chore(deps): update dependency jdx/mise to v2026.3.13

[renovate]

This PR contains the following updates:

Package	Update	Change
jdx/mise	patch	2026.3.9 → 2026.3.13

---

Release Notes

jdx/mise (jdx/mise)

v2026.3.13: : Better hook-env stability, --silent fix, and system install symlinks

Compare Source

A focused bugfix release that significantly improves hook-env stability, fixes the --silent flag to actually suppress all mise output, and resolves broken symlinks when installing tools to system/shared directories.

Fixed

• hook-env watch_files tracking and early-exit stability -- Environment plugins (MiseEnv modules) that return watch_files now properly trigger re-evaluation when those files change. Previously, modifying a watched file (e.g. a secrets config) wouldn't cause mise to pick up the new values until a config change or directory switch. This PR also fixes two related stability issues: projects without a mise.lock file could fail to stabilize because the nonexistent lockfile was unconditionally added to the watch set, and directory mtime changes could cause repeated slow-path fallbacks. #​8716 by @​rpendleton

• --silent flag now fully suppresses mise output -- The global --silent flag was not being written to Settings, so mise --silent run foo would suppress task stdout/stderr but still show mise's own info/warn messages. Now --silent properly sets quiet=true in settings, making it a true superset of --quiet: it suppresses both mise messages and task output. #​8720 by @​nkakouros

• mise install --system now creates runtime symlinks correctly -- When installing tools to system/shared directories with --system, the latest and partial-version symlinks (e.g. 18 -> 18.19.0) were only being created in the user install directory, leaving the system directory without proper symlinks. Symlinks are now rebuilt per install directory based on the versions actually present there, with graceful handling of permission errors in shared/system locations. #​8722 by @​jdx

Added

• Registry: acli (Atlassian CLI) -- Added acli to the registry for interacting with Atlassian Cloud services (Jira, Confluence, Bitbucket) from the terminal. Install with mise install acli. #​8721 by @​ggoggam

New Contributors

• @​rpendleton made their first contribution in #​8716
• @​ggoggam made their first contribution in #​8721

Full Changelog: jdx/mise@v2026.3.12...v2026.3.13

v2026.3.12: : Supply chain protection for lockfile upgrades

Compare Source

A small but important release that adds supply chain protection for lockfile upgrades and fixes zsh completions broken by the usage v3.1.0 update. This release also includes the binary assets that were missing from v2026.3.11 due to the completions issue.

Security

• Block GitHub tool upgrades when provenance is lost -- When upgrading a github: backend tool, mise now checks whether the prior locked version had provenance verification (e.g., GitHub Attestations). If the new version lacks provenance that the old version had, the upgrade is blocked with an error indicating a potential supply chain attack. The old provenance-verified lockfile entry is preserved, and the error includes both versions for easy investigation. This check applies to mise lock, mise install, and mise use. #​8706 by @​jdx

  Example error:

  github:example/tool@2.0.0 has no provenance verification on linux-x64,
  but github:example/tool@1.5.0 had github-attestations. This could indicate
  a supply chain attack. Verify the release is authentic before proceeding.
  

Fixed

• Zsh completions updated for usage v3.1.0 -- The prerendered zsh completion script has been regenerated to match the new output format from usage v3.1.0, which switched from _arguments to _describe and changed quoting behavior. This also fixes the binary build failure that prevented v2026.3.11 from publishing release assets. #​8715 by @​jdx

Full Changelog: jdx/mise@v2026.3.11...v2026.3.12

v2026.3.11

Compare Source

Note: This release has no binary assets due to a CI failure caused by a breaking change in usage v3.1.0. The fix is in #​8715. All changes below are included in the next release.

This release adds --skip-tools for faster task execution, GitHub token auto-detection from gh CLI, optional args/env fields in task run entries, and fixes across lockfiles, shims, tasks, and environment handling.

Highlights

• mise run --skip-tools -- Skip tool installation when running tasks, useful when you know tools are already installed and want faster execution. #​8699 by @​jdx
• GitHub token auto-detection from gh CLI -- mise now reads GitHub tokens from gh's hosts.yml config, so authenticated GitHub API requests work automatically if you're logged in with gh auth login. #​8692 by @​jdx
• Optional args and env in task run entries -- Task run entries now support optional args and env fields for more flexible task configuration. #​8687 by @​jdx

Added

• mise run --skip-tools -- Skip tool installation when running tasks. #​8699 by @​jdx
• GitHub token from gh CLI -- Automatically read tokens from gh CLI's hosts.yml config. #​8692 by @​jdx
• Task run entries support args and env -- Optional fields for more flexible task definitions. #​8687 by @​jdx
• vfox: try_get, try_head, try_download_file -- Non-failing HTTP methods for Lua plugins. #​8697 by @​jdx
• New registry tools:
  • rtk -- #​8683 by @​bricelalu

Fixed

• Node: expand tilde in default_packages_file path -- ~/.default-node-packages now resolves correctly. #​8709 by @​jdx
• Lockfile: skip global config lockfile by default -- Global config no longer generates a lockfile unless explicitly configured. #​8707 by @​jdx
• Lockfile: respect existing platforms when running mise lock -- Existing platform entries in lockfiles are preserved instead of being overwritten. #​8708 by @​jdx
• GitHub: rename correct binary when archive contains multiple executables -- Archives with multiple binaries no longer rename the wrong one. #​8700 by @​jdx
• Task: include idiomatic version files in monorepo task toolset -- .node-version, .python-version, etc. are now picked up in monorepo task directories. #​8702 by @​jdx
• Task: strip inline args when validating run.tasks references -- Task references with inline args (e.g. "build --release") no longer fail validation. #​8701 by @​jdx
• Task: inherit task_config.dir for included TOML and file tasks -- Included tasks now correctly inherit the configured working directory. #​8689 by @​jdx
• Task: improve error message when task files are not executable -- Clearer error when a file task lacks execute permission. #​8705 by @​jdx
• Task: improve usage spec element support -- Better handling of usage spec elements in task definitions. #​8623 by @​nkakouros
• Install: skip redundant provenance verification when lockfile has integrity data -- Avoids duplicate verification work. #​8688 by @​jdx
• Install: skip GitHub API calls for aqua tools in --locked mode -- Locked installs no longer make unnecessary API calls. #​8679 by @​jdx
• Shim: detect shims by checking shims directory instead of binary name -- Fixes edge cases where shim detection failed. #​8694 by @​jdx
• Shell: error when no version specified instead of silent no-op -- mise shell node now shows an error instead of doing nothing. #​8693 by @​jdx
• Env: support multiple --env/-E flags -- Multiple environment overrides can now be specified. #​8686 by @​jdx
• Env: make module vars available in Tera template context -- Environment variables from env plugins are now accessible in Tera templates. #​8682 by @​victor-founder
• Config: recognize SSH and other non-HTTPS URLs in get_repo_url -- SSH-style git URLs are now handled correctly. #​8666 by @​modestman
• Implode: include system data dir in cleanup -- mise implode now removes system-level data directories. #​8696 by @​jdx
• Respect MISE_COLOR=0 for error output -- color_eyre error formatting now honors the color setting. #​8690 by @​jdx
• Windows: add usage tool registry support -- #​8713 by @​jdx

New Contributors

• @​victor-founder made their first contribution in #​8682
• @​modestman made their first contribution in #​8666
• @​bricelalu made their first contribution in #​8683

Full Changelog: jdx/mise@v2026.3.10...v2026.3.11

v2026.3.10: : Security fix for .tool-versions templates, Python checksum verification, and 15+ bug fixes

Compare Source

This release closes a security gap where .tool-versions files with Tera templates could execute arbitrary commands without a trust check, adds checksum verification for precompiled Python downloads, and ships over 15 bug fixes across tasks, lockfiles, the Rust plugin, bootstrap scripts, and more.

Highlights

• Security: trust check for .tool-versions Tera templates -- .tool-versions files were processed through Tera's render_str() with the exec() function available, allowing arbitrary command execution without any trust verification. A malicious .tool-versions in a cloned repo could silently execute code when a user with mise shell activation cd'd into the directory. Template syntax in .tool-versions now requires mise trust first; plain files continue to work without trust.
• Python checksum verification for precompiled binaries -- Precompiled Python downloads from astral-sh/python-build-standalone are now verified against lockfile checksums at install time, matching the behavior of other core plugins.
• Python freethreaded build exclusion -- Freethreaded Python builds (e.g. Python 3.14+) are now excluded from precompiled selection by default, fixing "missing lib directory" errors. Set python.precompiled_flavor explicitly if you want freethreaded builds.
• mise doctor PATH ordering check -- mise doctor now warns when non-mise directories appear before mise-managed tool paths in PATH, helping diagnose tool shadowing issues.

Security

• Require trust check for .tool-versions Tera templates -- When template syntax ({{, {%, {#) is detected in a .tool-versions file, mise now requires mise trust before processing it. Plain .tool-versions files without templates are unaffected. #​8675 by @​jdx

Added

• mise doctor detects PATH ordering issues -- When mise is activated (not shims-only), mise doctor now checks whether non-mise directories appear before mise-managed tool paths in PATH and lists the specific offending entries. #​8585 by @​jdx
• New registry tools:
  • viteplus (npm:vite-plus) -- #​8594 by @​risu729
  • ormolu (Haskell formatter) -- #​8617 by @​3w36zj6
  • pi.dev coding agent -- #​8635 by @​dector
  • qwen (npm:@​qwen-code/qwen-code) -- #​8667 by @​jianglu
  • hlint (Haskell linter) -- #​8670 by @​3w36zj6

Fixed

• Python: verify checksums for precompiled binary downloads -- Precompiled Python downloads are now checked against lockfile checksums between HTTP download and tarball extraction, preventing corrupted or tampered downloads from being silently accepted. #​8593 by @​malept
• Python: exclude freethreaded builds from precompiled selection -- Freethreaded Python builds (e.g. cpython-3.14.3-freethreaded) use lib/python3.14t/ instead of lib/python3.14/, causing installation failures. These are now filtered out by default unless python.precompiled_flavor is explicitly set to a freethreaded variant. #​8672 by @​jdx
• Config: resolve trust hash collision for same-name directories -- In paranoid mode, configs sharing the same parent directory leaf name (e.g. /projectA/infra/mise.toml and /projectB/infra/mise.toml) would map to a single hash file, silently breaking trust verification. The filename extension is now appended instead of replaced. Previously trusted configs may need a one-time mise trust after upgrading. #​8628 by @​tdragon
• Lockfile: resolve symlinks when updating -- If a lockfile is a symlink, mise now updates the target file instead of replacing the symlink with a regular file. #​8589 by @​chancez
• Rust: resolve relative CARGO_HOME/RUSTUP_HOME to absolute paths -- When CARGO_HOME or RUSTUP_HOME is set to a relative path (e.g. .cargo via [env]), the paths are now resolved to absolute before use, preventing broken PATH entries like undefined/bin after changing directories. #​8604 by @​simonepri
• Bootstrap: preserve argv[0] for shim dispatch -- mise generate bootstrap now emits exec -a "$0" instead of plain exec, preserving the original invocation name so that shim symlinks (e.g. claude -> mise) dispatch correctly. #​8521 by @​tak848
• Installer: normalize current version before comparison -- The standalone installer now strips the v prefix from MISE_CURRENT_VERSION before comparisons, so embedded checksums and the current-release CDN path are used correctly. #​8649 by @​tak848
• Tasks: global file tasks not properly marked as such -- #​8618 by @​roele
• Tasks: handle broken pipe in mise tasks ls -- Piping task output (e.g. mise tasks ls | head) no longer panics with EPIPE. #​8608 by @​vmaleze
• Tasks: correctly resolve _default files with extensions -- test/_default.sh is now correctly loaded as the test task instead of test:_default. #​8646 by @​youta1119
• Tasks: fix argument completion with flags in zsh -- Completing task arguments after flags (e.g. mise run build -- -c <TAB>) no longer produces errors. #​8601 by @​KevSlashNull
• Git: use "origin" as remote name -- Cloned registries now consistently use "origin" as the remote name, fixing fetch failures in some configurations. #​8626 by @​bentinata
• Shared tools: fix failing rebuild of runtime symlinks -- Installing tools with --system no longer fails when rebuilding runtime symlinks due to incorrect install path resolution. #​8647 by @​roele
• Flutter: fix version_expr Tera parser collision -- Added spaces around the current element operator in Flutter's version_expr to prevent Tera parser errors. #​8616 by @​roele

Changed

• Removed hidden --prefix and --interleave flags from mise run -- These flags were hidden in December 2024 when --output was introduced as their replacement. Their short forms (-p, -i) could silently consume flags intended for tasks. Use --output prefix or --output interleave instead. #​8669 by @​nkakouros

Breaking Changes

• .tool-versions with Tera templates now require trust -- If you have .tool-versions files using template syntax ({{, {%, {#), you will need to run mise trust in those directories. Plain .tool-versions files are unaffected. #​8675
• Trust hash files regenerated -- Due to the hash collision fix, previously trusted configs in paranoid mode may need a one-time mise trust after upgrading. #​8628
• --prefix/-p and --interleave/-i removed from mise run -- Use --output prefix or --output interleave instead (available since December 2024). #​8669

New Contributors

• @​nkakouros made their first contribution in #​8669
• @​jianglu made their first contribution in #​8667
• @​tak848 made their first contribution in #​8521
• @​bentinata made their first contribution in #​8626
• @​tdragon made their first contribution in #​8628
• @​nygmaaa made their first contribution in #​8642
• @​youta1119 made their first contribution in #​8646
• @​chancez made their first contribution in #​8589
• @​dector made their first contribution in #​8635

Full Changelog: jdx/mise@v2026.3.9...v2026.3.10

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.