExclude:
  - "@vendor/legacy-pkg"            # all versions
  - "[email protected]"                # one version
  - "[email protected] || 1.0.1"          # version union
  - "is-*"                           # name glob (no version)

Default: no-downgrade. Set trustPolicy: off to disable, or use trustPolicyExclude for per-package opt-outs.

Settings: trustPolicy, trustPolicyExclude, trustPolicyIgnoreAfter.

Minimum release age

Wait a configurable period before installing newly published versions. Catches typo-squat and dependency-confusion attacks that get unpublished within hours.

minimumReleaseAge: 4320  # 3 days

minimumReleaseAgeStrict: true fails the install when no version satisfies the range; otherwise the resolver falls back to the lowest satisfying version ignoring the cutoff for that pick only.

Default: 0 (disabled).

Settings: minimumReleaseAge, minimumReleaseAgeExclude, minimumReleaseAgeStrict.

Block exotic transitive dependencies

Reject transitive dependencies that resolve to git+, file:, or direct tarball URLs — those skip the registry and its integrity verification. Direct deps you pin yourself in package.json are still allowed.

blockExoticSubdeps: true   # default

Settings: blockExoticSubdeps.

Tarball integrity

Every registry tarball is verified against the SHA-512 hash recorded in the packument's dist.integrity field before it is added to the store. Mismatches fail the install loudly. The hash is preserved in the lockfile, so subsequent installs reverify on every fetch.

The content-addressable store itself uses BLAKE3 for the on-disk index — fast to compute and immune to length-extension. Linked node_modules files are reflinks (APFS/btrfs), hardlinks (ext4), or copies; none of those paths can modify the canonical store entry.

Auth tokens

Registry tokens are read from .npmrc (the npm convention) or environment variables (NPM_TOKEN, AUBE_AUTH_TOKEN, etc.) and never written to the lockfile, tarball cache, or logs. aube login and aube logout manage tokens via the standard npm config file.

Inside jailed lifecycle scripts, common token env vars (NPM_TOKEN, NODE_AUTH_TOKEN, GITHUB_TOKEN, SSH_AUTH_SOCK, AWS_*, etc.) are scrubbed from the script environment unless explicitly granted via jailBuildPermissions.

Auditing installed dependencies

aube audit                # list known CVEs at moderate+ severity
aube audit --audit-level high
aube audit --fix          # write package.json overrides to patched versions
aube audit --json | jq    # machine-readable for CI

Same advisory data source as npm audit and pnpm audit; same response schema.

Recommended baseline

For most projects, the following is a good starting point:

# aube-workspace.yaml
paranoid: true             # bundles jailBuilds, no-downgrade, strict gates
allowBuilds:
  esbuild: true
  sharp: true
  # ...whatever your project actually needs to build

trustPolicy=no-downgrade and minimumReleaseAge: 1440 (24h) are already default-on; paranoid: true adds the rest of the bundle on top. Pair this with aube audit in CI so a newly disclosed CVE fails the build instead of silently shipping.