---
title: "Turborepo 2.10.3 Recognizes nub and aube, Two New Rust-Based Node.js Package Managers From Colin McDonnell (Zod) and Jeff Dickey (mise)"
description: "Turborepo [v2.10.3](https://github.com/vercel/turborepo/releases/tag/v2.10.3) shipped on 2026-07-03 with first-class support for [nub](https://github.com/nubjs/nub) and [aube](https://github.com/jdx/aube), two Rust-based Node.js package managers that emerged in spring and summer 2026. nub is authored by Colin McDonnell (creator of [Zod](https://github.com/colinhacks/zod), 43k stars) and aube by Jeff Dickey (creator of [mise](https://github.com/jdx/mise)); both integrate with Turborepo as `packageManager` values in `package.json` and `devEngines.packageManager`. The release also lands a new TUI/streamed-logs toggle, click-to-select tasks in the TUI task list, auto-copy of TUI selections to clipboard on mouse release, a `--production` flag on `turbo prune`, TypeScript 7.0.1-rc as the workspace toolchain, thin LTO + `codegen-units=1` for release builds, and a long list of cache-hashing perf fixes. The headline signal: two of the JS toolchain's most respected builders are now shipping package managers that ride on stock Node instead of replacing it, and Turborepo is the first mainstream monorepo tool to formalize both."
date: 2026-07-04
image: "/images/heroes/2026-07-04--turborepo-2-10-3-nub-aube-rust-package-managers.png"
author: lschvn
tags: ["tooling", "typescript", "ecosystem"]
tldr:
  - "Turborepo [v2.10.3](https://github.com/vercel/turborepo/releases/tag/v2.10.3) (released 2026-07-03, the 8th release since the [Turborepo 2.10 feature release on 2026-06-24](https://turborepo.dev/blog/2-10)) adds first-class support for two new Rust-based Node.js package managers: [nub](https://github.com/nubjs/nub) by Colin McDonnell (creator of [Zod](https://github.com/colinhacks/zod), 43k stars) and [aube](https://github.com/jdx/aube) by Jeff Dickey (creator of [mise](https://github.com/jdx/mise)). nub is recognized via PR [#13120](https://github.com/vercel/turborepo/pull/13120) (colinhacks, 2026-06-30) with follow-ups [#13187](https://github.com/vercel/turborepo/pull/13187) and [#13189](https://github.com/vercel/turborepo/pull/13189); aube is added via PR [#13183](https://github.com/vercel/turborepo/pull/13183). Both integrate with the existing `packageManager` field in `package.json` and `devEngines.packageManager.version`, with semver-range support for `devEngines.packageManager.version` shipped in #13189."
  - "Turborepo 2.10.3 also lands a redesigned TUI surface: a streamed-logs/TUI toggle (#13203), click-to-select tasks in the TUI task list (#13206), auto-copy of TUI selections to the clipboard on mouse release (#13208), `--production` on `turbo prune` (#13190), token-exchange recovery guidance for the platform binary cache (#13192), normalized `packageManager` versions across the field and `devEngines` (#13185), native lockfile support for nub's `lock.yaml`, Bun lockfile v2 (#13119), and TypeScript 7.0.1-rc as the workspace toolchain (#13144). The release enables `thin LTO` and `codegen-units=1` for Rust release builds (#13160), and removes several hot-path deep clones in the lockfile and package-graph caches (#13209, #13211, #13210)."
  - "Both managers target the same niche: a Bun-shaped developer experience on top of stock Node, with no new runtime to adopt. nub (`@nubjs/nub` v0.2.10, 2.6k stars, created 2026-06-03) ships `nub <file>` for TypeScript execution, `nub run` (24x faster than `pnpm run`), `nubx` (19x faster than `npx`), `nub install` (pnpm-compatible, reads/writes npm/pnpm/bun lockfiles), `nub watch`, `nub pm` (Corepack-style shims) and `nub node` (replaces `nvm`/`fnm`). aube (`@endevco/aube` v1.25.2, 1.6k stars, created 2026-04-18) is 7.7x faster than pnpm and 4.7x faster than Bun on warm installs, reads and writes `pnpm-lock.yaml`, `package-lock.json`, `npm-shrinkwrap.json`, `yarn.lock` and `bun.lock` in place, ships a `paranoid: true` switch for a hard-fail security bundle, and is the only Node.js package manager with a lifecycle-script jail. `unjs/nypm` already lists both as supported; Turborepo 2.10.3 is the first monorepo task runner to formalize the pair."
faq:
  - question: "What is Turborepo 2.10.3?"
    answer: "Turborepo v2.10.3 is a patch release on the 2.10 line, shipped on 2026-07-03. It is the first mainstream monorepo task runner to add first-class support for nub and aube, two new Rust-based Node.js package managers that emerged in 2026. The release also ships a new TUI toggle between the new click-to-select task list and the existing streamed-logs view, a `--production` flag on `turbo prune`, native lockfile support for nub's `lock.yaml` and Bun lockfile v2, normalized package-manager version handling across `packageManager` and `devEngines.packageManager`, token-exchange recovery guidance, thin LTO + `codegen-units=1` for the Rust release builds, and several cache-hashing perf fixes that remove deep clones from the lockfile closure cache, package graph and env-wildcard matcher. The workspace TypeScript toolchain moves to 7.0.1-rc."
  - question: "What is nub?"
    answer: "nub (`@nubjs/nub`, v0.2.10, 2.6k GitHub stars, created 2026-06-03) is a Rust-based toolkit that augments stock Node.js instead of replacing it. It ships `nub <file>` for TypeScript-first execution, `nub run` for `package.json` scripts (claimed 24x faster than `pnpm run`), `nubx` for one-off CLIs (claimed 19x faster than `npx`), `nub install` (pnpm-compatible, round-trips npm/pnpm/bun lockfiles, yarn read-only), `nub watch` for source-restart workflows, `nub pm` for Corepack-style package-manager shims, and `nub node` to replace `nvm`/`fnm`/`n`/`volta`. The project is authored by Colin McDonnell (colinhacks), creator of Zod, and is installed via npm (`npm i -g @nubjs/nub`), Homebrew (`brew install nubjs/tap/nub`), mise, or the official `nubjs/setup-nub` GitHub Action. There is no new runtime: every augmentation rides on Node's own extension surfaces."
  - question: "What is aube?"
    answer: "aube (`@endevco/aube`, v1.25.2, 1.6k GitHub stars, created 2026-04-18, aube means \"dawn\" in French, pronounced /ob/) is a Rust-based Node.js package manager from Jeff Dickey (jdx), creator of mise. On a 1400-package real-world fixture measured with hyperfine, aube is 7.7x faster than pnpm and 4.7x faster than Bun on warm installs, and ~9x faster than npm on `npm install && npm run test`. It reads and writes `pnpm-lock.yaml`, `package-lock.json`, `npm-shrinkwrap.json`, `yarn.lock` and `bun.lock` in place, ships a `paranoid: true` switch that turns the strict security bundle on as hard fails (build jail, trust-downgrade blocks, 24h cooling window for brand-new releases, missing-`dist.integrity` hard fail), and is the only Node.js package manager with a lifecycle-script jail. Installation is `mise use aube`, `mise use -g aube`, `npm i -g @endevco/aube`, or via mise's CI caches."
  - question: "Why are nub and aube interesting if Bun and Deno already exist?"
    answer: "Both target a different niche from Bun and Deno: they ride on stock Node and do not replace it. There is no new runtime to adopt, no vendor-specific API surface, and no lock-in: the user keeps `node`, keeps the project's existing lockfile (npm, pnpm, yarn, bun), and adds a faster front-end on top. nub is positioned as a Bun-shaped DX on stock Node, and aube is positioned as a pnpm-shaped install path with stronger security defaults and a global content-addressable store. The two approaches are complementary: nub replaces `node`/`tsx`/`ts-node`/`nodemon`/`nvm`/`corepack`, while aube replaces `npm`/`pnpm`/`yarn`/`bun install` without touching the runtime. The fact that the Zod author (nub) and the mise author (aube) are both shipping Node-side alternatives is a strong signal that Bun's \"new runtime\" bet is not where the JS toolchain consensus is heading."
  - question: "What does Turborepo's support actually look like?"
    answer: "nub is recognized as a `PackageManager::Nub` enum variant in `turborepo-repository` (PR #13120, colinhacks). The wire format (the `turbod` gRPC enum) gains a `Nub = 7` variant. Lockfile-related operations (cache hashing, prune, generate) delegate to the underlying lockfile's package manager because nub itself does not define a lockfile format: nub round-trips npm/pnpm/bun lockfiles, so detection happens via the `packageManager` field in `package.json` (`\"nub@x.y.z\"`) or `devEngines.packageManager`, never from the presence of a `lock.yaml`. aube gets its own detector (PR #13183, anthonyshew) with normalizers for the package-manager version. PR #13189 (colinhacks) makes `devEngines.packageManager.version` honor semver ranges, and #13185 normalizes the printed package-manager version across the two fields. Turborepo also accepts Bun lockfile v2 (PR #13119, tsushanth)."
  - question: "Are nub and aube safe to use in production today?"
    answer: "nub is at v0.2.10 (a 0.x line, semver-considered pre-stable), but it has 2.6k stars, a published `@nubjs/nub` package, an official `nubjs/setup-nub` GitHub Action, and a Homebrew tap. The v0.2.10 release fixed an unhandled Worker-thread error leak (now fatal, matching `node:worker_threads`), a brand-boundary leak on aube's user/project config path under nub, and `nub watch --` target-passthrough. aube is at v1.25.2 (a stable 1.x line), ships a security scanner, has a published `@endevco/aube` package, and is sponsored by entire.io and 37signals. The `paranoid: true` switch is the conservative default for production installs where supply-chain integrity matters more than install speed. Both managers fall back to reading existing lockfiles, so adopting them does not require a `package-lock.json` or `pnpm-lock.yaml` rewrite."
  - question: "Will nub and aube replace pnpm?"
    answer: "Not on the same timeline. pnpm 11.9.0 (the version aube benchmarks against) is still the default package manager in the wider JS ecosystem, and the article numbers from `unjs/nypm` show `pnpm` + `npm` + `yarn` + `bun` + `deno` as the five managers most teams will hit in 2026. nub and aube are credible third options rather than replacements: nub's 24x script-runner win is a real UX improvement for `package.json` script-heavy monorepos, and aube's 7.7x install win plus lifecycle-script jail is a real security improvement. The fact that both projects are explicitly lockfile-compatible with npm/pnpm/yarn/bun means teams can adopt either one without rewriting their `node_modules`."
  - question: "What other changes ship in Turborepo 2.10.3?"
    answer: "Beyond the nub and aube recognition, the release adds: a streamed-logs/TUI toggle (#13203), click-to-select tasks in the TUI task list (#13206), auto-copy of TUI selections to the clipboard on mouse release (#13208), `--production` on `turbo prune` (#13190), token-exchange recovery guidance (#13192), malformed-JSON panic→error (#13198), better error messages for missing platform binaries (#13199), the recovery from a slow initial hash in `--watch` (#13159), GitLab reporter `--verbose` filtering (#13177 of nypm, surfaced here), boundaries-checks skip for `node_modules` (#13191), and `--production` on prune. The Rust release build enables thin LTO + codegen-units=1 (#13160) for ~10-15% smaller release binaries, and the workspace TypeScript toolchain moves to 7.0.1-rc (#13144). The vitest example updates to vitest 4 with native test merging."
---

[Turborepo v2.10.3](https://github.com/vercel/turborepo/releases/tag/v2.10.3) shipped on 2026-07-03 as the eighth release since the [Turborepo 2.10 feature release](https://turborepo.dev/blog/2-10) on 2026-06-24. The patch is the first mainstream monorepo task runner to add first-class support for [nub](https://github.com/nubjs/nub) and [aube](https://github.com/jdx/aube), two new Rust-based Node.js package managers that emerged in spring and summer 2026. nub is authored by Colin McDonnell (colinhacks), creator of [Zod](https://github.com/colinhacks/zod) (43k stars), and aube by Jeff Dickey (jdx), creator of [mise](https://github.com/jdx/mise). colinhacks opened the nub PR ([#13120](https://github.com/vercel/turborepo/pull/13120)) on 2026-06-30, with follow-ups [#13187](https://github.com/vercel/turborepo/pull/13187) and [#13189](https://github.com/vercel/turborepo/pull/13189). anthonyshew opened the aube PR ([#13183](https://github.com/vercel/turborepo/pull/13183)). Both integrate with the existing `packageManager` field in `package.json` and `devEngines.packageManager`.

The headline signal is not the patch release itself: it is that two of the JS toolchain's most respected builders are now shipping package managers that ride on stock Node instead of replacing it, and that Turborepo (Vercel's de-facto monorepo task runner, used across Next.js, the Vercel CLI, and most Vercel-hosted monorepos) is the first mainstream task runner to formalize both. The release also lands a redesigned TUI surface, native lockfile support for nub's `lock.yaml` and Bun lockfile v2, normalized `packageManager` versions across `package.json` and `devEngines`, `--production` on `turbo prune`, and the workspace TypeScript toolchain moves to 7.0.1-rc.

## nub: TypeScript-first Node.js augmentation by colinhacks

[nub](https://github.com/nubjs/nub) (`@nubjs/nub`, v0.2.10, 2.6k GitHub stars, created 2026-06-03) is positioned as "a Bun-like DX on top of stock `node`, written in Rust." The repo is owned by `nubjs` on GitHub, and the maintainer behind it is colinhacks, best known as the author of [Zod](https://github.com/colinhacks/zod) (43k stars) and as a Turborepo committer (he authored the [nub recognition PR](https://github.com/vercel/turborepo/pull/13120), the [nub-tweaks follow-up](https://github.com/vercel/turborepo/pull/13187), and the [semver-range fix](https://github.com/vercel/turborepo/pull/13189) for `devEngines.packageManager.version`). The v0.2.10 release shipped on 2026-06-30 with three fixes: an unhandled Worker-thread error leak that now matches `node:worker_threads`'s fatal-on-error semantics, a brand-boundary leak on aube's user/project config file path under nub (nub now reads only `.npmrc` plus the `NUB_*` env knobs, never `~/.config/aube/config.toml`), and a `nub watch --` target-passthrough that matches `node` and pnpm 10's behavior.

The toolkit ships seven commands:

| Command | Replaces | Claimed speedup |
|---|---|---|
| `nub <file>` | `node`, `tsx`, `ts-node`, `dotenv-cli` | TypeScript-first execution on stock `node` |
| `nub run <script>` | `npm run`, `pnpm run`, `yarn run` | 24x faster than `pnpm run` |
| `nubx <bin>` | `npx`, `pnpm dlx`, `pnpm exec`, `yarn dlx` | 19x faster than `npx` |
| `nub install` | `npm`, `pnpm`, `yarn` | pnpm-compatible, round-trips npm/pnpm/bun lockfiles |
| `nub watch` | `nodemon`, `node --watch`, `tsx watch` | dependency-graph-driven, watches `.env*` and `tsconfig.json` |
| `nub pm` | `corepack` | built-in shim manager |
| `nub node` | `nvm`, `fnm`, `n`, `volta` | provisions Node from nodejs.org on demand |

There is no new runtime to adopt. Every augmentation rides on Node's own extension surfaces (`worker_threads`, `node:fs`, `node:vm`, the loader hook API). The package manager round-trips the project's existing lockfile: a nub project that ships a `pnpm-lock.yaml` keeps that lockfile, and `nub install` writes back into the same file. Yarn is read-only. The install path is `@nubjs/nub` on npm, `brew install nubjs/tap/nub` on Homebrew, `mise use -g nub`, or the official `nubjs/setup-nub` GitHub Action.

The framing nub picks is the same one Bun picked in 2023 ("all-in-one, drop-in, fast"), but without the runtime swap. The `nub run dev` 24x speedup vs `pnpm run` is a real UX improvement for `package.json` script-heavy monorepos, and `nubx prisma generate` at 19x faster than `npx` is the kind of speedup that turns a 4-second wait into a barely-noticed blip.

## aube: lockfile-compatible Node.js package management by jdx

[aube](https://github.com/jdx/aube) (`@endevco/aube`, v1.25.2, 1.6k GitHub stars, created 2026-04-18) is a Rust-based Node.js package manager from Jeff Dickey (jdx), the creator of [mise](https://github.com/jdx/mise) (the asdf successor). The project is sponsored by entire.io and 37signals. The name is French for "dawn," pronounced /ob/. The tagline is "Never forget to install": the `aubr test` runner auto-installs first when dependencies are stale, then skips that work when nothing changed, which is the same UX pitch mise has had for years but applied to the install path.

The headline number is the warm-install benchmark on a 1400-package real-world fixture, measured with hyperfine under identical conditions and last regenerated on 2026-07-02:

| Package manager | Warm install | Cold install | `install && run test` |
|---|---|---|---|
| aube 1.25.2 | 319 ms | 14.63 s | 10 ms |
| bun 1.3.14 | 1.49 s | 5.10 s | 66 ms |
| deno 2.9.1 | 1.44 s | 9.15 s | 81 ms |
| pnpm 11.9.0 | 2.44 s | 12.99 s | 388 ms |
| npm 11.9.0 | 7.19 s | 10.89 s | 825 ms |
| yarn 4.17.0 | 8.49 s | 13.18 s | 1.82 s |

aube is 7.7x faster than pnpm and 4.7x faster than Bun on warm installs, and ~80x faster than npm on the `install && run test` path. The mechanism is the same one pnpm pioneered: a global content-addressable store plus a per-project virtual store. pnpm supports a similar global virtual store, but leaves it off by default; aube enables it by default, which is the whole reason for the warm-install gap.

The lockfile story is the part that matters for adoption. aube reads and writes `pnpm-lock.yaml`, `package-lock.json`, `npm-shrinkwrap.json`, `yarn.lock` and `bun.lock` in place. A team that drops aube into a pnpm project does not need to regenerate `pnpm-lock.yaml` or update CI; aube reads the existing lockfile, links against the global store, and writes the same lockfile back. The `packageManager` field in `package.json` flips from `"pnpm@11.9.0"` to `"aube@1.25.2"`, and the rest of the toolchain sees no diff.

The security story is what makes aube distinct from "fast pnpm." The default config is the strict bundle: lifecycle scripts (preinstall, install, postinstall) wait for approval by default, exotic transitive dependencies are blocked, trust downgrades fail at resolve, and brand-new releases sit in a 24h cooling window. The `paranoid: true` switch turns every soft gate into a hard fail: `jailBuilds = true` (the only lifecycle-script jail in any Node.js package manager), `strictStoreIntegrity = true` (fail when a tarball ships without `dist.integrity` instead of warning), `strictDepBuilds = true` (fail when a dep has unreviewed build scripts), `advisoryCheck = required` (fail when OSV is unreachable), `minimumReleaseAgeStrict = true`, and `trustPolicy = no-downgrade`. For supply-chain-sensitive installs, `paranoid: true` is the conservative default.

The v1.25 series added: v1.25.0 shell activation and shims (so plain `node`, `pnpm`, `yarn`, and `npm-family` commands go through aube's resolver), v1.25.1 a benchmark refresh, and v1.25.2 a fix for a cold-install lockfile-write overlap race. The lockfile-write overlap is the kind of bug that bites only on parallel CI, and the fact that it was caught and fixed inside the 2.10.3 Turborepo merge window is a good signal for aube's overall code quality.

## What Turborepo 2.10.3 actually changed

The nub and aube support is the headline, but the patch is large. The full changelog ([v2.10.2 to v2.10.3](https://github.com/vercel/turborepo/compare/v2.10.2...v2.10.3)) carries 41 commits. The eight that matter most for day-to-day use:

1. **Streamed-logs / TUI toggle (#13203).** The TUI task list introduced in [Turborepo 2.4](https://turborepo.dev/blog/turbo-2-4) is now toggleable against the legacy streamed-logs view at runtime, not just on launch. Teams that want the structured progress view in CI but the plain text in their editor can flip without restarting.
2. **Click-to-select tasks in the TUI task list (#13206).** The TUI now accepts mouse clicks on task rows to select a subset of tasks to run, instead of filtering with keyboard input. The release notes flag this as the first step toward "click-to-run" workflows where the user picks tasks in the TUI the same way they would in a CI dashboard.
3. **Auto-copy of TUI selections to the clipboard on mouse release (#13208).** A small UX win that closes the "select text in the TUI, copy it" loop without a keyboard shortcut.
4. **`--production` on `turbo prune` (#13190).** Prune to a deployable subset and exclude devDependencies in one flag, which simplifies Docker layers for production deploys.
5. **Token-exchange recovery guidance (#13192).** When the Turborepo platform binary fetch hits an expired or malformed token, the error now points the user at the recovery command instead of failing with a generic `unauthorized` message.
6. **TypeScript 7.0.1-rc as the workspace toolchain (#13144).** Turborepo's own repo is now built against [TypeScript 7.0.1-rc](https://devblogs.microsoft.com/typescript/), the release candidate of the [TypeScript 7 native (Go) compiler](https://devblogs.microsoft.com/typescript/typescript-7-native-preview/). The move shortens the loop from "we ship a feature in Turborepo" to "we ship a feature in Turborepo and prove it on the next-gen TS compiler."
7. **Thin LTO + `codegen-units=1` for release builds (#13160).** The Rust release binaries now use thin LTO and a single codegen unit, which is the standard Rust recipe for smaller, slightly slower-to-build release binaries. The numbers are not in the PR, but a comparable change in the oxc toolchain shaved ~10-15% off release binary sizes.
8. **Cache-hashing perf fixes (#13209, #13211, #13210).** Three commits remove deep clones from the lockfile closure cache, the package-graph root, and the env-wildcard matcher. The hash step is the most repeated work in `turbo run`, and shaving clones off it shows up on every `turbo run build` invocation in a large monorepo.

The lockfile story in 2.10.3 is also notable beyond the nub and aube support. PR #13119 (tsushanth) makes Turborepo accept Bun lockfile v2, which is the new format that landed in Bun 1.3.x. PR #13191 makes boundaries-checks skip `node_modules`, which closes a class of false-positive "dependency boundary violated" errors that surfaced in monorepos with vendored dependencies. PR #13198 turns malformed JSON in `turbo.json` from a panic into a typed error. PR #13199 improves the error message when the platform-specific binary fetch fails (the "did you forget to install `turbo` for this platform" path).

## Why this matters for monorepo users

The two news threads (nub and aube adoption; the TUI and perf work) are connected by a single shift: the JS toolchain is consolidating on the "augment stock Node" model rather than the "replace Node with a new runtime" model. Bun and Deno bet on a new runtime, and the bet paid off in performance but cost the ecosystem a migration. nub and aube take the Bun-shape DX and ship it on top of stock `node`, which means a team can adopt either without changing what runs in production. Turborepo is the first mainstream task runner to formalize that position: when the `packageManager` field points at nub or aube, the monorepo orchestrator knows what to do with the install, prune, generate, and cache-hashing steps without the team writing custom detector logic.

For monorepo users, the practical takeaway is a quieter `npx @turbo/codemod migrate` or `bunx @turbo/codemod migrate` window this weekend. The release is additive: existing 2.10.x monorepos keep working, the TUI is a default that can be reverted with `TURBO_TUI=0` or the streamed-logs toggle, and the nub/aube detection only activates when the `packageManager` field points at one of the two. The perf work (thin LTO, codegen-units=1, lockfile and package-graph clone removal) shows up as a small but measurable improvement on every `turbo run build` in a large monorepo, with no user-visible config change.

The long-term signal is the author pairing. colinhacks (Zod, 43k stars, TypeScript-first schema validation) is the same person who wrote nub. jdx (mise, the asdf successor) is the same person who wrote aube. The Zod author betting on a stock-Node toolchain and the mise author betting on a Bun-shape install path on stock Node is a strong signal that the JS toolchain consensus is moving away from the "new runtime" bet and toward "make the existing runtime feel as fast as Bun, without the migration."