Skip to content

Update dependency jdx/mise to v2026.5.18#296

Merged
nikobockerman merged 1 commit into
mainfrom
renovate/jdx-mise-2026.x
Jun 2, 2026
Merged

Update dependency jdx/mise to v2026.5.18#296
nikobockerman merged 1 commit into
mainfrom
renovate/jdx-mise-2026.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Jun 1, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change
jdx/mise minor v2026.4.28v2026.5.18

Release Notes

jdx/mise (jdx/mise)

v2026.5.18: : Hook script arrays and lock-identity fixes

Compare Source

A focused release that teaches hooks to accept script arrays, ships an npm install -g mise package, and tightens lock identity across several backends so mise.lock entries can no longer be reused for option combinations that resolve to a different artifact set.

Added

  • (config) Hooks now accept script/scripts arrays for current-shell hooks (#​9836 by @​risu729):

    [hooks.enter]
shell = "bash"
script = [
  "source completions.sh",
  "export PROJECT_READY=1",
]

    Note that run is still string-only — to spawn multiple inline commands, use a list of { run = "..." } entries or one multiline run string.

Fixed

  • (env) PATH entries under mise's installs directory are now treated as mise-managed during hook-env reactivation, so an inactive install path like installs/node/24/bin inherited from a parent shell can no longer sit ahead of the active project's installs/node/22.17.1/bin (#​10162 by @​risu729).
  • (config) .miserc.toml discovery now stops at raw MISE_CEILING_PATHS entries (without recursing through the lazy fallback), preventing a parent .miserc.toml above the ceiling from injecting MISE_ENV (#​10165 by @​risu729).
  • (task) mise tasks ls --json, tasks info --json, and the MCP tasks resource now serialize full run entries — including single task refs and task groups — instead of script-only strings (#​10163 by @​risu729).
  • (task) Bump usage-lib to 3.4.0 and update the zsh completion to read display<TAB>insert pairs from usage complete-word, restoring task completions after the usage-cli 3.4.0 output change (#​10181 by @​jdx).
  • (installer) Add the missing warn helper used by the standalone installer's checksum fallback paths (#​10157 by @​risu729, recreating @​olfway's original fix).
Lock identity

A batch of fixes ensures mise lock selects entries by an identity that actually reflects the installed result, so toggling an option no longer silently reuses a stale lock entry:

  • (conda) Include the conda channel — the same tool@version resolved against conda-forge, bioconda, or a private channel can produce entirely different builds and checksums (#​9984 by @​risu729).
  • (rust) Include rustup profile, components, and targets, read from both tool options and rust-toolchain.toml, with stable sorting (#​9988 by @​risu729).
  • (github) Include target artifact selectors (api_url, version_prefix, per-platform asset_pattern, direct url, no_app) for GitHub, GitLab, and Forgejo backends, resolved per target platform (#​9985 by @​risu729).
  • (python) Include non-default patch_sysconfig = false (the interpreter tree differs after install); virtualenv stays out as an activation-only overlay (#​10161 by @​risu729).

Changed

  • (npm) mise is now published to npm under the unscoped mise package, so npm install -g mise and npx mise work directly. The legacy @jdxcode/mise scoped package continues to be published, and the new wrapper reuses the existing @jdxcode/mise-<os>-<arch> platform tarballs (#​10183 by @​jdx).

Full Changelog: jdx/mise@v2026.5.17...v2026.5.18

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.17: : Custom aqua registry cache and Windows fixes

Compare Source

A catch-up release for the tag that shipped the compiled custom aqua registry cache, several Windows task/shim fixes, and a handful of backend install improvements. This release is backfilled without binary assets; use v2026.5.18 or newer for downloadable artifacts.

Added

  • (aqua) Add a compiled custom registry cache to speed up aqua registry lookups and reduce repeated parsing work (#​9583 by @​jdx).

Fixed

  • (upgrade) Handle a lone v prefix in --bump latest queries (#​10130 by @​jdx).
  • (env) Force the Unix environment key to uppercase PATH, avoiding mixed-case path handling surprises (#​9927 by @​jdx).
  • (http) Limit fallback retries against the shared versions host (#​10142 by @​jdx).
  • (bun) Use Bun's native windows-arm64 build for Bun 1.3.10 and newer (#​10150 by @​M1noa).
  • (task) Honor explicit and quoted shell paths on Windows (#​10148 by @​M1noa).
  • (task) Convert PATH to /cygdrive form for Cygwin bash tasks on Windows (#​10147 by @​M1noa).
  • (ui) Honor color settings in interactive prompt themes (#​10151 by @​M1noa).
  • (pipx) Upgrade the shared pip environment when using version constraints (#​10138 by @​jdx).
  • (shim) Refresh stale Windows shims after a mise version update (#​10152 by @​M1noa).
  • (completion) Keep global -C/--cd usable in task argument completion (#​10153 by @​M1noa).
  • (github) Handle x86 release assets as x64 fallbacks where upstreams publish mismatched naming (#​10103 by @​jdx).
  • (github) Strip OpenGrep platform suffixes before asset matching (#​10166 by @​jdx).
  • (github) Penalize certificate assets as metadata so they are not selected as install archives (#​10158 by @​jdx).

Changed

Documentation

Full Changelog: jdx/mise@v2026.5.16...v2026.5.17

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.16: : versions-host metadata, fork-bomb fixes, and friendlier upgrades

Compare Source

Added
  • (github) Use the shared mise-versions host for release metadata and artifact attestations before falling back to api.github.com, dramatically cutting anonymous GitHub API usage in CI/Docker (#​10127 by @​jdx).
  • (node) New node.npm_shim setting (MISE_NODE_NPM_SHIM) to opt out of the bundled npm wrapper, letting corepack manage bin/npm cleanly (#​10082 by @​jjb).
  • (npm) New allow_builds tool option for npm-backend installs that expands to --allow-build=<pkg> for aube and pnpm, accepting a string, array, or true for all builds (#​10116 by @​jdx).
Fixed
  • (backend) Strip the system shims dir from dependency_env PATH to prevent npm/go shim re-entry fork-bombs in devcontainer/Docker setups using mise install --system (#​10019 by @​andrewjamesbrown).
  • (backend) Improve libc detection on musl distros so installing gcompat on Alpine no longer flips mise to glibc binaries (#​10020 by @​thespags).
  • (aqua) Skip in-place link creation when src and dst alias the same inode (fixes godot install on macOS/APFS) (#​10012 by @​tvararu).
  • (aqua) Lock github_content packages using raw GitHub content URLs instead of archive URLs (#​10102 by @​risu729).
  • (toolset) hook-env and other prefer-offline flows no longer fetch remote versions to resolve concrete/latest/prefix:* specs, speeding up shells with many fuzzy tools (#​10098 by @​jdx).
  • (upgrade) Preserve installed versions still pinned by other tracked project lockfiles during upgrade cleanup (#​10114 by @​jdx).
  • (upgrade) Improve current version detection so prefix requests like go = "1.25" show the best matching installed version in summaries (#​9973 by @​jdx).
  • (lock) Allow mise lock and mise upgrade to refresh mise.lock even when locked = true is set (#​10111 by @​jdx).
  • (install) Reject install requests whose resolved backend is in disable_backends, including explicit syntax like ubi:owner/repo (#​9905 by @​risu729).
  • (use) Reject tool version strings that start with - (e.g. mise use dummy@--version) (#​10113 by @​jdx).
  • (en) Preserve MISE_ENV / -E profile when an activated subshell sources mise activate (#​10124 by @​jdx).
  • (unset) Respect MISE_GLOBAL_CONFIG_FILE when running mise unset from $HOME, matching mise set/use (#​10105 by @​jdx).
  • (task) Set config_root on tasks loaded from global config so {{config_root}} renders correctly (#​10106 by @​jdx).
  • (task) Render templates and expand ~/ in sandbox allow_read / allow_write paths (#​10112 by @​jdx).
  • (shim) Skip dot-prefixed (hidden) executables when generating shims (#​10123 by @​jdx).
  • (pipx) Combine --pip-args=VALUE into a single argv element so pipx's argparse accepts values starting with -- (#​10120 by @​iloveitaly).
  • (security) Apply url_replacements to the GitHub attestations API base URL (#​9971 by @​SlaterByte).
  • Show the mise version in friendly error output (#​10109 by @​jdx).
  • (copr) Increase build timeout (#​10071 by @​jdx).
Performance
  • Cache repeated successful path canonicalization across hot PATH/shim/activation lookups (#​10068 by @​jdx).
Changed
Documentation
💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.15: : loongarch64 and riscv64 support

Compare Source

A small release that recognizes loongarch64 and riscv64 as valid platform arches and refreshes the conda (rattler) backend.

Fixed

  • Add loongarch64 and riscv64 to the set of arches accepted by Platform::validate(). Previously, lockfiles targeting linux-riscv64 or linux-loongarch64 would fall back to the common platform set instead of resolving to the requested single platform, so installs on those machines couldn't use lockfile-authoritative platform selection (#​10038 by @​k0tran).

Changed

  • Bump rattler (used by the conda backend) from 0.42 to 0.43, picking up upstream fixes for missing symlinks during Windows installs, deterministic path ordering from link_package_sync, and accepting full URLs as the OAuth issuer host (#​10030).

New Contributors

Full Changelog: jdx/mise@v2026.5.14...v2026.5.15

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.14: : Reject wrong-arch release assets

Compare Source

A small fix release that hardens GitHub release asset auto-selection against picking binaries for the wrong CPU architecture.

Fixed

  • (github) Asset auto-selection now hard-rejects any candidate whose filename explicitly declares a non-matching architecture, even when other scoring bonuses (preferred name, archive type, libc match) would otherwise rank it first. This fixes cases like cargo-msrv on aarch64 Linux, where cargo-msrv-x86_64-unknown-linux-gnu-*.tgz was being chosen over no-match-better-than-wrong-match. Explicit asset_pattern configuration is unchanged (#​10018 by @​jdx).

Full Changelog: jdx/mise@v2026.5.13...v2026.5.14

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.13: : Safer npm installs, faster shell completions

Compare Source

A focused release that tightens npm install safety by default, removes network calls from shell completion generation, and fixes asset picking so primary release binaries beat related sub-archives.

Added

  • (npm) The npm backend now passes --ignore-scripts=true by default when installing through npm, and no longer adds Bun's --trust flag automatically. npm_args and bun_args remain the user escape hatches and are appended after the defaults, so you can opt back in per tool (#​9913 by @​risu729):

    [tools]
# opt back into npm lifecycle scripts for one tool
"npm:some-tool" = { version = "latest", npm_args = "--ignore-scripts=false" }
# opt into Bun's broad install-time script trust
"npm:other-tool" = { version = "latest", bun_args = "--trust" }

    For dependency build approvals, prefer aube or pnpm with --allow-build=<pkg>; see the refreshed npm backend docs.

Fixed
  • (completion) mise completion is often invoked on shell init. It no longer refreshes remote version metadata while building the toolset, so slow networks and timeouts don't delay every new shell (#​10010 by @​sargunv-headway).
  • (github) Auto-detection scoring now gives a small bonus to assets whose platform-stripped filename matches the repo/tool name, and treats manylinux* / musllinux* asset names as Linux with the right glibc/musl libc. This fixes installs like opengrep/opengrep, where opengrep-core_linux_aarch64.tar.gz was previously winning over the primary opengrep_* binary. Explicit asset_pattern configuration is unchanged (#​10008 by @​risu729).
  • (shim) Optioned tool aliases (e.g. GitHub tool_alias entries with per-alias asset_pattern / bin_path) are now visible to runtime symlink and shim rebuilds. Previously these alias backends bypassed the global backend cache and could be missed after install, leaving latest symlinks or executable shims unbuilt (#​9848 by @​risu729).
  • (release) The embedded mise-plugins vfox plugin set now includes vfox-groovy, vfox-php, and vfox-scala as fallbacks after the default asdf backend (#​9832 by @​risu729).
  • (doctor) The mise doctor version-check request now uses the regular HTTP client and the configured http_timeout (controllable via MISE_HTTP_TIMEOUT), instead of an unconfigurable 3s timeout. Timeout error messages now point at the real setting (#​9977 by @​risu729).
  • (config) Tool options coming from the install manifest are tracked as their own source layer, kept below config and inline backend args in precedence, and no longer serialized back out as inline backend args (#​9958 by @​risu729).
Changed
  • (registry) vector now uses the aqua backend, which has Vector-specific vdev-* release filtering. This avoids resolving stray vdev-* GitHub releases as the latest Vector (#​10011 by @​jdx).
  • (registry) vale now tracks its updated aqua-registry location (#​10002 by @​eread).
  • (dotnet) The .NET backend reads prerelease (and other tool options) through a local typed option reader, with the legacy package-flag fallback preserved (#​9962 by @​risu729).

Full Changelog: jdx/mise@v2026.5.12...v2026.5.13

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.12: : minimum-release-age, global edit, and install_env fixes

Compare Source

A focused release that renames the release-age cutoff flag to something more discoverable, deprecates the legacy default_packages_file mechanism, and fixes several install_env propagation gaps across backends.

Added

  • (cli) mise edit --global / -g opens the global config file (~/.config/mise/config.toml, or $MISE_GLOBAL_CONFIG_FILE if set), bringing mise edit in line with mise use --global, mise settings set --global, and other commands. A positional path still wins over the flag (#​9953 by @​fru1tworld).

  • (cli) The release-age cutoff flag on mise install, use, upgrade, and latest has been renamed from --before to --minimum-release-age, matching the per-tool option and global setting of the same name. The old --before spelling is kept as a hidden alias so existing scripts keep working (#​9768 by @​risu729):

    mise latest node --minimum-release-age 2024-01-01
mise install --minimum-release-age 90d

Fixed

  • (aqua) Verify cosign bundles that ship a long-lived public key via cosign.opts --key locally, instead of routing them through sigstore-verify's unsupported public-key bundle path. This fixes installs like aqua:stackrox/kube-linter@0.8.3, which previously failed with public key verification not yet supported (#​9972 by @​jdx).
  • (backend) Per-tool install_env is now passed into tool-level postinstall hook commands (#​9930 by @​risu729) and applied to command-backed install paths across package-manager backends, vfox cmd.exec hooks, SPM build/probe commands, and core language install-time commands (#​9929 by @​risu729).
  • (cargo) Fall back to cargo install (instead of cargo-binstall) when tool options require source-build feature selection. cargo-binstall is still used for compatible options such as bin, crate, and locked (#​9928 by @​risu729).
  • (config) Restore the env_file setting and the MISE_ENV_FILE env var, which had been incorrectly marked deprecated. env._.file in mise.toml is the right replacement for legacy top-level env_file entries, but it's not behaviorally equivalent to MISE_ENV_FILE=.env, which uses FindUp from the current directory (#​9903 by @​risu729).

Changed

  • (core) Default package files are now on a deprecation timeline (#​9970 by @​jdx). The settings go.default_packages_file, node.default_packages_file, python.default_packages_file, and ruby.default_packages_file (i.e. ~/.default-go-packages, ~/.default-npm-packages, ~/.default-python-packages, ~/.default-gems) will start emitting a warning in 2026.11.0 and be removed in 2027.11.0. The recommended replacements are package-manager backends for CLIs:

    [tools]
"npm:typescript" = "latest"
"pipx:black"     = "latest"
"gem:rubocop"    = "latest"
"go:github.com/jesseduffield/lazygit" = "latest"

    or a tool-level postinstall hook for packages that really should be installed into every runtime version:

    [tools]
node = { version = "22", postinstall = "npm install -g typescript" }

  • (cli) User-facing help, docs, and the man page now use tool/backend wording instead of plugin/runtime where tools are not necessarily plugins, including renaming MISE_${PLUGIN}_VERSION references to MISE_${TOOL}_VERSION. mise tool-alias now prefers --tool as the primary long flag, with --plugin retained as an alias (#​9906 by @​risu729).

  • (registry) The qsv shorthand now resolves to aqua:dathere/qsv first, falling back to the existing github:dathere/qsv and asdf:vjda/asdf-qsv entries (#​9910 by @​risu729).

  • (snap) The snap package is now built and published for arm64 in addition to amd64, so snap install mise works on arm64 desktops (#​9948 by @​jnsgruk).

New Contributors

Full Changelog: jdx/mise@v2026.5.11...v2026.5.12

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.11: : Provenance verification at lock time

Compare Source

Added

  • (security) Verify and record provenance during mise lock, with a new provenance_api_failures_fatal setting to control whether GitHub attestation API failures are fatal (#​9945 by @​jdx).
  • (security) Fall back to verifying archive contents when SLSA provenance attests every file inside an archive but not the archive itself, fixing releases like github:prefix-dev/pixi@0.68.1 (#​9898 by @​sargunv).
  • (plugins) Support remote git subdirectory sources for plugins, e.g. git::https://host/repo.git//path/to/plugin?ref=branch (#​9893 by @​jdx).

Fixed

  • (github) Asset picker now picks the shortest matching name as a tiebreaker for asset_pattern and accepts platform-agnostic runtime archives like .phar, .jar, and .pyz (fixes installing composer) (#​9946 by @​jdx).
  • (config) Invalid miserc.toml now produces a clear parse error at startup instead of being silently ignored (#​9937 by @​jdx).
  • (install) Per-tool .mise.backend.toml metadata is now written alongside install directories, making merged/copied installs self-describing and refreshing install state mid-run so same-run dependency resolution sees freshly installed tools (#​9941 by @​jdx).
  • (install) postinstall hooks now run through the configured default inline shell instead of $SHELL -c (#​9812 by @​risu729).
  • (cache) mise cache prune [PLUGIN]... now honors the plugin filter instead of pruning every cache directory (#​9914 by @​risu729).
  • (task) Preserve task-declared env, MISE_TASK_* metadata, and MISE_ENV across nested hook-env invocations, while keeping the nested-PATH fix from #​9765 intact (#​9850 by @​risu729).
  • (backend) Resolve helper dependency toolsets in offline mode so minimum_release_age cannot mis-route helper tools like node/npm when querying upstream versions (#​9808 by @​risu729).
  • (vfox) Key vfox EnvKeys hooks by the resolved install path so shared/system installs don't reuse user-path cache entries (#​9907 by @​risu729).
  • (use) Skip the mise use -g shadow warning when the active version comes from system config (#​9900 by @​risu729).
  • (doctor) List installed plugins from install state, including those owned by disabled backends, and add a plugins object to mise doctor -J (#​9863 by @​risu729).
  • (erlang) erlang.compile = false is now strict precompiled mode and no longer falls back to kerl build-install on unsupported distros (#​9866 by @​risu729).

Changed

  • (registry) Prefer the aqua backend for cilium-hubble, localstack, mark, openbao, porter, process-compose, rtk, sqlc, turso, and xcodegen, with existing GitHub/asdf backends preserved as fallbacks (#​9789 by @​risu729).
  • (registry) Add aqua:jbangdev/jbang as the primary backend for jbang, enabling Windows support (#​9811 by @​risu729).
  • (registry) Alias dotnet-core to dotnet (#​9807 by @​risu729).
  • (registry) Add lisette (#​9944 by @​ivov).
  • (registry) Fix sourcery archive format so macOS installs use the .zip asset instead of trying to extract it as tar.gz (#​9902 by @​risu729).
  • (docs) Trim the global settings example in the configuration docs (#​9912 by @​risu729).

New Contributors

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.10: : AWS SSO for s3 backends

Compare Source

A small release that unblocks s3 backends for users on AWS SSO profiles, plus two minor option-handling fixes that fell out of an internal refactor of the GitHub/GitLab/Forgejo backend.

Fixed

  • (s3) s3 backends now work with SSO-based AWS profiles. The sso feature of aws-config is enabled, so configurations that authenticate via AWS IAM Identity Center no longer fail with:

    S3 error: DispatchFailure { ... ProfileFile provider could not be built:
This behavior requires following cargo feature(s) enabled: sso.

    (#​9875 by @​Amir-Ahmad).

  • (backend) Two small behavior fixes landed while centralizing Git backend option reads (#​9838 by @​risu729):

    • Forgejo now applies the same install-time option filtering as GitHub/GitLab.
    • no_app is now read through target-aware platform option lookup, so platforms.<target>.no_app = true is honored when resolving assets for cross-platform lockfiles.

Changed

  • (backend) Internal refactor introducing a shared BackendOptions reader and a typed option wrapper for the unified GitHub/GitLab/Forgejo backend. No user-visible behavior change beyond the fixes above (#​9838 by @​risu729).

New Contributors

Full Changelog: jdx/mise@v2026.5.9...v2026.5.10

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.9: : SwiftPM artifact bundles and per-hook watch shells

Compare Source

A modest release: SwiftPM gains artifact bundle support, [[watch_files]] hooks can pick their own inline shell, and a handful of fixes land for aqua latest-tag resolution, vfox cmd.exec, and GitHub OAuth device-flow URLs. Plain-string Tera rendering also gets a fast path.

Added

  • (spm) SwiftPM installs now prefer prebuilt artifact bundles (*.artifactbundle.zip) when a release publishes one for the current Swift target triple, falling back to a source build otherwise (#​9825) by @​ikesyo. New controls:

    [tools]
# require an artifact bundle; fail instead of source-building
"spm:giginet/swift-testing-revolutionary" = { version = "0.4.0", artifactbundle = true }

# always source-build, ignore any bundles
"spm:tuist/tuist" = { version = "latest", artifactbundle = false }

# disambiguate when multiple bundle assets are published
"spm:org/tool" = { version = "1.0.0", artifactbundle_asset = "tool.artifactbundle.zip" }

[settings]
# apply "bundles only" globally (mirrors cargo.binstall_only)
spm.artifactbundle_only = true

  • (config) [[watch_files]] entries with run accept an optional shell field, rendered through templates and falling back to the configured default inline shell when unset (#​9810) by @​risu729:

    [[watch_files]]
patterns = ["*.js"]
run = "eslint --fix ."
shell = "bash -c"

    shell only applies to run hooks; combining it with task produces a warning and the value is ignored.

Fixed

  • (aqua) When GitHub's latest release pointed at a tag that aqua's registry rejected via version_filter or version_constraint, mise would return it anyway. The latest fast path now applies both checks before accepting a tag (#​9834) by @​risu729.
  • (vfox) Lua cmd.exec calls inside vfox plugins now build commands from mise's configured unix_default_inline_shell_args / windows_default_inline_shell_args instead of hardcoding sh -c or cmd /C, aligning plugin behavior with tasks, Tera command rendering, and other inline shell users (#​9837) by @​risu729.
  • GitHub OAuth device-flow paths were slightly off compared to the documented endpoints. The default oauth_auth_url is now the GitHub login base, with mise appending /device/code and /oauth/access_token per GitHub's device-flow docs (#​9791) by @​jasisk.
  • (patrons) mise patrons now points the "become a patron" link to the en.dev homepage instead of /sponsor (#​9868) by @​jdx.

Changed

  • (registry) npm is now resolved through aqua:npm/cli (with npm:npm retained as a fallback), and buck2 switches to aqua:facebook/buck2 with prerelease = true so its always-prerelease releases are visible (#​9762, #​9805) by @​risu729.
  • (registry) Added SonarQube CLI as aqua:SonarSource/sonarqube-cli (#​9824) by @​3PeatVR.

Performance

  • (config) Strings with no Tera block markers ({{, {%, {#, including whitespace-trimmed forms) now bypass the Tera renderer at config evaluation sites, skipping context construction, async context fetches, and get_tera setup. Tera 1.20.1's grammar guarantees these are the only block openers, so output is unchanged for both well-formed and malformed templates (#​9833) by @​risu729.

Documentation

New Contributors

Full Changelog: jdx/mise@v2026.5.8...v2026.5.9

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.8: : Patrons, cleaner task output, and sigstore-rust

Compare Source

A small release: a new mise patrons command, cleaner task command output when scripts start with a shebang, and a fix for mise upgrade summaries getting wiped by progress cleanup. Under the hood, signature verification moves to the modern sigstore-rust stack.

Added

  • (patrons) New mise patrons subcommand lists individuals on the Patron tier supporting mise development (#​9841) by @​jdx. Data is fetched from the en.dev patrons feed, cached for 24h, and falls back to stale cache on network failure. Each patron's name renders as a clickable OSC 8 hyperlink in supporting terminals.

    $ mise patrons
mise is supported by these patrons — thank you

  • Ronald Gierlach
  • youfoundron

Become a patron: https://en.dev/sponsor

    Flags: -J/--json, --refresh.

  • (registry) Add a racket shorthand backed by the aqua racket/racket/minimal package, exposing both racket and raco from the official racket-lang.org release artifacts (#​9784) by @​albertnetymk.

Fixed

  • (task) When a task's run body starts with #!/usr/bin/env bash or set -Eeuo pipefail, the echoed command line would show only that boilerplate and hide the rest of the script. Leading shebang, blank, and set ... lines are now skipped when building the displayed command, so the first real command shows up. Execution is unchanged (#​9844) by @​jdx. Fixes #​9842.

    # before
[generate-completions] $ #!/usr/bin/env bash

# after
[generate-completions] $ fzf --fish > ~/.config/fish/completions/fzf.fish

  • (upgrade) mise upgrade could erase its own Upgraded N tools: summary detail lines when an upgrade also performed an uninstall — fresh progress jobs registered for the cleanup phase were still active at shutdown, so stop_clear() wiped them along with the summary. Progress jobs are now finished and reset before the summary prints (#​9860) by @​risu729. Regression from #​9779; addresses #​9856.

Changed

  • (security) Sigstore verification (verify_github_attestation, verify_cosign_signature, verify_slsa_provenance, detect_attestations) now runs on a local mise-sigstore adapter built on sigstore-verify 0.7 from sigstore-rust, replacing the previous sigstore-verification 0.2 dependency (#​9260) by @​jdx. The mise call sites and helper API are unchanged. The new adapter still covers legacy cosign v1 bundles (e.g. goreleaser-signed releases) and raw DSSE *.intoto.jsonl envelopes (slsa-github-generator) that the upstream Bundle::from_json rejects.

Deprecated

  • (config) The top-level env_file setting (and MISE_ENV_FILE) is now marked deprecated. Use env._.file in mise.toml instead (#​9862) by @​risu729. The JSON Schema gains the deprecated keyword, a warning is scheduled for 2026.11.0, and removal is planned for 2027.11.0.

    # before
env_file = ".env"

# after
[env]
_.file = ".env"

New Contributors

Full Changelog: jdx/mise@v2026.5.7...v2026.5.8

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.7: : Lazy GitHub tokens, hardened version parsing, and faster task freshness

Compare Source

A round of correctness and performance fixes: vfox-managed tools no longer prompt your password manager on every shell hook, mise upgrade stops double-printing its summary, mise settings get finally distinguishes typos from unset values, and conda installs that pulled in adwaita-icon-theme are unstuck. Plus a security pass that hardens version-string parsing against shell injection.

Fixed

  • (vfox) GitHub tokens are now resolved lazily inside Lua plugins. Previously, mise hook-env, mise activate, mise completion, and even mise --help would call github.credential_command for every installed vfox tool — potentially unlocking a password manager on every prompt. The resolver is now only invoked when a Lua plugin actually issues an HTTP request to a GitHub API URL, e.g. during an install (#​9816) by @​jdx. Fixes #​9797.

  • (upgrade) mise upgrade (and mise up) no longer prints the installed-tools block twice when an upgrade also needs to uninstall an older version. The shared progress-job registry is now cleared after each phase so the subsequent uninstall renders cleanly (#​9779) by @​jdx. Fixes #​9774.

  • (settings) mise settings get distinguishes between a known setting that hasn't been set and a typo:

    $ mise settings get python.compile
mise ERROR Setting [python.compile] is not set
$ mise settings get not.a.real.setting
mise ERROR Unknown setting: not.a.real.setting

    Previously both returned Unknown setting, since Option<T> fields skipped by TOML serialization were indistinguishable from missing keys (#​9818) by @​jdx.

  • (backend) Several backends (aqua, github/gitlab/forgejo, http, s3, ubi, vfox, conda, Windows npm) reported bin-paths pointing at the concrete resolved install dir (e.g. installs/tiny/1.0.0/...) instead of the stable runtime symlink for the requested label (e.g. installs/tiny/latest/...). A new runtime_path_for_install_path helper remaps backend-discovered absolute paths onto the runtime path while leaving explicit relative bin_path values alone (#​9606) by @​risu729.

  • (conda) mise use -g imagemagick (and other tools pulling in adwaita-icon-theme) failed with conda solve failed: encountered duplicate records for adwaita-icon-theme-40.1.1-.... rattler-solve detects duplicates by DistArchiveIdentifier rather than URL, so when conda-forge served the same archive under multiple CDN URLs, the existing URL-based dedup wasn't enough. Dedup now uses r.identifier, the exact key the solver uses (#​9831) by @​jdx. Fixes #​9829.

Added

  • (github) github.credential_command now runs through the configured default inline shell (instead of hardcoded sh -c) and is invoked with MISE_CREDENTIAL_HOST and MISE_CREDENTIAL_PROVIDER in the environment. The deprecated $1 / ${1} hostname positional argument continues to work for sh-compatible shells (ash, bash, dash, ksh, sh, zsh); a deprecation warning lands in 2026.11.0 and removal is planned for 2027.11.0 (#​9664) by @​risu729.

Performance

  • (aqua) The baked aqua standard-registry package and alias lookup tables are now generated as static phf::Maps at build time via phf_codegen, instead of lazy runtime HashMaps. Warmed lookup is comparable, but first-use no longer allocates ~115 KiB of heap or builds a 2,179-entry bucket table (#​9763) by @​risu729.

  • (task) When task.source_freshness_hash_contents = true, mise now caches each source file's blake3 hash keyed by (size, mtime_secs, mtime_nanos) — git's stat-info trick — in a per-task file under STATE/task-sources/. Unchanged files are skipped on subsequent runs; entries for files removed from sources are pruned automatically (#​9819) by @​jdx. See discussion #​9802.

Security

  • Reject shell metacharacters in version strings at the ToolRequest boundary (#​9814) by @​jdx. ToolRequest::new now validates version, prefix, ref/*, sub-*, and path: requests, rejecting $, backticks, quotes, \, control chars, and .. traversal. This single change neutralizes the CRITICAL RCE class flagged against vfox-ag, vfox-bfs, vfox-bpkg, vfox-chezscheme, vfox-redis, vfox-yarn, and shell-injection findings on clickhouse, leiningen, `

Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from nikobockerman as a code owner June 1, 2026 03:34
@renovate renovate Bot force-pushed the renovate/jdx-mise-2026.x branch from a2a75fc to a18c317 Compare June 2, 2026 01:04
@renovate renovate Bot changed the title Update dependency jdx/mise to v2026.5.16 Update dependency jdx/mise to v2026.5.18 Jun 2, 2026
@nikobockerman nikobockerman merged commit 5ba5157 into main Jun 2, 2026
21 checks passed
@nikobockerman nikobockerman deleted the renovate/jdx-mise-2026.x branch June 2, 2026 03:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nikobockerman nikobockerman Awaiting requested review from nikobockerman nikobockerman is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nikobockerman