Update dependency jdx/mise to v2026

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
jdx/mise	major	v2024.7.1 → v2026.6.3

---

Release Notes

jdx/mise (jdx/mise)

v2026.6.3: : auto_env, release-age polish, and lockfile fixes

Compare Source

This release smooths over follow-ups to v2026.6.2's built-in minimum_release_age cutoff, introduces opt-in platform-aware config environments, and tightens lockfile and Windows behavior for tasks and installs.

Added

• (config) New auto_env early-init setting (MISE_AUTO_ENV or .miserc.toml) that automatically activates platform-derived config environments — unix, {os} (linux / macos / windows), and {os}-{arch} (e.g. windows-x64, macos-arm64) — so files like mise.windows.toml, mise/config.macos-arm64.toml, and matching mise.<env>.lock lockfiles load automatically. Precedence is unix < {os} < {os}-{arch} < explicit MISE_ENV, and auto envs are deliberately not propagated through MISE_ENV or {{ mise_env }}. Off by default in this release; a transitional warning ships in 2026.12.0 and the default flips on in 2027.6.0 (#​10316 by @​jdx).
• (github) mise token github --oauth --refresh (and the hidden mise github token alias) forces a fresh OAuth token mint even when the cached token is still time-valid. The refresh-token grant is tried first with no user interaction, falling back to a new device-code flow. Useful when you authorize the app first and install it on a repo afterwards and the cached token still has the pre-installation permissions (#​10317 by @​jdx).
• (backend) version_expr can now post-process version_regex results as a pipeline — when both are set, regex output is exposed as a versions variable to expr. This fixes oc and openshift-install latest resolution (now 4.22.0 instead of 4.9.9) by sorting the lexicographic HTML listing from mirror.openshift.com via version_expr = 'sortVersions(versions)' (#​10302 by @​konono).
• (deps) First-class Deno support in mise deps — automatic detection plus list, install, add, and remove (#​10291 by @​felipecrs).
• (registry) Added imagemagick (aqua:ImageMagick/ImageMagick) (#​10118 by @​thernstig) and vscode-cli (aqua:microsoft/vscode/code) (#​10314 by @​felipecrs).

Fixed

• (config) The built-in 24h default minimum_release_age introduced in v2026.6.2 no longer disables installed-version fast paths, fixing a regression where shell startup grew from ~2.5s to ~65s because every mise which / mise hook-env invocation fetched remote version lists. Cutoff resolution now tracks provenance (Default / Provided / Explicit): the default only gates remote picks at install time, while explicit CLI / setting / per-tool cutoffs keep their date-aware semantics (#​10315 by @​jdx).
• (backend) minimum_release_age = "0s" is now correctly treated as disabling the cutoff. Backends can also expose fast-path latest release metadata (with created_at), so the canonical latest can pass an age check even when cached remote version lists are stale (#​10310 by @​jdx).
• (python) Core Python remote versions now carry release timestamps — python-build-standalone dates for precompiled listings and python-build definition commit timestamps for source-build listings — so minimum_release_age actually filters them (#​10311 by @​jdx).
• (lock) Tools resolved from idiomatic version files (.node-version, .python-version, …) are now written to the project mise.lock instead of a phantom sibling lockfile, so mise install --locked no longer rejects them as missing (#​10309 by @​jdx). When multiple base configs share a project root, lockfile selection is now deterministic and picks the highest-precedence config — e.g. colocated mise.toml and .mise/config.toml consistently target .mise/mise.lock (#​10319 by @​jdx).
• (task) Tasks loaded via task_config.includes now receive the collected task_templates map, so a task that only has extends = "template:..." actually inherits its run entries instead of silently exiting successfully (#​10312 by @​jdx).
• (task) On Windows, inline tasks and [hooks] commands routed through cmd /c preserve inner double quotes. Previously, the std argv serializer produced \"-escaped strings that cmd.exe passed through literally, so e.g. uv run --no-project python -c "import pathlib; print(pathlib.Path.home())" failed with SyntaxError: unterminated string literal. Commands are now built verbatim via cmd /s /c "...", with forwarded args still MSVCRT-quoted inside (#​10301 by @​JamBalaya56562).
• File renames during install now retry up to 5 times on Windows for transient ERROR_ACCESS_DENIED (5) and ERROR_SHARING_VIOLATION (32) errors (typically Windows Defender holding extracted files), with exponential backoff from 50ms to 800ms (#​10300 by @​jhult).
• (completions) Require usage 3.5 in the generated usage spec to pick up zsh colon completion fixes; the zsh completion script now consumes three tab-separated fields and uses compadd (#​10313 by @​jdx).
• (registry) podman now points at its new GitHub organization after the upstream rename on 2026-06-01 (#​10288 by @​TyceHerrman).

New Contributors

• @​felipecrs made their first contribution in #​10314
• @​jhult made their first contribution in #​10300

Full Changelog: jdx/mise@v2026.6.2...v2026.6.3

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.2: : Supply-chain defaults and clearer install warnings

Compare Source

This release tightens mise's default supply-chain posture: fuzzy version resolution now waits 24 hours after a release by default on timestamp-aware backends, with new excludes, opt-outs, and warnings so it stays out of your way when you don't want it. A couple of long-standing GitHub-attestation and npm-install rough edges are smoothed over as well.

Added

• (config) Apply a built-in 24-hour minimum_release_age when no global or per-tool value is set, for backends that expose release timestamps (core, aqua, github, npm, pipx, etc.). Asdf/vfox/plugin-style tools without release metadata are unaffected. mise ls-remote now reports how many releases were hidden, and mise upgrade warns when a newer release is being ignored by the cutoff, e.g.:

  newer jq release 1.7.2 ignored by minimum_release_age
  

  Set minimum_release_age = "0s" to disable the default. Pinned exact versions still bypass the filter. (#​10279 by @​jdx)

• (config) New minimum_release_age_excludes setting to skip the global (and built-in) release-age policy for selected tools or whole backends. Entries may be tool shorthands, full backend IDs, or backend wildcards:

  [settings]
  minimum_release_age = "24h"
  minimum_release_age_excludes = ["jq", "npm:prettier", "npm:*"]

  Per-tool minimum_release_age and CLI --minimum-release-age still take precedence as before. (#​10277 by @​jdx)

• (registry) cargo-msrv is now available in the registry, installed via aqua (foresterre/cargo-msrv) with a cargo:cargo-msrv fallback (#​10276 by @​jdx).

Fixed

• (github) GitHub artifact attestation detection and verification now respect the existing registry/default-backend gate, so custom github: repos and non-registry aqua packages talk to GitHub directly instead of routing through the mise-versions host. Python precompiled builds still use the versions host; Ruby precompiled attestations use it only for the default jdx/ruby source (#​10260 by @​jdx).
• (npm) After global npm installs, mise warns when the package declares lifecycle scripts (preinstall / install / postinstall) that were skipped because mise still passes --ignore-scripts=true. Setting npm_args = "--ignore-scripts=false" (or --no-ignore-scripts) correctly suppresses the warning, with later flags winning (#​10280 by @​jdx).

Changed

• (registry) aube and pitchfork now resolve to jdx/aube and jdx/pitchfork in both the mise registry and the vendored aqua registry, with endevco/* aliases retained for compatibility. Aube <= 1.18.1 skips GitHub artifact attestations to match the upstream aqua registry change (#​10285 by @​jdx).

Documentation

• (security) A new Security page consolidates software verification and supply-chain guidance, documents the 24h minimum_release_age default and 0s opt-out, and clarifies that only npm: and pipx: currently forward the cutoff to transitive dependency resolution (#​10278 by @​jdx).
• (settings) Examples and CLI hints prefer the shorter mise settings set key=value form (#​10271 by @​jdx).
• Debian/Ubuntu install instructions now recommend extrepo, since mise's deb repository was added to Debian extrepo (#​10262 by @​okulev).
• Sponsor logos on the docs site now have better contrast (#​10270 by @​jdx).

New Contributors

• @​okulev made their first contribution in #​10262

Full Changelog: jdx/mise@v2026.6.1...v2026.6.2

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.1: : aqua multi-registry, SOPS TOML, and a GitHub backend tune-up

Compare Source

Added

• (aqua) Support multiple custom registries via aqua.registries; deprecates single-string aqua.registry_url (#​10179 by @​risu729).
• (env) Decrypt SOPS-encrypted TOML env files (.env.toml) through rops (#​10201 by @​risu729).
• (hooks) Add run_windows for Windows-specific inline hook commands (#​10202 by @​risu729).
• (task) Render task_config.includes with the Tera config context and expand ~/ for local includes (#​10225 by @​risu729).
• (task) Support standalone .toml task files via git:: directory includes (#​10219 by @​davidolrik).
• (aqua) Extract 7z archives, including auto-detection of .7z assets (#​10224 by @​risu729).

Fixed

• (env) Include the uv venv (uv.lock + .venv) in the env_cache key so VIRTUAL_ENV no longer leaks across sibling directories when env_cache=true and python.uv_venv_auto is set (#​10217 by @​Nagato-Yuzuru).
• (task) Resolve dependency sources relative to each task's directory and pass per-dependency --watch paths to watchexec (#​10054 by @​43081j).
• (ruby) Include resolved Ruby install options (compile mode, installer, build repo, precompiled URL, patch inputs) in lock identity (#​9992 by @​risu729).
• (elixir) Resolve lockfile URL and SHA-256 from builds.hex.pm metadata; locked installs reuse the lockfile URL (#​10226 by @​risu729).
• (github) Accept GitHub-canonicalized owner/repo casing when validating mise-versions release asset URLs (#​10240 by @​risu729).
• (github) Detect 401 responses on cached native OAuth tokens, refresh once, and retry transparently (#​10246 by @​jdx).
• (github) Warn when mise-versions GitHub metadata lookups hit rate limits or non-404 errors (#​10254 by @​jdx).
• (github) Skip the versions host for non-registry github: tools (#​10255 by @​jdx).
• (github) Emit logfmt-style structured fields for versions-host calls, with credentials and query stripped from URLs (#​10256 by @​jdx).
• Nix flake build test failure by adding git to nativeCheckInputs (#​10243 by @​okuuva).

Security

• (http) Sanitize HTTP backend version names in install symlink paths to prevent repository-controlled versions from escaping the installs directory (GHSA-f94h-j2qg-fxw3) (#​10245 by @​jdx).

Documentation

• Recommend the stable Snap channel for Linux installation (#​10250 by @​salim-b).

Registry

• Prefer aqua:endevco/aube for aube so glibc/musl libc variants are picked up automatically (#​10171 by @​jdx).
• Add pgroll (#​10252 by @​diegoholiveira).
• Add cargo-release (#​10258 by @​jdx).

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.0: : Corepack-managed npm and aqua Windows parity

Compare Source

A focused release that wires npm into Corepack when requested, brings aqua's Windows extension handling in line with upstream, and fixes task include ordering plus a Git Bash cygdrive regression.

Added

• (npm) Ensure npm itself is managed by Corepack when node.corepack=true and node.npm_shim=false, so the Corepack-managed npm shim is enabled alongside yarn/pnpm (#​10196 by @​roele).
• (cli) New mise sponsors subcommand and a sponsor block on the docs site that lists sponsors fetched from en.dev/sponsors.json (#​10182 by @​jdx).

Fixed

• (aqua) Mirror aqua's Windows extension semantics end-to-end (#​10167 by @​risu729):
  • complete_windows_ext is now tri-state — explicit true completes Windows asset/URL/file source names, explicit false leaves them alone, and an omitted value completes by default except for github_content/github_archive packages.
  • Registry windows_ext (default .exe, .sh for github_content/github_archive) and append_ext are honored when rendering assets, URLs, and Windows install links.
  • .exe and .jar assets are treated as already complete, existing extensions like .ps1 are preserved when format is omitted, and version dots in names like tool.1.0.0 no longer suppress Windows completion. The registry compilation cache is bumped to version 2 and will be regenerated on next use.
• (spm) Include provider, api_url, artifactbundle, and artifactbundle_asset in SPM lock identity so toggling between source builds and artifact bundles no longer silently reuses a stale mise.lock entry. provider is canonicalized to lowercase (default github omitted), api_url has trailing slashes trimmed, and filter_bins stays out of lock identity since it only affects which built executables are exposed (#​10160 by @​risu729).
• (bun) Improve musl detection on Linux: when the system libc preference is unset, fall back to runtime detection and treat unknown results as non-musl, fixing glibc-system installs that were incorrectly resolving to bun's musl build (#​10195 by @​roele).
• (task) Honor task_config.includes order so a local task can override a same-named git:: include. Previously a regression in #​9147 combined with non-git includes being loaded before all git:: includes meant a git:: include always clobbered a same-named local task regardless of position. Includes now load in their declared order with first-wins file-task dedup, so the earlier entry in the list takes precedence uniformly across directory, toml-file, and git:: includes (#​10191 by @​vmaleze).
• (task) Honor MISE_CYGDRIVE_PREFIX for Git Bash / MSYS2, not only Cygwin. Git Bash users with a custom /etc/fstab automount root can now set the prefix to fix the converted PATH; defaults are unchanged (/c/... for Git Bash, /cygdrive/c/... for Cygwin) (#​10190 by @​JamBalaya56562).
• (completion) Rely on usage 3.4.0's usage#649 for inherited global flags so -C/--cd, -j/--jobs, and -q/--quiet are recognized before a mounted task without the broad promotion workaround. The narrowed promotion now only covers orphan-short flags -r/-S (whose root globals are long-only), and min_usage_version is bumped to 3.4 so older usage CLIs warn to upgrade instead of silently regressing (#​10176 by @​JamBalaya56562).

Documentation

• Fix the choice template function example to use named-argument syntax (#​10197 by @​joekrill).

New Contributors

• @​joekrill made their first contribution in #​10197

Full Changelog: jdx/mise@v2026.5.18...v2026.6.0

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.18: : Hook script arrays and lock-identity fixes

Compare Source

A focused release that teaches hooks to accept script arrays, ships an npm install -g mise package, and tightens lock identity across several backends so mise.lock entries can no longer be reused for option combinations that resolve to a different artifact set.

Added

• (config) Hooks now accept script/scripts arrays for current-shell hooks (#​9836 by @​risu729):

  [hooks.enter]
  shell = "bash"
  script = [
    "source completions.sh",
    "export PROJECT_READY=1",
  ]

  Note that run is still string-only — to spawn multiple inline commands, use a list of { run = "..." } entries or one multiline run string.

Fixed

• (env) PATH entries under mise's installs directory are now treated as mise-managed during hook-env reactivation, so an inactive install path like installs/node/24/bin inherited from a parent shell can no longer sit ahead of the active project's installs/node/22.17.1/bin (#​10162 by @​risu729).
• (config) .miserc.toml discovery now stops at raw MISE_CEILING_PATHS entries (without recursing through the lazy fallback), preventing a parent .miserc.toml above the ceiling from injecting MISE_ENV (#​10165 by @​risu729).
• (task) mise tasks ls --json, tasks info --json, and the MCP tasks resource now serialize full run entries — including single task refs and task groups — instead of script-only strings (#​10163 by @​risu729).
• (task) Bump usage-lib to 3.4.0 and update the zsh completion to read display<TAB>insert pairs from usage complete-word, restoring task completions after the usage-cli 3.4.0 output change (#​10181 by @​jdx).
• (installer) Add the missing warn helper used by the standalone installer's checksum fallback paths (#​10157 by @​risu729, recreating @​olfway's original fix).

Lock identity

A batch of fixes ensures mise lock selects entries by an identity that actually reflects the installed result, so toggling an option no longer silently reuses a stale lock entry:

• (conda) Include the conda channel — the same tool@version resolved against conda-forge, bioconda, or a private channel can produce entirely different builds and checksums (#​9984 by @​risu729).
• (rust) Include rustup profile, components, and targets, read from both tool options and rust-toolchain.toml, with stable sorting (#​9988 by @​risu729).
• (github) Include target artifact selectors (api_url, version_prefix, per-platform asset_pattern, direct url, no_app) for GitHub, GitLab, and Forgejo backends, resolved per target platform (#​9985 by @​risu729).
• (python) Include non-default patch_sysconfig = false (the interpreter tree differs after install); virtualenv stays out as an activation-only overlay (#​10161 by @​risu729).

Changed

• (npm) mise is now published to npm under the unscoped mise package, so npm install -g mise and npx mise work directly. The legacy @jdxcode/mise scoped package continues to be published, and the new wrapper reuses the existing @jdxcode/mise-<os>-<arch> platform tarballs (#​10183 by @​jdx).

Full Changelog: jdx/mise@v2026.5.17...v2026.5.18

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.17: : Custom aqua registry cache and Windows fixes

Compare Source

A catch-up release for the tag that shipped the compiled custom aqua registry cache, several Windows task/shim fixes, and a handful of backend install improvements. This release is backfilled without binary assets; use v2026.5.18 or newer for downloadable artifacts.

Added

• (aqua) Add a compiled custom registry cache to speed up aqua registry lookups and reduce repeated parsing work (#​9583 by @​jdx).

Fixed

• (upgrade) Handle a lone v prefix in --bump latest queries (#​10130 by @​jdx).
• (env) Force the Unix environment key to uppercase PATH, avoiding mixed-case path handling surprises (#​9927 by @​jdx).
• (http) Limit fallback retries against the shared versions host (#​10142 by @​jdx).
• (bun) Use Bun's native windows-arm64 build for Bun 1.3.10 and newer (#​10150 by @​M1noa).
• (task) Honor explicit and quoted shell paths on Windows (#​10148 by @​M1noa).
• (task) Convert PATH to /cygdrive form for Cygwin bash tasks on Windows (#​10147 by @​M1noa).
• (ui) Honor color settings in interactive prompt themes (#​10151 by @​M1noa).
• (pipx) Upgrade the shared pip environment when using version constraints (#​10138 by @​jdx).
• (shim) Refresh stale Windows shims after a mise version update (#​10152 by @​M1noa).
• (completion) Keep global -C/--cd usable in task argument completion (#​10153 by @​M1noa).
• (github) Handle x86 release assets as x64 fallbacks where upstreams publish mismatched naming (#​10103 by @​jdx).
• (github) Strip OpenGrep platform suffixes before asset matching (#​10166 by @​jdx).
• (github) Penalize certificate assets as metadata so they are not selected as install archives (#​10158 by @​jdx).

Changed

• Registry: add herdr via github:ogulcancelik/herdr (#​10154 by @​ogulcan).
• Registry: add databricks-cli via aqua:databricks/cli (#​10072 by @​nstrug).
• (spm) Parse SwiftPM tool options locally (#​9959 by @​jdx).

Documentation

• Split glossary aliases into Tool Aliases and Shell Aliases (#​9983 by @​BenjaminChr).
• Update the webpage tooling copy to use current tools (#​10170 by @​jdx).

Full Changelog: jdx/mise@v2026.5.16...v2026.5.17

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.16: : versions-host metadata, fork-bomb fixes, and friendlier upgrades

Compare Source

Added

• (github) Use the shared mise-versions host for release metadata and artifact attestations before falling back to api.github.com, dramatically cutting anonymous GitHub API usage in CI/Docker (#​10127 by @​jdx).
• (node) New node.npm_shim setting (MISE_NODE_NPM_SHIM) to opt out of the bundled npm wrapper, letting corepack manage bin/npm cleanly (#​10082 by @​jjb).
• (npm) New allow_builds tool option for npm-backend installs that expands to --allow-build=<pkg> for aube and pnpm, accepting a string, array, or true for all builds (#​10116 by @​jdx).

Fixed

• (backend) Strip the system shims dir from dependency_env PATH to prevent npm/go shim re-entry fork-bombs in devcontainer/Docker setups using mise install --system (#​10019 by @​andrewjamesbrown).
• (backend) Improve libc detection on musl distros so installing gcompat on Alpine no longer flips mise to glibc binaries (#​10020 by @​thespags).
• (aqua) Skip in-place link creation when src and dst alias the same inode (fixes godot install on macOS/APFS) (#​10012 by @​tvararu).
• (aqua) Lock github_content packages using raw GitHub content URLs instead of archive URLs (#​10102 by @​risu729).
• (toolset) hook-env and other prefer-offline flows no longer fetch remote versions to resolve concrete/latest/prefix:* specs, speeding up shells with many fuzzy tools (#​10098 by @​jdx).
• (upgrade) Preserve installed versions still pinned by other tracked project lockfiles during upgrade cleanup (#​10114 by @​jdx).
• (upgrade) Improve current version detection so prefix requests like go = "1.25" show the best matching installed version in summaries (#​9973 by @​jdx).
• (lock) Allow mise lock and mise upgrade to refresh mise.lock even when locked = true is set (#​10111 by @​jdx).
• (install) Reject install requests whose resolved backend is in disable_backends, including explicit syntax like ubi:owner/repo (#​9905 by @​risu729).
• (use) Reject tool version strings that start with - (e.g. mise use dummy@--version) (#​10113 by @​jdx).
• (en) Preserve MISE_ENV / -E profile when an activated subshell sources mise activate (#​10124 by @​jdx).
• (unset) Respect MISE_GLOBAL_CONFIG_FILE when running mise unset from $HOME, matching mise set/use (#​10105 by @​jdx).
• (task) Set config_root on tasks loaded from global config so {{config_root}} renders correctly (#​10106 by @​jdx).
• (task) Render templates and expand ~/ in sandbox allow_read / allow_write paths (#​10112 by @​jdx).
• (shim) Skip dot-prefixed (hidden) executables when generating shims (#​10123 by @​jdx).
• (pipx) Combine --pip-args=VALUE into a single argv element so pipx's argparse accepts values starting with -- (#​10120 by @​iloveitaly).
• (security) Apply url_replacements to the GitHub attestations API base URL (#​9971 by @​SlaterByte).
• Show the mise version in friendly error output (#​10109 by @​jdx).
• (copr) Increase build timeout (#​10071 by @​jdx).

Performance

• Cache repeated successful path canonicalization across hot PATH/shim/activation lookups (#​10068 by @​jdx).

Changed

• Registry: use the npm backend for npm on Windows (aqua's standalone npm/cli tarball is broken on Windows) (#​10101 by @​risu729).
• Registry: allow narrow dependency builds for npm-primary tools (wrangler, gemini-cli, vercel, codebuff, jules, orval, serverless), and drop npm fallbacks for ast-grep, lefthook, claude, code (#​9916 by @​risu729).
• Registry: add modem-dev/hunk (#​10051 by @​naoki-mizuno), wacli (#​10043 by @​dovocoder), liquibase via the github backend (#​10052 by @​benberryallwood), longbridge-terminal (#​10073 by @​hogan-yuan), and make aube more resilient (#​10092 by @​bgeron, #​10110).

Documentation

• Fix Scoop installation section (#​10059 by @​ofek).
• Clarify untrusted config behavior (#​10097 by @​jdx).
• Remove outdated terraform main.tf reference (#​10099 by @​risu729).
• Remove broken "How I Use mise" link (#​10081 by @​HYP3R00T).

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.15: : loongarch64 and riscv64 support

Compare Source

A small release that recognizes loongarch64 and riscv64 as valid platform arches and refreshes the conda (rattler) backend.

Fixed

• Add loongarch64 and riscv64 to the set of arches accepted by Platform::validate(). Previously, lockfiles targeting linux-riscv64 or linux-loongarch64 would fall back to the common platform set instead of resolving to the requested single platform, so installs on those machines couldn't use lockfile-authoritative platform selection (#​10038 by @​k0tran).

Changed

• Bump rattler (used by the conda backend) from 0.42 to 0.43, picking up upstream fixes for missing symlinks during Windows installs, deterministic path ordering from link_package_sync, and accepting full URLs as the OAuth issuer host (#​10030).

New Contributors

• @​k0tran made their first contribution in #​10038

Full Changelog: jdx/mise@v2026.5.14...v2026.5.15

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.14: : Reject wrong-arch release assets

Compare Source

A small fix release that hardens GitHub release asset auto-selection against picking binaries for the wrong CPU architecture.

Fixed

• (github) Asset auto-selection now hard-rejects any candidate whose filename explicitly declares a non-matching architecture, even when other scoring bonuses (preferred name, archive type, libc match) would otherwise rank it first. This fixes cases like cargo-msrv on aarch64 Linux, where cargo-msrv-x86_64-unknown-linux-gnu-*.tgz was being chosen over no-match-better-than-wrong-match. Explicit asset_pattern configuration is unchanged (#​10018 by @​jdx).

Full Changelog: jdx/mise@v2026.5.13...v2026.5.14

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.13: : Safer npm installs, faster shell completions

Compare Source

A focused release that tightens npm install safety by default, removes network calls from shell completion generation, and fixes asset picking so primary release binaries beat related sub-archives.

Added

• (npm) The npm backend now passes --ignore-scripts=true by default when installing through npm, and no longer adds Bun's --trust flag automatically. npm_args and bun_args remain the user escape hatches and are appended after the defaults, so you can opt back in per tool (#​9913 by @​risu729):

  [tools]
  # opt back into npm lifecycle scripts for one tool
  "npm:some-tool" = { version = "latest", npm_args = "--ignore-scripts=false" }
  # opt into Bun's broad install-time script trust
  "npm:other-tool" = { version = "latest", bun_args = "--trust" }

  For dependency build approvals, prefer aube or pnpm with --allow-build=<pkg>; see the refreshed npm backend docs.

Fixed

• (completion) mise completion is often invoked on shell init. It no longer refreshes remote version metadata while building the toolset, so slow networks and timeouts don't delay every new shell (#​10010 by @​sargunv-headway).
• (github) Auto-detection scoring now gives a small bonus to assets whose platform-stripped filename matches the repo/tool name, and treats manylinux* / musllinux* asset names as Linux with the right glibc/musl libc. This fixes installs like opengrep/opengrep, where opengrep-core_linux_aarch64.tar.gz was previously winning over the primary opengrep_* binary. Explicit asset_pattern configuration is unchanged (#​10008 by @​risu729).
• (shim) Optioned tool aliases (e.g. GitHub tool_alias entries with per-alias asset_pattern / bin_path) are now visible to runtime symlink and shim rebuilds. Previously these alias backends bypassed the global backend cache and could be missed after install, leaving latest symlinks or executable shims unbuilt (#​9848 by @​risu729).
• (release) The embedded mise-plugins vfox plugin set now includes vfox-groovy, vfox-php, and vfox-scala as fallbacks after the default asdf backend (#​9832 by @​risu729).
• (doctor) The mise doctor version-check request now uses the regular HTTP client and the configured http_timeout (controllable via MISE_HTTP_TIMEOUT), instead of an unconfigurable 3s timeout. Timeout error messages now point at the real setting (#​9977 by @​risu729).
• (config) Tool options coming from the install manifest are tracked as their own source layer, kept below config and inline backend args in precedence, and no longer serialized back out as inline backend args (#​9958 by @​risu729).

Changed

• (registry) vector now uses the aqua backend, which has Vector-specific vdev-* release filtering. This avoids resolving stray vdev-* GitHub releases as the latest Vector (#​10011 by @​jdx).
• (registry) vale now tracks its updated aqua-registry location (#​10002 by @​eread).
• (dotnet) The .NET backend reads prerelease (and other tool options) through a local typed option reader, with the legacy package-flag fallback preserved (#​9962 by @​risu729).

Full Changelog: jdx/mise@v2026.5.12...v2026.5.13

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.12: : minimum-release-age, global edit, and install_env fixes

Compare Source

A focused release that renames the release-age cutoff flag to something more discoverable, deprecates the legacy default_packages_file mechanism, and fixes several install_env propagation gaps across backends.

Added

• (cli) mise edit --global / -g opens the global config file (~/.config/mise/config.toml, or $MISE_GLOBAL_CONFIG_FILE if set), bringing mise edit in line with mise use --global, mise settings set --global, and other commands. A positional path still wins over the flag (#​9953 by @​fru1tworld).

• (cli) The release-age cutoff flag on mise install, use, upgrade, and latest has been renamed from --before to --minimum-release-age, matching the per-tool option and global setting of the same name. The old --before spelling is kept as a hidden alias so existing scripts keep working (#​9768 by @​risu729):

  mise latest node --minimum-release-age 2024-01-01
  mise install --minimum-release-age 90d

Fixed

• (aqua) Verify cosign bundles that ship a long-lived public key via cosign.opts --key locally, instead of routing them through sigstore-verify's unsupported public-key bundle path. This fixes installs like aqua:stackrox/kube-linter@0.8.3, which previously failed with public key verification not yet supported (#​9972 by @​jdx).
• (backend) Per-tool install_env is now passed into tool-level postinstall hook commands (#​9930 by @​risu729) and applied to command-backed install paths across package-manager backends, vfox cmd.exec hooks, SPM build/probe commands, and core language install-time commands (#​9929 by @​risu729).
• (cargo) Fall back to cargo install (instead of cargo-binstall) when tool options require source-build feature selection. cargo-binstall is still used for compatible options such as bin, crate, and locked (#​9928 by @​risu729).
• (config) Restore the env_file setting and the MISE_ENV_FILE env var, which had been incorrectly marked deprecated. env._.file in mise.toml is the right replacement for legacy top-level env_file entries, but it's not behaviorally equivalent to MISE_ENV_FILE=.env, which uses FindUp from the current directory (#​9903 by @​risu729).

Changed

• (core) Default package files are now on a deprecation timeline (#​9970 by @​jdx). The settings go.default_packages_file, node.default_packages_file, python.default_packages_file, and ruby.default_packages_file (i.e. ~/.default-go-packages, ~/.default-npm-packages, ~/.default-python-packages, ~/.default-gems) will start emitting a warning in 2026.11.0 and be removed in 2027.11.0. The recommended replacements are package-manager backends for CLIs:

  [tools]
  "npm:typescript" = "latest"
  "pipx:black"     = "latest"
  "gem:rubocop"    = "latest"
  "go:github.com/jesseduffield/lazygit" = "latest"

  or a tool-level postinstall hook for packages that really should be installed into every runtime version:

  [tools]
  node = { version = "22", postinstall = "npm install -g typescript" }

• (cli) User-facing help, docs, and the man page now use tool/backend wording instead of plugin/runtime where tools are not necessarily plugins, including renaming MISE_${PLUGIN}_VERSION references to MISE_${TOOL}_VERSION. mise tool-alias now prefers --tool as the primary long flag, with --plugin retained as an alias (#​9906 by @​risu729).

• (registry) The qsv shorthand now resolves to aqua:dathere/qsv first, falling back to the existing github:dathere/qsv and asdf:vjda/asdf-qsv entries (#​9910 by @​risu729).

• (snap) The snap package is now built and published for arm64 in addition to amd64, so snap install mise works on arm64 desktops (#​9948 by @​jnsgruk).

New Contributors

• @​jnsgruk made their first contribution in #​9948
• @​fru1tworld made their first contribution in #​9953

Full Changelog: jdx/mise@v2026.5.11...v2026.5.12

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.11: : Provenance verification at lock time

Compare Source

Added

• (security) Verify and record provenance during mise lock, with a new provenance_api_failures_fatal setting to control whether GitHub attestation API failures are fatal (#​9945 by @​jdx).
• (security) Fall back to verifying archive contents when SLSA provenance attests every file inside an archive but not the archive itself, fixing releases like github:prefix-dev/pixi@0.68.1 (#​9898 by @​sargunv).
• **(pl

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.