Update dependency jdx/mise to v2026.4.28

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
jdx/mise	patch	v2026.4.3 → v2026.4.28

---

Release Notes

jdx/mise (jdx/mise)

v2026.4.28: : Remote tasks pinned by commit SHA

Compare Source

A small patch release: remote tasks pinned to a commit SHA no longer panic, and the Fedora COPR packaging pipeline picks up Dockerfile fixes again.

Fixed

• (task) Remote tasks referenced by commit SHA (a git:: source with ?ref=<40-char hex>) no longer crash mise with we map by name only and have no object-id in refspec from gix (#​9473) by @​jdx. gix-refspec parses any 40- or 64-char hex string as an ObjectId refspec, but gix::clone::fetch::util::find_custom_refname only handles name-based matches and expect()s on the result, so passing a bare SHA to prepare_clone.with_ref_name() triggered a hard process panic on every cache miss. Git::clone now detects SHA-shaped refs via a looks_like_sha heuristic, skips both the with_ref_name() and git clone -b paths (neither accepts bare SHAs), drops --depth 1 since shallow clones may not contain the requested object, and checks out the SHA after the clone via the existing CLI-backed update. Named branches and tags continue to use the existing fast paths. Closes #​9472.

• (copr) The copr-publish workflow no longer pins a stale ghcr.io/jdx/mise:copr image digest, and docker.yml now rebuilds the :copr image whenever packaging/copr/Dockerfile changes on main (#​9451) by @​bestagi. Previously the workflow kept hitting ModuleNotFoundError: No module named 'rich' even after #​9421 switched copr-cli to dnf install, because the hardcoded digest still pointed at the old pip-installed image.

New Contributors

• @​bestagi made their first contribution in #​9451

Full Changelog: jdx/mise@v2026.4.27...v2026.4.28

v2026.4.27: : npm install args, smarter watch, and a macOS shim recursion fix

Compare Source

A focused release: more control over how npm-backed tools get installed, smarter mise watch that follows task dependencies, and a fix for a nasty macOS shim recursion that could lock up a shell during mise up --bump.

Added

• (backend) New npm_args, pnpm_args, bun_args, and aube_args tool options on the npm backend (#​9109) by @​risu729. Each one is forwarded to the matching package manager when it's the active settings.npm.package_manager, mirroring the pipx backend's style. The args are also recorded in the lockfile and at install time:

  [tools]
  "npm:npm" = { version = "latest", aube_args = "--reporter append-only" }
  "npm:tiny" = { version = "latest", pnpm_args = "--loglevel=warn" }

• (env) External vfox environment plugins now get ctx.config_root in their MiseEnv / MisePath hooks (#​9465) by @​hisaac. This matches what built-in directives like _.file already see, so plugins (e.g. mise-xcode) can resolve user-supplied relative paths against the project root regardless of the shell's cwd. watch_files returned from a plugin are now also absolutized against config_root instead of current_dir().

• (task) mise watch now follows the task graph and watches the sources of each chosen task's dependencies as well as its own (#​9437) by @​43081j. Pass --skip-deps (or set skip_deps) to restore the previous "task sources only" behavior. Explicit --glob overrides still win.

• (release) scripts/gen-aqua-changelog.sh now diffs the previous tag's registry.yaml against the current one and emits New Packages / Updated Packages sections in the release PR, instead of dumping the aqua-registry release tags rolled into the release (#​9471) by @​jdx. This restores the pre-#​9043 behavior for the merged-registry world.

Fixed

• (backend) When _list_remote_versions returned an empty list (invalid module path, throttling, etc.) the empty result was cached as if it were authoritative, poisoning both the on-disk cache file and the in-memory OnceCell for up to an hour (#​9444) by @​c22. The cache is now cleared in both places when the list comes back empty, so the next call re-fetches.

• (shims) Fixed an infinite shim recursion on macOS reported in #​9462 where mise up --bump against npm packages would loop mise -> npm shim -> mise -> npm shim -> ... and sometimes crash the session (#​9468) by @​jdx. The trigger was a case-mismatched $HOME in PATH (/Users/Olfway/... vs. /Users/olfway/...) — the shims-stripping in Backend::dependency_env compared byte-equal, so on case-insensitive APFS/HFS+ volumes it was a no-op and npm re-resolved to the mise shim. A new file::paths_eq does case-insensitive compares on macOS/Windows and byte-equal on Linux, and is now used everywhere mise asks "is this PATH entry the shims directory?" — including path_env_without_shims, which_no_shims, PathEnv partitioning, cli::exec program resolution, and the doctor's shims_on_path check (which had been silently reporting no for affected users).

• (task) Under deny_env = true on Linux, every env var was being stripped from the child process — including the PATH / HOME / USER / SHELL / TERM / LANG that filter_env and the docs say should pass through (#​9467) by @​jdx, fixing #​9466. apply_sandbox() was calling Command::env_clear() after the task executor populated explicit envs via .envs(filtered_env), wiping both. The Linux branch now snapshots the explicit envs before clearing and re-applies them; macOS already did this. A new path_test task in e2e/sandbox/test_sandbox_task guards against regressions.

New Contributors

• @​43081j made their first contribution in #​9437
• @​hisaac made their first contribution in #​9465

Full Changelog: jdx/mise@v2026.4.26...v2026.4.27

v2026.4.25: : Sharper task tooling and lockfile fixes

Compare Source

A patch release focused on smoothing rough edges in tasks (sandbox path resolution, dependency templates, a new --name-only listing) and fixing a handful of upgrade/ls-remote pitfalls.

Added

• (task) New --name-only flag on mise tasks ls (and mise tasks) prints one task name per line — no headers, no padding, no description column (#​9435) by @​jdx. It composes with --all, --global/--local, --hidden, --sort/--sort-order, and uses a broken-pipe-tolerant writer so dropping it into fzf Just Works:

  mise run "$(mise tasks ls --name-only --all | fzf)"

  Conflicts with --json, --extended, and --usage.

Fixed

• (task) Dependency templates can now branch on usage values inside Tera statement tags, not just output expressions, and boolean/array flags are passed through with their real types instead of stringified (#​9424) by @​jdx. So this finally does what it looks like:

  [tasks.lint]
  usage = 'flag "--run-post" default=#false'
  depends_post = ['''
      {%- if usage.run_post -%}
          postlint:**
      {%- else -%}
          noop
      {%- endif -%}
  ''']
  run = 'echo "lint ran"'

• (task) Tasks that define usage with subcommands but no top-level args/flags now correctly populate usage.cmd for dependency templates, fixing a regression from #​9424 where the early-return path skipped subcommand handling (#​9431) by @​jdx. The fix also de-duplicates make_usage_ctx between the script parser and the dep renderer so they can't drift again.

• (task) Sandbox allow_read / allow_write paths declared on a task are now resolved against the task's effective working directory rather than the shell's pwd (#​9428) by @​jdx. Previously, dir = "../bar" plus allow_read = ["."] opened up the caller's directory while the task itself ran in bar/ and got blocked. CLI overrides like mise run --allow-read=… still resolve against shell cwd. Closes #​9423.

• (lockfile) mise upgrade now updates the global lockfile (~/.config/mise/mise.lock) when bumping a fuzzy version such as latest (#​9442) by @​jdx. The grouping pass was excluding global config files entirely, and fuzzy requests could re-resolve through the stale lockfile entry mid-update. Newly installed versions are now overlaid before lockfiles are rewritten, so a global dummy = "latest" upgrading from 1.0.0 to 2.0.0 actually pins 2.0.0.

• (aqua) When list_releases_including_prereleases returned an empty list (paginated/cached edge case, throttling, or a repo that genuinely has no releases), aqua fell back to list_tags and pulled in every git tag in the repo (#​9443) by @​jdx. For monorepos that tag sub-crates, that meant ripgrep's grep-regex-0.1.1 and friends ended up in the shared mise-versions snapshot, so ripgrep = "latest" resolved to a tag with no matching release asset and 404'd on install. Empty release lists now propagate as empty version lists; packages that legitimately use tags as their version source still opt in via version_source = "github_tag". The remote_versions cache filename is also reverted to remote_versions.msgpack.z to avoid needlessly invalidating existing caches — VersionInfo already deserializes forward-compatibly. (Server-side mise-versions snapshots will need to be regenerated with this fix.)

• (ls-remote) mise ls-remote --json no longer emits "rolling":false,"prerelease":false on every entry (#​9439) by @​jdx. Dummy output is now [{"version":"1.0.0"},{"version":"1.1.0"},{"version":"2.0.0"}]. Backends that legitimately set either flag (rust nightly/beta/stable, github/aqua pre-releases) still emit the field; cached entries written by older builds continue to deserialize.

• (docs) The docs site no longer flickers between light/dark themes on initial load (#​9427) by @​vhespanha. VitePress's anti-flicker inline script is now marked data-cfasync="false" so Cloudflare's Rocket Loader stops deferring it. Fixes #​9393.

• (Dockerfile) copr-cli is now installed via dnf instead of pip, fixing ModuleNotFoundError: No module named 'rich' in the publish-copr workflow (#​9421) by @​bestagi.

New Contributors

• @​vhespanha made their first contribution in #​9427
• @​bestagi made their first contribution in #​9421

Full Changelog: jdx/mise@v2026.4.24...v2026.4.25

v2026.4.24: : Resilient downloads and global pre-release opt-in

Compare Source

A small release that hardens HTTP downloads against flaky networks and adds a global way to surface pre-release versions, plus refreshed intro messaging.

Added

• (ls-remote) New global prereleases setting (MISE_PRERELEASES=1) and a --prerelease flag for mise ls-remote (#​9415) by @​jdx. Acts as prerelease = true applied to every tool, so GitHub releases flagged prerelease: true show up in ls-remote, latest resolves against the full list, and fuzzy queries like 1.2 can match pre-release tags. Currently honored by the github: and aqua: backends; draft releases are still excluded.

  mise ls-remote github:cli/cli --prerelease
  # or, persistently:
  export MISE_PRERELEASES=1

Fixed

• (http) HTTP requests now retry transient failures with a jittered backoff schedule (~200ms / 1s / 4s / 15s, then capped at 15s) and the default http_retries is bumped from 0 to 3 (#​9414) by @​jdx. Retries fire on 5xx, 408, 429, and network-layer errors (connect refused, timeout, mid-stream body drops); deterministic 4xx responses like 404 fail fast without retry. Downloads wrap the full request + body so a chunk failure mid-stream restarts from byte 0 instead of failing the install. Each retry logs a warn! immediately so flaky infrastructure surfaces in real time, and the same logic now powers vfox plugin downloads (which honor MISE_HTTP_RETRIES too). Set MISE_HTTP_RETRIES=0 to opt out. The http→https fallback now only triggers on connection-level errors, not on HTTP status errors.

• (release) scripts/publish-s3.sh now purges the mise.en.dev Cloudflare zone (alongside jdx.dev and mise.run) after each S3 publish (#​9416) by @​jdx. Because install.sh is uploaded with immutable cache-control, missing the purge could leave one zone serving the previous release's install.sh next to a new release's install.sh.minisig.

Documentation

• Refreshed the project tagline and intro across the README, docs site, landing page, man page, snapcraft/RPM/DEB/npm packaging metadata, and CLI help text to "Dev tools, env vars, and tasks in one CLI" with a clearer "what is it?" pitch focused on what mise does rather than what it replaces (#​9418) by @​jdx.
• The docs site's GitHub star count is now prefixed with a ★ glyph for clarity (#​9417) by @​jdx.

Full Changelog: jdx/mise@v2026.4.23...v2026.4.24

v2026.4.23: : Pre-releases, libc preference, and a Node musl fix

Compare Source

A patch release that adds a global libc preference and pre-release opt-in for github:/aqua: backends, alongside fixes for Node musl downloads, read-only system installs, and mise prune network hangs.

Added

• (backend) Per-tool prerelease = true opt-in for the github: and aqua: backends (#​9329) by @​jakedgy. When set, GitHub releases flagged prerelease: true show up in mise ls-remote, latest resolves against the full list including pre-releases, and fuzzy queries like 1.2 can match pre-release tags. Default behavior is unchanged; draft releases are still excluded.

  [tools]
  "github:myorg/mytool" = { version = "latest", prerelease = true }
  "aqua:owner/tool"     = { version = "latest", prerelease = true }

• (backend) Global libc setting for selecting Linux precompiled binary variants (#​9404) by @​jdx. Accepts musl, glibc, or gnu and threads through Platform::current()/PlatformTarget so generic GitHub asset matching, aqua registry replacements (e.g. unknown-linux-gnu ↔ unknown-linux-musl), Bun, Python precompiled builds, Node, and vfox envType all honor the preference.

  export MISE_LIBC=musl

Fixed

• (install) Stop rewriting healthy runtime symlinks (#​9410) by @​jdx. The rebuild path was unconditionally remove_all + recreating every latest -> X.Y.Z symlink, which became a hard failure under the common Docker pattern where root populates /usr/local/share/mise/installs/ at build time and a non-root user runs mise install at runtime. Healthy symlinks now take a no-op path; the read-only system dir is no longer touched. If a write is genuinely required and can't happen, the install fails loudly instead of silently leaving a stale latest.

• (node) Route musl tarball URLs to unofficial-builds.nodejs.org (#​9409) by @​jdx. After #​9404 Node started appending -musl to filenames but kept routing through nodejs.org/dist/ (which doesn't host them), causing 404s and lockfiles where the URL had a -musl suffix while the checksum was still pinned to the glibc tarball. The tarball URL and matching SHASUMS256.txt now come from the same host, and a custom node.mirror_url still passes through unchanged. Lockfile merging is also hardened to drop stale checksum/size/url_api when URLs disagree.

• (prune) Skip remote version resolution for tracked configs (#​9406) by @​jdx. mise prune was hitting npm, the Go proxy, and the GitHub API to resolve tracked-config tool versions, which could hang on slow or failing registries. Since prune only protects installed versions from deletion, an offline flag is now threaded through ResolveOptions for prune. mise upgrade is unchanged and still queries fresh remote data. Closes #​9405.

• (backend) Allow unresolved latest opt-in (#​9401) by @​jdx. latest now falls back to an unresolved selector only when a backend's unfiltered remote version list is empty and the backend opts in via unresolved_latest_version(). pipx opts in for git-backed requests; backends that require concrete versions continue to fail rather than create literal latest/ installs. If minimum_release_age filters all candidates out, mise still reports no matching version.

• (schema) Allow array values in tool additionalProperties (#​9400) by @​JP-Ellis. Configs like rust = { version = "1.77", components = ["rustfmt", "clippy"] } are no longer flagged as invalid by linters such as tombi.

Registry

• Use aqua for rumdl (#​9397) by @​scop
• Add llmfit (#​9412) by @​jylenhof

New Contributors

• @​JP-Ellis made their first contribution in #​9400

Full Changelog: jdx/mise@v2026.4.22...v2026.4.23

v2026.4.22: : Repaired latest resolution and clearer deps output

Compare Source

A focused patch release that repairs two @latest regressions, gives mise deps clearer per-provider output labels, and renames the install_before setting to minimum_release_age to match the wider ecosystem.

Highlights

• @latest resolution is fixed for Go modules that only publish pseudo-versions, and stale installs/<tool>/latest/ directories are now repaired automatically.
• The install_before setting has been renamed to minimum_release_age; the old name keeps working as a deprecated alias.
• mise deps output is now labeled by provider (e.g. [deps.codegen]) instead of repeating the raw command.
• Fedora 44 and Rawhide are now supported in the COPR build.

Fixed

• (backend) Two separate @latest issues are repaired in #​9383 by @​jdx:

  • Go modules that enumerate zero versions now resolve @latest via go list -m -json <module>@&#8203;latest, so modules that only publish pseudo-versions still install a concrete version.
  • Stale real installs/<tool>/latest/ directories are now repaired generically by the runtime symlink migration. The migration reruns under a new marker and refreshes only install_state after rewriting directories, so the current process picks up the repaired layout without rebuilding the backend map (which previously broke config aliases). Numeric partial-version dirs such as installs/<tool>/25/ are left alone, and real direct-URL latest installs (e.g. UBI URL installs) are preserved when there is no concrete version to replace them with.

• (task) mise deps output is now labeled with a stable [deps.<provider>] prefix on stdout/stderr (and in the progress message) instead of using the raw run command as the prefix, making repeated output from commands like pip install -r requirements.txt much easier to follow. mise deps add/remove continues to run unprefixed. (#​9385) by @​jdx

Changed

• (config) The install_before setting and per-tool option have been renamed to minimum_release_age, matching pnpm's terminology. The old install_before name is preserved as a hidden, deprecated alias — global settings are migrated at load time, per-tool options resolve through the new key, and the JSON schema marks the old name as deprecated. Precedence is unchanged: --before > per-tool > global. (#​9384) by @​jdx

Added

• (copr) Fedora 44 and Rawhide are now supported by the COPR build script. (#​9391) by @​bestagi

Documentation

• The docs site nav now displays the current release version (read from Cargo.toml at build time), linking to the GitHub releases page. The build emits a warning if the version cannot be parsed instead of silently falling back. (#​9388, #​9389) by @​jdx

Aqua Registry

Updated aqua-registry from v4.498.0 to v4.499.0.

Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors. If mise saves you or your team time, please consider sponsoring at en.dev.

Full Changelog: jdx/mise@v2026.4.21...v2026.4.22

v2026.4.21: : untrust command and prune lockfile fixes

Compare Source

A patch release that adds a new mise untrust command, teaches mise prune to skip tools tracked in lockfiles, and tightens GitHub asset auto-detection.

[!NOTE]
This release was tagged but the publish job failed before assets were uploaded. v2026.4.22 ships the same fixes alongside additional changes — install that release instead. These notes are preserved here for the changelog.

Highlights

• New mise untrust command revokes trust on a config file.
• mise prune now respects tracked lockfiles and no longer removes tools listed in them.
• GitHub asset auto-detection prefers the shortest asset name as a tiebreaker, avoiding spurious matches on longer-named variants.
• New --security flag on mise registry includes security info in JSON output.

Added

• (registry) --security flag on mise registry includes security info in JSON output. (#​9364) by @​jdx
• (trust) New mise untrust command. (#​9370) by @​jdx

Fixed

• (config) Resolved backend opts are now limited to aliases. (#​9315) by @​risu729
• (github) Asset auto-detection prefers the shortest asset name as a tiebreaker. (#​9361) by @​jdx
• (java) Newer Zulu versions are detected correctly — they use a different directory structure than older releases. (#​9365) by @​roele
• (prune) mise prune now respects tracked lockfiles. (#​9373) by @​jdx
• (task) Tool installation is skipped for missing naked tasks instead of failing the run. (#​9374) by @​jdx

Documentation

• The docs site dismissible banner stacks its message and link on mobile. (#​9362) by @​jdx
• Ruby compile message updated. (#​9338) by @​fladson

Registry

• Fix flux-operator-mcp aqua path. (#​9357) by @​monotek
• Remove openshift-install. (#​9372) by @​jdx
• Remove go-sdk. (#​9371) by @​jdx

New Contributors

• @​fladson made their first contribution in #​9338

Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors. If mise saves you or your team time, please consider sponsoring at en.dev.

Full Changelog: jdx/mise@v2026.4.20...v2026.4.21

v2026.4.20: : Lockfile cleanup and path: fixes

Compare Source

A focused patch release that cleans up two long-standing lockfile and path-resolution bugs, makes GitHub attestation verification tolerant of regex-based aqua registry URLs, and reworks how the aqua registry is baked into mise.

Highlights

• mise lock tool@latest now writes a concrete version and heals lockfiles already poisoned with version = "latest".
• path: tool versions with relative paths resolve correctly against the config root.
• Aqua registry is now baked from the upstream merged registry.yaml, pinned by tag.
• GitHub artifact attestation works for registry entries that use regex URLs.

Fixed

• (config) Relative path: tool versions are now resolved at parse time against the config's root directory (or CWD for CLI args), with ~/ expansion and leading ./ stripped. Previously, a value like path:./packages/logr was joined with installs_path at install time and produced a bogus directory such as ~/.local/share/mise/installs/logr/./packages/logr. (#​9320) by @​jdx

• (lock) mise lock handling of @latest has been overhauled (#​9321 by @​jdx):

  • mise lock tool@latest now resolves latest to the newest installed version instead of writing the literal string "latest" into the lockfile.
  • mise lock no longer produces duplicate [[tools.<name>]] entries when the config uses tool = "latest".
  • Lockfiles already poisoned with version = "latest" are cleaned up in a single mise lock run.

• GitHub artifact attestation verification now works when the aqua registry entry uses a regex in the workflow URL, unblocking installs such as aqua:updatecli/updatecli. (#​9327) by @​monotek

Changed

• (aqua) The baked aqua registry source has been swapped for the upstream merged registry.yaml, pinned by tag via crates/aqua-registry/aqua-registry/metadata.json. The build script generates a canonical package-id map plus an alias lookup table, so runtime lookups only parse the selected package YAML. The pinned tag is now visible in mise doctor. (#​9043) by @​risu729

Added

• New registry entry: grafana-kubernetes-plugin. (#​9300) by @​monotek

Documentation

• A dismissible announcement banner has been added to the docs site, driven by a remote JSON config. Link schemes are restricted to http/https, dismissals persist per-id in localStorage, and the banner height is kept in sync with --vp-layout-top-height via a ResizeObserver. The expires field is respected so banners automatically hide after a given date. (#​9326, #​9330, #​9334) by @​jdx

Aqua Registry

Updated aqua-registry from v4.492.0 to v4.498.0, which includes:

• v4.493.0
• v4.494.0
• v4.494.1
• v4.495.0
• v4.496.0
• v4.497.0
• v4.498.0

Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

Full Changelog: jdx/mise@v2026.4.19...v2026.4.20

v2026.4.19: : OCI images, aqua templates, and more resilient installs

Compare Source

This release adds a new way to package environments as OCI images, improves backend flexibility with aqua variable templating, and tightens several authentication and concurrency edge cases that were causing friction in real workflows.

The biggest addition is mise support for building OCI images directly from mise.toml, with per-tool layering to make image rebuilds more efficient. Alongside that, aqua-backed tools can now use templated variables, which should make more registries and package definitions work cleanly without custom glue. On the reliability side, fixes in conda, GitHub auth handling, vfox token usage, and interactive CLI cancellation should make automation and authenticated installs behave more predictably.

Highlights

• Build OCI images directly from mise.toml with per-tool image layers.
• Support aqua variable templates in backends.
• Fix several GitHub and token-handling issues affecting authenticated requests.
• Improve install reliability for conda and backend path handling.
• Add new registry entries including gsudo, kiro-cli, llama.cpp, and Flux operator tooling.

Changes

Features

• (oci) build OCI images from mise.toml with per-tool layers by @​jdx in #​9273
• (backend) support aqua vars templates by @​jdx in #​9110
• add gsudo (Sudo for Windows) to registry by @​jdx in #​9281

Bug Fixes

• (cli) suppress error output after interactive cancel by @​jdx in #​9294
• (backend) stop fuzzy requests installing literal dirs by @​jdx in #​9276
• (conda) avoid temp file collisions during parallel package downloads by @​jdx in #​9293
• (github) scope auth headers to API URLs by @​jdx in #​9271
• (cli) retrieve token from github helper for self-update command by @​jdx in #​9259
• (vfox) use github token for lua http requests by @​jdx in #​9257

Registry

• add flux-operator & flux-operator-mcp by @​tiyee in #​8852
• add kiro-cli by @​jdx in #​9274
• add llama.cpp (github:ggml-org/llama.cpp) by @​jdx in #​9282

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.4.18: : Deps management, aube support, and vfox plugin dependencies

Compare Source

A feature-packed release that renames mise prepare to mise deps with new package management subcommands, adds aube as an npm backend package manager, enables vfox plugins to declare their own dependencies, and ships several important fixes for version resolution, lockfile concurrency, and GitHub Enterprise attestation verification.

Highlights

• mise prepare renamed to mise deps with add/remove subcommands -- The experimental dependency management command is now mise deps, with new mise deps add npm:react and mise deps remove npm:lodash subcommands for managing individual packages. All config keys, settings, state files, and CLI flags have been updated accordingly ([prepare] to [deps], --no-prepare to --no-deps).
• Aube package manager support for npm backend -- npm.package_manager now defaults to "auto", which prefers the aube package manager when available and falls back to npm. Explicit npm.package_manager = "aube" is also supported.
• vfox plugins can declare dependencies -- Plugin authors can now specify PLUGIN.depends = {"node", "python"} in metadata.lua, so mise resolves installation order automatically without users needing depends = [...] in their config.
• Stale versions host cache bypassed for package-registry backends -- npm, pipx, cargo, gem, go, and http/s3 backends with version_list_url now query their upstream sources directly, fixing the issue where tools like Flutter showed outdated versions.

Added

• mise deps command with add/remove subcommands -- The experimental mise prepare command has been renamed to mise deps. New mise deps add and mise deps remove subcommands let you manage individual packages using ecosystem:package syntax. Currently supports npm, yarn, pnpm, and bun ecosystems. Bare mise deps defaults to mise deps install (the previous mise prepare behavior). #​9056 by @​jdx

  mise deps add npm:react           # add a dependency
  mise deps add -D npm:vitest       # add as dev dependency
  mise deps remove npm:lodash       # remove a dependency
  mise deps                         # install all project dependencies

  # Configuration uses [deps] instead of [prepare]
  [deps.npm]
  auto = true

• --before flag for mise latest -- One-off latest-version lookups can now be constrained by release date. Supports absolute dates (2024-06-01) and relative durations (90d, 1y). Overrides per-tool install_before options and the global install_before setting. #​9168 by @​risu729

  mise latest node --before 2024-01-01
  mise latest node --before 90d

• Aube package manager support for npm backend -- The npm backend now supports aube as an alternative package manager. The new default npm.package_manager = "auto" prefers aube when it is available in the active toolset and falls back to npm otherwise. #​9256 by @​jdx

• filter_bins option for SPM backend -- Restrict which executable products are built and linked from a Swift package. Filtering happens before swift build, so unwanted products are never compiled. #​9253 by @​jdx

  [tools]
  "spm:swiftlang/swiftly" = { version = "latest", filter_bins = ["swiftly"] }

• vfox plugin-declared dependencies via metadata.lua -- Plugin authors can now declare tool dependencies directly in their plugin's metadata.lua. User-specified depends in mise.toml remains additive. #​9051 by @​ahemon

  -- metadata.lua
  PLUGIN = {}
  PLUGIN.name = "my-tool"
  PLUGIN.version = "1.0.0"
  PLUGIN.depends = {"node", "python"}

• Registry: bitwarden-secrets-manager -- Now available via the aqua backend (aqua:bitwarden/sdk-sm), replacing the legacy asdf plugin for better checksum/SLSA verification. #​9255 by @​msuzoagu

Fixed

• Stale version listings for package-registry backends -- Backends with canonical upstream sources (npm, pipx, cargo, gem, go, and http/s3 with version_list_url) now skip the mise-versions.jdx.dev cache and query upstream directly. This fixes the issue where tools like Flutter showed outdated versions until users set MISE_USE_VERSIONS_HOST=0. #​9245 by @​jdx

• Concurrent lockfile save race condition -- Fixed ENOENT errors when multiple mise processes updated the same lockfile simultaneously (commonly seen with parallel tool installs in CI via hk). Each save now uses a uniquely named temp file instead of a fixed mise.lock.tmp path. #​9250 by @​jdx

• GitHub Enterprise attestation verification -- Artifact attestation verification now routes to the configured api_url instead of always hitting api.github.com, fixing 401 Unauthorized errors for GHES users. #​9254 by @​jdx

• Noisy third-party debug/trace logs suppressed -- Debug and trace logs from dependency crates (h2, hyper, reqwest, rustls, etc.) are now filtered out of -v/-vv output. Set MISE_LOG_VERBOSE_DEPS=1 to restore them. #​9248 by @​jdx

• Animated progress UI disabled in CI -- CI environments no longer show animated progress frames even when stderr is allocated as a TTY, preventing thousands of duplicate log lines. #​9249 by @​jdx

• mise use respects --quiet and --silent -- The "tools:", "removed:", and "would update" messages are now suppressed when --quiet or --silent is passed. #​9251 by @​jdx

• --locked works for vfox backend plugins -- Custom Lua backend plugins that cannot provide download URLs no longer fail with "No lockfile URL found" when using mise install --locked. #​9252 by @​jdx

New Contributors

• @​ahemon made their first contribution in #​9051
• @​msuzoagu made their first contribution in #​9255

Full Changelog: jdx/mise@v2026.4.17...v2026.4.18

v2026.4.17: : install_before fixes, lockfile repair, and new registry tools

Compare Source

A fix-heavy release that addresses several install_before edge cases across npm, pipx, and backend latest lookups, repairs lockfile generation for aqua tools with custom version prefixes, and adds six new tools to the registry.

Highlights

• install_before now works consistently across backends -- The date-based version cutoff is now respected in direct latest lookups, npm no longer drifts by a day due to double timestamp sampling, and pipx/uv installs forward the cutoff via --exclude-newer / --uploaded-prior-to.
• Lockfile fix for aqua tools with version prefixes -- mise lock now correctly propagates version_prefix (e.g. jq-) to GitHub release lookups, fixing empty platform URLs that broke --locked mode.
• Deprecation warnings for legacy config keys and mise b -- env_file, dotenv, env_path, and the mise b shorthand now emit deprecation warnings with removal scheduled for 2027.4.0.

Fixed

• install_before respected in backend latest lookups -- Direct calls like mise latest npm:prettier now apply the effective install_before cutoff, not just install/upgrade flows. #​9193 by @​risu729

• tool@latest routes through stable lookup -- An explicit @latest suffix now follows the same backend-specific fast path as an unqualified tool name, so both forms return the same version. #​9228 by @​risu729

• npm install_before day drift -- Fixed an off-by-one where install_before = "3d" could compute --min-release-age=4 due to a second Timestamp::now() call drifting past the day boundary. A stable per-process timestamp and a 60-second tolerance window eliminate the issue. #​9157 by @​risu729

• install_before forwarded to pipx and uv installs -- pipx: tools now pass --exclude-newer to uv and --uploaded-prior-to (via --pip-args) to pipx, so Python package installs respect the date cutoff. #​9190 by @​risu729

• Warning for old bun/pnpm with install_before -- When install_before is active and the detected bun or pnpm version is below the minimum that supports release-age flags, mise now warns instead of silently ignoring the cutoff. #​9232 by @​risu729

• Lockfile version prefix propagation -- mise lock now uses version_prefix when looking up GitHub releases for aqua tools, fixing empty platform URLs that caused --locked installs to fail. #​9242 by @​effati

• shfmt available on Windows -- The shfmt registry entry no longer restricts to Linux/macOS, so mise use shfmt works on Windows via the aqua backend. #​9191 by @​zeitlinger

• GitLab expired OAuth2 token warning -- When mise reads a GitLab token from glab's config and the OAuth2 expiry has passed, it now warns the user to refresh (e.g. glab api user) instead of failing silently. #​9195 by @​stanhu

• GitHub auth skipped on release asset downloads -- Token lookup is now skipped for GitHub release asset CDN hosts (objects.githubusercontent.com, etc.), avoiding unnecessary authentication failures on public downloads. #​9060 by @​risu729

• Empty enable_tools disables all tools -- An explicitly empty enable_tools list now means "disable all tools" rather than "no filter", matching user expectations as an allowlist. #​9108 by @​risu729

• Deprecation warnings for legacy env keys -- env_file, dotenv, and env_path now warn when used, directing users to env._.file and env._.path. Removal is scheduled for 2027.4.0. #​9205 by @​risu729

• mise b shorthand deprecated -- The mise b alias for mise backends now emits a deprecation warning with removal scheduled for 2027.4.0. #​9234 by @​risu729

Added

• Registry: sheldon -- sheldon is a fast, configurable shell plugin manager. #​9104 by @​3w36zj6
• Registry: pocketbase -- pocketbase is an open-source backend in a single file. #​9123 by @​ranfdev
• Registry: worktrunk -- worktrunk provides a CLI for git worktree management, designed for running AI agents in parallel. #​8796 by @​edouardr
• Registry: dependency-check -- dependency-check detects publicly disclosed vulnerabilities in application dependencies. #​9204 by @​kapitoshka438
• Registry: janet -- janet is a lightweight, expressive programming language. #​9241 by @​ranfdev
• Registry: aube -- #​9244 by @​jdx

New Contributors

• @​ranfdev made their first contribution in #​9123
• @​stanhu made their first contribution in #​9195
• @​effati made their first contribution in #​9242
• @​jjt made their first contribution in #​9233
• @​marianwolf made their first contribution in #​9208
• @​edouardr made their first contribution in #​8796

Full Changelog: jdx/mise@v2026.4.16...v2026.4.17

v2026.4.16: : Tera templates in inline tasks, raw_args passthrough, and runtime symlink paths

Compare Source

A feature-rich release with two new task runner capabilities, an important fix for how mise exposes tool paths in the environment, and a batch of task system improvements.

Inline table run tasks (run = [{ task = "...", args = [...] }]) now support Tera templates, so you can pass parsed usage arguments into sub-task calls. A new raw_args option lets proxy tasks forward all flags -- including --help -- directly to the underlying command without mise intercepting them. On the tooling side, fuzzy version requests like python = "3.14" now put the stable runtime symlink on PATH instead of the resolved patch directory, so virtualenvs and other tools that cache interpreter paths survive patch upgrades.

Highlights

• Tera templates in inline run tasks -- args and env in table-style run entries can now use {{usage.*}} variables, connecting usage-parsed arguments to sub-task invocations.
• raw_args for proxy tasks -- Tasks that wrap tools with their own CLI (Django manage.py, Next.js, argparse scripts) can set raw_args = true so mise never intercepts --help or rewrites flags.
• Runtime symlink paths for fuzzy versions -- PATH entries now use the requested-version symlink (e.g. .../installs/python/3.14/bin) rather than the concrete patch directory, so downstream tools that cache paths are not broken by patch upgrades.
• TOML task metadata merges into file tasks -- A [tasks.my-script] block in mise.toml now overlays env, description, dir, and other metadata onto a same-named file task instead of being silently dropped.

Added

• Tera template support for inline table run tasks -- args and env values in run = [{ task = "greet", args = ["{{usage.name}}"] }] are now rendered through the Tera engine, allowing usage-parsed arguments and environment variables to flow into sub-task calls. #​9079 by @​iamkroot

• raw_args task option -- Set raw_args = true on a task definition (TOML or file header) to skip mise's argument parsing entirely. All arguments, including --help and -h, are forwarded verbatim to the underlying command. Additionally, mise run task -- --help now bypasses the usage parser even without raw_args, restoring the documented escape hatch. #​9118 by @​jdx

  [tasks.manage]
  raw_args = true
  run = 'python manage.py'

  mise run manage --help            # forwarded to manage.py
  mise run manage migrate --fake    # all flags reach manage.py unchanged

• .perl-version support for perl -- The perl registry entry now recognizes .perl-version files for both auto-detection and idiomatic version file reading (when idiomatic_version_file_enable_tools includes "perl"), m

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.