v2026.6.11: : apk bootstrap, cleaner Windows shims, and aqua polish

Compare Source

A focused release that adds Alpine apk as a bootstrap package manager, stops the default Windows exe shims from leaking into WSL, and fixes a handful of aqua, HTTP cache, Rust, and Deno corners.

Added

• bootstrap: Alpine Linux apk joins apt, dnf, pacman, and brew as a supported [bootstrap.packages] manager. Specify packages as apk:name (with optional @version), or pass --manager apk explicitly; status, install, and upgrade all wire through the same paths as the other Linux managers (#​10476 by @​jdx).

  [bootstrap.packages]
  "apk:curl" = "*"
  "apk:git" = "@​2.45.2-r0"

• registry: Added pinniped to the registry (#​10456 by @​tony-sol).

Fixed

• task: mise run //projects/backend and mise run //... no longer behave like //projects/backend:* — the monorepo pattern parser now rejects path-only targets with a clear error pointing to //path:<task> or //path:* (#​10479 by @​jdx).
• shim (Windows): Default exe windows_shim_mode no longer writes a second, extension-less bash shim next to <tool>.exe. Git Bash / Cygwin / MSYS2 already resolve a bare gh to gh.exe, and dropping the extras stops them from leaking into WSL via /mnt/c/... PATH interop (the source of the mise: not found / infinite-recursion loops). file mode still emits the bash shim where it is required. Old extras are cleaned up on the next reshim (#​10475 by @​JamBalaya56562).
• aqua: format_overrides are now parsed from the aqua registry and applied to the compiled package model. They run after version overrides and before normal platform overrides — matching aqua's own ordering — so per-OS archive formats finally resolve correctly. Aqua registry caches will rebuild on first use due to a serialized-layout bump (#​10461 by @​risu729).
• aqua: Minisign asset templates such as {{.Asset}}.minisig now render against the selected package asset, fixing signature verification for packages like jedisct1/minisign 0.12 (#​10462 by @​risu729).
• deno: Deno's Windows .sha256sum files use PowerShell Get-FileHash multi-line output. mise now parses that format alongside the standard whitespace-delimited one, validates the algorithm/length, and stores hashes lowercased as "<algo>:<hash>" (#​10464 by @​risu729).
• http: Auto-detected strip_components is now resolved before HTTP archive cache lookup and folded into the http-tarballs cache key. Stripped and unstripped extractions of the same URL no longer share a cache entry, fixing tool-stub installs that re-used a previous bin_path-based extract (#​10468 by @​risu729).
• install: When resolving lockfiles, absolute symlink targets that live under mise-managed data/cache/download/install/shared dirs are no longer misclassified as mise link versions. External symlink targets remain classified as linked. This fixes mise install --locked idempotency for HTTP-backed tools (#​10463 by @​risu729).
• rust: rust-toolchain.toml profile, components, and targets are now stored on the generated ToolRequest, so install and lockfile-option resolution both read the same request.options() instead of re-parsing the file. As a side effect, lockfile keys are canonicalized: TOML arrays now match comma-separated strings, components/targets are sorted and deduplicated, and an empty profile no longer emits a spurious key (#​10178 by @​risu729).
• exec: COLORTERM is now passed through to child processes (alongside TERM), preserving 24-bit truecolor signalling in sandboxed environments (#​10451 by @​sschuberth).
• docs: The Tera task-argument deprecation page now says removal is in 2027.5.0, matching the warning emitted by the CLI (#​10453 by @​reitzig).
• docs: The minimum_release_age example uses 6mo (not 6m) for "6 months", matching jiff's friendly duration format (#​10193 by @​sisp).

Changed

• deps: Replaced the unmaintained fuzzy-matcher crate (archived, last published 2020) with nucleo-matcher for registry/task suggestion scoring and picker highlight indices (#​10467 by @​risu729).
• deps: Removed the os-release and sys-info crates in favor of mise's internal /etc/os-release parser, which is now shared by libc detection, env, Swift, and Erlang Linux fallbacks (#​10465 by @​risu729).

Aqua Registry

New packages: Latias94/merman, bitnami/sealed-secrets, coder/boo. Updated: suzuki-shunsuke/ghtkn.

New Contributors

• @​sschuberth made their first contribution in #​10451
• @​sisp made their first contribution in #​10193

Full Changelog: jdx/mise@v2026.6.10...v2026.6.11

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.10: : Env defaults, Unix 7z, and stale-PATH fixes

Compare Source

A focused release that adds a default shorthand for env vars, brings .7z archive support to Unix, and cleans up several long-standing PATH and shim edge cases on Linux, macOS, Windows, and WSL.

Added

• env: New { default = "fallback" } shorthand for [env] (and config/task [vars]). The default applies only when the variable is unset or empty; existing non-empty values from the process env or earlier config are preserved. Mixing default with value, required, or age now fails with a clear message (#​10441 by @​jdx).

  [env]
  EDITOR = { default = "vim" }       # only used if $EDITOR is unset/empty
  PORT   = { default = "3000" }

• backend: .7z archives now extract on Unix as well as Windows, and strip_components probing works cross-platform. Migrated from the unmaintained sevenz-rust to sevenz-rust2, and tightened extraction to reject directory traversal and absolute paths (#​10434 by @​risu729).

Fixed

• env: When env_shell_expand is enabled, ${VAR:-default} now follows POSIX semantics: empty strings are treated as missing (fallback applies), ${VAR-default} only substitutes when the variable is unset, and fallback text is recursively expanded (e.g. ${NONEXISTENT:-$OTHER}). Braced parsing is also stricter — unterminated ${… stays literal and } inside $(…) no longer closes the brace (#​10445 by @​jdx, fixes #​10444).
• env: mise x / run / env now strip mise-managed install directories from the inherited PATH when composing the child environment. Stale entries carried in from a frozen env snapshot (IDE terminals, CI wrappers, AI-agent harnesses) no longer sit ahead of the freshly injected bin dir, so subshells, #!/usr/bin/env shebangs, and package-manager workers all resolve the requested tool version (#​10422 by @​JamBalaya56562, addresses #​10345).
• vfox: Plugin install hooks that shell out via Lua os.execute now run under the same sanitized mise_env as cmd.exec. Combined with new resolution of tools = true env values during install, this fixes setups like gcloud depending on python where a single mise install previously left CLOUDSDK_PYTHON pointing at a nonexistent path (#​10432 by @​JamBalaya56562, fixes #​10282).
• shims: Windows extensionless bash shims now detect WSL (WSL_DISTRO_NAME / WSL_INTEROP / WSLInterop), drop their own dir from PATH, and exec the tool directly. This breaks the infinite mise x loop that happened when the Windows shims dir was exposed at /mnt/c/... inside WSL, and gives a clean <tool>: not found when no Linux tool is installed. file-mode shims are now also flagged version-stale so a normal reshim regenerates them on upgrade (#​10421 by @​JamBalaya56562, addresses #​10299).
• file: make_symlink on Unix now creates the link at a unique temp name in the destination dir and atomically rename(2)s it into place. This eliminates the noisy failed to ln -sf … File exists (os error 17) warnings that surfaced when several mise processes (shell hook-env, direnv, editor integrations) raced on the same tracked-config link, e.g. when spawning a new git worktree (#​10414 by @​JamBalaya56562, fixes #​10292).
• task: On Windows, script-task lookup now prefers Windows-native variants (e.g. .ps1) over their extensionless siblings, and extensionless takeover only applies when the match is unambiguous and stays within the same config family (#​10443 by @​jdx).

Changed

• deps: Replaced the unmaintained number_prefix (RUSTSEC-2025-0119) and stale humansize crates with bytesize. Size strings in generated tool-stub comments and mise cache prune output now use native bytesize IEC formatting — e.g. 821.69 KiB becomes 821.7 KiB and 2.15 MiB becomes 2.2 MiB (#​10438 by @​risu729).

Full Changelog: jdx/mise@v2026.6.9...v2026.6.10

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.9: : Release plumbing cleanup

Compare Source

A maintenance-only release. There are no user-facing changes — just a revert of the release workflow plumbing introduced last cycle, plus routine aqua registry updates.

Changed

• ci: Reverted the idempotent GitHub release asset helper added in the previous cycle. The release workflow now goes back to creating the draft release and uploading every artifact in a single gh release create --draft call, which avoids the tag-lookup failure that broke the v2026.6.8 publish run (GitHub returns an untagged-* URL for freshly created drafts) (#​10433 by @​jdx).

Full Changelog: jdx/mise@v2026.6.8...v2026.6.9

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.8: : Rolling zig@master and fresher Ruby builds

Compare Source

A small fix release: zig@master now behaves as a true rolling channel, and jdx/ruby precompiled installs always pick up the latest numbered build revision.

Fixed

• ruby: Precompiled installs from the default jdx/ruby source now require a numeric build-revision tag (e.g. 3.3.11-1, 3.3.11-2) and ignore the floating base release. Lockfiles already pin to a revision and the base tag is treated as revision 0, so unlocked installs land on the newest rebuilt binary instead of an older one. Custom ruby.precompiled_url GitHub sources keep the previous base-tag fallback (#​10428 by @​jdx).

• zig: zig@master is now treated as a rolling release channel. mise resolves it to the concrete nightly it currently points at (e.g. 0.17.0-dev.836+e357134f0) via ziglang.org/download/index.json, installs into a versioned directory rather than a frozen installs/zig/master, and reuses the latest installed nightly for the channel — never an unrelated stable release — when running offline or from hook-env. As a result, mise upgrade zig and mise outdated can finally track new nightlies (#​10423 by @​JamBalaya56562, addresses #​10251).

  mise use zig@master
  mise upgrade zig   # moves to the current nightly

Documentation

• Vertically center the social-link icons in the docs site header (#​10424 by @​smasato).

New Contributors

• @​smasato made their first contribution in #​10424

Full Changelog: jdx/mise@v2026.6.7...v2026.6.8

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.7: : pkgx backend, more bootstrap surface, and forge install fixes

Compare Source

Added

• pkgx: backend: install pkgx pantry packages natively (no pkgx CLI required), with checksum-verified bottles, dependency resolution, and lockfile support via pkgx_deps and a shared [pkgx-packages] section (#​10408 by @​jdx).
• [bootstrap.macos.launchd.agents] for declarative macOS user LaunchAgents, plus mise bootstrap launchd apply / status (#​10396 by @​jdx).
• [bootstrap.linux.systemd.units] for declarative systemd user services, plus mise bootstrap systemd apply / status (#​10399 by @​jdx).
• [bootstrap.hooks] to run shell commands at named bootstrap phases (pre-packages, post-dotfiles, post-tools, final, etc.), honoring --dry-run (#​10395 by @​jdx).
• Friendly macOS defaults sections: [bootstrap.macos.dock], [bootstrap.macos.finder], [bootstrap.macos.keyboard], [bootstrap.macos.trackpad] with curated keys like show_all_files and tap_to_click (#​10398 by @​jdx).
• mas: package manager for [bootstrap.packages] to install Mac App Store apps by ADAM ID (#​10397 by @​jdx).
• mise bootstrap --force-dotfiles to replace conflicting whole-file dotfile targets, plus no-force replacement of regular files whose contents match the symlink source (#​10410 by @​jdx).
• tbz recognized as an alias for tar.bz2 extraction (#​10403 by @​risu729).
• Registry: SQLcl (aqua:oracle.com/sqlcl) (#​10417 by @​jasonlyle88).

Fixed

• mise activate --shims no longer re-prepends the directory containing the mise executable (#​10394 by @​JamBalaya56562).
• Install script detects busybox tar and downloads .tar.gz, fixing tar: invalid tar magic on Alpine (#​10385 by @​JamBalaya56562).
• Tool postinstall hooks run against the just-installed version with fuzzy requests like version = "3" (#​10415 by @​JamBalaya56562).
• github: / forgejo: / gitlab: paginate past an all-prerelease first page (#​10420 by @​JamBalaya56562).
• GitHub asset matcher strips the tool name at a token boundary before OS/arch detection (#​10390, #​10391 by @​JamBalaya56562).
• dotnet: searches send semVerLevel=2.0.0, fixing lookups for tools like roslyn-language-server (#​10384 by @​JamBalaya56562).
• Exact task name matches take precedence over extension-stripped fallbacks (#​10393 by @​JamBalaya56562).
• Task header joins backslash-continued lines (#​10387 by @​JamBalaya56562).
• mise watch --wrap-process is now forwarded to watchexec (#​10392 by @​JamBalaya56562).
• Non-registry plugin URLs prompt before clone (#​10402 by @​risu729).
• Aqua: {{.AssetWithoutExt}} strips the full aqua format list including .zst (#​10104 by @​risu729).
• Aqua: unsupported formats (tar.br, br, tar.lz4, lz4, tar.sz, sz, rar) fail with clear errors (#​10409 by @​risu729).
• Erlang: precompiled lockfile URLs resolve for Linux/macOS/Windows without a prior install; kerl fallback mode is recorded in lock identity (#​10239 by @​risu729).
• Registry: ImageMagick aqua backend scoped to windows-x64 (#​10400 by @​risu729).

Documentation

• Document precompiled Ruby build revisions (#​10419 by @​jdx).

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.6: : Declarative machine bootstrap

Compare Source

Added

• mise bootstrap command for end-to-end machine setup — system packages, dotfiles, macOS defaults, login shell, tools, and an optional bootstrap task — with --yes, --dry-run, and --update (#​10365, #​10376 by @​jdx).
• Declarative dotfiles via [dotfiles] plus mise dotfiles add / apply / edit / status, supporting symlink, symlink-each, copy, and template modes, glob wildcards in source paths, and block/line edits to files mise doesn't own (#​10365, #​10368, #​10374, #​10376 by @​jdx).
• [bootstrap.macos.defaults] for declaratively managing macOS user defaults, applied through mise bootstrap macos-defaults apply with drift reporting in status and mise doctor (#​10363 by @​jdx).
• [bootstrap.user].login_shell to declare and converge the current user's login shell (chsh -s, updating /etc/shells when needed) (#​10377 by @​jdx).
• [bootstrap.brew.taps] and mise bootstrap packages brew tap / untap for third-party Homebrew taps, with tap context preserved through dependency resolution and source builds (#​10375, #​10383 by @​jdx).
• brew-cask: package manager that installs supported app-bundle casks directly from cask API metadata without requiring a local Homebrew install (#​10383 by @​jdx).
• Native Homebrew source builds: when no usable bottle exists, mise provisions Ruby, evaluates the formula with a built-in Formula DSL shim, and builds from source into the canonical prefix (#​10364 by @​jdx).
• mise oci build now bakes [dotfiles] and apt: [bootstrap.packages] into images as dedicated annotated OCI layers (#​10373 by @​jdx).
• Safe mise.toml files (no templates, only min_version and plain [tools] / [tasks] strings) auto-load without a trust prompt; everything else still requires trust (#​10360 by @​jdx).

Fixed

• CLI no longer panics on arguments containing invalid UTF-8; malformed bytes become U+FFFD and surface as a normal error (#​10386 by @​JamBalaya56562, fixes #​10056).
• GitHub 403 errors now include the response body, rate-limit headers, and whether the request was authenticated, replacing the bare 403 Forbidden message (#​10382 by @​jdx).
• Brew shim (shim.rb) is now included in the published crate, fixing cargo publish for the source-build path (#​10388 by @​jdx).

Changed

• MCP server, sandboxing, hooks/watch_files, monorepo tasks, task templates, native GitHub OAuth, custom vfox backends, Swift, and the dotnet/s3/spm backends are no longer experimental; the monorepo root key is now monorepo_root (with experimental_monorepo_root kept as a hidden alias) (#​10371 by @​jdx).
• Version lists for mise-versions are now fetched from /data/{tool}.toml so Cloudflare can serve them as static assets (#​10361 by @​jdx).
• Split archive extraction and single-file decompression into dedicated helpers (extract_archive, decompress_file), with clearer errors for unsupported formats (#​10274 by @​risu729).

Documentation

• Documented the 24h default for minimum_release_age (#​10366 by @​ThijsdeJong-TomTom).
• Link to all sponsors, add more tips-and-tricks entries, clarify contribution fit, and make the contributing guide canonical (#​10369, #​10370, #​10378, #​10380 by @​jdx).

New Contributors

• @​ThijsdeJong-TomTom made their first contribution in #​10366

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.5: : Trust hardening and aqua attestation fixes

Compare Source

This release closes several trust-bypass vectors where a local mise.toml or mise-tasks/ directory could run code before the user trusted a project, and brings aqua's GitHub attestation verification in line with what the registry asks for.

Fixed

• (config) Treat github.credential_command, gitlab.credential_command, and forgejo.credential_command as global-only. They are stripped from project/local config at parse time (with a warning) so an untrusted mise.toml cannot use a credential command to execute arbitrary shell when fetching tokens. Global config, CLI flags, and environment variables are unchanged (#​10356 by @​jdx).
• (config) Fix GHSA-436v-8fw5-4mj8 by ignoring ci, paranoid, trusted_config_paths, and yes when they come from local config files. A malicious mise.toml can no longer set trusted_config_paths = ["/"] or paranoid = false to auto-trust itself before _.source scripts run (#​10357 by @​jdx).
• (task) Require trust before loading default task include directories (mise-tasks/, .mise-tasks/, and related layouts) in repos with no local mise config. Previously, a clone with only a mise-tasks/ directory could render Tera templates (including exec()) in task descriptions before the user trusted the project. Global task include paths and includes declared from a trusted mise.toml are still exempt (#​10355 by @​jdx).
• (aqua) Model and forward github_artifact_attestations.predicate_type to GitHub during attestation detection and verification. Packages like foundry-rs/foundry and gleam-lang/gleam that pin an SPDX SBOM predicate now enforce that predicate instead of accepting whatever attestation happens to verify. Predicate-filtered requests bypass the digest-only versions-host attestation cache (#​10169 by @​risu729).
• (aqua) Canonicalize aqua var options across plain keys, nested vars tables, and literal "vars.<name>" backend-option keys into a single lock/cache identity. Duplicate final vars now fail with a source-neutral conflicting aqua var error rather than silently picking one spelling; normal higher-precedence config overrides still apply (#​10187 by @​risu729).
• (schema) Forbid hide, quiet, raw, interactive, and raw_args on [task_templates.*] in the JSON Schema, and drop the unused fields from TaskTemplate. Runtime never merged these into tasks (templates can't tell "unset" from false for plain bools), so editors no longer suggest keys that did nothing (#​10242 by @​risu729).
• (schema) Accept supported OS, architecture, and os-arch selectors on registry backend platforms entries and backends.options.platforms.* tables — for example windows-x64, linux-arm64, darwin-aarch64, macos-arm64 — fixing false schema errors reported in discussion #​10296 (#​10358 by @​risu729).

Full Changelog: jdx/mise@v2026.6.4...v2026.6.5

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.4: : Declarative system packages

Compare Source

Added

• (system) Declarative system packages ([system.packages]) for apt, dnf, pacman, and Homebrew core formulae (installed without a brew CLI) via new experimental mise system status / install commands (#​10326 by @​jdx).
• (system) New mise system use and mise system upgrade to write [system.packages] entries and refresh installed system packages (#​10346 by @​jdx).
• (github) Added matching (substring) and matching_regex asset options to the github, gitlab, and forgejo backends, applied before platform autodetection and scoped through SLSA provenance verification (#​10325 by @​devnulled).
• (oci) mise oci build --owner UID[:GID] plus [oci].user_id / [oci].group_id config for layer file ownership (#​10075 by @​ThomasK33).

Fixed

• (backend) --minimum-release-age=0s now correctly disables the release-age cutoff instead of falling back to the default, and stable fast-path metadata avoids an unnecessary full version-list fetch (#​10344 by @​jdx).
• (aqua) Route GitHub metadata through mise-versions only for mise-registry-backed Aqua tools, eliminating noisy 403 warnings for packages like aqua:aws/session-manager-plugin (#​10341 by @​jdx).
• (aqua) Support overrides[].envs selectors so platform-specific Aqua overrides for packages like apache/tomcat and eza-community/eza apply correctly (#​10200 by @​risu729).
• (task) Resolve monorepo-relative task refs (:task, //pkg:task, aliases) the same way at validation time as runtime, so mise tasks validate no longer reports false missing-dependency errors (#​10342 by @​jdx).
• (task) Forwarded args now reach inline bash -c tasks on Windows instead of being assigned to $0 (#​10321 by @​JamBalaya56562).
• (task) Multiline task description values are surfaced in mise <task> --help and mise run <task> --help while task listings remain single-line (#​10204 by @​risu729).
• (tasks) Refactor editor (EDITOR / VISUAL) command handling to support values with arguments and improve error reporting (#​9752 by @​roele).
• (core) Preserve inner double quotes for the remaining cmd /c call sites on Windows (mise exec -c, tera exec(), watch_files, postinstall hooks, [deps], credential commands) (#​10323 by @​JamBalaya56562).
• (install) Skip unknown tools that are inactive on the current OS or disabled via disable_tools/enable_tools before raising registry errors (#​10206 by @​risu729).
• (java) Include the resolved shorthand_vendor in the lockfile identity for shorthand requests like java@17 (#​9989 by @​risu729).
• (dotnet) Include runtime in the core .NET plugin lockfile identity so SDK and runtime installs no longer share a lock entry (#​10175 by @​risu729).

Registry

• Added ghtkn (#​9967 by @​TyceHerrman) and antigravity-cli (#​10324 by @​rhanneken).

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.3: : auto_env, release-age polish, and lockfile fixes

Compare Source

This release smooths over follow-ups to v2026.6.2's built-in minimum_release_age cutoff, introduces opt-in platform-aware config environments, and tightens lockfile and Windows behavior for tasks and installs.

Added

• (config) New auto_env early-init setting (MISE_AUTO_ENV or .miserc.toml) that automatically activates platform-derived config environments — unix, {os} (linux / macos / windows), and {os}-{arch} (e.g. windows-x64, macos-arm64) — so files like mise.windows.toml, mise/config.macos-arm64.toml, and matching mise.<env>.lock lockfiles load automatically. Precedence is unix < {os} < {os}-{arch} < explicit MISE_ENV, and auto envs are deliberately not propagated through MISE_ENV or {{ mise_env }}. Off by default in this release; a transitional warning ships in 2026.12.0 and the default flips on in 2027.6.0 (#​10316 by @​jdx).
• (github) mise token github --oauth --refresh (and the hidden mise github token alias) forces a fresh OAuth token mint even when the cached token is still time-valid. The refresh-token grant is tried first with no user interaction, falling back to a new device-code flow. Useful when you authorize the app first and install it on a repo afterwards and the cached token still has the pre-installation permissions (#​10317 by @​jdx).
• (backend) version_expr can now post-process version_regex results as a pipeline — when both are set, regex output is exposed as a versions variable to expr. This fixes oc and openshift-install latest resolution (now 4.22.0 instead of 4.9.9) by sorting the lexicographic HTML listing from mirror.openshift.com via version_expr = 'sortVersions(versions)' (#​10302 by @​konono).
• (deps) First-class Deno support in mise deps — automatic detection plus list, install, add, and remove (#​10291 by @​felipecrs).
• (registry) Added imagemagick (aqua:ImageMagick/ImageMagick) (#​10118 by @​thernstig) and vscode-cli (aqua:microsoft/vscode/code) (#​10314 by @​felipecrs).

Fixed

• (config) The built-in 24h default minimum_release_age introduced in v2026.6.2 no longer disables installed-version fast paths, fixing a regression where shell startup grew from ~2.5s to ~65s because every mise which / mise hook-env invocation fetched remote version lists. Cutoff resolution now tracks provenance (Default / Provided / Explicit): the default only gates remote picks at install time, while explicit CLI / setting / per-tool cutoffs keep their date-aware semantics (#​10315 by @​jdx).
• (backend) minimum_release_age = "0s" is now correctly treated as disabling the cutoff. Backends can also expose fast-path latest release metadata (with created_at), so the canonical latest can pass an age check even when cached remote version lists are stale (#​10310 by @​jdx).
• (python) Core Python remote versions now carry release timestamps — python-build-standalone dates for precompiled listings and python-build definition commit timestamps for source-build listings — so minimum_release_age actually filters them (#​10311 by @​jdx).
• (lock) Tools resolved from idiomatic version files (.node-version, .python-version, …) are now written to the project mise.lock instead of a phantom sibling lockfile, so mise install --locked no longer rejects them as missing (#​10309 by @​jdx). When multiple base configs share a project root, lockfile selection is now deterministic and picks the highest-precedence config — e.g. colocated mise.toml and .mise/config.toml consistently target .mise/mise.lock (#​10319 by @​jdx).
• (task) Tasks loaded via task_config.includes now receive the collected task_templates map, so a task that only has extends = "template:..." actually inherits its run entries instead of silently exiting successfully (#​10312 by @​jdx).
• (task) On Windows, inline tasks and [hooks] commands routed through cmd /c preserve inner double quotes. Previously, the std argv serializer produced \"-escaped strings that cmd.exe passed through literally, so e.g. uv run --no-project python -c "import pathlib; print(pathlib.Path.home())" failed with SyntaxError: unterminated string literal. Commands are now built verbatim via cmd /s /c "...", with forwarded args still MSVCRT-quoted inside (#​10301 by @​JamBalaya56562).
• File renames during install now retry up to 5 times on Windows for transient ERROR_ACCESS_DENIED (5) and ERROR_SHARING_VIOLATION (32) errors (typically Windows Defender holding extracted files), with exponential backoff from 50ms to 800ms (#​10300 by @​jhult).
• (completions) Require usage 3.5 in the generated usage spec to pick up zsh colon completion fixes; the zsh completion script now consumes three tab-separated fields and uses compadd (#​10313 by @​jdx).
• (registry) podman now points at its new GitHub organization after the upstream rename on 2026-06-01 (#​10288 by @​TyceHerrman).

New Contributors

• @​felipecrs made their first contribution in #​10314
• @​jhult made their first contribution in #​10300

Full Changelog: jdx/mise@v2026.6.2...v2026.6.3

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.2: : Supply-chain defaults and clearer install warnings

Compare Source

This release tightens mise's default supply-chain posture: fuzzy version resolution now waits 24 hours after a release by default on timestamp-aware backends, with new excludes, opt-outs, and warnings so it stays out of your way when you don't want it. A couple of long-standing GitHub-attestation and npm-install rough edges are smoothed over as well.

Added

• (config) Apply a built-in 24-hour minimum_release_age when no global or per-tool value is set, for backends that expose release timestamps (core, aqua, github, npm, pipx, etc.). Asdf/vfox/plugin-style tools without release metadata are unaffected. mise ls-remote now reports how many releases were hidden, and mise upgrade warns when a newer release is being ignored by the cutoff, e.g.:

  newer jq release 1.7.2 ignored by minimum_release_age
  

  Set minimum_release_age = "0s" to disable the default. Pinned exact versions still bypass the filter. (#​10279 by @​jdx)

• (config) New minimum_release_age_excludes setting to skip the global (and built-in) release-age policy for selected tools or whole backends. Entries may be tool shorthands, full backend IDs, or backend wildcards:

  [settings]
  minimum_release_age = "24h"
  minimum_release_age_excludes = ["jq", "npm:prettier", "npm:*"]

  Per-tool minimum_release_age and CLI --minimum-release-age still take precedence as before. (#​10277 by @​jdx)

• (registry) cargo-msrv is now available in the registry, installed via aqua (foresterre/cargo-msrv) with a cargo:cargo-msrv fallback (#​10276 by @​jdx).

Fixed

• (github) GitHub artifact attestation detection and verification now respect the existing registry/default-backend gate, so custom github: repos and non-registry aqua packages talk to GitHub directly instead of routing through the mise-versions host. Python precompiled builds still use the versions host; Ruby precompiled attestations use it only for the default jdx/ruby source (#​10260 by @​jdx).
• (npm) After global npm installs, mise warns when the package declares lifecycle scripts (preinstall / install / postinstall) that were skipped because mise still passes --ignore-scripts=true. Setting npm_args = "--ignore-scripts=false" (or --no-ignore-scripts) correctly suppresses the warning, with later flags winning (#​10280 by @​jdx).

Changed

• (registry) aube and pitchfork now resolve to jdx/aube and jdx/pitchfork in both the mise registry and the vendored aqua registry, with endevco/* aliases retained for compatibility. Aube <= 1.18.1 skips GitHub artifact attestations to match the upstream aqua registry change (#​10285 by @​jdx).

Documentation

• (security) A new Security page consolidates software verification and supply-chain guidance, documents the 24h minimum_release_age default and 0s opt-out, and clarifies that only npm: and pipx: currently forward the cutoff to transitive dependency resolution (#​10278 by @​jdx).
• (settings) Examples and CLI hints prefer the shorter mise settings set key=value form (#​10271 by @​jdx).
• Debian/Ubuntu install instructions now recommend extrepo, since mise's deb repository was added to Debian extrepo (#​10262 by @​okulev).
• Sponsor logos on the docs site now have better contrast (#​10270 by @​jdx).

New Contributors

• @​okulev made their first contribution in #​10262

Full Changelog: jdx/mise@v2026.6.1...v2026.6.2

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.6.1: : aqua multi-registry, SOPS TOML, and a GitHub backend tune-up

Compare Source

Added

• (aqua) Support multiple custom registries via aqua.registries; deprecates single-string aqua.registry_url (#​10179 by @​risu729).
• (env) Decrypt SOPS-encrypted TOML env files (.env.toml) through rops (#​10201 by @​risu729).
• (hooks) Add run_windows for Windows-specific inline hook commands (#​10202 by @​risu729).
• (task) Render task_config.includes with the Tera config context and expand ~/ for local includes (#​10225 by @​risu729).
• (task) Support standalone .toml task files via git:: directory includes (#​10219 by @​davidolrik).
• (aqua) Extract 7z archives, including auto-detection of .7z assets (#​10224 by @​risu729).

Fixed

• (env) Include the uv venv (uv.lock + .venv) in the env_cache key so VIRTUAL_ENV no longer leaks across sibling directories when env_cache=true and python.uv_venv_auto is set (#​10217 by @​Nagato-Yuzuru).
• (task) Resolve dependency sources relative to each task's directory and pass per-dependency --watch paths to watchexec (#​10054 by @​43081j).
• (ruby) Include resolved Ruby install options (compile mode, installer, build repo, precompiled URL, patch inputs) in lock identity (#​9992 by @​risu729).
• (elixir) Resolve lockfile URL and SHA-256 from builds.hex.pm metadata; locked installs reuse the lockfile URL (#​10226 by @​risu729).
• (github) Accept GitHub-canonicalized owner/repo casing when validating mise-versions release asset URLs (#​10240 by @​risu729).
• (github) Detect 401 responses on cached native OAuth tokens, refresh once, and retry transparently (#​10246 by @​jdx).
• (github) Warn when mise-versions GitHub metadata lookups hit rate limits or non-404 errors (#​10254 by @​jdx).
• (github) Skip the versions host for non-registry github: tools (#​10255 by @​jdx).
• (github) Emit logfmt-style structured fields for versions-host calls, with credentials and query stripped from URLs (#​10256 by @​jdx).
• Nix flake build test failure by adding git to nativeCheckInputs (#​10243 by @​okuuva).

Security

• (http) Sanitize HTTP backend version names in install symlink paths to prevent repository-controlled versions from escaping the installs directory (GHSA-f94h-j2qg-fxw3) (#​10245 by @​jdx).

Documentation

• Recommend the stable Snap channel for Linux installation (#​10250 by @​salim-b).

Registry

• Prefer aqua:endevco/aube for aube so glibc/musl libc variant

✂ Note

PR body was truncated to here.