Turborepo 2.10.3 Recognizes nub and aube, Two New Rust-Based Node.js Package Managers From Colin McDonnell (Zod) and Jeff Dickey (mise)

lschvn

Turborepo v2.10.3 shipped on 2026-07-03 as the eighth release since the Turborepo 2.10 feature release on 2026-06-24. With this patch, Turborepo becomes the first mainstream monorepo task runner to add first-class support for nub and aube, two new Rust-based Node.js package managers that emerged in spring and summer 2026. nub is authored by Colin McDonnell (colinhacks), creator of Zod (43k stars), and aube by Jeff Dickey (jdx), creator of mise. colinhacks opened the nub PR (#13120) on 2026-06-30, with follow-ups #13187 and #13189. anthonyshew opened the aube PR (#13183). Both integrate with the existing packageManager field in package.json and devEngines.packageManager.

The headline signal is not the patch release itself: it is that two of the JS toolchain's most respected builders are now shipping package managers that ride on stock Node instead of replacing it, and that Turborepo (Vercel's de-facto monorepo task runner, used across Next.js, the Vercel CLI, and most Vercel-hosted monorepos) is the first mainstream task runner to formalize both. The release also lands a redesigned TUI surface, native lockfile support for nub's lock.yaml and Bun lockfile v2, normalized packageManager versions across package.json and devEngines, --production on turbo prune, and a move of the workspace TypeScript toolchain to 7.0.1-rc.

nub: TypeScript-first Node.js augmentation by colinhacks

nub (@nubjs/nub, v0.2.10, 2.6k GitHub stars, created 2026-06-03) is positioned as "a Bun-like DX on top of stock node, written in Rust." The repo is owned by nubjs on GitHub, and the maintainer behind it is colinhacks, best known as the author of Zod (43k stars) and as a Turborepo committer (he authored the nub recognition PR, the nub-tweaks follow-up, and the semver-range fix for devEngines.packageManager.version). The v0.2.10 release shipped on 2026-06-30 with three fixes: an unhandled Worker-thread error leak that now matches node:worker_threads's fatal-on-error semantics, a brand-boundary leak on aube's user/project config file path under nub (nub now reads only .npmrc plus the NUB_* env knobs, never ~/.config/aube/config.toml), and a nub watch -- target-passthrough that matches node and pnpm 10's behavior.

The toolkit ships seven commands:

| Command | Replaces | Claimed speedup |
| --- | --- | --- |
| nub <file> | node, tsx, ts-node, dotenv-cli | TypeScript-first execution on stock node |
| nub run <script> | npm run, pnpm run, yarn run | 24x faster than pnpm run |
| nubx <bin> | npx, pnpm dlx, pnpm exec, yarn dlx | 19x faster than npx |
| nub install | npm, pnpm, yarn | pnpm-compatible, round-trips npm/pnpm/bun lockfiles |
| nub watch | nodemon, node --watch, tsx watch | dependency-graph-driven, watches .env* and tsconfig.json |
| nub pm | corepack | built-in shim manager |
| nub node | nvm, fnm, n, volta | provisions Node from nodejs.org on demand |

There is no new runtime to adopt. Every augmentation rides on Node's own extension surfaces (worker_threads, node:fs, node:vm, the loader hook API). The package manager round-trips the project's existing lockfile: a nub project that ships a pnpm-lock.yaml keeps that lockfile, and nub install writes back into the same file. Yarn is read-only. The install path is @nubjs/nub on npm, brew install nubjs/tap/nub on Homebrew, mise use -g nub, or the official nubjs/setup-nub GitHub Action.

The framing nub picks is the same one Bun picked in 2023 ("all-in-one, drop-in, fast"), but without the runtime swap. The nub run dev 24x speedup vs pnpm run is a real UX improvement for package.json script-heavy monorepos, and nubx prisma generate at 19x faster than npx is the kind of speedup that turns a 4-second wait into a barely-noticed blip.

aube: lockfile-compatible Node.js package management by jdx

aube (@endevco/aube, v1.25.2, 1.6k GitHub stars, created 2026-04-18) is a Rust-based Node.js package manager from Jeff Dickey (jdx), the creator of mise (the asdf successor). The project is sponsored by entire.io and 37signals. The name is French for "dawn," pronounced /ob/. The tagline is "Never forget to install": the aubr test runner auto-installs first when dependencies are stale, then skips that work when nothing changed, which is the same UX pitch mise has had for years but applied to the install path.

The headline number is the warm-install benchmark on a 1400-package real-world fixture, measured with hyperfine under identical conditions and last regenerated on 2026-07-02:

| Package manager | Warm install | Cold install | install && run test |
| --- | --- | --- | --- |
| aube 1.25.2 | 319 ms | 14.63 s | 10 ms |
| bun 1.3.14 | 1.49 s | 5.10 s | 66 ms |
| deno 2.9.1 | 1.44 s | 9.15 s | 81 ms |
| pnpm 11.9.0 | 2.44 s | 12.99 s | 388 ms |
| npm 11.9.0 | 7.19 s | 10.89 s | 825 ms |
| yarn 4.17.0 | 8.49 s | 13.18 s | 1.82 s |

aube is 7.7x faster than pnpm and 4.7x faster than Bun on warm installs, and ~80x faster than npm on the install && run test path. The mechanism is the same one pnpm pioneered: a global content-addressable store plus a per-project virtual store. pnpm supports a similar global virtual store, but leaves it off by default; aube enables it by default, which is the whole reason for the warm-install gap.

The lockfile story is the part that matters for adoption. aube reads and writes pnpm-lock.yaml, package-lock.json, npm-shrinkwrap.json, yarn.lock and bun.lock in place. A team that drops aube into a pnpm project does not need to regenerate pnpm-lock.yaml or update CI; aube reads the existing lockfile, links against the global store, and writes the same lockfile back. The packageManager field in package.json flips from "pnpm@11.9.0" to "aube@1.25.2", and the rest of the toolchain sees no diff.

The security story is what makes aube distinct from "fast pnpm." The default config is the strict bundle: lifecycle scripts (preinstall, install, postinstall) wait for approval by default, exotic transitive dependencies are blocked, trust downgrades fail at resolve, and brand-new releases sit in a 24h cooling window. The paranoid: true switch turns every soft gate into a hard fail: jailBuilds = true (the only lifecycle-script jail in any Node.js package manager), strictStoreIntegrity = true (fail when a tarball ships without dist.integrity instead of warning), strictDepBuilds = true (fail when a dep has unreviewed build scripts), advisoryCheck = required (fail when OSV is unreachable), minimumReleaseAgeStrict = true, and trustPolicy = no-downgrade. For supply-chain-sensitive installs, paranoid: true is the conservative setting.
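To make three of those gates concrete (missing integrity, unapproved lifecycle scripts, the 24h cooling window), here is an added example of an independent CI check over package-lock.json; it is not aube's code and not from this article. The function name auditLockfile, the rule labels, the allowlist, the publish-time map and the sample lockfile are constructed for illustration; resolved, integrity, hasInstallScript and link are the fields npm writes to the lockfile.

```javascript
// Added example, not aube's code: names, allowlist and sample data are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Audits the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// Returns [{ pkg, rule }]; an empty array means every gate passed.
function auditLockfile(lock, { approvedScripts = [], publishedAt = {}, now = Date.now() } = {}) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, local workspace folders and workspace symlinks.
    const at = path.lastIndexOf("node_modules/");
    if (at === -1 || entry.link) continue;
    const name = entry.name || path.slice(at + "node_modules/".length);
    const pkg = `${name}@${entry.version}`;

    // Gate 1: a fetched tarball without an integrity hash cannot be verified.
    if (entry.resolved && !entry.integrity) {
      findings.push({ pkg, rule: "missing-integrity" });
    }
    // Gate 2: install-time lifecycle scripts need explicit approval.
    if (entry.hasInstallScript && !approvedScripts.includes(name)) {
      findings.push({ pkg, rule: "unapproved-install-script" });
    }
    // Gate 3: releases younger than 24h are held back (publish times supplied by caller).
    const published = publishedAt[pkg];
    if (published !== undefined && now - Date.parse(published) < DAY_MS) {
      findings.push({ pkg, rule: "inside-cooling-window" });
    }
  }
  return findings;
}

// Constructed sample lockfile; URLs and hashes are placeholders.
const reg = "https://registry.example.invalid";
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/left": { version: "1.2.0", resolved: `${reg}/left-1.2.0.tgz`, integrity: "sha512-PLACEHOLDER" },
    "node_modules/native-thing": { version: "3.0.1", resolved: `${reg}/native-thing-3.0.1.tgz`, integrity: "sha512-PLACEHOLDER", hasInstallScript: true },
    "node_modules/@scope/no-hash": { version: "0.1.0", resolved: `${reg}/no-hash-0.1.0.tgz` },
    "node_modules/fresh": { version: "2.0.0", resolved: `${reg}/fresh-2.0.0.tgz`, integrity: "sha512-PLACEHOLDER" },
  },
};
const sampleOptions = {
  approvedScripts: [],
  publishedAt: { "fresh@2.0.0": "2026-07-02T12:00:00Z" },
  now: Date.parse("2026-07-03T00:00:00Z"),
};
console.log(auditLockfile(sampleLock, sampleOptions));
```

In CI, a non-empty result would fail the job; the publish times for the cooling-window gate have to come from registry metadata, which this offline sample replaces with a constructed map.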

The v1.25 series added: v1.25.0 shell activation and shims (so plain node, pnpm, yarn, and npm-family commands go through aube's resolver), v1.25.1 a benchmark refresh, and v1.25.2 a fix for a cold-install lockfile-write overlap race. The lockfile-write overlap is the kind of bug that bites only on parallel CI, and the fact that it was caught and fixed inside the 2.10.3 Turborepo merge window is a good signal for aube's overall code quality.

What Turborepo 2.10.3 actually changed

The nub and aube support is the headline, but the patch is large. The full changelog (v2.10.2 to v2.10.3) carries 41 commits. The eight that matter most for day-to-day use:

  1. Streamed-logs / TUI toggle (#13203). The TUI task list introduced in Turborepo 2.4 is now toggleable against the legacy streamed-logs view at runtime, not just on launch. Teams that want the structured progress view in CI but the plain text in their editor can flip without restarting.
  2. Click-to-select tasks in the TUI task list (#13206). The TUI now accepts mouse clicks on task rows to select a subset of tasks to run, instead of filtering with keyboard input. The release notes flag this as the first step toward "click-to-run" workflows where the user picks tasks in the TUI the same way they would in a CI dashboard.
  3. Auto-copy of TUI selections to the clipboard on mouse release (#13208). A small UX win that closes the "select text in the TUI, copy it" loop without a keyboard shortcut.
  4. --production on turbo prune (#13190). Prune to a deployable subset and exclude devDependencies in one flag, which simplifies Docker layers for production deploys.
  5. Token-exchange recovery guidance (#13192). When the Turborepo platform binary fetch hits an expired or malformed token, the error now points the user at the recovery command instead of failing with a generic unauthorized message.
  6. TypeScript 7.0.1-rc as the workspace toolchain (#13144). Turborepo's own repo is now built against TypeScript 7.0.1-rc, the release candidate of the TypeScript 7 native (Go) compiler. The move shortens the loop from "we ship a feature in Turborepo" to "we ship a feature in Turborepo and prove it on the next-gen TS compiler."
  7. Thin LTO + codegen-units=1 for release builds (#13160). The Rust release binaries now use thin LTO and a single codegen unit, which is the standard Rust recipe for smaller, slightly slower-to-build release binaries. The numbers are not in the PR, but a comparable change in the oxc toolchain shaved ~10-15% off release binary sizes.
  8. Cache-hashing perf fixes (#13209, #13211, #13210). Three commits remove deep clones from the lockfile closure cache, the package-graph root, and the env-wildcard matcher. The hash step is the most repeated work in turbo run, and shaving clones off it shows up on every turbo run build invocation in a large monorepo.

The lockfile story in 2.10.3 is also notable beyond the nub and aube support. PR #13119 (tsushanth) makes Turborepo accept Bun lockfile v2, which is the new format that landed in Bun 1.3.x. PR #13191 makes boundaries-checks skip node_modules, which closes a class of false-positive "dependency boundary violated" errors that surfaced in monorepos with vendored dependencies. PR #13198 turns malformed JSON in turbo.json from a panic into a typed error. PR #13199 improves the error message when the platform-specific binary fetch fails (the "did you forget to install turbo for this platform" path).

Why this matters for monorepo users

The two news threads (nub and aube adoption; the TUI and perf work) are connected by a single shift: the JS toolchain is consolidating on the "augment stock Node" model rather than the "replace Node with a new runtime" model. Bun and Deno bet on a new runtime, and the bet paid off in performance but cost the ecosystem a migration. nub and aube take the Bun-shape DX and ship it on top of stock node, which means a team can adopt either without changing what runs in production. Turborepo is the first mainstream task runner to formalize that position: when the packageManager field points at nub or aube, the monorepo orchestrator knows what to do with the install, prune, generate, and cache-hashing steps without the team writing custom detector logic.

For monorepo users, the practical takeaway is a quieter npx @turbo/codemod migrate or bunx @turbo/codemod migrate window this weekend. The release is additive: existing 2.10.x monorepos keep working, the TUI is a default that can be reverted with TURBO_TUI=0 or the streamed-logs toggle, and the nub/aube detection only activates when the packageManager field points at one of the two. The perf work (thin LTO, codegen-units=1, lockfile and package-graph clone removal) shows up as a small but measurable improvement on every turbo run build in a large monorepo, with no user-visible config change.

The long-term signal is the author pairing. colinhacks (Zod, 43k stars, TypeScript-first schema validation) is the same person who wrote nub. jdx (mise, the asdf successor) is the same person who wrote aube. The Zod author betting on a stock-Node toolchain and the mise author betting on a Bun-shape install path on stock Node is a strong signal that the JS toolchain consensus is moving away from the "new runtime" bet and toward "make the existing runtime feel as fast as Bun, without the migration."
