deps: update dependency jdx/mise to v2026.4.18

[renovate]

This PR contains the following updates:

Package	Update	Change
jdx/mise	patch	2026.4.7 → 2026.4.18

---

Release Notes

jdx/mise (jdx/mise)

v2026.4.18: : Deps management, aube support, and vfox plugin dependencies

Compare Source

A feature-packed release that renames mise prepare to mise deps with new package management subcommands, adds aube as an npm backend package manager, enables vfox plugins to declare their own dependencies, and ships several important fixes for version resolution, lockfile concurrency, and GitHub Enterprise attestation verification.

Highlights

• mise prepare renamed to mise deps with add/remove subcommands -- The experimental dependency management command is now mise deps, with new mise deps add npm:react and mise deps remove npm:lodash subcommands for managing individual packages. All config keys, settings, state files, and CLI flags have been updated accordingly ([prepare] to [deps], --no-prepare to --no-deps).
• Aube package manager support for npm backend -- npm.package_manager now defaults to "auto", which prefers the aube package manager when available and falls back to npm. Explicit npm.package_manager = "aube" is also supported.
• vfox plugins can declare dependencies -- Plugin authors can now specify PLUGIN.depends = {"node", "python"} in metadata.lua, so mise resolves installation order automatically without users needing depends = [...] in their config.
• Stale versions host cache bypassed for package-registry backends -- npm, pipx, cargo, gem, go, and http/s3 backends with version_list_url now query their upstream sources directly, fixing the issue where tools like Flutter showed outdated versions.

Added

• mise deps command with add/remove subcommands -- The experimental mise prepare command has been renamed to mise deps. New mise deps add and mise deps remove subcommands let you manage individual packages using ecosystem:package syntax. Currently supports npm, yarn, pnpm, and bun ecosystems. Bare mise deps defaults to mise deps install (the previous mise prepare behavior). #​9056 by @​jdx

  mise deps add npm:react           # add a dependency
  mise deps add -D npm:vitest       # add as dev dependency
  mise deps remove npm:lodash       # remove a dependency
  mise deps                         # install all project dependencies

  # Configuration uses [deps] instead of [prepare]
  [deps.npm]
  auto = true

• --before flag for mise latest -- One-off latest-version lookups can now be constrained by release date. Supports absolute dates (2024-06-01) and relative durations (90d, 1y). Overrides per-tool install_before options and the global install_before setting. #​9168 by @​risu729

  mise latest node --before 2024-01-01
  mise latest node --before 90d

• Aube package manager support for npm backend -- The npm backend now supports aube as an alternative package manager. The new default npm.package_manager = "auto" prefers aube when it is available in the active toolset and falls back to npm otherwise. #​9256 by @​jdx

• filter_bins option for SPM backend -- Restrict which executable products are built and linked from a Swift package. Filtering happens before swift build, so unwanted products are never compiled. #​9253 by @​jdx

  [tools]
  "spm:swiftlang/swiftly" = { version = "latest", filter_bins = ["swiftly"] }

• vfox plugin-declared dependencies via metadata.lua -- Plugin authors can now declare tool dependencies directly in their plugin's metadata.lua. User-specified depends in mise.toml remains additive. #​9051 by @​ahemon

  -- metadata.lua
  PLUGIN = {}
  PLUGIN.name = "my-tool"
  PLUGIN.version = "1.0.0"
  PLUGIN.depends = {"node", "python"}

• Registry: bitwarden-secrets-manager -- Now available via the aqua backend (aqua:bitwarden/sdk-sm), replacing the legacy asdf plugin for better checksum/SLSA verification. #​9255 by @​msuzoagu

Fixed

• Stale version listings for package-registry backends -- Backends with canonical upstream sources (npm, pipx, cargo, gem, go, and http/s3 with version_list_url) now skip the mise-versions.jdx.dev cache and query upstream directly. This fixes the issue where tools like Flutter showed outdated versions until users set MISE_USE_VERSIONS_HOST=0. #​9245 by @​jdx

• Concurrent lockfile save race condition -- Fixed ENOENT errors when multiple mise processes updated the same lockfile simultaneously (commonly seen with parallel tool installs in CI via hk). Each save now uses a uniquely named temp file instead of a fixed mise.lock.tmp path. #​9250 by @​jdx

• GitHub Enterprise attestation verification -- Artifact attestation verification now routes to the configured api_url instead of always hitting api.github.com, fixing 401 Unauthorized errors for GHES users. #​9254 by @​jdx

• Noisy third-party debug/trace logs suppressed -- Debug and trace logs from dependency crates (h2, hyper, reqwest, rustls, etc.) are now filtered out of -v/-vv output. Set MISE_LOG_VERBOSE_DEPS=1 to restore them. #​9248 by @​jdx

• Animated progress UI disabled in CI -- CI environments no longer show animated progress frames even when stderr is allocated as a TTY, preventing thousands of duplicate log lines. #​9249 by @​jdx

• mise use respects --quiet and --silent -- The "tools:", "removed:", and "would update" messages are now suppressed when --quiet or --silent is passed. #​9251 by @​jdx

• --locked works for vfox backend plugins -- Custom Lua backend plugins that cannot provide download URLs no longer fail with "No lockfile URL found" when using mise install --locked. #​9252 by @​jdx

New Contributors

• @​ahemon made their first contribution in #​9051
• @​msuzoagu made their first contribution in #​9255

Full Changelog: jdx/mise@v2026.4.17...v2026.4.18

v2026.4.17: : install_before fixes, lockfile repair, and new registry tools

Compare Source

A fix-heavy release that addresses several install_before edge cases across npm, pipx, and backend latest lookups, repairs lockfile generation for aqua tools with custom version prefixes, and adds six new tools to the registry.

Highlights

• install_before now works consistently across backends -- The date-based version cutoff is now respected in direct latest lookups, npm no longer drifts by a day due to double timestamp sampling, and pipx/uv installs forward the cutoff via --exclude-newer / --uploaded-prior-to.
• Lockfile fix for aqua tools with version prefixes -- mise lock now correctly propagates version_prefix (e.g. jq-) to GitHub release lookups, fixing empty platform URLs that broke --locked mode.
• Deprecation warnings for legacy config keys and mise b -- env_file, dotenv, env_path, and the mise b shorthand now emit deprecation warnings with removal scheduled for 2027.4.0.

Fixed

• install_before respected in backend latest lookups -- Direct calls like mise latest npm:prettier now apply the effective install_before cutoff, not just install/upgrade flows. #​9193 by @​risu729

• tool@latest routes through stable lookup -- An explicit @latest suffix now follows the same backend-specific fast path as an unqualified tool name, so both forms return the same version. #​9228 by @​risu729

• npm install_before day drift -- Fixed an off-by-one where install_before = "3d" could compute --min-release-age=4 due to a second Timestamp::now() call drifting past the day boundary. A stable per-process timestamp and a 60-second tolerance window eliminate the issue. #​9157 by @​risu729

• install_before forwarded to pipx and uv installs -- pipx: tools now pass --exclude-newer to uv and --uploaded-prior-to (via --pip-args) to pipx, so Python package installs respect the date cutoff. #​9190 by @​risu729

• Warning for old bun/pnpm with install_before -- When install_before is active and the detected bun or pnpm version is below the minimum that supports release-age flags, mise now warns instead of silently ignoring the cutoff. #​9232 by @​risu729

• Lockfile version prefix propagation -- mise lock now uses version_prefix when looking up GitHub releases for aqua tools, fixing empty platform URLs that caused --locked installs to fail. #​9242 by @​effati

• shfmt available on Windows -- The shfmt registry entry no longer restricts to Linux/macOS, so mise use shfmt works on Windows via the aqua backend. #​9191 by @​zeitlinger

• GitLab expired OAuth2 token warning -- When mise reads a GitLab token from glab's config and the OAuth2 expiry has passed, it now warns the user to refresh (e.g. glab api user) instead of failing silently. #​9195 by @​stanhu

• GitHub auth skipped on release asset downloads -- Token lookup is now skipped for GitHub release asset CDN hosts (objects.githubusercontent.com, etc.), avoiding unnecessary authentication failures on public downloads. #​9060 by @​risu729

• Empty enable_tools disables all tools -- An explicitly empty enable_tools list now means "disable all tools" rather than "no filter", matching user expectations as an allowlist. #​9108 by @​risu729

• Deprecation warnings for legacy env keys -- env_file, dotenv, and env_path now warn when used, directing users to env._.file and env._.path. Removal is scheduled for 2027.4.0. #​9205 by @​risu729

• mise b shorthand deprecated -- The mise b alias for mise backends now emits a deprecation warning with removal scheduled for 2027.4.0. #​9234 by @​risu729

Added

• Registry: sheldon -- sheldon is a fast, configurable shell plugin manager. #​9104 by @​3w36zj6
• Registry: pocketbase -- pocketbase is an open-source backend in a single file. #​9123 by @​ranfdev
• Registry: worktrunk -- worktrunk provides a CLI for git worktree management, designed for running AI agents in parallel. #​8796 by @​edouardr
• Registry: dependency-check -- dependency-check detects publicly disclosed vulnerabilities in application dependencies. #​9204 by @​kapitoshka438
• Registry: janet -- janet is a lightweight, expressive programming language. #​9241 by @​ranfdev
• Registry: aube -- #​9244 by @​jdx

New Contributors

• @​ranfdev made their first contribution in #​9123
• @​stanhu made their first contribution in #​9195
• @​effati made their first contribution in #​9242
• @​jjt made their first contribution in #​9233
• @​marianwolf made their first contribution in #​9208
• @​edouardr made their first contribution in #​8796

Full Changelog: jdx/mise@v2026.4.16...v2026.4.17

v2026.4.16: : Tera templates in inline tasks, raw_args passthrough, and runtime symlink paths

Compare Source

A feature-rich release with two new task runner capabilities, an important fix for how mise exposes tool paths in the environment, and a batch of task system improvements.

Inline table run tasks (run = [{ task = "...", args = [...] }]) now support Tera templates, so you can pass parsed usage arguments into sub-task calls. A new raw_args option lets proxy tasks forward all flags -- including --help -- directly to the underlying command without mise intercepting them. On the tooling side, fuzzy version requests like python = "3.14" now put the stable runtime symlink on PATH instead of the resolved patch directory, so virtualenvs and other tools that cache interpreter paths survive patch upgrades.

Highlights

• Tera templates in inline run tasks -- args and env in table-style run entries can now use {{usage.*}} variables, connecting usage-parsed arguments to sub-task invocations.
• raw_args for proxy tasks -- Tasks that wrap tools with their own CLI (Django manage.py, Next.js, argparse scripts) can set raw_args = true so mise never intercepts --help or rewrites flags.
• Runtime symlink paths for fuzzy versions -- PATH entries now use the requested-version symlink (e.g. .../installs/python/3.14/bin) rather than the concrete patch directory, so downstream tools that cache paths are not broken by patch upgrades.
• TOML task metadata merges into file tasks -- A [tasks.my-script] block in mise.toml now overlays env, description, dir, and other metadata onto a same-named file task instead of being silently dropped.

Added

• Tera template support for inline table run tasks -- args and env values in run = [{ task = "greet", args = ["{{usage.name}}"] }] are now rendered through the Tera engine, allowing usage-parsed arguments and environment variables to flow into sub-task calls. #​9079 by @​iamkroot

• raw_args task option -- Set raw_args = true on a task definition (TOML or file header) to skip mise's argument parsing entirely. All arguments, including --help and -h, are forwarded verbatim to the underlying command. Additionally, mise run task -- --help now bypasses the usage parser even without raw_args, restoring the documented escape hatch. #​9118 by @​jdx

  [tasks.manage]
  raw_args = true
  run = 'python manage.py'

  mise run manage --help            # forwarded to manage.py
  mise run manage migrate --fake    # all flags reach manage.py unchanged

• .perl-version support for perl -- The perl registry entry now recognizes .perl-version files for both auto-detection and idiomatic version file reading (when idiomatic_version_file_enable_tools includes "perl"), matching the pattern used by plenv. #​9102 by @​ergofriend

• Registry: ibmcloud -- IBM Cloud CLI is now available via mise use ibmcloud. #​9139 by @​dnwe

• Registry: rush -- rush, a cross-platform tool for executing jobs in parallel (similar to GNU parallel), is now available via mise use rush. #​9146 by @​jdx

Fixed

• Runtime symlink paths for fuzzy versions -- When a fuzzy version like python = "3.14" resolved to 3.14.4, PATH used the concrete install directory (.../installs/python/3.14.4/bin). Now mise uses the stable requested-version symlink (.../installs/python/3.14/bin), so tools that cache interpreter paths (e.g. virtualenvs) survive patch upgrades without breaking. #​9143 by @​jdx

• Go subpath packages reinstalling on every upgrade -- A stale workaround in the Go backend overrode the version to "latest" for subpath packages, causing mise up to reinstall them every time because the resolved version directory didn't match. This workaround has been removed now that proxy-based resolution handles subpath packages correctly. #​9135 by @​c22

• Missing task suggestions -- mise run <missing-task> now suggests similar task names and shows a compact table of available tasks (up to 20), making it easier to find the right name. #​9141 by @​jdx

• Task prefix colors no longer use red/yellow -- Red and yellow were removed from the task prefix color palette because they could be confused with errors and warnings. The palette now uses 16 styles: 4 base colors (blue, magenta, cyan, green) combined with 4 modifiers (regular, bold, dim, bright). #​8782 by @​lechuckcaptain

• TOML task block merged into same-named file task -- A [tasks.my-script] block in mise.toml was silently discarded when a file task with the same name existed. Now the TOML block overlays env, description, dir, aliases, depends, and other metadata onto the file task. Additionally, mise tasks ls --json now reports the resolved task directory instead of null. #​9147 by @​jdx

• npm install_before respected for dist-tag resolution -- mise latest and similar commands that resolve npm dist-tags now honor the install_before date filter instead of always returning the absolute latest version. #​9145 by @​webkaz

• GitHub attestation verification uses full token chain -- Attestation verification was only using the GITHUB_TOKEN environment variable, ignoring tokens configured via credential_command, github_tokens.toml, the gh CLI, or git credential fill. This caused unauthenticated rate-limit hits even when a valid token was configured. #​9154 by @​jdx

• Tool option serialization round-trips correctly -- Comma-containing string values in tool options (e.g. [tool_options]) no longer get split into fake extra keys during re-serialization, and empty brackets are no longer emitted when all remaining options are filtered out. #​9124 by @​atharvasingh7007

• vfox backend falls back to absolute bin path -- When a vfox plugin does not set env_keys, mise now falls back to the absolute bin path instead of failing. #​9151 by @​80avin

• mise self-update available in stub builds -- When compiled without the self_update Cargo feature, the subcommand was completely missing from the CLI. It now shows a stub message explaining the feature is unavailable. #​9144 by @​salim-b

New Contributors

• @​80avin made their first contribution in #​9151
• @​atharvasingh7007 made their first contribution in #​9124
• @​lechuckcaptain made their first contribution in #​8782
• @​ergofriend made their first contribution in #​9102
• @​dnwe made their first contribution in #​9139

Full Changelog: jdx/mise@v2026.4.15...v2026.4.16

v2026.4.15: : Windows path separator fix and improved GitHub token detection

Compare Source

A small release with an important Windows fix and an improved GitHub rate-limit warning. Path-list environment variables now use the correct OS-native separator on Windows, and the 403 rate-limit warning now checks all configured GitHub token sources instead of only the GITHUB_TOKEN environment variable.

Fixed

• Path-list environment variables broken on Windows -- Settings that accept colon-separated path lists (MISE_TRUSTED_CONFIG_PATHS, MISE_IGNORED_CONFIG_PATHS, MISE_CEILING_PATHS, MISE_SHARED_INSTALL_DIRS, MISE_TASK_DISABLE_PATHS) always split on :, which conflicts with Windows drive letters (e.g. C:\foo). These settings now use the OS-native path separator (: on Unix, ; on Windows) via std::env::split_paths, matching how PATH itself is handled. #​9058 by @​richardthe3rd

• GitHub 403 warning shown even when a token is configured -- The rate-limit warning that appears on GitHub API 403 errors previously only checked the GITHUB_TOKEN environment variable. Users who configured a token via gh CLI, github_tokens.toml, credential_command, or git credential would still see the misleading "GITHUB_TOKEN is not set" hint. The warning now checks all supported token sources and links to the GitHub tokens documentation. #​9121 by @​jdx

Added

• Registry: podlet -- podlet generates Podman Quadlet files from a Podman command, compose file, or existing object. #​9134 by @​tony-sol
• Registry: maturin -- maturin builds and publishes Rust crates as Python packages with pyo3, cffi, and uniffi bindings. #​9113 by @​Bing-su

New Contributors

• @​Bing-su made their first contribution in #​9113

Full Changelog: jdx/mise@v2026.4.14...v2026.4.15

v2026.4.14: : Fix GitHub attestation verification for some tools

Compare Source

A small patch release that fixes GitHub artifact attestation verification failures affecting some tools installed via the github: backend.

Fixed

• GitHub artifact attestation verification failing for some tools -- Tools installed via the github: backend that use GitHub release attestations (e.g. github:jdx/communique@0.1.9, github:jdx/fnox@1.20.0) could fail verification because the upstream sigstore-verification library did not handle GitHub release attestation certificates whose Subject Alternative Name (SAN) URL lacked a trailing slash. The dependency has been bumped from 0.2.3 to 0.2.5, which includes the upstream fix. #​9128 by @​jdx

Full Changelog: jdx/mise@v2026.4.13...v2026.4.14

v2026.4.13: : Remote version cache, Go install_before, and task tool objects

Compare Source

This release fixes several backend and schema edge cases, including stale GitHub/GitLab/Forgejo version caches, go: module install_before filtering, vfox plugins pinned to Git commit hashes, and task-local tool options.

Highlights

• Remote version cache settings now apply consistently to GitHub, GitLab, and Forgejo backends, so users can bypass stale release data when needed.
• go: module versions now carry release timestamps, allowing install_before to filter them correctly.
• Task-level tools now accepts object syntax, matching top-level tool declarations for options like Rust targets.

Added

• Object syntax for task-level tools -- Task-local tools entries now support map/object values in addition to strings, matching top-level [tools] behavior. This allows task-specific tool options such as Rust cross-compilation targets without requiring those options globally. #​9087 by @​Binlogo

  [tasks.example]
  tools = { rust = { version = "nightly-2024-12-14", targets = "aarch64-linux-android" } }

Fixed

• MISE_FETCH_REMOTE_VERSIONS_CACHE ignored by GitHub, GitLab, and Forgejo backends -- These backends previously hardcoded a daily API cache duration, ignoring fetch_remote_versions_cache, MISE_FETCH_REMOTE_VERSIONS_CACHE=0, and prefer_offline. They now use the shared setting, matching other backends and allowing users to bypass stale release caches. #​9096 by @​mcncl

• go: module versions ignored install_before -- The Go backend now populates version metadata with release timestamps from the module proxy and go list -m -json, allowing install_before to filter module versions correctly instead of falling back to untimestamped candidates. #​9097 by @​mariusvniekerk

• vfox plugins pinned to Git commit hashes in mise.toml -- mise install could fail for vfox plugins declared with Git URLs and commit hashes because ensure_installed did not share the same install path as mise plugin install. vfox plugin installation now reuses the plugin install logic so both flows behave consistently. #​9099 by @​Oyami-Srk

• Schema support for OS/architecture filters -- The JSON schemas now share reusable tool os filter definitions, including compound os/arch entries such as macos/arm64 and linux/x64, across top-level tools and task-local tools. #​9095 by @​risu729

Changed

• cargo-deny advisory checks unblocked -- Removed a stale RustSec ignore, updated rustls-webpki on the modern rustls stack, and adjusted advisory ignores for the older transitive AWS rustls dependency chain so advisory checks can pass again. #​9112 by @​jdx

New Contributors

• @​Binlogo made their first contribution in #​9087
• @​mariusvniekerk made their first contribution in #​9097
• @​mcncl made their first contribution in #​9096
• @​Oyami-Srk made their first contribution in #​9099

Full Changelog: jdx/mise@v2026.4.12...v2026.4.13

v2026.4.12: : OS/arch filtering, task confirmation defaults, and npm supply chain improvements

Compare Source

This release adds OS/architecture compound filtering for tool configuration, lets task confirmation prompts default to "no" for destructive actions, and upgrades npm supply chain protection to use the recommended --min-release-age flag. It also fixes several bugs including a panic on empty config filename overrides and circular shim symlinks.

Highlights

• Tool os field now supports os/arch compound entries like "macos/arm64" or "linux/x64", letting you restrict tools to specific platform and architecture combinations.
• Task confirm can now default to "no", so destructive tasks require the user to explicitly opt in rather than just pressing Enter.
• npm supply chain protection now uses the purpose-built --min-release-age flag on npm 11.10.0+, aligning with npm's recommended approach.

Added

• OS/architecture compound syntax in tool filtering -- The os field on tool entries now accepts os/arch entries (e.g. os = ["linux", "macos/arm64"]). When an entry contains /, both the OS and architecture must match. Plain OS entries continue to match any architecture. OS aliases (darwin to macos) and arch aliases (aarch64 to arm64, x86_64/amd64 to x64) are normalized automatically. #​9088 by @​RobertDeRose

  [tools]
  # Install on all Linux machines and Apple Silicon Macs, but skip Intel Macs
  hk = { version = "latest", os = ["linux", "macos/arm64"] }

• Task confirmation default -- The confirm field on tasks now accepts a map with message and default keys, allowing you to set whether the prompt defaults to "yes" or "no". This is useful for destructive tasks where you want the user to explicitly confirm. The existing string syntax continues to work and defaults to "yes" for backwards compatibility. #​9089 by @​roele

  [tasks.release]
  confirm = { message = "Are you sure you want to cut a release?", default = "no" }
  run = "scripts/release.sh"

• npm --min-release-age for supply chain protection -- When install_before is configured, mise now uses npm's --min-release-age=<days> flag for npm 11.10.0+, which is the flag npm recommends for supply chain protection. Older npm versions continue to use --before. Sub-day windows also fall back to --before since --min-release-age is day-granular. #​9072 by @​webkaz

• New registry entries -- Added openfga (#​9084 by @​mnm364), copilot (#​9082 by @​risu729), and trzsz-go (#​9083 by @​ZeroAurora).

Fixed

• Panic on empty MISE_OVERRIDE_CONFIG_FILENAMES -- Setting MISE_OVERRIDE_CONFIG_FILENAMES="" (e.g. to clear it for a child process) caused a panic because the empty string was injected as a config path, which resolved to the filesystem root and had no parent directory. Empty segments from empty strings, leading/trailing colons, and consecutive colons are now filtered out. #​9076 by @​baby-joel

• Circular shim symlinks when shims are on PATH -- When mise activate --shims put the shims directory on PATH and a mise shim existed (e.g. from having core:rust in the toolset after a cargo install), reshim would create shims pointing to the mise shim instead of the real binary, including a circular mise to mise symlink that broke all shims. doctor would also falsely report all shims as "missing". Both now use which_no_shims to resolve the real mise binary. #​9071 by @​kevinswiber

• __MISE_EXE not exported in bash activate -- The __MISE_EXE variable was not exported in the bash activation script, so child shells couldn't access it and the mise function failed. Additionally, when ARGV0 was a bare name (e.g. mise) instead of an absolute path, PATH changes could break execution. The variable is now properly exported and bare names are resolved via which. #​9081 by @​fru1tworld

• Aliased installs sharing a backend were deduplicated -- When multiple tool aliases (e.g. iii and iii-console) resolved to the same backend and version (e.g. github:iii-hq/iii@latest), the install scheduler collapsed them into a single job and skipped the second install. The dependency graph now keys on the configured tool name plus version, so alias-specific options like asset_pattern and bin_path are preserved. #​9093 by @​jdx

New Contributors

• @​kevinswiber made their first contribution in #​9071
• @​webkaz made their first contribution in #​9072
• @​RobertDeRose made their first contribution in #​9088

Full Changelog: jdx/mise@v2026.4.11...v2026.4.12

v2026.4.11: : Task dependency templates and npm semver range support

Compare Source

A small release with two meaningful bug fixes: task dependency templates with {{usage.*}} references now resolve correctly even when the task is called without arguments, and package.json devEngines version fields are now parsed as full npm semver ranges instead of being simplified into prefix matches.

Fixed

• Task dependency templates now render without arguments -- When a task declared dependencies using {{usage.*}} templates (e.g. depends = ["child {{usage.app}}"]), those templates were only rendered if the task received explicit CLI arguments. If the usage spec defined defaults but no args were passed, the templates were left unresolved and the dependencies were silently dropped, causing the task to run with no dependencies at all. The guard now checks whether dependencies contain usage references rather than whether args are non-empty. #​9062 by @​MatthiasGrandl

• npm semver ranges in devEngines -- mise previously simplified package.json devEngines version fields by stripping range operators (>=, ^, ~) and trimming trailing .0 segments to produce a prefix for fuzzy matching. This was lossy and incorrect in many cases (e.g. ^20.0.1 was simplified to 20, matching 20.0.0). mise now preserves the original range string and resolves it against available versions using proper npm semver semantics via the nodejs-semver crate. Compound ranges (>=20 <21 || >=22), caret/tilde ranges, and wildcard segments all work correctly. #​9061 by @​risu729

• Documentation typo in Go backend -- The docs for Go build tags incorrectly showed --tags instead of the correct -tags flag. #​9065 by @​dolmen

New Contributors

• @​dolmen made their first contribution in #​9065
• @​MatthiasGrandl made their first contribution in #​9062

Full Changelog: jdx/mise@v2026.4.10...v2026.4.11

v2026.4.10: : Fix spurious warnings from postinstall hooks running tasks

Compare Source

A small patch release that fixes a single bug affecting tool postinstall hooks.

Fixed

• Spurious warnings from postinstall hooks running tasks -- When a tool-level postinstall hook ran a nested mise run, the child process inherited the MISE_TOOL_VERSION environment variable set during hooks. ToolsetBuilder was incorrectly parsing this as a request to install a tool named tool at the given version via the MISE_<TOOL>_VERSION convention, producing spurious registry warnings before the task executed. mise now ignores MISE_TOOL_VERSION in the same way it already ignored MISE_INSTALL_VERSION. #​9050 by @​risu729

Full Changelog: jdx/mise@v2026.4.9...v2026.4.10

v2026.4.9: : Cross-device installs, deterministic lockfiles, and sandbox template support

Compare Source

This release fixes cross-device tool installation failures, makes lockfile provenance resolution deterministic across platforms, and adds sandbox field support to task templates. Several smaller fixes address env precedence in multi-environment setups and spurious warnings from tools=true module hooks.

Highlights

• Cross-device tool installation -- Installing bun, deno, erlang, java, or ruby no longer fails when the downloads directory and installs directory are on different filesystems (e.g., Docker cache mounts). mise now falls back to copy+remove when rename() returns a cross-device error.
• Deterministic lockfile provenance -- mise lock now resolves SLSA provenance URLs for all target platforms, not just the current host. This eliminates non-deterministic lockfile diffs when running mise lock on different machines.
• Sandbox fields in task templates -- Task templates now support all sandbox fields (deny_all, deny_read, deny_write, deny_net, deny_env, allow_read, allow_write, allow_net, allow_env), with deny fields composing restrictively and allow lists combining template and task-local values.

Fixed

• Cross-device tool installation -- When the downloads folder is on a different mount than the installs folder (common with Docker cache mounts or devcontainers), rename() fails with EXDEV. mise now uses a move_file helper that falls back to copy+remove, fixing installation of bun, deno, erlang, java, and ruby in these setups. #​9032 by @​bgeron

• Deterministic SLSA provenance in lockfiles -- mise lock previously only resolved full SLSA provenance URLs for the current host platform, writing provenance = "slsa" (short form) for cross-platform entries. Now both the GitHub and Aqua backends resolve provenance URLs for all target platforms, producing byte-for-byte identical lockfiles regardless of which machine generates them. #​8982 by @​cameronbrill

• Sandbox fields in task templates -- Task templates now accept sandbox configuration fields. Deny fields compose restrictively (OR with task-local settings), and allow lists combine template values with task-local values. #​9046 by @​risu729

  [task_templates.restricted]
  deny_net = true
  allow_env = ["CI"]
  
  [tasks.build]
  extends = "restricted"
  allow_env = ["NODE_ENV"]  # combined: ["CI", "NODE_ENV"]

• Env precedence for task config -- With multiple MISE_ENV values (e.g., MISE_ENV=prod,ci), task_config.includes and task_config.dir now correctly respect the documented last-env-wins precedence. Previously the order was reversed, causing the wrong profile's task config to take effect. #​9039 by @​risu729

• Spurious warnings from tools=true module hooks -- When a vfox backend tool triggered dependency_env(), it previously resolved all tools=true env modules with an incomplete PATH, causing "command not found" warnings. The dependency env now skips tools=true module resolution entirely. #​9011 by @​jdx

• Implicit self_update with rustls features -- Building mise with --features rustls or --features rustls-native-roots no longer implicitly enables the self_update feature. The self_update/rustls entries in these feature lists were redundant and caused the optional self_update dependency to be silently pulled in. #​9040 by @​salim-b

• JSON schema completeness -- Added missing fields to the mise JSON schema: sandbox fields on tasks, legacy top-level env_file/dotenv/env_path shortcuts (marked deprecated), and age encryption directive options with proper nesting. #​9044 by @​risu729

• Windows .exe in release checksums -- Release builds now publish the extracted mise.exe alongside the Windows .zip archives and include it in SHASUMS256.txt, enabling SHA256 verification of the standalone binary (e.g., by mise-action). #​8997 by @​zeitlinger

• granted registry entry -- Updated the granted tool to point to the new fwdcloudsec/granted repository after the project moved from common-fate/granted. #​9033 by @​risu729

New Contributors

• @​bgeron made their first contribution in #​9032
• @​salim-b made their first contribution in #​9040

Full Changelog: jdx/mise@v2026.4.8...v2026.4.9

v2026.4.8: : Task engine stability and Go subpath version resolution

Compare Source

This release brings significant stability improvements to the task runner -- fixing hangs, deadlocks, and panics across several edge cases in task dependency graphs and parallel execution. It also overhauls Go version resolution for subpath packages by querying the module proxy directly, and adds new configuration options for sandbox environment filtering and lockfile platform targeting.

Highlights

• Go subpath version resolution fixed -- Tools like go:github.com/foo/bar/cmd/baz that live under a subpath of their Go module now resolve versions correctly, eliminating persistent "no latest version found" warnings.
• Five task runner stability fixes -- Resolved hangs with skipped dependencies, deadlocks with MISE_JOBS=1, panics in replacing output mode, stale source caching in dependency chains, and warnings with remote tasks.
• Wildcard allow_env patterns -- Sandbox env filtering now supports globs like MYAPP_* to allow entire namespaces of environment variables.
• lockfile_platforms setting -- Restrict lockfile operations to only the platforms you care about, avoiding unnecessary checksum resolution.

Added

• Wildcard patterns in sandbox allow_env -- allow_env now supports glob wildcards (e.g., MYAPP_*) to pass through namespaces of environment variables in sandboxed tasks and exec. Works in both CLI flags and task config. #​8974 by @​jdx

  [task.build]
  allow_env = ["NODE_*", "npm_*", "MYAPP_*"]

• lockfile_platforms setting -- New setting to restrict which platforms are targeted during lockfile operations. When set, mise install, mise use, and mise lock only resolve checksums/URLs for the configured platforms instead of all common platforms. Explicit mise lock --platform flags still override this setting. #​8966 by @​cameronbrill

  [settings]
  lockfile_platforms = ["macos-arm64", "linux-x64"]

• Examples rendered in task --help -- #USAGE example directives in task scripts now appear in --help output, thanks to an upgrade to usage-lib v3. #​8890 by @​baby-joel

Fixed

• Go subpath package version resolution -- The Go backend previously used go list -m -versions to resolve versions, which returns an empty version list for subpath packages (e.g., github.com/ankitpokhrel/jira-cli/cmd/jira), making it impossible to resolve "latest". mise now queries the Go module proxy ($GOPROXY) directly, generating path prefix candidates and using HTTP responses to distinguish real modules from non-module subpaths. This respects the GOPROXY environment variable and falls back to go list for GOPROXY=direct. #​8968 by @​c22

• Task hang when skipped task has dependents -- When a task with sources/outputs was skipped (up-to-date), a race condition in the dependency graph could leave downstream dependents hanging indefinitely. The failed channel send now properly resets the task's "sent" state so it can be re-emitted on a new channel. #​8937 by @​jdx

• Dependent task source invalidation -- When a dependency task runs because its own sources changed, downstream tasks that depend on it now also re-run, even if their own sources haven't changed. Sourceless dependencies (which always run) do not trigger this invalidation, preserving the usefulness of sources on dependents. #​8975 by @​jdx

• Deadlock with MISE_JOBS=1 and sub-task references -- When MISE_JOBS=1 and a task's run array contains both sub-task references ({ task = "foo" }) and scripts, the parent task now temporarily releases its semaphore permit before waiting on the sub-task, preventing a classic deadlock. #​8976 by @​jdx

• Panic with parallel sub-tasks in replacing output mode -- Running parallel sub-tasks (via tasks = [...] in run steps) with output = "replacing" no longer panics. Dynamically injected sub-tasks are now lazily initialized in the progress reporter map. #​8986 by @​jdx

• Remote task warning with arguments -- Remote git task files are now fetched before parsing usage specs, fixing spurious "failed to parse task file" warnings when running remote tasks with arguments. #​8979 by @​jdx

• Tera templates in tool postinstall hooks -- Tool-level postinstall scripts (e.g., [tools.ripgrep] postinstall) now render Tera templates before execution, so variables like {{tools.ripgrep.path}} work correctly. #​8978 by @​jdx

• Missing env vars in tool postinstall hooks -- MISE_CONFIG_ROOT and MISE_PROJECT_ROOT are now set in tool-level postinstall hooks, matching the behavior of project-level hooks. #​8977 by @​jdx

• mise upgrade tool@version not updating lockfile -- mise upgrade tool@version and mise lock tool@version now properly update the lockfile with the specified version. When the version doesn't match the current config prefix (e.g., upgrading from "2" to 3.0.1), the config is auto-bumped to match while preserving the original version precision. #​8983 by @​jdx

• Bash 3.2 activation with set -u -- The bash activation script no longer fails with __MISE_FLAGS[@​]: unbound variable on macOS's default bash 3.2 when set -u (nounset) is enabled and no flags are set. #​8988 by @​jdx

New Contributors

• @​baby-joel made their first contribution in #​8890
• @​cameronbrill made their first contribution in #​8966
• @​c22 made their first contribution in #​8968

Full Changelog: jdx/mise@v2026.4.7...v2026.4.8

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.