Release notes from abxpkg

v1.10.5

2026-04-14T23:47:15Z

Highlights

Fixed provider cache ownership so dependency cache entries no longer masquerade as installed binaries. This makes update / upgrade pick real owning providers again, e.g. brew can upgrade node even when other providers cache node as an upstream dependency.
Added shared BinProvider.depends_on_binaries() and BinProvider.installed_binaries() APIs and switched provider sections in abxpkg version to use them directly.
Tightened update verification so normal post-update checks reuse cached installer dependencies when appropriate, while explicit --no-cache still forces a fully fresh path.
Cleaned up CLI output: provider binary rows in abxpkg version now use a fixed-width version column, non-debug progress logs no longer inherit misleading deep indentation, and shared subprocess stderr/stdout formatting is more consistent.

Docs

Updated the README and generated docs to match current defaults and flag behavior, especially around None handling for postinstall_scripts / min_release_age, managed ABXPKG_LIB_DIR install roots, and the current visible CLI surface.

v1.10.4

2026-04-14T22:53:05Z

abxpkg v1.10.4

✨ Highlights

Added richer CLI inspection commands with abxpkg version and abxpkg list, including per-provider runtime state, installer provenance, dependency binaries, and installed binary caches.
Tightened provider dependency provenance so wrapper providers now record the upstream runtimes they actually depend on (node, python, ruby, installer binaries) instead of flattening everything into the active provider.
Improved run --script option merging so same-name script dependencies now contribute defaults to the final run binary without overriding an explicit --binproviders / ABXPKG_BINPROVIDERS selection.
Hardened the base provider action flow so nullable security options are resolved to real provider/action defaults before handlers run, instead of leaking None into provider-specific install/update code.

🧭 Quick Examples

abxpkg version
abxpkg version yt-dlp
abxpkg list
abxpkg list env playwright chromium

abxpkg --binproviders=env,uv,pip run yt-dlp --version
abx --global yt-dlp --version

#!/usr/bin/env -S abxpkg run --script node
// /// script
// dependencies = [
//   {name = "node", binproviders = ["env", "brew"], min_version = "22.0.0"},
//   {name = "playwright", binproviders = ["playwright", "pnpm", "npm", "yarn"]},
// ]
// ///

🛠 What Changed

Added documented abxpkg version / abxpkg list flows and refreshed the generated docs/site output to match the current provider/runtime model.
Refined cache handling so provider-local derived.env entries preserve stable absolute paths, create missing cache directories lazily, and de-duplicate repeated installer/binary lines in global listings.
Fixed Binary._binprovider_order() so cached providers are preferred without dropping uncached fallback providers during update/uninstall flows.
Made no-op providers like env and bash still resolve and validate binaries during install() / update(), including enforcing min_version on the final loaded binary instead of silently accepting a mismatch.
Resolved nullable postinstall_scripts / min_release_age in the base BinProvider.install() / update() / uninstall() path using provider/action defaults, while preserving warnings for unsupported strict values.
Tightened installer provenance so INSTALLER_BINARY() now preserves the real upstream provider that loaded the installer binary, instead of re-wrapping everything as if it came from the active provider.
Ensured explicit --binproviders / ABXPKG_BINPROVIDERS remain an exact provider allowlist/order during installer and dependency resolution, instead of silently widening back to defaults.
Added explicit upstream dependency tracking for wrapper providers that really depend on another runtime binary:
- npm, pnpm, yarn, playwright, and puppeteer now cache node
- pip, ansible, and pyinfra now cache python
- gem now caches ruby
Fixed GoGetProvider installer resolution so go is loaded through a proper go version override instead of relying on generic --version probing.
Tightened BrewProvider behavior so postinstall_scripts=False is only claimed for brew install, not brew upgrade, which has no equivalent --skip-post-install flag.
Improved script-mode dependency merging so same-name dependencies (for example node in run --script node) merge their defaults into the final run binary generically instead of only special-casing min_version.
Updated provider summaries and list/version output so installer binaries, upstream dependency binaries, and installed binaries are reported more accurately and with less duplication.

⚠️ Behavioral Changes

Explicit provider selection now stays explicit. If you pass --binproviders=... or set ABXPKG_BINPROVIDERS, dependency and installer resolution no longer silently re-add default providers behind your back.
install() / update() on read-only/no-op providers still behave as no-ops for mutation, but they now validate the resolved binary and enforce min_version on the result.
Passing nullable security fields through provider instances or provider overrides is safer now: None means “use the provider/action default”, not “let a provider handler crash on an assertion”.

v1.10.2

2026-04-13T11:06:33Z

abxpkg v1.10.2

✨ Highlights

Renamed the project from abx-pkg / abx_pkg to abxpkg, including the Python package name, docs, examples, and release surface.
Added a much richer CLI runtime model around abxpkg run, abx, and abxpkg run --script, with consistent provider ENV/PATH merging for real subprocess execution.
Added provider-local derived.env caches for resolved binaries and installer binaries, including version, sha256, mtime, and euid tracking.
Tightened provider ownership and provenance reporting so installer binaries, upstream dependency binaries, and installed binaries are surfaced more explicitly.
Simplified provider state: much more work now happens lazily at setup() / first-use time instead of during import or construction.

🧭 Quick Examples

pip install abxpkg
abxpkg --global install yt-dlp
abx --binproviders=env,uv,pip,brew yt-dlp --version

abxpkg --min-version=1.2.3 --min-release-age=7 install yt-dlp
abxpkg --overrides='{"pip":{"install_args":["yt-dlp[default]"]}}' install yt-dlp
abxpkg --install-args='["black==24.2.0"]' install black

#!/usr/bin/env -S abxpkg run --script node
// /// script
// dependencies = [
//   {name = "node", binproviders = ["env", "apt", "brew"], min_version = "22.0.0"},
//   {name = "playwright", binproviders = ["pnpm", "npm"]},
// ]
// ///

🛠 What Changed

Reworked the core provider engine around the new abxpkg/ package layout and a much larger BinProvider / Binary runtime surface.
Added loaded_mtime and loaded_euid alongside loaded_abspath, loaded_version, and loaded_sha256, and threaded them through provider caches, summaries, and binary models.
Added provider-local derived.env metadata caching, installer caching, and dependency caching so repeated loads can skip expensive version probes when the fingerprint still matches.
Standardized pip and uv install-root layouts so hermetic environments live at <install_root>/venv while provider metadata stays at <install_root>.
Hardened install semantics so package-manager success only counts if a runnable binary is actually produced; failed installs now roll back generically in the base provider flow.
Split runtime dependency reporting into clearer concepts like INSTALLER_BINARY, depends_on_binaries, and installed_binaries.
Extended the CLI with --global as a thin alias for --lib=None, hidden upgrade aliases, richer provider/version reporting, and direct handler-style override flags such as --install-args, --version, --abspath, and --packages.
Improved abx so it stays a very thin wrapper over abxpkg run --install ... while still forwarding the expanded CLI surface correctly.
Added inline /// script dependency parsing for abxpkg run --script, including [tool.abxpkg] env injection and dependency provider ENV/PATH merging before script execution.
Reworked logging output and CLI rendering substantially: quieter non-debug failures, better subprocess output formatting, better method highlighting, and richer provider/version summaries.

⚠️ Behavioral Changes

The package/import surface is now abxpkg, not abx-pkg / abx_pkg.
CLI managed mode is now the default; use --global or --lib=None to force provider global mode.
load() / install() correctness is stricter: providers no longer get to report success unless they can resolve a runnable binary afterward.
Provider ownership/provenance is less hand-wavy now: upstream installer/dependency binaries are tracked separately from installed binaries.

v1.9.30

2026-04-12T19:39:52Z

abx-pkg v1.9.30

✨ Highlights

Added abx-pkg run --script, which reads inline /// script metadata blocks so scripts can declare binary dependencies and tool.abx-pkg settings right at the top of the file.
Unified managed providers around shared install_root / bin_dir behavior, and made ABX_PKG_LIB_DIR resolve from the live environment so CLI --lib overrides behave consistently.
Added first-class --no-cache and --debug CLI controls, and tightened the shared binary lifecycle so load() / install() / update() / uninstall() all speak the same cache semantics.
Fixed several installer-resolution and recursion edge cases, while making the real Playwright and Puppeteer test paths much faster instead of faking them.

🧭 Quick Examples

abx-pkg --lib=/tmp/abx --no-cache install yt-dlp
abx-pkg --debug --binproviders=env,npm,playwright run --script node ./capture.js

#!/usr/bin/env -S abx-pkg run --script node

// /// script
// dependencies = [
//   {name = "playwright", binproviders = ["npm", "pnpm"]},
//   {name = "chromium", binproviders = ["playwright", "puppeteer", "apt"], min_version = "131.0.0"},
// ]
// [tool.abx-pkg]
// ABX_PKG_POSTINSTALL_SCRIPTS = true
// ///

🛠 What Changed

parse_script_metadata() and run --script now parse comment-prefix-agnostic /// script blocks, resolve declared dependencies before execution, merge [tool.abx-pkg] settings, and preserve child exit codes/stdout/stderr cleanly.
The provider constructor surface now consistently prefers install_root and bin_dir, while legacy provider-specific root aliases are still accepted through validation aliases.
abx_pkg_install_root_default() now reads ABX_PKG_LIB_DIR from the live environment instead of a module-import snapshot, so CLI --lib and runtime env overrides propagate correctly across providers.
Removed load_or_install from the public API / CLI in favor of install(), and promoted no_cache into the shared lifecycle surface for Binary and BinProvider.
Hardened installer resolution across providers: fixed detect_euid() recursion, fixed dry-run version probing, corrected Go PATH / env handling, restored Yarn Berry --force behavior for no_cache, and normalized installer-binary abspath handling.
Playwright and Puppeteer now share the cleaned install_root / bin_dir model, bootstrap their installer binaries more predictably, and reuse seeded real browser installs in tests to cut redundant downloads.
CI now provisions both Yarn classic and Yarn Berry explicitly, pins pnpm to 10.19.0, and uses workflow concurrency cancellation plus job timeouts to prevent stale runs from piling up.
README and generated docs were refreshed to match the new CLI, lifecycle, and managed-root behavior.

⚠️ Behavioral Changes

Use Binary.install() / abx-pkg install instead of load_or_install.
CLI logging now defaults to INFO; enable debug output explicitly with --debug or ABX_PKG_DEBUG=1.
--no-cache / ABX_PKG_NO_CACHE=1 now apply consistently across load(), install(), update(), uninstall(), and run.

🧪 Verification

uv run prek run --all-files passed on the release commit.
Focused real-provider coverage was exercised for Playwright, Puppeteer, Bun, pnpm, Yarn classic, Yarn Berry, and GoGet lifecycle paths.

Thanks to everyone pushing on the install-root cleanup, browser provider edge cases, and CLI ergonomics. 🛠️

v1.9.29

2026-04-10T06:31:12Z

abx-pkg v1.9.29

✨ Highlights

Added abx-pkg run, a direct exec path that resolves a binary through the configured providers and then hands off execution cleanly.
Added abx, a thin abx-pkg --install run ... alias that behaves like a cross-provider npx / uvx / pipx run.
Unified provider install-root defaults around ABX_PKG_LIB_DIR, provider-specific ABX_PKG_<NAME>_ROOT overrides, and a platform-aware default lib dir.
Added a generated GitHub Pages landing page with a docs build pipeline and a much more structured README.
Made provider behavior more explicit by removing silent uv / pnpm auto-switching from PipProvider and NpmProvider.

🧭 Quick Examples

abx yt-dlp --help
abx --binproviders=env,uv,pip,brew yt-dlp --version
abx-pkg --binproviders=pip --install run black --version

export ABX_PKG_LIB_DIR=~/.config/abx/lib
export ABX_PKG_PIP_ROOT=~/.cache/abx/pip

abx-pkg --binproviders=pip,uv install black
abx-pkg --postinstall-scripts=False --min-release-age=7 install yt-dlp

🛠 What Changed

Exposed the full Binary / BinProvider configuration surface on the CLI, including install roots, timeouts, release-age controls, postinstall-script policy, and overrides.
Hardened the new run / abx command path for macOS, -- handling, bare boolean flags, and child-arg forwarding.
Switched the centralized default lib dir to platformdirs, while keeping explicit kwargs and provider-specific env vars highest priority.
Landed a GitHub Pages deployment workflow, docs renderer, and generated landing page for the provider matrix and API surface.
Propagated security flags to Playwright bootstrap installs and tightened several provider-specific install-root edge cases.
Expanded test coverage heavily, especially around the CLI, install-root precedence, and real subprocess execution.

⚠️ Behavioral Changes

PipProvider no longer silently falls through to uv; choose UvProvider explicitly when you want uv semantics.
NpmProvider no longer silently falls through to pnpm; choose PnpmProvider explicitly when you want pnpm semantics.
Providers with isolated install roots now follow one clear precedence order: explicit kwargs > ABX_PKG_<NAME>_ROOT > ABX_PKG_LIB_DIR/<name> > provider default.

🧪 Verification

GitHub Actions passed on main for the release line before the version bump.
Local checks passed with uv run pyright and focused uv run pytest slices covering the new CLI/install-root work.

Thanks to everyone pushing on the provider edge cases and CLI ergonomics. 🚀

v1.9.28

2026-04-09T09:52:34Z

abx-pkg v1.9.28

✨ Highlights

Added dedicated providers for uv, pnpm, yarn, bun, deno, and Playwright browser installs, and exported them from the public abx_pkg API.
Added a real abx-pkg CLI built with rich-click, including version, install, update, uninstall, load, and load_or_install, plus --lib, --binproviders, and --dry-run.
Added centralized install-root defaults via ABX_PKG_LIB_DIR, with per-provider ABX_PKG_<NAME>_ROOT overrides across providers that manage their own install roots.

🧰 What Changed

UvProvider now stands on its own instead of piggybacking on PipProvider, with support for both hermetic venv installs and uv tool mode.
PnpmProvider, YarnProvider, BunProvider, and DenoProvider each got dedicated implementations with their own install/update/uninstall logic, managed prefixes, and provider-specific security flag handling.
Added PlaywrightProvider for browser artifact installs, alongside follow-up improvements to browser-provider path handling and install/load coverage.
Provider defaults now honor ABX_PKG_LIB_DIR and provider-specific root env vars consistently, and the repo now includes end-to-end tests covering precedence and on-disk install locations.
The generic version probe now skips non-zero --version exits instead of misreading their stderr, and PipProvider now falls back to package metadata when a console script refuses version flags.
Ansible and Pyinfra package-install paths were hardened for real-world privilege boundaries, including better interpreter selection for apt-backed Ansible runs and safer brew drop-privilege handling.
Packaging metadata was refreshed to ship the console script cleanly and include the new CLI dependency and build layout changes.

🧪 Quality & Docs

CI now provisions Yarn 4 via corepack, Bun, Deno, Go, and richer environment diagnostics so the expanded provider matrix is exercised more realistically.
Added broad new provider and CLI test coverage, including dedicated suites for uv, pnpm, yarn, bun, deno, playwright, and ABX_PKG_LIB_DIR.
README docs were expanded to cover the new providers, environment-variable install-root behavior, and the new CLI, with the Django-specific guidance folded into a single collapsible section.

Thanks to everyone stress-testing the edge cases that made this release sharper. 🛠️

v1.9.25: Rename CustomProvider to BashProvider

2026-04-03T06:58:41Z

Highlights

Renamed the shell-command provider from CustomProvider / custom to BashProvider / bash.
Renamed the provider module to abx_pkg.binprovider_bash, updated lazy exports/imports, and switched the managed-root config from ABX_PKG_CUSTOM_ROOT to ABX_PKG_BASH_ROOT.
Renamed provider-specific fields and exported shell env vars to bash_root, bash_bin_dir, BASH_INSTALL_ROOT, and BASH_BIN_DIR.

Behavior

Preserved the existing shell-command install/update/uninstall model while keeping install_root and bin_dir aliases working for the renamed provider.
Updated the provider lifecycle and security-control tests to exercise the renamed bash provider end to end.
Fixed Puppeteer's internal installer binary naming to puppeteer-browsers so the documented/provider-facing name matches the actual binary being bootstrapped.

Documentation

Refreshed the README provider list and binprovider sections so the security-option docs match the current implementation.
Added and corrected documentation for bash, chromewebstore, and puppeteer, including provider defaults, env-backed security controls, and unsupported-option warning behavior.

Upgrade notes

Replace CustomProvider imports with BashProvider.
Replace provider name custom with bash in Binary.overrides and any serialized config.
Replace custom_root / custom_bin_dir with bash_root / bash_bin_dir.
Replace ABX_PKG_CUSTOM_ROOT with ABX_PKG_BASH_ROOT.

v1.9.24

2026-04-03T06:43:17Z

Highlights

Added three new first-class providers: ChromeWebstoreProvider, PuppeteerProvider, and CustomProvider.
Packaged the Chrome/extension JS runtime directly inside abx-pkg, so Chrome Web Store installs now work without depending on a sibling abx-plugins checkout.
Reworked provider option precedence so per-call args override Binary(...), and Binary(...) overrides provider defaults, with cleaner handling for dry_run, postinstall_scripts, and min_release_age.
Improved privilege escalation and subprocess error reporting across providers, including preserving failed sudo output when a fallback attempt also fails.
Parallelized CI to run one test file per job with auto-discovered live lifecycle coverage.

New Providers

`ChromeWebstoreProvider`

Added a dedicated Chrome Web Store provider in abx_pkg/binprovider_chromewebstore.py.
Supports install_root / bin_dir via extensions_root / extensions_dir.
Installs extensions into a managed cache and resolves the installed binary to the unpacked manifest.json.
Ships the required JS runtime and config files inside the package:
- abx_pkg/js/base/config.json
- abx_pkg/js/base/utils.js
- abx_pkg/js/chrome/config.json
- abx_pkg/js/chrome/chrome_utils.js
Includes real lifecycle tests covering provider and Binary(...) flows.

`PuppeteerProvider`

Added a dedicated Puppeteer/browser provider in abx_pkg/binprovider_puppeteer.py.
Supports provider-managed install roots and bin dirs for @puppeteer/browsers installs.
Handles generic browser install args instead of forcing a Chrome-only abstraction.
Fixed installed-browser resolution to use semantic version ordering rather than lexicographic string sorting.
Includes real lifecycle tests plus regression coverage for version ordering.

`CustomProvider`

Added a dedicated CustomProvider built on top of EnvProvider for shell-command installs.
Supports install_root / bin_dir via custom_root / custom_bin_dir.
Uses literal per-binary shell overrides for install/update/uninstall while still participating in the standard Binary/BinProvider lifecycle.
Includes real lifecycle coverage for direct provider and Binary(...) usage.

Core Behavior Changes

Provider and Binary option precedence

Added consistent per-call dry_run support to install(), update(), uninstall(), and load_or_install().
Standardized precedence so:
- explicit action args win
- Binary(...) defaults come next
- provider defaults come last
Exposed env-backed defaults for:
- ABX_PKG_INSTALL_TIMEOUT
- ABX_PKG_VERSION_TIMEOUT
- ABX_PKG_DRY_RUN (preferred over DRY_RUN when both are set)

Security controls

Provider-wide defaults for min_release_age / postinstall_scripts now only hydrate from env vars on providers that actually support those controls.
Unsupported providers no longer fail closed by default when these options are present.
Instead, unsupported explicit values now warn and continue.
EnvProvider no longer claims support for install-only security controls it cannot enforce.
pip and npm install-arg merging now preserves explicitly supplied conflicting flags instead of blindly overriding them.

API cleanup

binproviders is now the canonical field name used throughout docs/examples instead of binproviders_supported.
Module API normalization now handles both provider classes and provider instances consistently.
Unavailable-provider errors now use the generic wording:
- XProvider is disabled because <installer> is not available on this host

Subprocess and Privilege Handling

Centralized subprocess error logging in the shared _raise_proc_error(...) path.
Reworked older providers to use shared subprocess error handling instead of open-coded log+raise branches.
Updated shared exec() behavior to attempt privilege escalation when the provider needs a different EUID, while still falling back to the unprivileged path when escalation is unavailable.
When both a sudo attempt and a fallback attempt fail, the final error now includes both outputs.
Fixed ansible/pyinfra tempdir cleanup when privileged subprocesses leave root-owned files behind.

Provider-specific Improvements

AptProvider, BrewProvider, CargoProvider, GemProvider, GoGetProvider, NixProvider, PipProvider, NpmProvider, PyinfraProvider, AnsibleProvider, and DockerProvider now rely more consistently on shared subprocess/error handling.
PipProvider and NpmProvider now merge security controls with explicit install args more rigorously.
BrewProvider respects explicit --skip-post-install args when present.
PipProvider and NpmProvider gained stronger tests around provider defaults vs per-call overrides.

Packaging and Tooling

Added wheel/sdist inclusion rules for packaged JS assets in pyproject.toml.
Added bin/setup_monorepo.sh for local monorepo setup.
Updated the README to document the new providers, env vars, canonical binproviders field name, and current provider behavior.

CI and Test Coverage

Switched the main test workflow to one-job-per-file parallelization.
Live lifecycle tests are now auto-discovered from the actual test files instead of being hard-coded.
Reduced the standard matrix to:
- Linux: Python 3.11, 3.14
- macOS: Python 3.13
Added new provider integration suites for:
- chromewebstore
- custom
- puppeteer
Expanded coverage for:
- module API normalization
- env-backed security defaults
- unsupported security option warning behavior
- provider-vs-action override precedence

v1.9.23

2026-04-02T16:38:18Z

abx-pkg v1.9.23

Highlights

🧪 Replaced the old single-file tests.py runner with a real pytest suite under tests/, with live lifecycle coverage across apt, brew, pip, npm, cargo, gem, goget, nix, docker, pyinfra, and ansible.

uv run pytest -m "not root_required and not docker_required"

🧭 Standardized isolated install layout across providers with shared install_root / bin_dir aliases, while still supporting provider-specific knobs like pip_venv, npm_prefix, cargo_root, gem_home, gopath, nix_profile, and docker_shim_dir.

from pathlib import Path
from abx_pkg import PipProvider

provider = PipProvider(install_root=Path("/tmp/venv"))
print(provider.install_root, provider.bin_dir)

⏱️ Centralized shared provider runtime behavior in BinProvider, including install_timeout, version_timeout, PATH propagation into subprocesses, deep-copy override handling, and safer cache-dir setup.

from abx_pkg import NpmProvider

provider = NpmProvider(install_timeout=120, version_timeout=10)
binary = provider.install("zx")

Provider Fixes

🔒 Fixed security override precedence so explicit install_args can adjust effective security behavior before fail-closed checks run, especially for npm --ignore-scripts and --min-release-age=....

from abx_pkg import NpmProvider

provider = NpmProvider(min_release_age=36500).get_provider_with_overrides(
    overrides={"zx": {"install_args": ["zx", "--min-release-age=0"]}},
)

🐳 Improved version detection for multiline banners by teaching SemVer.parse(...) to scan up to 5 lines. This fixes wrappers and tools whose version appears after a heading line, including Docker-backed command shims.

from abx_pkg import SemVer

SemVer.parse(
    "ShellCheck - shell script analysis tool\nversion: v0.11.0-65-gcd41f79"
)
# -> SemVer("0.11.0")

🧰 Tightened provider-specific behavior across the built-ins:
- apt / brew helper backends now use resolved install_args
- cargo uninstall no longer reuses incompatible version-pinned install flags
- nix uninstall preserves other entries in the same profile
- goget is now the canonical provider name throughout the package and docs
- Binary.abspaths is available as a backward-compatible read alias for loaded_abspaths

Docs And DX

📚 Refreshed the README API reference with verified provider defaults, install roots, security controls, timeout behavior, override support, and direct source/test links.
🛠️ Updated the development workflow docs to match the current toolchain and test layout.

uv sync --all-extras --all-groups
uv run prek run --all-files
uv run pytest -sx tests/

v1.9.22

2026-04-02T07:34:44Z

✨ Highlights

🔒 Security defaults now propagate consistently across binaries and providers.
- BinProvider now owns default postinstall_scripts and min_release_age values, and Binary inherits them automatically when you don't override them explicitly.
- Unsupported providers now fail closed instead of silently ignoring security constraints.
```
provider = EnvProvider(postinstall_scripts=True, min_release_age=4)
binary = Binary(name="python", binproviders=[provider])
assert binary.postinstall_scripts is True
assert binary.min_release_age == 4
```
⬆️ min_version is enforced end-to-end instead of only being advisory.
- install() and update() now validate the resolved version after the package manager runs.
- load_or_install() will upgrade an already-installed binary when it exists but does not satisfy the requested minimum version.
```
binary = provider.load_or_install("black", min_version=SemVer("24.0.0"))
```
📦 Provider install/update plumbing is more explicit and consistent.
- Core handler signatures now thread postinstall_scripts, min_release_age, and min_version through setup/install/update paths.
- pip and npm explicitly declare support for release-age and postinstall controls.
- brew only uses Pyinfra/Ansible helper paths when postinstall scripts are allowed, and otherwise falls back to direct CLI invocations with the right flags.
- Timeout settings are preserved through provider copies via model fields instead of hidden underscored state.
🧪 Tests were expanded around the new behavior and cleaned up for strict type-checking.
- Added fail-closed coverage for providers that cannot honor min_release_age or disabled postinstall scripts.
- Added live tests for pip minimum-version upgrades and npm postinstall-script overrides.
- Tightened the test helper typing so ty-check and pyright pass without cast, Any, or type: ignore shortcuts.
```
def is_install_args_sequence(value: object) -> TypeGuard[InstallArgs]:
    return isinstance(value, (tuple, list)) and all(isinstance(item, str) for item in value)
```
🏷️ Release metadata
- Version bumped to 1.9.22.
- uv.lock refreshed to match the new package version.