Turborepo v2.10.3 shipped on 2026-07-03 as the eighth release since the Turborepo 2.10 feature release on 2026-06-24. The patch is the first mainstream monorepo task runner to add first-class support for nub and aube, two new Rust-based Node.js package managers that emerged in spring and summer 2026. nub is authored by Colin McDonnell (colinhacks), creator of Zod (43k stars), and aube by Jeff Dickey (jdx), creator of mise. colinhacks opened the nub PR (#13120) on 2026-06-30, with follow-ups #13187 and #13189. anthonyshew opened the aube PR (#13183). Both integrate with the existing packageManager field in package.json and devEngines.packageManager.
The headline signal is not the patch release itself: it is that two of the JS toolchain's most respected builders are now shipping package managers that ride on stock Node instead of replacing it, and that Turborepo (Vercel's de-facto monorepo task runner, used across Next.js, the Vercel CLI, and most Vercel-hosted monorepos) is the first mainstream task runner to formalize both. The release also lands a redesigned TUI surface, native lockfile support for nub's lock.yaml and Bun lockfile v2, normalized packageManager versions across package.json and devEngines, --production on turbo prune, and the workspace TypeScript toolchain moves to 7.0.1-rc.
nub: TypeScript-first Node.js augmentation by colinhacks
nub (@nubjs/nub, v0.2.10, 2.6k GitHub stars, created 2026-06-03) is positioned as "a Bun-like DX on top of stock node, written in Rust." The repo is owned by nubjs on GitHub, and the maintainer behind it is colinhacks, best known as the author of Zod (43k stars) and as a Turborepo committer (he authored the nub recognition PR, the nub-tweaks follow-up, and the semver-range fix for devEngines.packageManager.version). The v0.2.10 release shipped on 2026-06-30 with three fixes: an unhandled Worker-thread error leak that now matches node:worker_threads's fatal-on-error semantics, a brand-boundary leak on aube's user/project config file path under nub (nub now reads only .npmrc plus the NUB_* env knobs, never ~/.config/aube/config.toml), and a nub watch -- target-passthrough that matches node and pnpm 10's behavior.
The toolkit ships seven commands:
| Command | Replaces | Claimed speedup |
|---|---|---|
nub <file> | node, tsx, ts-node, dotenv-cli | TypeScript-first execution on stock node |
nub run <script> | npm run, pnpm run, yarn run | 24x faster than pnpm run |
nubx <bin> | npx, pnpm dlx, pnpm exec, yarn dlx | 19x faster than npx |
nub install | npm, pnpm, yarn | pnpm-compatible, round-trips npm/pnpm/bun lockfiles |
nub watch | nodemon, node --watch, tsx watch | dependency-graph-driven, watches .env* and tsconfig.json |
nub pm | corepack | built-in shim manager |
nub node | nvm, fnm, n, volta | provisions Node from nodejs.org on demand |
There is no new runtime to adopt. Every augmentation rides on Node's own extension surfaces (worker_threads, node:fs, node:vm, the loader hook API). The package manager round-trips the project's existing lockfile: a nub project that ships a pnpm-lock.yaml keeps that lockfile, and nub install writes back into the same file. Yarn is read-only. The install path is @nubjs/nub on npm, brew install nubjs/tap/nub on Homebrew, mise use -g nub, or the official nubjs/setup-nub GitHub Action.
The framing nub picks is the same one Bun picked in 2023 ("all-in-one, drop-in, fast"), but without the runtime swap. The nub run dev 24x speedup vs pnpm run is a real UX improvement for package.json script-heavy monorepos, and nubx prisma generate at 19x faster than npx is the kind of speedup that turns a 4-second wait into a barely-noticed blip.
aube: lockfile-compatible Node.js package management by jdx
aube (@endevco/aube, v1.25.2, 1.6k GitHub stars, created 2026-04-18) is a Rust-based Node.js package manager from Jeff Dickey (jdx), the creator of mise (the asdf successor). The project is sponsored by entire.io and 37signals. The name is French for "dawn," pronounced /ob/. The tagline is "Never forget to install": the aubr test runner auto-installs first when dependencies are stale, then skips that work when nothing changed, which is the same UX pitch mise has had for years but applied to the install path.
The headline number is the warm-install benchmark on a 1400-package real-world fixture, measured with hyperfine under identical conditions and last regenerated on 2026-07-02:
| Package manager | Warm install | Cold install | install && run test |
|---|---|---|---|
| aube 1.25.2 | 319 ms | 14.63 s | 10 ms |
| bun 1.3.14 | 1.49 s | 5.10 s | 66 ms |
| deno 2.9.1 | 1.44 s | 9.15 s | 81 ms |
| pnpm 11.9.0 | 2.44 s | 12.99 s | 388 ms |
| npm 11.9.0 | 7.19 s | 10.89 s | 825 ms |
| yarn 4.17.0 | 8.49 s | 13.18 s | 1.82 s |
aube is 7.7x faster than pnpm and 4.7x faster than Bun on warm installs, and ~80x faster than npm on the install && run test path. The mechanism is the same one pnpm pioneered: a global content-addressable store plus a per-project virtual store. pnpm supports a similar global virtual store, but leaves it off by default; aube enables it by default, which is the whole reason for the warm-install gap.
The lockfile story is the part that matters for adoption. aube reads and writes pnpm-lock.yaml, package-lock.json, npm-shrinkwrap.json, yarn.lock and bun.lock in place. A team that drops aube into a pnpm project does not need to regenerate pnpm-lock.yaml or update CI; aube reads the existing lockfile, links against the global store, and writes the same lockfile back. The packageManager field in package.json flips from "pnpm@11.9.0" to "aube@1.25.2", and the rest of the toolchain sees no diff.
The security story is what makes aube distinct from "fast pnpm." The default config is the strict bundle: lifecycle scripts (preinstall, install, postinstall) wait for approval by default, exotic transitive dependencies are blocked, trust downgrades fail at resolve, and brand-new releases sit in a 24h cooling window. The paranoid: true switch turns every soft gate into a hard fail: jailBuilds = true (the only lifecycle-script jail in any Node.js package manager), strictStoreIntegrity = true (fail when a tarball ships without dist.integrity instead of warning), strictDepBuilds = true (fail when a dep has unreviewed build scripts), advisoryCheck = required (fail when OSV is unreachable), minimumReleaseAgeStrict = true, and trustPolicy = no-downgrade. For supply-chain-sensitive installs, paranoid: true is the conservative default.
The v1.25 series added: v1.25.0 shell activation and shims (so plain node, pnpm, yarn, and npm-family commands go through aube's resolver), v1.25.1 a benchmark refresh, and v1.25.2 a fix for a cold-install lockfile-write overlap race. The lockfile-write overlap is the kind of bug that bites only on parallel CI, and the fact that it was caught and fixed inside the 2.10.3 Turborepo merge window is a good signal for aube's overall code quality.
What Turborepo 2.10.3 actually changed
The nub and aube support is the headline, but the patch is large. The full changelog (v2.10.2 to v2.10.3) carries 41 commits. The eight that matter most for day-to-day use:
- Streamed-logs / TUI toggle (#13203). The TUI task list introduced in Turborepo 2.4 is now toggleable against the legacy streamed-logs view at runtime, not just on launch. Teams that want the structured progress view in CI but the plain text in their editor can flip without restarting.
- Click-to-select tasks in the TUI task list (#13206). The TUI now accepts mouse clicks on task rows to select a subset of tasks to run, instead of filtering with keyboard input. The release notes flag this as the first step toward "click-to-run" workflows where the user picks tasks in the TUI the same way they would in a CI dashboard.
- Auto-copy of TUI selections to the clipboard on mouse release (#13208). A small UX win that closes the "select text in the TUI, copy it" loop without a keyboard shortcut.
--productiononturbo prune(#13190). Prune to a deployable subset and exclude devDependencies in one flag, which simplifies Docker layers for production deploys.- Token-exchange recovery guidance (#13192). When the Turborepo platform binary fetch hits an expired or malformed token, the error now points the user at the recovery command instead of failing with a generic
unauthorizedmessage. - TypeScript 7.0.1-rc as the workspace toolchain (#13144). Turborepo's own repo is now built against TypeScript 7.0.1-rc, the release candidate of the TypeScript 7 native (Go) compiler. The move shortens the loop from "we ship a feature in Turborepo" to "we ship a feature in Turborepo and prove it on the next-gen TS compiler."
- Thin LTO +
codegen-units=1for release builds (#13160). The Rust release binaries now use thin LTO and a single codegen unit, which is the standard Rust recipe for smaller, slightly slower-to-build release binaries. The numbers are not in the PR, but a comparable change in the oxc toolchain shaved ~10-15% off release binary sizes. - Cache-hashing perf fixes (#13209, #13211, #13210). Three commits remove deep clones from the lockfile closure cache, the package-graph root, and the env-wildcard matcher. The hash step is the most repeated work in
turbo run, and shaving clones off it shows up on everyturbo run buildinvocation in a large monorepo.
The lockfile story in 2.10.3 is also notable beyond the nub and aube support. PR #13119 (tsushanth) makes Turborepo accept Bun lockfile v2, which is the new format that landed in Bun 1.3.x. PR #13191 makes boundaries-checks skip node_modules, which closes a class of false-positive "dependency boundary violated" errors that surfaced in monorepos with vendored dependencies. PR #13198 turns malformed JSON in turbo.json from a panic into a typed error. PR #13199 improves the error message when the platform-specific binary fetch fails (the "did you forget to install turbo for this platform" path).
Why this matters for monorepo users
The two news threads (nub and aube adoption; the TUI and perf work) are connected by a single shift: the JS toolchain is consolidating on the "augment stock Node" model rather than the "replace Node with a new runtime" model. Bun and Deno bet on a new runtime, and the bet paid off in performance but cost the ecosystem a migration. nub and aube take the Bun-shape DX and ship it on top of stock node, which means a team can adopt either without changing what runs in production. Turborepo is the first mainstream task runner to formalize that position: when the packageManager field points at nub or aube, the monorepo orchestrator knows what to do with the install, prune, generate, and cache-hashing steps without the team writing custom detector logic.
For monorepo users, the practical takeaway is a quieter npx @turbo/codemod migrate or bunx @turbo/codemod migrate window this weekend. The release is additive: existing 2.10.x monorepos keep working, the TUI is a default that can be reverted with TURBO_TUI=0 or the streamed-logs toggle, and the nub/aube detection only activates when the packageManager field points at one of the two. The perf work (thin LTO, codegen-units=1, lockfile and package-graph clone removal) shows up as a small but measurable improvement on every turbo run build in a large monorepo, with no user-visible config change.
The long-term signal is the author pairing. colinhacks (Zod, 43k stars, TypeScript-first schema validation) is the same person who wrote nub. jdx (mise, the asdf successor) is the same person who wrote aube. The Zod author betting on a stock-Node toolchain and the mise author betting on a Bun-shape install path on stock Node is a strong signal that the JS toolchain consensus is moving away from the "new runtime" bet and toward "make the existing runtime feel as fast as Bun, without the migration."



