fix(github-release): update release jdx/mise ( v2026.4.16 ➔ v2026.4.17 )

[renovate]

This PR contains the following updates:

Package	Update	Change	Pending
jdx/mise	patch	2026.4.16 → 2026.4.17	v2026.4.28 (+9)

---

Release Notes

jdx/mise (jdx/mise)

v2026.4.17: : install_before fixes, lockfile repair, and new registry tools

Compare Source

A fix-heavy release that addresses several install_before edge cases across npm, pipx, and backend latest lookups, repairs lockfile generation for aqua tools with custom version prefixes, and adds six new tools to the registry.

Highlights

• install_before now works consistently across backends -- The date-based version cutoff is now respected in direct latest lookups, npm no longer drifts by a day due to double timestamp sampling, and pipx/uv installs forward the cutoff via --exclude-newer / --uploaded-prior-to.
• Lockfile fix for aqua tools with version prefixes -- mise lock now correctly propagates version_prefix (e.g. jq-) to GitHub release lookups, fixing empty platform URLs that broke --locked mode.
• Deprecation warnings for legacy config keys and mise b -- env_file, dotenv, env_path, and the mise b shorthand now emit deprecation warnings with removal scheduled for 2027.4.0.

Fixed

• install_before respected in backend latest lookups -- Direct calls like mise latest npm:prettier now apply the effective install_before cutoff, not just install/upgrade flows. #​9193 by @​risu729

• tool@latest routes through stable lookup -- An explicit @latest suffix now follows the same backend-specific fast path as an unqualified tool name, so both forms return the same version. #​9228 by @​risu729

• npm install_before day drift -- Fixed an off-by-one where install_before = "3d" could compute --min-release-age=4 due to a second Timestamp::now() call drifting past the day boundary. A stable per-process timestamp and a 60-second tolerance window eliminate the issue. #​9157 by @​risu729

• install_before forwarded to pipx and uv installs -- pipx: tools now pass --exclude-newer to uv and --uploaded-prior-to (via --pip-args) to pipx, so Python package installs respect the date cutoff. #​9190 by @​risu729

• Warning for old bun/pnpm with install_before -- When install_before is active and the detected bun or pnpm version is below the minimum that supports release-age flags, mise now warns instead of silently ignoring the cutoff. #​9232 by @​risu729

• Lockfile version prefix propagation -- mise lock now uses version_prefix when looking up GitHub releases for aqua tools, fixing empty platform URLs that caused --locked installs to fail. #​9242 by @​effati

• shfmt available on Windows -- The shfmt registry entry no longer restricts to Linux/macOS, so mise use shfmt works on Windows via the aqua backend. #​9191 by @​zeitlinger

• GitLab expired OAuth2 token warning -- When mise reads a GitLab token from glab's config and the OAuth2 expiry has passed, it now warns the user to refresh (e.g. glab api user) instead of failing silently. #​9195 by @​stanhu

• GitHub auth skipped on release asset downloads -- Token lookup is now skipped for GitHub release asset CDN hosts (objects.githubusercontent.com, etc.), avoiding unnecessary authentication failures on public downloads. #​9060 by @​risu729

• Empty enable_tools disables all tools -- An explicitly empty enable_tools list now means "disable all tools" rather than "no filter", matching user expectations as an allowlist. #​9108 by @​risu729

• Deprecation warnings for legacy env keys -- env_file, dotenv, and env_path now warn when used, directing users to env._.file and env._.path. Removal is scheduled for 2027.4.0. #​9205 by @​risu729

• mise b shorthand deprecated -- The mise b alias for mise backends now emits a deprecation warning with removal scheduled for 2027.4.0. #​9234 by @​risu729

Added

• Registry: sheldon -- sheldon is a fast, configurable shell plugin manager. #​9104 by @​3w36zj6
• Registry: pocketbase -- pocketbase is an open-source backend in a single file. #​9123 by @​ranfdev
• Registry: worktrunk -- worktrunk provides a CLI for git worktree management, designed for running AI agents in parallel. #​8796 by @​edouardr
• Registry: dependency-check -- dependency-check detects publicly disclosed vulnerabilities in application dependencies. #​9204 by @​kapitoshka438
• Registry: janet -- janet is a lightweight, expressive programming language. #​9241 by @​ranfdev
• Registry: aube -- #​9244 by @​jdx

New Contributors

• @​ranfdev made their first contribution in #​9123
• @​stanhu made their first contribution in #​9195
• @​effati made their first contribution in #​9242
• @​jjt made their first contribution in #​9233
• @​marianwolf made their first contribution in #​9208
• @​edouardr made their first contribution in #​8796

Full Changelog: jdx/mise@v2026.4.16...v2026.4.17

---

Configuration

📅 Schedule: (in timezone Europe/Amsterdam)

• Branch creation
  • "every weekend,on Friday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.