Nub Files

v0.1.13 is a patch release that fixes a false positive in the malicious-package check, where a bare, dist-tag, or range install could be wrongly blocked because an older version of the package carried a malicious advisory.

[!IMPORTANT] If nub install <pkg> was wrongly blocked on v0.1.12, upgrade to v0.1.13. Installs like nub install axios are no longer blocked when the resolved version is clean. The security property is unchanged: an install that resolves to a malicious version is still blocked.

Package manager

v0.1.12's OSV malicious-package gate matched advisories against the package as a whole, so a bare/dist-tag/range install of a package whose latest is clean was blocked when an older version carried a malicious advisory. v0.1.13 resolves the install to its concrete version first and relies on the version-aware post-resolve OSV gate, so a clean latest installs while the actually-malicious version stays blocked. (#89, Fixes #88, cc71b04)

Testing & internals

• Extract the nub-cache-key crate to lock down cache-key invalidation in tests (#87, 63f5447).
• Isolate ~/.npmrc in the cold-CAS bench harness so a polluted host config can't break runs (e5b808a).

Documentation

• Bump Node version examples to 26 in the README and the nub node pin error (84e7b4a).
• Set the external-issue acknowledgement convention to exactly "Investigating." with no preamble or diagnosis (eb892e1).

Commits in this release

• v0.1.13 (f711a1e)
• fix(pm): resolve dist-tag/range to concrete version before the OSV malicious-package check (#88) (#89, cc71b04)
• docs(skill): external-issue ack is exactly "Investigating." — no preamble/diagnosis (eb892e1)
• test(native): extract nub-cache-key crate to lock cache-key invalidation (#87, 63f5447)
• test(bench): isolate ~/.npmrc in cold-CAS harness so a polluted host config can't break runs (e5b808a)
• docs: bump Node version examples to 26 in README + nub node pin error (84e7b4a)

Full Changelog: https://github.com/nubjs/nub/compare/v0.1.12...v0.1.13