test(deps): update dependency mise to v2026.4.18 (main)

[renovate]

This PR contains the following updates:

Package	Update	Change
mise	patch	2026.4.16 → 2026.4.18

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

jdx/mise (mise)

v2026.4.18: : Deps management, aube support, and vfox plugin dependencies

Compare Source

A feature-packed release that renames mise prepare to mise deps with new package management subcommands, adds aube as an npm backend package manager, enables vfox plugins to declare their own dependencies, and ships several important fixes for version resolution, lockfile concurrency, and GitHub Enterprise attestation verification.

Highlights

• mise prepare renamed to mise deps with add/remove subcommands -- The experimental dependency management command is now mise deps, with new mise deps add npm:react and mise deps remove npm:lodash subcommands for managing individual packages. All config keys, settings, state files, and CLI flags have been updated accordingly ([prepare] to [deps], --no-prepare to --no-deps).
• Aube package manager support for npm backend -- npm.package_manager now defaults to "auto", which prefers the aube package manager when available and falls back to npm. Explicit npm.package_manager = "aube" is also supported.
• vfox plugins can declare dependencies -- Plugin authors can now specify PLUGIN.depends = {"node", "python"} in metadata.lua, so mise resolves installation order automatically without users needing depends = [...] in their config.
• Stale versions host cache bypassed for package-registry backends -- npm, pipx, cargo, gem, go, and http/s3 backends with version_list_url now query their upstream sources directly, fixing the issue where tools like Flutter showed outdated versions.

Added

• mise deps command with add/remove subcommands -- The experimental mise prepare command has been renamed to mise deps. New mise deps add and mise deps remove subcommands let you manage individual packages using ecosystem:package syntax. Currently supports npm, yarn, pnpm, and bun ecosystems. Bare mise deps defaults to mise deps install (the previous mise prepare behavior). #​9056 by @​jdx

  mise deps add npm:react           # add a dependency
  mise deps add -D npm:vitest       # add as dev dependency
  mise deps remove npm:lodash       # remove a dependency
  mise deps                         # install all project dependencies

  # Configuration uses [deps] instead of [prepare]
  [deps.npm]
  auto = true

• --before flag for mise latest -- One-off latest-version lookups can now be constrained by release date. Supports absolute dates (2024-06-01) and relative durations (90d, 1y). Overrides per-tool install_before options and the global install_before setting. #​9168 by @​risu729

  mise latest node --before 2024-01-01
  mise latest node --before 90d

• Aube package manager support for npm backend -- The npm backend now supports aube as an alternative package manager. The new default npm.package_manager = "auto" prefers aube when it is available in the active toolset and falls back to npm otherwise. #​9256 by @​jdx

• filter_bins option for SPM backend -- Restrict which executable products are built and linked from a Swift package. Filtering happens before swift build, so unwanted products are never compiled. #​9253 by @​jdx

  [tools]
  "spm:swiftlang/swiftly" = { version = "latest", filter_bins = ["swiftly"] }

• vfox plugin-declared dependencies via metadata.lua -- Plugin authors can now declare tool dependencies directly in their plugin's metadata.lua. User-specified depends in mise.toml remains additive. #​9051 by @​ahemon

  -- metadata.lua
  PLUGIN = {}
  PLUGIN.name = "my-tool"
  PLUGIN.version = "1.0.0"
  PLUGIN.depends = {"node", "python"}

• Registry: bitwarden-secrets-manager -- Now available via the aqua backend (aqua:bitwarden/sdk-sm), replacing the legacy asdf plugin for better checksum/SLSA verification. #​9255 by @​msuzoagu

Fixed

• Stale version listings for package-registry backends -- Backends with canonical upstream sources (npm, pipx, cargo, gem, go, and http/s3 with version_list_url) now skip the mise-versions.jdx.dev cache and query upstream directly. This fixes the issue where tools like Flutter showed outdated versions until users set MISE_USE_VERSIONS_HOST=0. #​9245 by @​jdx

• Concurrent lockfile save race condition -- Fixed ENOENT errors when multiple mise processes updated the same lockfile simultaneously (commonly seen with parallel tool installs in CI via hk). Each save now uses a uniquely named temp file instead of a fixed mise.lock.tmp path. #​9250 by @​jdx

• GitHub Enterprise attestation verification -- Artifact attestation verification now routes to the configured api_url instead of always hitting api.github.com, fixing 401 Unauthorized errors for GHES users. #​9254 by @​jdx

• Noisy third-party debug/trace logs suppressed -- Debug and trace logs from dependency crates (h2, hyper, reqwest, rustls, etc.) are now filtered out of -v/-vv output. Set MISE_LOG_VERBOSE_DEPS=1 to restore them. #​9248 by @​jdx

• Animated progress UI disabled in CI -- CI environments no longer show animated progress frames even when stderr is allocated as a TTY, preventing thousands of duplicate log lines. #​9249 by @​jdx

• mise use respects --quiet and --silent -- The "tools:", "removed:", and "would update" messages are now suppressed when --quiet or --silent is passed. #​9251 by @​jdx

• --locked works for vfox backend plugins -- Custom Lua backend plugins that cannot provide download URLs no longer fail with "No lockfile URL found" when using mise install --locked. #​9252 by @​jdx

New Contributors

• @​ahemon made their first contribution in #​9051
• @​msuzoagu made their first contribution in #​9255

Full Changelog: jdx/mise@v2026.4.17...v2026.4.18

v2026.4.17: : install_before fixes, lockfile repair, and new registry tools

Compare Source

A fix-heavy release that addresses several install_before edge cases across npm, pipx, and backend latest lookups, repairs lockfile generation for aqua tools with custom version prefixes, and adds six new tools to the registry.

Highlights

• install_before now works consistently across backends -- The date-based version cutoff is now respected in direct latest lookups, npm no longer drifts by a day due to double timestamp sampling, and pipx/uv installs forward the cutoff via --exclude-newer / --uploaded-prior-to.
• Lockfile fix for aqua tools with version prefixes -- mise lock now correctly propagates version_prefix (e.g. jq-) to GitHub release lookups, fixing empty platform URLs that broke --locked mode.
• Deprecation warnings for legacy config keys and mise b -- env_file, dotenv, env_path, and the mise b shorthand now emit deprecation warnings with removal scheduled for 2027.4.0.

Fixed

• install_before respected in backend latest lookups -- Direct calls like mise latest npm:prettier now apply the effective install_before cutoff, not just install/upgrade flows. #​9193 by @​risu729

• tool@latest routes through stable lookup -- An explicit @latest suffix now follows the same backend-specific fast path as an unqualified tool name, so both forms return the same version. #​9228 by @​risu729

• npm install_before day drift -- Fixed an off-by-one where install_before = "3d" could compute --min-release-age=4 due to a second Timestamp::now() call drifting past the day boundary. A stable per-process timestamp and a 60-second tolerance window eliminate the issue. #​9157 by @​risu729

• install_before forwarded to pipx and uv installs -- pipx: tools now pass --exclude-newer to uv and --uploaded-prior-to (via --pip-args) to pipx, so Python package installs respect the date cutoff. #​9190 by @​risu729

• Warning for old bun/pnpm with install_before -- When install_before is active and the detected bun or pnpm version is below the minimum that supports release-age flags, mise now warns instead of silently ignoring the cutoff. #​9232 by @​risu729

• Lockfile version prefix propagation -- mise lock now uses version_prefix when looking up GitHub releases for aqua tools, fixing empty platform URLs that caused --locked installs to fail. #​9242 by @​effati

• shfmt available on Windows -- The shfmt registry entry no longer restricts to Linux/macOS, so mise use shfmt works on Windows via the aqua backend. #​9191 by @​zeitlinger

• GitLab expired OAuth2 token warning -- When mise reads a GitLab token from glab's config and the OAuth2 expiry has passed, it now warns the user to refresh (e.g. glab api user) instead of failing silently. #​9195 by @​stanhu

• GitHub auth skipped on release asset downloads -- Token lookup is now skipped for GitHub release asset CDN hosts (objects.githubusercontent.com, etc.), avoiding unnecessary authentication failures on public downloads. #​9060 by @​risu729

• Empty enable_tools disables all tools -- An explicitly empty enable_tools list now means "disable all tools" rather than "no filter", matching user expectations as an allowlist. #​9108 by @​risu729

• Deprecation warnings for legacy env keys -- env_file, dotenv, and env_path now warn when used, directing users to env._.file and env._.path. Removal is scheduled for 2027.4.0. #​9205 by @​risu729

• mise b shorthand deprecated -- The mise b alias for mise backends now emits a deprecation warning with removal scheduled for 2027.4.0. #​9234 by @​risu729

Added

• Registry: sheldon -- sheldon is a fast, configurable shell plugin manager. #​9104 by @​3w36zj6
• Registry: pocketbase -- pocketbase is an open-source backend in a single file. #​9123 by @​ranfdev
• Registry: worktrunk -- worktrunk provides a CLI for git worktree management, designed for running AI agents in parallel. #​8796 by @​edouardr
• Registry: dependency-check -- dependency-check detects publicly disclosed vulnerabilities in application dependencies. #​9204 by @​kapitoshka438
• Registry: janet -- janet is a lightweight, expressive programming language. #​9241 by @​ranfdev
• Registry: aube -- #​9244 by @​jdx

New Contributors

• @​ranfdev made their first contribution in #​9123
• @​stanhu made their first contribution in #​9195
• @​effati made their first contribution in #​9242
• @​jjt made their first contribution in #​9233
• @​marianwolf made their first contribution in #​9208
• @​edouardr made their first contribution in #​8796

Full Changelog: jdx/mise@v2026.4.16...v2026.4.17

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.