aube

Aube is a fast and secure Node.js package manager designed to minimize disk space and optimize performance. It provides strict security defaults, including build jails, and supports existing lockfiles.

About

Aube is a high-performance Node.js package manager designed for security, speed, and efficiency. Created by jdx, it improves upon existing symlink-based models by implementing a global virtual store by default, allowing multiple projects to share dependency files without duplicating heavy storage. It is built to drop into existing JavaScript projects by reading and writing standard lockfiles like package-lock.json, yarn.lock, and pnpm-lock.yaml in place, avoiding the need for project-wide migrations. Security is a primary focus, with Aube providing robust, default-enabled protections such as build jails for lifecycle scripts, supply-chain guardrails, and malicious package scanning.

Functionality centers on managing project dependencies, running scripts, and handling binaries efficiently. When developers run commands like aubr test, the tool automatically handles dependency installation if they have become stale, skipping unnecessary work on repeat runs. It maintains a clean node_modules layout using an isolated symlink model, preventing common issues like phantom dependencies, while optionally allowing hoisted layouts for compatibility with older tools that require flatter structures.

Some of the key features are:

  • Isolated Symlink Layout: Projects only expose direct dependencies at the top level, effectively preventing phantom dependency issues and ensuring cleaner module resolution.
  • Content-Addressable Store: Uses a global, content-addressable storage system that enables multiple projects to share the same package files, significantly reducing disk space usage.
  • Jailed Builds: Executes approved dependency lifecycle scripts within a restricted, sandboxed build environment to enhance supply-chain security by limiting filesystem and network access.
  • Global Virtual Store: Enables a per-user virtual store for all projects by default, further accelerating installations and optimizing storage across different repositories on the same machine.
  • Security Scanners: Integrates support for advanced security scanning modules to detect and block malicious packages before they are integrated into the dependency graph.
  • Existing Lockfile Compatibility: Reads and writes standard industry lockfiles in place, ensuring seamless integration with existing npm, yarn, or pnpm projects.
  • Automatic Lifecycle Management: Automatically detects stale dependencies and performs necessary installations or updates during script execution, streamlining the developer experience.

Operationally, the tool functions by resolving the dependency graph and materializing package files into a global store. It then utilizes efficient linking techniques—such as reflinks, hardlinks, or copies—to populate the virtual store in project directories. The CLI includes familiar commands that function similarly to npm or pnpm but with added performance and safety defaults. It includes native shims for running scripts (aubr) and executing one-off binaries (aubx) that dispatch commands directly from the toolchain context.

Some common use cases include:

  • Large Monorepos: Managing multiple interconnected packages efficiently by sharing dependencies across the repository through a global content-addressable store.
  • Secure CI Pipelines: Enforcing strict dependency integrity and build script isolation in automated environments to prevent supply-chain attacks.
  • Performance-Critical Development: Accelerating local development loops in massive projects where repeated dependency installation usually causes significant downtime.
  • Legacy Project Migration: Adopting a faster, more secure package manager for existing applications without requiring team-wide changes to lockfile formats.
