Update dependency jdx/mise to v2026

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
jdx/mise	major	v2024.7.1 → v2026.3.8

---

Release Notes

jdx/mise (jdx/mise)

v2026.3.8: : Wrapper recursion fix and lockfile provenance correction

Compare Source

A small patch release that fixes infinite recursion in mise exec when wrapper scripts and shims coexist in PATH, and corrects lockfile provenance detection for aqua tools with opts-only cosign configurations.

Fixed

• mise exec no longer infinite-loops when wrapper scripts and shims are both in PATH -- In devcontainer setups (and similar environments), a wrapper script like .devcontainer/bin/gitleaks that calls mise x -- gitleaks would resolve back to itself instead of the real binary when the wrapper directory appeared before the shims directory in PATH. This caused infinite recursion until the environment exceeded ARG_MAX, producing confusing errors. The fix reorders the internal lookup PATH so that mise-managed tool bin directories are checked before system PATH entries, ensuring the real binary is always found first. The child process still inherits the full unmodified PATH. #​8560 by @​jdx

• Lockfile no longer records unverifiable cosign provenance for opts-only aqua tools -- Tools like yamlfmt, trufflehog, and tflint configure cosign in the aqua registry with only CLI opts (e.g. --certificate-identity) but no key or bundle config. mise lock was recording provenance = "cosign" for these tools, but mise install can only verify cosign natively via key-based or bundle-based flows, causing "Lockfile requires cosign provenance ... but no verification was used" errors on install. Now cosign provenance is only recorded when the tool has a key or bundle config that can actually be verified. #​8559 by @​jdx

Added

• turbo added to the registry -- Turborepo, the high-performance build system for JavaScript and TypeScript codebases, can now be installed via mise use turbo. #​8553 by @​igas
• workmux added to the registry -- workmux, a tool for git worktrees + tmux windows for zero-friction parallel development, can now be installed via mise use workmux. #​8555 by @​ifraixedes

New Contributors

• @​himkt made their first contribution in #​8558
• @​ifraixedes made their first contribution in #​8555
• @​igas made their first contribution in #​8553

Full Changelog: jdx/mise@v2026.3.7...v2026.3.8

v2026.3.7: : Cleaner conda PATH handling

Compare Source

A small patch release that fixes conda packages polluting PATH with dozens of transitive dependency binaries.

Fixed

• Conda backend no longer exposes transitive dependency binaries on PATH -- Installing a conda package such as conda:postgresql would previously add every binary from every transitive dependency to PATH. For example, conda:postgresql exposed 106 binaries including ncurses utilities (clear, reset, tput, tabs), openldap commands (ldapadd), and krb5 tools (kinit) -- all of which could shadow standard system commands. Now only binaries belonging to the main requested package are placed on PATH (e.g., psql, pg_dump, createdb, initdb, pg_ctl, postgres, etc.). Dependency binaries remain installed and available to packages that need them internally, but are no longer visible on PATH. No user configuration is needed -- this is automatic for all new conda installs, and existing installs gracefully fall back to the previous behavior. #​8543 by @​simonepri

New Contributors

• @​simonepri made their first contribution in #​8543

Full Changelog: jdx/mise@v2026.3.6...v2026.3.7

v2026.3.6: : Per-environment lockfiles, Windows fixes, and fork bomb prevention

Compare Source

This release redesigns environment-specific lockfiles for better CI isolation, fixes a critical fork bomb caused by shim recursion in go: backend tools, and addresses several Windows-specific issues including locked .exe shims and env._.source support.

Highlights

• Per-environment lockfiles replace the previous env tag system, so mise.test.toml now generates mise.test.lock instead of tagging entries in a shared mise.lock. This means CI caches are no longer invalidated by dev-only tool changes.
• Fork bomb prevention strips mise shims from dependency environment PATHs, fixing infinite process spawning when go: backend tools are configured alongside an uninstalled Go version in shims mode.
• Windows .exe shim handling gracefully renames locked shim executables instead of failing with "Access is denied" during reshim.

Changed

• Lockfiles are now per-environment -- Environment-specific configs now get their own lockfiles (mise.test.toml -> mise.test.lock, mise.local.toml -> mise.local.lock) instead of using env = ["test"] tags in a single mise.lock. This improves CI cache isolation -- environments that don't set MISE_ENV only depend on mise.lock, so dev tool version bumps won't invalidate CI caches. Old lockfiles with env fields are silently accepted and migrated on the next mise lock. #​8523 by @​jdx

  Config file	Lockfile
  mise.toml	mise.lock
  mise.test.toml	mise.test.lock
  mise.local.toml	mise.local.lock

• touch_outputs removed from prepare providers -- The touch_outputs configuration option has been removed from prepare providers. Freshness checking now uses blake3 content hashing exclusively, so touching output modification times is no longer necessary. #​8535 by @​jdx

Fixed

• Fork bomb when using go: backend tools in shims mode -- When a go: backend tool (e.g., go:github.com/pulumi/upgrade-provider) was configured alongside a Go version that wasn't installed, and the version cache was cleared, mise could enter infinite shim recursion -- the Go shim would call mise exec, which would resolve the go: backend, which would call go list via the shim, and so on. The fix strips mise's shims directory from the PATH in dependency_env, ensuring dependency tools either resolve to a real installed binary or fail cleanly. This applies to all backends that use dependency environments (go, npm, gem, dotnet, spm, elixir). #​8475 by @​pose

• Locked .exe shims on Windows during reshim -- mise reshim would fail with "Access is denied" on Windows when .exe shims were locked by running processes. The fix removes shims individually (instead of wiping the entire directory) and uses a rename-to-.old fallback for locked files, which Windows allows even when the file is in use. The .old files are cleaned up on the next reshim. #​8517 by @​davireis

• env._.source now works on Windows -- env._.source would fail on Windows because it searched for bash without the .exe extension. The Windows API executable search now correctly looks for bash.exe. #​8520 by @​pjeby

• GitHub @latest version resolution -- The github: backend would fail with a 404 when using @latest because it constructed /releases/tags/latest instead of using GitHub's /releases/latest API endpoint. This was a regression introduced in v2026.3.5. #​8532 by @​jdx

• Fish shell shim PATH ordering on re-source -- When config.fish is re-sourced (e.g., in VS Code integrated terminals), mise activate fish --shims now correctly moves shims to the front of PATH using fish_add_path --global --move, instead of silently skipping them because they were already present. Other shells are unaffected. #​8534 by @​jdx

• Task output prefix disambiguation -- When running the same task multiple times with different arguments (e.g., mise run greet alice ::: greet bob), output prefixes now include the arguments to distinguish runs ([greet alice] vs [greet bob]). Arguments are only included when disambiguation is needed; single-instance tasks keep clean prefixes. Long prefixes are truncated to 40 characters. #​8533, #​8536 by @​jdx

• Non-MRI Ruby on Windows -- Requesting non-MRI Ruby engines (jruby, truffleruby, etc.) on Windows now fails early with a clear error message explaining that only standard MRI Ruby is supported via RubyInstaller2, instead of producing a confusing 404 from an invalid download URL. #​8539 by @​jdx

Added

• Registry: tigerbeetle -- Added tigerbeetle (github:tigerbeetle/tigerbeetle) to the tool registry. #​8514 by @​risu729

Breaking Changes

• Per-environment lockfiles: If you were relying on env tags within mise.lock for environment-specific version pinning, running mise lock will migrate to the new format automatically, creating separate mise.<env>.lock files. Make sure to commit the new lockfiles and update your .gitignore if needed for mise.<env>.local.lock files.
• touch_outputs removed: If you were using touch_outputs in prepare provider configuration, that field is no longer recognized. Freshness is now determined entirely by blake3 hashing of source files.

New Contributors

• @​pjeby made their first contribution in #​8520
• @​davireis made their first contribution in #​8517
• @​Aurorxa made their first contribution in #​8511

Full Changelog: jdx/mise@v2026.3.5...v2026.3.6

v2026.3.5: : Provenance tracking in lockfiles and task deduplication fix

Compare Source

This release adds supply-chain security improvements by recording provenance verification results in lockfiles, exposes libc variant detection to vfox plugins, and fixes several bugs including duplicate task execution, offline mode hangs, and Windows binary identification.

Highlights

• Provenance tracking in lockfiles prevents downgrade attacks by recording which verification mechanism was used for each tool, and refusing to install if that mechanism is later disabled.
• Task delegation deduplication fixes a bug where shared dependency tasks could run multiple times when using run = [{ task }].
• Offline mode fix prevents mise env, hook-env, activate, and exec from hanging when resolving "latest" versions behind private registries.

Added

• Provenance verification results stored in lockfiles -- mise lock now records which provenance mechanism (SLSA, GitHub attestations, cosign, or minisign) was used to verify each tool per platform. On subsequent installs, mise refuses to proceed if the recorded verification mechanism is disabled or unavailable, protecting against downgrade/stripping attacks. The lockfile format also changes from inline tables to dotted-key subtables for platform entries, improving readability. Existing lockfiles remain backwards-compatible and will be updated on the next mise lock. #​8495 by @​jdx

• RUNTIME.envType for vfox plugins -- Vfox Lua plugins can now check RUNTIME.envType to determine the libc variant at runtime ("gnu" for glibc, "musl" for musl Linux, nil on non-Linux). This lets plugins select the correct binary variant for the host system. #​8493 by @​malept

  if RUNTIME.envType == "musl" then
      -- download musl-compatible binary
  elseif RUNTIME.envType == "gnu" then
      -- download glibc-compatible binary
  end

• Registry: portless -- Added portless (npm:portless) to the tool registry. #​8508 by @​risu729

Fixed

• Shared dependency tasks no longer run multiple times with task delegation -- When a task uses run = [{ task }] to delegate, the sub-graph now inherits knowledge of tasks already completed in the parent graph, preventing shared dependencies from executing more than once. #​8497 by @​vadimpiven

• "latest" version no longer triggers network calls in prefer-offline mode -- mise env, hook-env, activate, and exec with prefer_offline enabled would still make a remote call to resolve "latest" versions (e.g., npm:pkg = "latest"). If the registry held the connection open waiting for credentials, mise would hang indefinitely. This is now skipped, matching the existing offline guard for fully-qualified versions. #​8500 by @​jdx

• Windows: mise binary correctly identified without .exe extension -- On Windows, argv[0] can resolve to mise (without .exe), mise.bat, or mise.cmd, all of which were incorrectly treated as shims. This caused mise --help and mise --version to silently fail in some environments (e.g., conda-forge CI). A unified is_mise_binary() helper now handles all these variants. #​8503 by @​jdx, with credit to @​salim-b for identifying the issue in #​8496

Full Changelog: jdx/mise@v2026.3.4...v2026.3.5

v2026.3.4: : Runtime musl detection, interactive tasks, and platform install fixes

Compare Source

A feature-rich release that adds runtime musl/glibc detection for correct binary selection on Linux, a new interactive task field for exclusive terminal access, and several important fixes for platform-specific tool installation, the standalone installer, and Ruby precompiled binary discovery.

Highlights

• Runtime musl/glibc detection ensures mise downloads the right binary variant regardless of how mise itself was compiled, with lockfile support for both libc variants.
• interactive task field provides a targeted way to give a task exclusive terminal access without forcing all tasks to run sequentially.
• Platform install fixes correct multiple issues where registry-defined platform options were ignored or mangled, affecting tools like flyway and http-backend tools with platform-specific URLs.
• Installer safety guard prevents accidental data loss when MISE_INSTALL_PATH points to an existing directory.

Added

• interactive field for tasks -- Mark a task with interactive = true to give it exclusive terminal access (stdin/stdout/stderr) while other non-interactive tasks continue running in parallel. This is a more targeted alternative to raw = true, which forces jobs=1 globally -- interactive only blocks concurrent tasks while the interactive task is actively running. #​8491 by @​jdx

  [tasks.deploy]
  run = "deploy.sh"
  interactive = true  # gets exclusive stdin/stdout/stderr access

• Runtime musl/glibc detection for correct libc variant selection -- mise now detects musl libc at runtime (by checking for /lib/ld-musl-*) instead of using compile-time configuration. This means a musl-built mise running on a glibc system (or vice versa) will correctly select the right binary variant. Lockfiles now include separate entries for linux-x64-musl and linux-arm64-musl platforms. Existing lockfiles without musl entries continue to work and will be updated on the next mise lock. #​8490 by @​jdx

• Header comment in generated lockfiles -- mise.lock files now include a @generated header comment, making it clear the file is auto-generated and should not be edited manually. #​8481 by @​ivy

  # @​generated - this file is auto-generated by `mise lock` https://mise.jdx.dev/dev-tools/mise-lock.html
  
  [[tools.node]]
  version = "22.14.0"
  ...

• Preserve .exe extensions on Windows -- The github, gitlab, forgejo, and http backends now automatically keep executable extensions (.exe, .bat, .cmd) when using bin or rename_exe options on Windows, fixing tools like yt-dlp that were broken by extension stripping. #​8424 by @​iki

Fixed

• Registry platform options now applied during install -- Platform-specific options like asset_pattern defined in the tool registry were silently ignored during installation because nested TOML structures were flattened to strings. This caused tools like flyway to select the wrong asset (e.g., alpine instead of linux-x64). #​8492 by @​jdx

• Tool opts stored as native TOML to fix platform switching -- Switching an http: tool from a single URL to platform-specific URLs ([tools."http:X".platforms]) could fail because cached options in .mise-installs.toml were mangled during round-tripping. Options are now stored as proper TOML fields with automatic migration of old manifests. #​8448 by @​jdx

• Installer errors if MISE_INSTALL_PATH is a directory -- Setting MISE_INSTALL_PATH to an existing directory (e.g., ~/tmp instead of ~/tmp/mise) caused the installer to rm -rf that directory, potentially deleting important files. The installer now detects this and exits with a clear error message suggesting a file path. #​8468 by @​jdx

• Prepare sources/outputs resolve relative to dir -- When a prepare provider sets dir, relative source and output paths now correctly resolve against project_root/dir instead of just project_root. This fixes freshness tracking in monorepo setups where prepare providers target subdirectories. #​8472 by @​jdx

• Ruby precompiled binary lookup for older versions -- Precompiled Ruby discovery used paginated release listing (first page only), so versions beyond the first 30 releases (like Ruby 3.2.2) silently fell back to compiling from source. The lookup now fetches the specific release by tag directly. #​8488 by @​jdx

• JSON schema supports structured objects in task depends -- The JSON schema for depends, depends_post, and wait_for now correctly accepts the structured { task, args?, env? } object syntax that the runtime already supported, fixing IDE validation errors. #​8463 by @​risu729

• Broken pipe no longer panics in task output -- Task output macros used println!/eprintln! which panic on broken pipes (e.g., when piping mise output to head). Replaced with calm_io equivalents that gracefully handle closed stdout/stderr. #​8485 by @​vmaleze

• Scoped npm package names no longer panic -- Using @scope/pkg (e.g., @anthropic-ai/claude-code) without the npm: backend prefix caused an internal panic. The parser now correctly treats the leading @ as part of the package name and provides a proper error message. #​8477 by @​jdx

New Contributors

• @​ivy made their first contribution in #​8481
• @​iki made their first contribution in #​8424

Full Changelog: jdx/mise@v2026.3.3...v2026.3.4

v2026.3.3: : Standalone installer zstd fix

Compare Source

A single-fix patch release that corrects the standalone installer's zstd archive selection logic on systems where the zstd binary is not installed.

Fixed

• Standalone installer no longer selects zstd archives when zstd is not installed -- The tar_supports_zstd() function returned true for GNU tar >= 1.31 regardless of whether the zstd binary was actually present on the system. Since GNU tar shells out to zstd rather than linking against it, this caused extraction to fail. The fix checks for the zstd binary upfront before evaluating the tar version. A separate fallback branch in get_ext() that could also select a .tar.zst archive without verifying zstd availability has been removed. #​8460 by @​octo

New Contributors

• @​octo made their first contribution in #​8460

Full Changelog: jdx/mise@v2026.3.2...v2026.3.3

v2026.3.2: : Local-scoped upgrades, config-based quiet/silent, and redaction fixes

Compare Source

A small release that adds a --local flag for scoping outdated and upgrade to project-local tools, fixes several bugs around env var redaction, Tera template rendering in prepare, and task output configuration, and corrects a regression in the standalone installer.

Added

• --local flag for outdated and upgrade commands -- You can now run mise upgrade --local or mise outdated --local to restrict operations to tools defined in project-local config files (e.g., mise.toml), skipping anything from the global config (~/.config/mise/config.toml). This is useful when you have separate workflows for managing global vs. project-local tool versions. #​8451 by @​malept

  # Only upgrade tools defined in the local mise.toml
  mise upgrade --local
  
  # Only show outdated tools from the local config
  mise outdated --local

• tinygo added to the registry -- TinyGo is now available via mise use tinygo, using the aqua backend. #​8446 by @​artemklevtsov

Fixed

• task.output config setting now works for quiet/silent modes -- Setting task.output = "quiet" or task.output = "silent" in mise.toml was not suppressing mise's own output during task runs. Only the MISE_TASK_OUTPUT environment variable worked. Both approaches now behave identically. #​8445 by @​my1e5

• Redactions applied correctly when tools = true and redact = true are combined -- Environment variables with both tools = true and redact = true were not being redacted in task output because the tools-only code path collected redactions but never registered them with the global redactor. Secret values now correctly appear as [redacted]. #​8449 by @​jdx

• Tera templates rendered in [prepare.*.env] values -- Tera template expressions like "{{env.MY_VAR}}" in prepare provider env blocks were being passed as literal strings instead of being rendered. They are now evaluated with the full toolset environment available in the template context. #​8450 by @​jdx

• Standalone installer tar zstd version check regex fixed (again) -- A follow-up fix to the regex repair in v2026.3.1: a missing escape on the opening parenthesis caused grep: Unmatched ) or \) errors. The regex is now fully correct. #​8453 by @​chadlwilson

Full Changelog: jdx/mise@v2026.3.1...v2026.3.2

v2026.3.1: : Bug fixes for tasks, Swift, Julia, and installer

Compare Source

A small bug-fix release that corrects task scheduling behavior for depends_post, fixes Julia version resolution, resolves Swift installation failures on some macOS environments, and repairs the standalone installer's tar version detection.

Fixed

• depends_post tasks no longer run when a pre-dependency fails -- Previously, if a task in depends failed before the main task started, depends_post cleanup tasks would still execute. This happened because the scheduler checked whether the parent task was scheduled rather than whether it actually executed. Now depends_post tasks are correctly skipped when the main task never ran due to a pre-dependency failure. They still run as expected when the main task itself fails. #​8426 by @​jdx

• Julia version listing no longer crashes with MISE_USE_VERSIONS_HOST=0 -- The Julia registry entry's version_expr used a filter() predicate with a bare # variable, which the expr-lang evaluator treated as an undefined variable. Wrapping the predicate in {...} closure braces fixes the syntax so mise ls-remote julia works correctly when fetching versions directly from the upstream JSON endpoint. #​8420 by @​jdx

• Swift install fallback to system pkgutil on macOS -- On some macOS environments, pkgutil is not found on the PATH during Swift installation. The Swift backend now falls back to /usr/sbin/pkgutil (the standard system location) when which pkgutil fails. #​8435 by @​mackwic

• Standalone installer tar zstd version check fixed -- The regex used to detect whether the system tar supports zstd was broken -- unescaped parentheses and pipes caused grep to match nothing. The regex is now properly escaped so tar version 1.31+ is correctly detected, enabling zstd-compressed archive downloads. #​8430 by @​autarch

New Contributors

• @​autarch made their first contribution in #​8430
• @​mackwic made their first contribution in #​8435

Full Changelog: jdx/mise@v2026.3.0...v2026.3.1

v2026.3.0: : Smarter prepare, task-backed hooks, and per-task vars

Compare Source

This release brings a major upgrade to mise prepare with content-hash freshness, dependency ordering, and better diagnostics. Hooks and watch files can now delegate to full mise tasks, and task vars gain monorepo inheritance and per-task overrides. Several lockfile and idiomatic version file parsing bugs are also fixed.

Highlights

• mise prepare overhaul -- Freshness detection switches from mtime to blake3 content hashing (reliable across CI and clock skew), providers can declare dependencies on each other, a new --explain flag shows detailed diagnostics, and per-provider timeouts are now supported.
• Task-backed hooks -- Hooks and watch_files can now reference mise tasks instead of inline scripts, gaining access to the full task system (deps, env, templating).
• Per-task vars and monorepo vars inheritance -- Tasks can define their own vars that override config-level vars, and monorepo subdirectory vars are now properly inherited when running tasks from the root.

Added

• Task references in hooks and watch_files -- Hooks can now use { task = "name" } syntax to run a mise task instead of an inline script. Mixed arrays of scripts and task references are supported. Task refs respect MISE_NO_HOOKS=1 and the full task system (deps, env, etc.). #​8400 by @​jdx

  [hooks]
  enter = { task = "setup" }
  
  [[watch_files]]
  patterns = ["uv.lock"]
  task = "uv-deps"

• Per-task vars and monorepo vars inheritance -- Tasks can now define task-local vars that override config-level vars for that task. Monorepo subdirectory vars are also properly inherited when running tasks from the project root, matching how env already works. #​8248 by @​halms

  [vars]
  greeting = "hello"
  
  [tasks.test]
  run = 'echo {{vars.greeting}}'
  vars = { greeting = "hi" }   # overrides config-level var

• Built-in git-submodule prepare provider -- A new built-in provider detects .gitmodules and runs git submodule update --init --recursive when submodule directories are stale. No configuration needed -- it activates automatically when .gitmodules exists. #​8407 by @​jdx

• Blake3 content-hash freshness for prepare -- mise prepare now uses blake3 content hashing instead of mtime comparison to determine whether providers need to run. Hashes are persisted to .mise/prepare-state.toml. This is more reliable across CI, VCS operations, and clock skew scenarios. #​8404 by @​jdx

• Human-readable stale reasons in prepare output -- Dry-run and status bar messages now explain why a provider would run, e.g. [dry-run] Would prepare: npm (node_modules does not exist) or prepare: codegen (schema.graphql changed) -- run 'mise prep'. #​8408 by @​jdx

• mise prepare --explain <provider> diagnostics -- A new --explain flag shows detailed information about a specific provider: sources, outputs, auto status, command, and a fresh/stale verdict with reasons. Exits 0 if fresh, 1 if stale, useful for scripting. #​8409 by @​jdx

• Per-provider timeout support for prepare -- Providers can now set a timeout in seconds. If the command exceeds the timeout it is killed. #​8405 by @​jdx

  [prepare.npm]
  timeout = 120  # kill after 2 minutes

• Dependency ordering for prepare providers -- Providers can declare depends = ["other-provider"] to enforce execution ordering. Independent providers still run in parallel. Cycle detection, failure propagation, and unknown-dep warnings are all handled. #​8401 by @​jdx

  [prepare.ansible-galaxy]
  depends = ["uv"]
  run = "ansible-galaxy install -f requirements.yml"
  sources = ["requirements.yml"]
  outputs = [".galaxy-installed"]

Fixed

• Idiomatic version files now ignore comments -- Files like .python-version, .node-version, .ruby-version, and .java-version now correctly strip # comments (both full-line and inline) and blank lines, preventing mise from treating comment text as version specifiers. #​7682 by @​iloveitaly

• Generic parser used for idiomatic files -- Built-in idiomatic file parsers (e.g. for package.json and raw text files) are now used consistently, preventing unexpected behavior when plugins like vfox don't support certain file formats. #​8171 by @​risu729

• Aqua bin_paths disk cache restored with proper invalidation -- The aqua bin_paths.msgpack.z cache removed in v2026.2.24 has been restored with fresh_file invalidation keyed on the install directory. This recovers the 7-11% performance regression on mise env and mise hook-env while keeping cache correctness. #​8398 by @​jdx

• Lockfile no longer splits entries for precompiled settings -- mise lock with precompiled_flavor or similar settings configured no longer produces duplicate tool entries by splitting the host platform into a separate entry. #​8396 by @​jdx

• Python lockfile respects precompiled settings -- mise lock now correctly uses precompiled_arch, precompiled_os, and precompiled_flavor settings when generating Python lock file entries, and precompiled_flavor is properly honored during installs. #​8399 by @​jdx

• "v" prefix normalized in lockfile version matching -- --locked mode no longer fails when mise.toml specifies v1.2.3 but the lockfile stores 1.2.3 (or vice versa). #​8413 by @​jdx

• Vfox no longer eagerly loads metadata -- Removed vfox's idiomatic_filenames() override that triggered plugin metadata loading for every config file check, and reordered detection logic so known patterns are checked first. Eliminates spurious [vfox] Getting metadata for yarn debug messages. #​8397 by @​jdx

• Fixed infinite recursion with uv_venv_auto and uv shims -- When uv_venv_auto = "create|source" is set and a mise shim for uv exists on PATH, venv creation no longer enters infinite subprocess recursion. The fix excludes the mise shims directory from the uv binary search. #​8402 by @​halms

• Improved git submodule parser for prepare -- The .gitmodules parser is now INI-section aware, only extracting path values from [submodule "..."] sections and ignoring comments. Freshness check errors now default to fresh rather than stale, preventing spurious warnings. #​8412 by @​jdx

Breaking Changes

• The deprecated # mise ... file task header syntax has been removed as scheduled. Only #MISE / # [MISE] / //MISE / ::MISE headers are now recognized. If you have task files still using the old # mise headers, update them to use the new syntax. #​8403 by @​jdx

New Contributors

• @​iloveitaly made their first contribution in #​7682

Full Changelog: jdx/mise@v2026.2.24...v2026.3.0

v2026.2.24: : Hooks get Tera templates, aqua cache cleanup, and better error messages

Compare Source

A bug-fix release that enables Tera template rendering in hooks, eliminates a class of stale PATH bugs with aqua tools, improves error messages for unsupported registry tools, and removes the long-deprecated python.venv_auto_create setting.

Fixed

• Hooks now support Tera template rendering -- Hook scripts can now use Tera template variables like {{tools.ripgrep.path}}, just like tasks. Additionally, the install progress bar is now cleared before postinstall hooks run, so hook output is no longer masked by the progress UI. Preinstall hooks correctly skip tools=true env directives since referenced tools may not yet be installed. #​8385 by @​jdx

• Aqua tool PATH entries no longer go stale -- The aqua backend's bin_paths disk cache (bin_paths.msgpack.z) has been removed entirely. This cache provided negligible performance benefit -- reading and decompressing a msgpack file is comparable to parsing the small YAML registry entry -- but was the root cause of stale PATH entries after tool installs (e.g. upgrading uv causing its PATH entry to vanish). The previous fix in v2026.2.23 was raceable by concurrent mise hook-env calls; removing the cache eliminates this class of bugs completely. #​8383 by @​jdx

• Better error when a registry tool has no supported backends -- When a tool exists in the registry but all its backends are filtered out for the current platform or configuration (e.g. imagemagick on a platform where only conda and asdf backends are registered but disabled), the error now clearly explains the situation and lists the registered backends instead of suggesting the user meant the exact tool name they already typed. #​8388 by @​jdx

Removed

• Deprecated python.venv_auto_create setting removed -- The python.venv_auto_create and python_venv_auto_create settings have been fully removed. These were deprecated in favor of the _.python.venv configuration. If you were relying on the legacy virtualenv tool option to auto-create venvs, mise will now warn and print manual creation instructions instead. Migrate to the newer venv configuration: #​8384 by @​jdx

  [tools]
  python = { version = "3.12", _.python.venv = { path = ".venv", create = true } }

Breaking Changes

• The python.venv_auto_create and python_venv_auto_create settings no longer exist. If you still have these in your configuration, they will be silently ignored. Use _.python.venv = { path = ".venv", create = true } in your tool configuration instead. #​8384

Full Changelog: jdx/mise@v2026.2.23...v2026.2.24

v2026.2.23: : Stricter lockfile enforcement and vfox backend options

Compare Source

This release tightens lockfile behavior in --locked mode, fixes a stale PATH cache issue with aqua-based tools, resolves intermittent panics with remote git tasks, and adds the ability to pass custom options to vfox backend plugins.

Added

• Custom options for vfox backend plugins -- Options defined in mise.toml tool entries are now passed through to vfox backend plugins in both BackendInstall and BackendExecEnv contexts, accessible in Lua via ctx.options. This enables custom plugin use cases like controlling build parameters. #​8369 by @​Attempt3035

  [tools]
  "llvm:clang" = { version = "latest", build_cores = "22" }

  function PLUGIN:BackendInstall(ctx)
      local cores = ctx.options.build_cores
      -- use cores in your build logic
  end

• Registry: porter -- Added Porter, a CNAB bundle authoring and management tool (github:getporter/porter). #​8380 by @​lbergnehr

• Registry: entire -- Added entire CLI (aqua:entireio/cli). #​8378 by @​TyceHerrman

• Registry: topgrade -- Added topgrade (aqua:topgrade-rs/topgrade), an all-in-one system upgrade tool. #​8377 by @​TyceHerrman

Fixed

• --locked mode now strictly enforces the lockfile -- Previously, mise lock could still run while --locked was active, mise use tool@latest could bypass the lockfile, and tools missing from the lockfile would silently fall through to remote resolution. Now mise lock refuses to run in locked mode with a clear error and hint, mise use tool@latest respects the lockfile when locked, and missing tools fail fast with an actionable message instead of resolving remotely. #​8362 by @​jdx

• Aqua tool PATH entries no longer go missing after install -- The list_bin_paths() cache could be populated with stale (empty) data before extraction finished, or by a concurrent mise hook-env call during installation. The in-memory and on-disk bin_paths caches are now cleared after an aqua tool install completes so paths are recomputed from the freshly installed files. Fixes an issue where upgrading tools like uv caused their PATH entry to vanish. #​8374 by @​jdx

• Remote git task cache no longer panics or corrupts on concurrent access -- Replaced println!/eprintln! with non-panicking writeln! to handle EPIPE gracefully, and added file locking with clone-to-temp-then-rename to prevent concurrent cache corruption when multiple mise processes fetch the same remote git task simultaneously. #​8375 by @​vmaleze

New Contributors

• @​Attempt3035 made their first contribution in #​8369
• @​lbergnehr made their first contribution in #​8380

Full Changelog: jdx/mise@v2026.2.22...v2026.2.23

v2026.2.22: : Outdated plugins, rename_exe fixes, and smoother installs

Compare Source

A small release adding a new way to check for outdated plugins, along with three bug fixes for archive installs, tool environment resolution, and cross-platform Ruby lockfiles.

Added

• mise plugins ls --outdated flag -- A new -o/--outdated flag checks remote git refs in parallel and displays only plugins where the local SHA differs from the remote. Shows a table with plugin name, URL, ref, local SHA, and remote SHA. Prints "All plugins are up to date" when everything is current. #​8360 by @​jdx

  $ mise plugins ls --outdated
  Plugin  Url                                             Ref   Local    Remote
  tiny    https://github.com/mise-plugins/rtx-tiny.git    main  abc1234  def5678

Fixed

• rename_exe works with archives containing a bin/ subdirectory -- When an archive extracts to a layout like prefix/bin/binary, the rename_exe option was silently skipped because it searched the extraction root non-recursively instead of the bin/ subdirectory where the binary actually lives. Both the GitHub-style backend and the HTTP backend now auto-detect the bin/ subdirectory as the search directory, matching the same logic used by discover_bin_paths() for PATH construction. #​8358 by @​jdx

• Installing cargo/npm/pipx tools no longer crashes with tools = true env directives -- When [env] contained entries like NODE_VERSION = { value = "{{ tools.node.version }}", tools = true }, installing npm/cargo/pipx tools would fail with "Variable not found in context" because the referenced tools might not be installed yet. The cargo, npm, and pipx backends now skip tools = true env directive resolution during installation while still including tool paths in PATH. #​8356 by @​jdx

• Ruby lockfile resolves correct Windows checksums -- Running mise lock on macOS/Linux now correctly resolves RubyInstaller2 binary URLs and checksums for Windows platform entries, instead of incorrectly using the MRI source tarball checksum. The lockfile generator now fetches the correct .7z asset from the oneclick/rubyinstaller2 GitHub releases for Windows targets. #​8357 by @​jdx

Changed

• Registry: terradozer switched to GitHub fork -- The terradozer registry entry now points to github:chenrui333/terradozer (replacing the archived asdf plugin and unavailable aqua backend), and is restricted to Linux and macOS. #​8365 by @​chenrui333

New Contributors

• @​chenrui333 made their first contribution in #​8365

Full Changelog: jdx/mise@v2026.2.21...v2026.2.22

v2026.2.21: : Bug fix roundup for monorepo tasks, conda noarch, and exec PATH handling

Compare Source

A bug-fix release addressing several regressions and long-standing issues: monorepo task variables and glob dependencies now resolve correctly, the conda backend can install Python noarch packages, mise x respects virtualenv PATH ordering again, and nested task execution no longer hangs.

Fixed

• mise x respects virtualenv PATH order again -- A pre-resolution step added in v2026.2.17 (#​8276) resolved bare command names directly to mise-managed tool paths, bypassing PATH entirely. This broke _.python.venv and similar configs where a virtualenv binary should take precedence over the mise-managed install. The pre-resolution is removed; shim stripping in exec_program (also from #​8276) is sufficient to prevent recursion. #​8342 by @​jdx

• Conda noarch Python packages install correctly -- Installing noarch Python packages via the conda backend (e.g. mise use conda:ruff) failed because the linker didn't know the Python version needed to compute site-packages paths. The solver's resolved Python version is now extracted and passed through to link_package, fixing the error. #​8349 by @​wolfv

• Nested mise tasks no longer hang -- The process group isolation (setpgid/killpg) introduced in v2026.2.18 and refined in v2026.2.19 has been fully reverted. When tools like Playwright use process-group-based kills (kill(-pid, SIGKILL)) to tear down a server subprocess tree, grandchild processes in a separate group (created by mise's setpgid) survived and held pipes open, causing indefinite hangs. mise now sends signals directly to child PIDs instead. #​8347 by @​jdx

• Monorepo tasks resolve [vars] from subdirectory configs -- Running a monorepo task like mise run //infra/stacks/gcp:greet failed to pick up [vars] defined in subdirectory .mise.toml files, causing template rendering errors. Variables are now resolved from the task's full config hierarchy (including mise.<env>.toml overlays) and threaded through script rendering. #​8343 by @​jdx

• Monorepo glob dependencies trigger subdirectory prepare steps -- When a root task depended on a monorepo glob pattern like //...:check, the prepare phase only collected configs from top-level tasks, missing subdirectory tasks entirely. Dependencies are now resolved before prepare runs, so transitive subdirectory tasks and their prepare providers are properly discovered. #​8353 by @​jdx

New Contributors

• @​wolfv made their first contribution in #​8349

Full Changelog: jdx/mise@v2026.2.20...v2026.2.21

v2026.2.20: : Conda rewrite, .NET SDK core plugin, and per-task timeouts

Compare Source

A feature-packed release that replaces the conda backend with production-grade internals, adds a native .NET SDK plugin, and finally enforces per-task timeouts. Several lockfile and environment-handling fixes round things out.

Highlights

• Conda backend rewritten with rattler -- The experimental conda backend has been completely rewritten to use the rattler Rust crates (the same engine behind pixi), replacing ~1,600 lines of custom code that relied on the unsupported anaconda.org API. This brings a proper SAT-based dependency solver, correct binary prefix replacement, and repodata caching via CDN. #​8325 by @​jdx

• Native .NET SDK management -- A new core plugin for .NET SDK installs all versions side-by-side under a shared DOTNET_ROOT, matching .NET's native multi-version model. It uses Microsoft's official dotnet-install script and supports global.json for per-project SDK pinning. #​8326 by @​jdx

• Per-task timeouts are now enforced -- The timeout field on tasks (added in v2025.1.6 but never wired up) now actually kills tasks that exceed their limit. Timeouts send SIGTERM with a 5-second grace period before SIGKILL, and both per-task and global task_timeout settings are respected. #​8250 by @​tvararu

Added

• Core .NET SDK plugin -- mise use dotnet@8 now installs via a native core plugin with side-by-side version support and global.json detection. Configure DOTNET_ROOT via the new dotnet.dotnet_root setting. #​8326 by @​jdx
• Per-task timeout enforcement -- Tasks with a timeout field are now killed if they exceed the configured duration. Works with both per-task config and the global task_timeout/--timeout flag. #​8250 by @​tvararu

  [tasks.deploy]
  run = "npm run deploy"
  timeout = "5m"

• VSIX archive support -- The HTTP backend now recognizes .vsix files as ZIP archives and extracts them correctly, enabling tools distributed as VS Code extensions to be installed via http: URLs. #​8306 by @​sosumappu
• Registry: oxfmt -- Added the oxfmt formatter to the tool registry. #​8316 by @​taoufik07

Changed

• Conda backend rewritten with rattler crates -- Replaces custom version matching, dependency resolution, archive extracti

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.