Skip to content

fix(github-release): update release jdx/mise ( v2026.5.5 ➔ v2026.5.8 )#361

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/mise
May 28, 2026
Merged

fix(github-release): update release jdx/mise ( v2026.5.5 ➔ v2026.5.8 )#361
renovate[bot] merged 1 commit into
mainfrom
renovate/mise

Conversation

@renovate

@renovate renovate Bot commented May 28, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Update Change Pending
jdx/mise patch 2026.5.52026.5.8 v2026.5.16 (+7)

Release Notes

jdx/mise (jdx/mise)

v2026.5.8: : Patrons, cleaner task output, and sigstore-rust

Compare Source

A small release: a new mise patrons command, cleaner task command output when scripts start with a shebang, and a fix for mise upgrade summaries getting wiped by progress cleanup. Under the hood, signature verification moves to the modern sigstore-rust stack.

Added

  • (patrons) New mise patrons subcommand lists individuals on the Patron tier supporting mise development (#​9841) by @​jdx. Data is fetched from the en.dev patrons feed, cached for 24h, and falls back to stale cache on network failure. Each patron's name renders as a clickable OSC 8 hyperlink in supporting terminals.

    $ mise patrons
    mise is supported by these patrons — thank you
    
      • Ronald Gierlach
      • youfoundron
    
    Become a patron: https://en.dev/sponsor
    

    Flags: -J/--json, --refresh.

  • (registry) Add a racket shorthand backed by the aqua racket/racket/minimal package, exposing both racket and raco from the official racket-lang.org release artifacts (#​9784) by @​albertnetymk.

Fixed

  • (task) When a task's run body starts with #!/usr/bin/env bash or set -Eeuo pipefail, the echoed command line would show only that boilerplate and hide the rest of the script. Leading shebang, blank, and set ... lines are now skipped when building the displayed command, so the first real command shows up. Execution is unchanged (#​9844) by @​jdx. Fixes #​9842.

    # before
    [generate-completions] $ #!/usr/bin/env bash
    
    # after
    [generate-completions] $ fzf --fish > ~/.config/fish/completions/fzf.fish
    
  • (upgrade) mise upgrade could erase its own Upgraded N tools: summary detail lines when an upgrade also performed an uninstall — fresh progress jobs registered for the cleanup phase were still active at shutdown, so stop_clear() wiped them along with the summary. Progress jobs are now finished and reset before the summary prints (#​9860) by @​risu729. Regression from #​9779; addresses #​9856.

Changed

  • (security) Sigstore verification (verify_github_attestation, verify_cosign_signature, verify_slsa_provenance, detect_attestations) now runs on a local mise-sigstore adapter built on sigstore-verify 0.7 from sigstore-rust, replacing the previous sigstore-verification 0.2 dependency (#​9260) by @​jdx. The mise call sites and helper API are unchanged. The new adapter still covers legacy cosign v1 bundles (e.g. goreleaser-signed releases) and raw DSSE *.intoto.jsonl envelopes (slsa-github-generator) that the upstream Bundle::from_json rejects.

Deprecated

  • (config) The top-level env_file setting (and MISE_ENV_FILE) is now marked deprecated. Use env._.file in mise.toml instead (#​9862) by @​risu729. The JSON Schema gains the deprecated keyword, a warning is scheduled for 2026.11.0, and removal is planned for 2027.11.0.

    # before
    env_file = ".env"
    
    # after
    [env]
    _.file = ".env"

New Contributors

Full Changelog: jdx/mise@v2026.5.7...v2026.5.8

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.7: : Lazy GitHub tokens, hardened version parsing, and faster task freshness

Compare Source

A round of correctness and performance fixes: vfox-managed tools no longer prompt your password manager on every shell hook, mise upgrade stops double-printing its summary, mise settings get finally distinguishes typos from unset values, and conda installs that pulled in adwaita-icon-theme are unstuck. Plus a security pass that hardens version-string parsing against shell injection.

Fixed

  • (vfox) GitHub tokens are now resolved lazily inside Lua plugins. Previously, mise hook-env, mise activate, mise completion, and even mise --help would call github.credential_command for every installed vfox tool — potentially unlocking a password manager on every prompt. The resolver is now only invoked when a Lua plugin actually issues an HTTP request to a GitHub API URL, e.g. during an install (#​9816) by @​jdx. Fixes #​9797.

  • (upgrade) mise upgrade (and mise up) no longer prints the installed-tools block twice when an upgrade also needs to uninstall an older version. The shared progress-job registry is now cleared after each phase so the subsequent uninstall renders cleanly (#​9779) by @​jdx. Fixes #​9774.

  • (settings) mise settings get distinguishes between a known setting that hasn't been set and a typo:

    $ mise settings get python.compile
    mise ERROR Setting [python.compile] is not set
    $ mise settings get not.a.real.setting
    mise ERROR Unknown setting: not.a.real.setting

    Previously both returned Unknown setting, since Option<T> fields skipped by TOML serialization were indistinguishable from missing keys (#​9818) by @​jdx.

  • (backend) Several backends (aqua, github/gitlab/forgejo, http, s3, ubi, vfox, conda, Windows npm) reported bin-paths pointing at the concrete resolved install dir (e.g. installs/tiny/1.0.0/...) instead of the stable runtime symlink for the requested label (e.g. installs/tiny/latest/...). A new runtime_path_for_install_path helper remaps backend-discovered absolute paths onto the runtime path while leaving explicit relative bin_path values alone (#​9606) by @​risu729.

  • (conda) mise use -g imagemagick (and other tools pulling in adwaita-icon-theme) failed with conda solve failed: encountered duplicate records for adwaita-icon-theme-40.1.1-.... rattler-solve detects duplicates by DistArchiveIdentifier rather than URL, so when conda-forge served the same archive under multiple CDN URLs, the existing URL-based dedup wasn't enough. Dedup now uses r.identifier, the exact key the solver uses (#​9831) by @​jdx. Fixes #​9829.

Added

  • (github) github.credential_command now runs through the configured default inline shell (instead of hardcoded sh -c) and is invoked with MISE_CREDENTIAL_HOST and MISE_CREDENTIAL_PROVIDER in the environment. The deprecated $1 / ${1} hostname positional argument continues to work for sh-compatible shells (ash, bash, dash, ksh, sh, zsh); a deprecation warning lands in 2026.11.0 and removal is planned for 2027.11.0 (#​9664) by @​risu729.

Performance

  • (aqua) The baked aqua standard-registry package and alias lookup tables are now generated as static phf::Maps at build time via phf_codegen, instead of lazy runtime HashMaps. Warmed lookup is comparable, but first-use no longer allocates ~115 KiB of heap or builds a 2,179-entry bucket table (#​9763) by @​risu729.

  • (task) When task.source_freshness_hash_contents = true, mise now caches each source file's blake3 hash keyed by (size, mtime_secs, mtime_nanos) — git's stat-info trick — in a per-task file under STATE/task-sources/. Unchanged files are skipped on subsequent runs; entries for files removed from sources are pruned automatically (#​9819) by @​jdx. See discussion #​9802.

Security

  • Reject shell metacharacters in version strings at the ToolRequest boundary (#​9814) by @​jdx. ToolRequest::new now validates version, prefix, ref/*, sub-*, and path: requests, rejecting $, backticks, quotes, \, control chars, and .. traversal. This single change neutralizes the CRITICAL RCE class flagged against vfox-ag, vfox-bfs, vfox-bpkg, vfox-chezscheme, vfox-redis, vfox-yarn, and shell-injection findings on clickhouse, leiningen, pipenv, poetry, azure-functions-core-tools, carthage, and android-sdk, since no Lua hook can observe a hostile ctx.version / ctx.rootPath. Real-world strings like 1.2.3-beta, lts/hydrogen, 3.12.0a1, and nightly continue to validate. The PR also tightens workflow_dispatch input validation in the COPR, PPA, npm-publish, and Docker workflows.

Registry

  • Replace unsupported exe = ... options across ~30 GitHub/GitLab registry entries (astro, babashka, coursier, glab, odin, openbao, purescript, and many more) (#​9587) by @​risu729. Two entries gained real config to fix Linux installs:
    • solidity now uses bin = "solc" so the installed binary matches the upstream solc-static-linux asset.
    • sourcery now uses format = "tar.gz" because the upstream Linux asset is gzip-compressed despite its .tar.xz filename.
  • Update pi to earendil-works/pi (#​9792) by @​garysassano.

Documentation

  • (aliases) Fix the Aliased Versions example and drop the stale asdf callout (#​9830) by @​jdx.

Full Changelog: jdx/mise@v2026.5.6...v2026.5.7

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.6: : Native GitHub OAuth, project-scoped OCI builds, faster registries

Compare Source

A mix of features and correctness work: a native GitHub OAuth token source (experimental) that drops the dependency on gh/ghtkn, mise oci commands scoped to the current project by default, and two registry-lookup performance wins — plus fixes across activate, exec, java, lock, pipx, and vfox.

Added
  • (cli) Add --before <date> to mise ls-remote and mise lock for release-date-aware version discovery (#​9269) by @​risu729

  • (config) Hooks can now be defined as a table — { run = "...", shell = "bash -c" } — to pick a shell inline, alongside the existing string form (#​9718) by @​risu729

  • (github) Add native GitHub OAuth device-flow token source (experimental) — no dependency on gh/ghtkn (#​9654) by @​jdx. Create a GitHub App with device flow enabled, then authorize once:

    mise settings set experimental true
    mise settings set github.oauth_client_id Iv1.yourgithubappclientid
    mise token github --oauth

    mise caches and refreshes the token for its own GitHub API calls, and auto-exports it as GITHUB_TOKEN to shells started under mise activate/exec so gh, git, and other GitHub-aware tools pick it up too. See GitHub Tokens → Native GitHub OAuth for the full setup.

  • (oci) mise oci build/run/push are now scoped to the current project's config by default; pass --include-global to opt back into the previous behavior of including global config (#​9766) by @​jdx

  • (outdated) Prefixed-version requests now resolve to the latest within the prefix — e.g. temurin-17.0.19+10 for a temurin-17.x request, instead of jumping ahead to temurin-26.x (#​9767) by @​roele

Fixed
  • (activate) Guard bash chpwd_functions expansion under set -u so activated shells no longer fail with chpwd_functions[@&#8203;]: unbound variable (#​9716) by @​risu729
  • (backend) Date-check the latest_stable_version fast path when --before or minimum_release_age is active, instead of returning a too-new version (#​9650) by @​risu729
  • (config) Parse core tool options consistently between table and bracket syntax, so [depends=...] and os= set the named core fields (#​9742) by @​risu729
  • (exec) Nested mise -C <dir> exec correctly resolves the inner toolset's tools again — __MISE_DIFF is now propagated to children so the child no longer inherits a mutated PATH that hides its own tools (#​9765) by @​jdx
  • (forgejo) Include prereleases when prerelease = true / MISE_PRERELEASES=1 is set (#​9717) by @​risu729
  • (github) Avoid caching empty release-asset responses, refetching instead (#​9616) by @​risu729
  • (java) Resolve core:java lockfile URLs/checksums from mise Java metadata, fixing mise install --locked for Java (#​9719) by @​risu729
  • (lock) Cache github_attestations = "unavailable" so locked installs stop hitting the GitHub attestation API for artifacts known to have none (#​9741) by @​risu729
  • (pipx) Preserve uvx_args/pipx_args/extras/uvx = false when pipx tools are reinstalled after a Python upgrade (#​9663) by @​risu729
  • (python) Skip redundant GitHub attestation re-verification when the lockfile already has checksum + provenance = "github-attestations" (#​9739) by @​risu729
  • (vfox) Run vfox plugin pre_uninstall hooks before removing install directories (#​9662) by @​risu729
  • Quote program and args in cmd::cmd(..) debug output so logged commands are unambiguous (#​9777) by @​ktetzlaff
Performance
  • (aqua) Bake aqua registry packages as rkyv blobs for much faster lookup (#​9535) by @​risu729
  • (registry) Use phf for the mise registry lookup table, around 3.3x faster than the previous BTreeMap path (#​9769) by @​risu729
Registry
New Contributors

Full Changelog: jdx/mise@v2026.5.5...v2026.5.6

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.


Configuration

📅 Schedule: (in timezone Europe/Amsterdam)

  • Branch creation
    • "every weekend,on Friday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from DevSecNinja as a code owner May 28, 2026 23:40
@renovate renovate Bot enabled auto-merge (squash) May 28, 2026 23:40
@renovate renovate Bot merged commit b79361e into main May 28, 2026
13 checks passed
@renovate renovate Bot deleted the renovate/mise branch May 28, 2026 23:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants