fix(github-release): update release jdx/mise ( v2026.4.5 ➔ v2026.4.9 )

[renovate]

This PR contains the following updates:

Package	Update	Change	Pending
jdx/mise	patch	2026.4.5 → 2026.4.9	v2026.4.22 (+12)

---

Release Notes

jdx/mise (jdx/mise)

v2026.4.9: : Cross-device installs, deterministic lockfiles, and sandbox template support

Compare Source

This release fixes cross-device tool installation failures, makes lockfile provenance resolution deterministic across platforms, and adds sandbox field support to task templates. Several smaller fixes address env precedence in multi-environment setups and spurious warnings from tools=true module hooks.

Highlights

• Cross-device tool installation -- Installing bun, deno, erlang, java, or ruby no longer fails when the downloads directory and installs directory are on different filesystems (e.g., Docker cache mounts). mise now falls back to copy+remove when rename() returns a cross-device error.
• Deterministic lockfile provenance -- mise lock now resolves SLSA provenance URLs for all target platforms, not just the current host. This eliminates non-deterministic lockfile diffs when running mise lock on different machines.
• Sandbox fields in task templates -- Task templates now support all sandbox fields (deny_all, deny_read, deny_write, deny_net, deny_env, allow_read, allow_write, allow_net, allow_env), with deny fields composing restrictively and allow lists combining template and task-local values.

Fixed

• Cross-device tool installation -- When the downloads folder is on a different mount than the installs folder (common with Docker cache mounts or devcontainers), rename() fails with EXDEV. mise now uses a move_file helper that falls back to copy+remove, fixing installation of bun, deno, erlang, java, and ruby in these setups. #​9032 by @​bgeron

• Deterministic SLSA provenance in lockfiles -- mise lock previously only resolved full SLSA provenance URLs for the current host platform, writing provenance = "slsa" (short form) for cross-platform entries. Now both the GitHub and Aqua backends resolve provenance URLs for all target platforms, producing byte-for-byte identical lockfiles regardless of which machine generates them. #​8982 by @​cameronbrill

• Sandbox fields in task templates -- Task templates now accept sandbox configuration fields. Deny fields compose restrictively (OR with task-local settings), and allow lists combine template values with task-local values. #​9046 by @​risu729

  [task_templates.restricted]
  deny_net = true
  allow_env = ["CI"]
  
  [tasks.build]
  extends = "restricted"
  allow_env = ["NODE_ENV"]  # combined: ["CI", "NODE_ENV"]

• Env precedence for task config -- With multiple MISE_ENV values (e.g., MISE_ENV=prod,ci), task_config.includes and task_config.dir now correctly respect the documented last-env-wins precedence. Previously the order was reversed, causing the wrong profile's task config to take effect. #​9039 by @​risu729

• Spurious warnings from tools=true module hooks -- When a vfox backend tool triggered dependency_env(), it previously resolved all tools=true env modules with an incomplete PATH, causing "command not found" warnings. The dependency env now skips tools=true module resolution entirely. #​9011 by @​jdx

• Implicit self_update with rustls features -- Building mise with --features rustls or --features rustls-native-roots no longer implicitly enables the self_update feature. The self_update/rustls entries in these feature lists were redundant and caused the optional self_update dependency to be silently pulled in. #​9040 by @​salim-b

• JSON schema completeness -- Added missing fields to the mise JSON schema: sandbox fields on tasks, legacy top-level env_file/dotenv/env_path shortcuts (marked deprecated), and age encryption directive options with proper nesting. #​9044 by @​risu729

• Windows .exe in release checksums -- Release builds now publish the extracted mise.exe alongside the Windows .zip archives and include it in SHASUMS256.txt, enabling SHA256 verification of the standalone binary (e.g., by mise-action). #​8997 by @​zeitlinger

• granted registry entry -- Updated the granted tool to point to the new fwdcloudsec/granted repository after the project moved from common-fate/granted. #​9033 by @​risu729

New Contributors

• @​bgeron made their first contribution in #​9032
• @​salim-b made their first contribution in #​9040

Full Changelog: jdx/mise@v2026.4.8...v2026.4.9

v2026.4.8: : Task engine stability and Go subpath version resolution

Compare Source

This release brings significant stability improvements to the task runner -- fixing hangs, deadlocks, and panics across several edge cases in task dependency graphs and parallel execution. It also overhauls Go version resolution for subpath packages by querying the module proxy directly, and adds new configuration options for sandbox environment filtering and lockfile platform targeting.

Highlights

• Go subpath version resolution fixed -- Tools like go:github.com/foo/bar/cmd/baz that live under a subpath of their Go module now resolve versions correctly, eliminating persistent "no latest version found" warnings.
• Five task runner stability fixes -- Resolved hangs with skipped dependencies, deadlocks with MISE_JOBS=1, panics in replacing output mode, stale source caching in dependency chains, and warnings with remote tasks.
• Wildcard allow_env patterns -- Sandbox env filtering now supports globs like MYAPP_* to allow entire namespaces of environment variables.
• lockfile_platforms setting -- Restrict lockfile operations to only the platforms you care about, avoiding unnecessary checksum resolution.

Added

• Wildcard patterns in sandbox allow_env -- allow_env now supports glob wildcards (e.g., MYAPP_*) to pass through namespaces of environment variables in sandboxed tasks and exec. Works in both CLI flags and task config. #​8974 by @​jdx

  [task.build]
  allow_env = ["NODE_*", "npm_*", "MYAPP_*"]

• lockfile_platforms setting -- New setting to restrict which platforms are targeted during lockfile operations. When set, mise install, mise use, and mise lock only resolve checksums/URLs for the configured platforms instead of all common platforms. Explicit mise lock --platform flags still override this setting. #​8966 by @​cameronbrill

  [settings]
  lockfile_platforms = ["macos-arm64", "linux-x64"]

• Examples rendered in task --help -- #USAGE example directives in task scripts now appear in --help output, thanks to an upgrade to usage-lib v3. #​8890 by @​baby-joel

Fixed

• Go subpath package version resolution -- The Go backend previously used go list -m -versions to resolve versions, which returns an empty version list for subpath packages (e.g., github.com/ankitpokhrel/jira-cli/cmd/jira), making it impossible to resolve "latest". mise now queries the Go module proxy ($GOPROXY) directly, generating path prefix candidates and using HTTP responses to distinguish real modules from non-module subpaths. This respects the GOPROXY environment variable and falls back to go list for GOPROXY=direct. #​8968 by @​c22

• Task hang when skipped task has dependents -- When a task with sources/outputs was skipped (up-to-date), a race condition in the dependency graph could leave downstream dependents hanging indefinitely. The failed channel send now properly resets the task's "sent" state so it can be re-emitted on a new channel. #​8937 by @​jdx

• Dependent task source invalidation -- When a dependency task runs because its own sources changed, downstream tasks that depend on it now also re-run, even if their own sources haven't changed. Sourceless dependencies (which always run) do not trigger this invalidation, preserving the usefulness of sources on dependents. #​8975 by @​jdx

• Deadlock with MISE_JOBS=1 and sub-task references -- When MISE_JOBS=1 and a task's run array contains both sub-task references ({ task = "foo" }) and scripts, the parent task now temporarily releases its semaphore permit before waiting on the sub-task, preventing a classic deadlock. #​8976 by @​jdx

• Panic with parallel sub-tasks in replacing output mode -- Running parallel sub-tasks (via tasks = [...] in run steps) with output = "replacing" no longer panics. Dynamically injected sub-tasks are now lazily initialized in the progress reporter map. #​8986 by @​jdx

• Remote task warning with arguments -- Remote git task files are now fetched before parsing usage specs, fixing spurious "failed to parse task file" warnings when running remote tasks with arguments. #​8979 by @​jdx

• Tera templates in tool postinstall hooks -- Tool-level postinstall scripts (e.g., [tools.ripgrep] postinstall) now render Tera templates before execution, so variables like {{tools.ripgrep.path}} work correctly. #​8978 by @​jdx

• Missing env vars in tool postinstall hooks -- MISE_CONFIG_ROOT and MISE_PROJECT_ROOT are now set in tool-level postinstall hooks, matching the behavior of project-level hooks. #​8977 by @​jdx

• mise upgrade tool@version not updating lockfile -- mise upgrade tool@version and mise lock tool@version now properly update the lockfile with the specified version. When the version doesn't match the current config prefix (e.g., upgrading from "2" to 3.0.1), the config is auto-bumped to match while preserving the original version precision. #​8983 by @​jdx

• Bash 3.2 activation with set -u -- The bash activation script no longer fails with __MISE_FLAGS[@​]: unbound variable on macOS's default bash 3.2 when set -u (nounset) is enabled and no flags are set. #​8988 by @​jdx

New Contributors

• @​baby-joel made their first contribution in #​8890
• @​cameronbrill made their first contribution in #​8966
• @​c22 made their first contribution in #​8968

Full Changelog: jdx/mise@v2026.4.7...v2026.4.8

v2026.4.7: : Native ARM64 Python on Windows

Compare Source

This patch release fixes precompiled Python installation on Windows ARM64 machines. Previously, mise always downloaded the x86_64 Python build on Windows regardless of architecture, which caused failures when loading native ARM64 libraries. mise now correctly downloads the aarch64 build on Windows ARM64 systems.

Fixed

• Precompiled Python on Windows ARM64 -- On Windows ARM64, mise unconditionally selected the x86_64 precompiled Python build, ignoring the host architecture. This caused runtime errors such as [WinError 193] %1 is not a valid Win32 application when loading native ARM64 DLLs. mise now downloads the native aarch64-pc-windows-msvc build on ARM64 Windows while continuing to use x86_64 on x64 Windows. #​8961 by @​JohanLorenzo

New Contributors

• @​JohanLorenzo made their first contribution in #​8961

Full Changelog: jdx/mise@v2026.4.6...v2026.4.7

v2026.4.6: : Tera templates in miserc.toml, shim race condition fix, and SPM self-hosted support

Compare Source

This release adds Tera template support to .miserc.toml files for dynamic early-stage configuration, fixes a race condition during shim creation that affected multi-backend setups, and improves SPM backend compatibility with self-hosted GitHub Enterprise and GitLab instances. Several other bug fixes improve environment variable handling across tasks, redaction, and the vfox backend.

Highlights

• Tera templates in .miserc.toml -- Use environment variables, XDG directories, and OS-level functions like arch() and os() directly in your .miserc.toml configuration, enabling dynamic early-stage settings such as platform-specific ceiling paths.
• Shim race condition fixed -- Multi-backend setups where different plugins provide overlapping shims no longer intermittently fail during mise reshim or mise install.
• SPM self-hosted instance support -- The SPM backend now automatically derives the correct API URL for self-hosted GitHub Enterprise and GitLab instances from the tool URL.

Added

• Tera template support in .miserc.toml -- .miserc.toml files now support Tera templates with a limited context available during early initialization: OS environment variables, config_root, cwd, XDG directories, and built-in functions/filters. Templates that fail to render gracefully fall back to raw content. #​8867 by @​richardthe3rd

  # .miserc.toml
  ceiling_paths = ["{{ env.HOME }}"]
  ignored_config_paths = ["{{ xdg_config_home }}/mise/shared.toml"]

• sing-box added to the built-in registry -- Install the sing-box universal proxy platform via mise use sing-box. #​8944 by @​tony-sol

Fixed

• Shim race condition with overlapping backends -- When multiple plugins provide the same shim (e.g., nodejs via the default registry and asdf:nodejs), concurrent make_shim calls could race on file removal, producing intermittent "No such file or directory" errors. The file removal now tolerates already-deleted files. #​8947 by @​brander-john

• mise env --redacted missing tools-only redactions -- Env vars declared with both tools = true and redact = true were not included in the redaction filter for mise env --redacted. Both the standard and tools-only redaction sets are now checked. #​8956 by @​jakedgy

• SPM backend API URL for self-hosted instances -- When using the SPM backend with a full URL pointing to a self-hosted GitHub Enterprise or GitLab instance, mise now derives the correct API URL from the host instead of always falling back to api.github.com. Explicit api_url options still take precedence. #​8955 by @​ThomasDutartre

• vfox backend missing dependency env -- When a vfox backend plugin declared depends on another tool, the dependency's binaries were not available on PATH during plugin Lua hooks (BackendListVersions, BackendInstall, BackendExecEnv). Dependency environment is now properly propagated, matching the behavior of other backends. #​8952 by @​cprecioso

• Task usage Tera templates failing with flags -- Task usage field defaults using {{ env.VAR }} Tera templates would fail with "Variable not found in context" whenever any flags were passed. The task argument parser now uses the full computed environment instead of an empty map. #​8957 by @​jdx

• Clarified attestation settings placement -- The help messages for Python and Ruby attestation settings now specify that they must be placed under [settings] in mise.toml, not under [python] or [ruby] where they are silently ignored. #​8939 by @​fru1tworld

New Contributors

• @​ThomasDutartre made their first contribution in #​8955
• @​jakedgy made their first contribution in #​8956
• @​brander-john made their first contribution in #​8947
• @​fru1tworld made their first contribution in #​8939

Full Changelog: jdx/mise@v2026.4.5...v2026.4.6

---

Configuration

📅 Schedule: (in timezone Europe/Amsterdam)

• Branch creation
  • "every weekend,on Friday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.