v2026.5.9: : SwiftPM artifact bundles and per-hook watch shells

Compare Source

A modest release: SwiftPM gains artifact bundle support, [[watch_files]] hooks can pick their own inline shell, and a handful of fixes land for aqua latest-tag resolution, vfox cmd.exec, and GitHub OAuth device-flow URLs. Plain-string Tera rendering also gets a fast path.

Added

• (spm) SwiftPM installs now prefer prebuilt artifact bundles (*.artifactbundle.zip) when a release publishes one for the current Swift target triple, falling back to a source build otherwise (#​9825) by @​ikesyo. New controls:

  [tools]
  # require an artifact bundle; fail instead of source-building
  "spm:giginet/swift-testing-revolutionary" = { version = "0.4.0", artifactbundle = true }
  
  # always source-build, ignore any bundles
  "spm:tuist/tuist" = { version = "latest", artifactbundle = false }
  
  # disambiguate when multiple bundle assets are published
  "spm:org/tool" = { version = "1.0.0", artifactbundle_asset = "tool.artifactbundle.zip" }
  
  [settings]
  # apply "bundles only" globally (mirrors cargo.binstall_only)
  spm.artifactbundle_only = true

• (config) [[watch_files]] entries with run accept an optional shell field, rendered through templates and falling back to the configured default inline shell when unset (#​9810) by @​risu729:

  [[watch_files]]
  patterns = ["*.js"]
  run = "eslint --fix ."
  shell = "bash -c"

  shell only applies to run hooks; combining it with task produces a warning and the value is ignored.

Fixed

• (aqua) When GitHub's latest release pointed at a tag that aqua's registry rejected via version_filter or version_constraint, mise would return it anyway. The latest fast path now applies both checks before accepting a tag (#​9834) by @​risu729.
• (vfox) Lua cmd.exec calls inside vfox plugins now build commands from mise's configured unix_default_inline_shell_args / windows_default_inline_shell_args instead of hardcoding sh -c or cmd /C, aligning plugin behavior with tasks, Tera command rendering, and other inline shell users (#​9837) by @​risu729.
• GitHub OAuth device-flow paths were slightly off compared to the documented endpoints. The default oauth_auth_url is now the GitHub login base, with mise appending /device/code and /oauth/access_token per GitHub's device-flow docs (#​9791) by @​jasisk.
• (patrons) mise patrons now points the "become a patron" link to the en.dev homepage instead of /sponsor (#​9868) by @​jdx.

Changed

• (registry) npm is now resolved through aqua:npm/cli (with npm:npm retained as a fallback), and buck2 switches to aqua:facebook/buck2 with prerelease = true so its always-prerelease releases are visible (#​9762, #​9805) by @​risu729.
• (registry) Added SonarQube CLI as aqua:SonarSource/sonarqube-cli (#​9824) by @​3PeatVR.

Performance

• (config) Strings with no Tera block markers ({{, {%, {#, including whitespace-trimmed forms) now bypass the Tera renderer at config evaluation sites, skipping context construction, async context fetches, and get_tera setup. Tera 1.20.1's grammar guarantees these are the only block openers, so output is unchanged for both well-formed and malformed templates (#​9833) by @​risu729.

Documentation

• Updated the Walkthrough guide (#​9853) by @​thernstig.

New Contributors

• @​3PeatVR made their first contribution in #​9824
• @​ikesyo made their first contribution in #​9825
• @​thernstig made their first contribution in #​9853

Full Changelog: jdx/mise@v2026.5.8...v2026.5.9

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.8: : Patrons, cleaner task output, and sigstore-rust

Compare Source

A small release: a new mise patrons command, cleaner task command output when scripts start with a shebang, and a fix for mise upgrade summaries getting wiped by progress cleanup. Under the hood, signature verification moves to the modern sigstore-rust stack.

Added

• (patrons) New mise patrons subcommand lists individuals on the Patron tier supporting mise development (#​9841) by @​jdx. Data is fetched from the en.dev patrons feed, cached for 24h, and falls back to stale cache on network failure. Each patron's name renders as a clickable OSC 8 hyperlink in supporting terminals.

  $ mise patrons
  mise is supported by these patrons — thank you
  
    • Ronald Gierlach
    • youfoundron
  
  Become a patron: https://en.dev/sponsor
  

  Flags: -J/--json, --refresh.

• (registry) Add a racket shorthand backed by the aqua racket/racket/minimal package, exposing both racket and raco from the official racket-lang.org release artifacts (#​9784) by @​albertnetymk.

Fixed

• (task) When a task's run body starts with #!/usr/bin/env bash or set -Eeuo pipefail, the echoed command line would show only that boilerplate and hide the rest of the script. Leading shebang, blank, and set ... lines are now skipped when building the displayed command, so the first real command shows up. Execution is unchanged (#​9844) by @​jdx. Fixes #​9842.

  # before
  [generate-completions] $ #!/usr/bin/env bash
  
  # after
  [generate-completions] $ fzf --fish > ~/.config/fish/completions/fzf.fish
  

• (upgrade) mise upgrade could erase its own Upgraded N tools: summary detail lines when an upgrade also performed an uninstall — fresh progress jobs registered for the cleanup phase were still active at shutdown, so stop_clear() wiped them along with the summary. Progress jobs are now finished and reset before the summary prints (#​9860) by @​risu729. Regression from #​9779; addresses #​9856.

Changed

• (security) Sigstore verification (verify_github_attestation, verify_cosign_signature, verify_slsa_provenance, detect_attestations) now runs on a local mise-sigstore adapter built on sigstore-verify 0.7 from sigstore-rust, replacing the previous sigstore-verification 0.2 dependency (#​9260) by @​jdx. The mise call sites and helper API are unchanged. The new adapter still covers legacy cosign v1 bundles (e.g. goreleaser-signed releases) and raw DSSE *.intoto.jsonl envelopes (slsa-github-generator) that the upstream Bundle::from_json rejects.

Deprecated

• (config) The top-level env_file setting (and MISE_ENV_FILE) is now marked deprecated. Use env._.file in mise.toml instead (#​9862) by @​risu729. The JSON Schema gains the deprecated keyword, a warning is scheduled for 2026.11.0, and removal is planned for 2027.11.0.

  # before
  env_file = ".env"
  
  # after
  [env]
  _.file = ".env"

New Contributors

• @​albertnetymk made their first contribution in #​9784

Full Changelog: jdx/mise@v2026.5.7...v2026.5.8

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.7: : Lazy GitHub tokens, hardened version parsing, and faster task freshness

Compare Source

A round of correctness and performance fixes: vfox-managed tools no longer prompt your password manager on every shell hook, mise upgrade stops double-printing its summary, mise settings get finally distinguishes typos from unset values, and conda installs that pulled in adwaita-icon-theme are unstuck. Plus a security pass that hardens version-string parsing against shell injection.

Fixed

• (vfox) GitHub tokens are now resolved lazily inside Lua plugins. Previously, mise hook-env, mise activate, mise completion, and even mise --help would call github.credential_command for every installed vfox tool — potentially unlocking a password manager on every prompt. The resolver is now only invoked when a Lua plugin actually issues an HTTP request to a GitHub API URL, e.g. during an install (#​9816) by @​jdx. Fixes #​9797.

• (upgrade) mise upgrade (and mise up) no longer prints the installed-tools block twice when an upgrade also needs to uninstall an older version. The shared progress-job registry is now cleared after each phase so the subsequent uninstall renders cleanly (#​9779) by @​jdx. Fixes #​9774.

• (settings) mise settings get distinguishes between a known setting that hasn't been set and a typo:

  $ mise settings get python.compile
  mise ERROR Setting [python.compile] is not set
  $ mise settings get not.a.real.setting
  mise ERROR Unknown setting: not.a.real.setting

  Previously both returned Unknown setting, since Option<T> fields skipped by TOML serialization were indistinguishable from missing keys (#​9818) by @​jdx.

• (backend) Several backends (aqua, github/gitlab/forgejo, http, s3, ubi, vfox, conda, Windows npm) reported bin-paths pointing at the concrete resolved install dir (e.g. installs/tiny/1.0.0/...) instead of the stable runtime symlink for the requested label (e.g. installs/tiny/latest/...). A new runtime_path_for_install_path helper remaps backend-discovered absolute paths onto the runtime path while leaving explicit relative bin_path values alone (#​9606) by @​risu729.

• (conda) mise use -g imagemagick (and other tools pulling in adwaita-icon-theme) failed with conda solve failed: encountered duplicate records for adwaita-icon-theme-40.1.1-.... rattler-solve detects duplicates by DistArchiveIdentifier rather than URL, so when conda-forge served the same archive under multiple CDN URLs, the existing URL-based dedup wasn't enough. Dedup now uses r.identifier, the exact key the solver uses (#​9831) by @​jdx. Fixes #​9829.

Added

• (github) github.credential_command now runs through the configured default inline shell (instead of hardcoded sh -c) and is invoked with MISE_CREDENTIAL_HOST and MISE_CREDENTIAL_PROVIDER in the environment. The deprecated $1 / ${1} hostname positional argument continues to work for sh-compatible shells (ash, bash, dash, ksh, sh, zsh); a deprecation warning lands in 2026.11.0 and removal is planned for 2027.11.0 (#​9664) by @​risu729.

Performance

• (aqua) The baked aqua standard-registry package and alias lookup tables are now generated as static phf::Maps at build time via phf_codegen, instead of lazy runtime HashMaps. Warmed lookup is comparable, but first-use no longer allocates ~115 KiB of heap or builds a 2,179-entry bucket table (#​9763) by @​risu729.

• (task) When task.source_freshness_hash_contents = true, mise now caches each source file's blake3 hash keyed by (size, mtime_secs, mtime_nanos) — git's stat-info trick — in a per-task file under STATE/task-sources/. Unchanged files are skipped on subsequent runs; entries for files removed from sources are pruned automatically (#​9819) by @​jdx. See discussion #​9802.

Security

• Reject shell metacharacters in version strings at the ToolRequest boundary (#​9814) by @​jdx. ToolRequest::new now validates version, prefix, ref/*, sub-*, and path: requests, rejecting $, backticks, quotes, \, control chars, and .. traversal. This single change neutralizes the CRITICAL RCE class flagged against vfox-ag, vfox-bfs, vfox-bpkg, vfox-chezscheme, vfox-redis, vfox-yarn, and shell-injection findings on clickhouse, leiningen, pipenv, poetry, azure-functions-core-tools, carthage, and android-sdk, since no Lua hook can observe a hostile ctx.version / ctx.rootPath. Real-world strings like 1.2.3-beta, lts/hydrogen, 3.12.0a1, and nightly continue to validate. The PR also tightens workflow_dispatch input validation in the COPR, PPA, npm-publish, and Docker workflows.

Registry

• Replace unsupported exe = ... options across ~30 GitHub/GitLab registry entries (astro, babashka, coursier, glab, odin, openbao, purescript, and many more) (#​9587) by @​risu729. Two entries gained real config to fix Linux installs:
  • solidity now uses bin = "solc" so the installed binary matches the upstream solc-static-linux asset.
  • sourcery now uses format = "tar.gz" because the upstream Linux asset is gzip-compressed despite its .tar.xz filename.
• Update pi to earendil-works/pi (#​9792) by @​garysassano.

Documentation

• (aliases) Fix the Aliased Versions example and drop the stale asdf callout (#​9830) by @​jdx.

Full Changelog: jdx/mise@v2026.5.6...v2026.5.7

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.6: : Native GitHub OAuth, project-scoped OCI builds, faster registries

Compare Source

A mix of features and correctness work: a native GitHub OAuth token source (experimental) that drops the dependency on gh/ghtkn, mise oci commands scoped to the current project by default, and two registry-lookup performance wins — plus fixes across activate, exec, java, lock, pipx, and vfox.

Added

• (cli) Add --before <date> to mise ls-remote and mise lock for release-date-aware version discovery (#​9269) by @​risu729

• (config) Hooks can now be defined as a table — { run = "...", shell = "bash -c" } — to pick a shell inline, alongside the existing string form (#​9718) by @​risu729

• (github) Add native GitHub OAuth device-flow token source (experimental) — no dependency on gh/ghtkn (#​9654) by @​jdx. Create a GitHub App with device flow enabled, then authorize once:

  mise settings set experimental true
  mise settings set github.oauth_client_id Iv1.yourgithubappclientid
  mise token github --oauth

  mise caches and refreshes the token for its own GitHub API calls, and auto-exports it as GITHUB_TOKEN to shells started under mise activate/exec so gh, git, and other GitHub-aware tools pick it up too. See GitHub Tokens → Native GitHub OAuth for the full setup.

• (oci) mise oci build/run/push are now scoped to the current project's config by default; pass --include-global to opt back into the previous behavior of including global config (#​9766) by @​jdx

• (outdated) Prefixed-version requests now resolve to the latest within the prefix — e.g. temurin-17.0.19+10 for a temurin-17.x request, instead of jumping ahead to temurin-26.x (#​9767) by @​roele

Fixed

• (activate) Guard bash chpwd_functions expansion under set -u so activated shells no longer fail with chpwd_functions[@​]: unbound variable (#​9716) by @​risu729
• (backend) Date-check the latest_stable_version fast path when --before or minimum_release_age is active, instead of returning a too-new version (#​9650) by @​risu729
• (config) Parse core tool options consistently between table and bracket syntax, so [depends=...] and os= set the named core fields (#​9742) by @​risu729
• (exec) Nested mise -C <dir> exec correctly resolves the inner toolset's tools again — __MISE_DIFF is now propagated to children so the child no longer inherits a mutated PATH that hides its own tools (#​9765) by @​jdx
• (forgejo) Include prereleases when prerelease = true / MISE_PRERELEASES=1 is set (#​9717) by @​risu729
• (github) Avoid caching empty release-asset responses, refetching instead (#​9616) by @​risu729
• (java) Resolve core:java lockfile URLs/checksums from mise Java metadata, fixing mise install --locked for Java (#​9719) by @​risu729
• (lock) Cache github_attestations = "unavailable" so locked installs stop hitting the GitHub attestation API for artifacts known to have none (#​9741) by @​risu729
• (pipx) Preserve uvx_args/pipx_args/extras/uvx = false when pipx tools are reinstalled after a Python upgrade (#​9663) by @​risu729
• (python) Skip redundant GitHub attestation re-verification when the lockfile already has checksum + provenance = "github-attestations" (#​9739) by @​risu729
• (vfox) Run vfox plugin pre_uninstall hooks before removing install directories (#​9662) by @​risu729
• Quote program and args in cmd::cmd(..) debug output so logged commands are unambiguous (#​9777) by @​ktetzlaff

Performance

• (aqua) Bake aqua registry packages as rkyv blobs for much faster lookup (#​9535) by @​risu729
• (registry) Use phf for the mise registry lookup table, around 3.3x faster than the previous BTreeMap path (#​9769) by @​risu729

Registry

• Added vector (#​9761) by @​kquinsland
• Added openshift-install and an http: backend for oc (#​9669) by @​konono

New Contributors

• @​konono made their first contribution in #​9669
• @​kquinsland made their first contribution in #​9761
• @​ktetzlaff made their first contribution in #​9777

Full Changelog: jdx/mise@v2026.5.5...v2026.5.6

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.5: : Inactive upgrades, Windows bash and bunx fixes

Compare Source

A grab-bag release: a new --inactive flag for catching installed-but-unconfigured tools, several Windows fixes around bunx and the bash task shell, and correctness fixes for the npm shim, aqua bin-path resolution, and dotnet prereleases.

Added

• (outdated/upgrade) New --inactive flag on mise outdated and mise upgrade that includes installed-but-inactive tools — versions you have installed but that aren't referenced by the current config (#​9640) by @​roele. Useful for cleaning up or upgrading old tool installs:

  # show every installed tool that has a newer version, even if it's not in mise.toml
  mise outdated --inactive
  
  # upgrade an installed-but-inactive tool to its current latest
  mise upgrade tiny --inactive

  When a tool has no config source, --inactive resolves against the backend's latest version rather than the pinned installed version.

Fixed

• (node) The generated npm shim now invokes <this-install>/bin/node directly instead of node from PATH. Previously, running one Node install's npm while a different Node version was active could let npm derive its global prefix from the other install, sending default packages to the wrong place (#​9749) by @​jdx.

• (bun, Windows) mise install bun on Windows now creates a bunx entry alongside bun.exe, matching what the upstream PowerShell installer does. mise tries a bunx.exe -> bun.exe hardlink first (bun switches to bunx mode based on argv[0]) and falls back to a bunx.cmd shim. reshim picks it up automatically, so bunx <pkg> finally works under mise-managed bun on Windows (#​9732) by @​JamBalaya56562.

• (task, Windows) When a task uses shell = "bash -c" and mise is invoked from PowerShell, C:\Windows\System32\bash.exe (the WSL launcher) used to win the PATH search, silently running the task body inside a WSL Linux user-space where mise-managed Windows tools aren't visible. mise now resolves bash in this order: MISE_BASH_PATH, common Git Bash install locations (C:\Program Files\Git\bin\bash.exe, the x86 variant, %LOCALAPPDATA%\Programs\Git\bin\bash.exe), the existing PATH search, and finally an explicit reject of the WSL launcher with a warning (#​9750) by @​JamBalaya56562. sh/zsh/fish/ksh/dash and non-Windows builds are unaffected.

• (aqua) Aqua list_bin_paths() correctly handles packages whose actual git tags add an extra v after a version prefix (e.g. tool-v1.2.3 for canonical 1.2.3), without putting remote resolution back on the bin-path hot path that was reverted in #​5574. Install passes the already-resolved tag/version directly into file-link creation instead of recomputing it (#​9759) by @​risu729.

• (dotnet) The dotnet backend now uses the shared prerelease = true tool option used by aqua/github, fetches the NuGet prerelease superset, and skips the latest fast paths when prereleases are enabled. The global prereleases setting and the deprecated dotnet.package_flags = ["prerelease"] continue to work (#​9720) by @​risu729:

  MISE_EXPERIMENTAL=1 mise ls-remote 'dotnet:GitVersion.Tool[prerelease=true]'

Registry

• Added scalafmt (github:scalameta/scalafmt) — the official Scala formatter (#​9757) by @​pokir.
• Removed flarectl: upstream cloudflare/cloudflare-go no longer ships release binaries (the existing registry test was already commented out) (#​9756) by @​risu729.
• Removed 49 registry shorthands with zero recorded users (bbr, brig, btrace, carp, clarinet, cli53, concourse, conduit, copper, credhub, datree, djinni, dome, draft, dtm, envcli, esy, glen, grain, inlets, kcctl, ki, kp, krab, kube-credential-cache, kubefedctl, kubefirst, kubemqctl, kwt, lab, lane, levant, melt, opsgenie-lamp, pachctl, psc-package, purerl, redo, rke, sinker, soracom, starboard, sver, terradozer, titan, uaa-cli, wasm4, wren-cli, zbctl) (#​9725) by @​jdx. Tools added in 2026 were skipped, and any of these can still be installed with explicit backend syntax (e.g. mise use aqua:cloudfoundry/uaa-cli).

Documentation

• (secrets) Document that direct age encryption requires experimental mode, that age decryption is strict by default, and that age.strict=false skips undecryptable values and keeps resolving the environment (#​9737) by @​risu729.
• (tasks) Add a bash shebang to the conditional-dependencies example (#​9747) by @​JamBalaya56562.
• Backend tool option docs: document S3 support for size, strip_components, bin, and rename_exe; add no_app to GitLab and Forgejo; clarify that GitHub-family api_url covers release lookup and private/self-hosted API downloads, not just version listing (#​9738) by @​risu729.

New Contributors

• @​pokir made their first contribution in #​9757

Full Changelog: jdx/mise@v2026.5.4...v2026.5.5

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.4: : Java on Alpine, faster pwsh exits

Compare Source

A small release that smooths out Java installs on Alpine, makes pwsh shell activation noticeably snappier, and cleans up ibmcloud's $PATH footprint.

Added

• (java) Automatic musl detection on Alpine Linux (#​9688) by @​roele. Java versions on Alpine no longer require an explicit -musl feature suffix — mise-java now exposes an alpine-linux OS containing the musl builds, and mise selects it automatically when running on a musl libc. So this:

  mise use java@corretto-25

  picks the Alpine/musl Corretto build on Alpine, and -musl-suffixed versions (e.g. corretto-musl-25) continue to resolve for backwards compatibility.

Fixed

• (registry) ibmcloud now uses symlink_bins, so only the ibmcloud binary is placed on $PATH instead of the entire install directory. This prevents the bundled install binary from shadowing /usr/bin/install (#​9685) by @​dnwe.

Performance

• (pwsh) Activation no longer spawns a fresh pwsh -NoProfile -Command exit $status (or powershell on PS 5) after every hook just to propagate mise's exit code — it now assigns $global:LASTEXITCODE = $status directly. On a typical machine that's ~270ms (pwsh) or ~185ms (powershell) shaved off every prompt (#​9723) by @​vemoo.

Changed

• (schema) xtasks/render/schema.ts no longer overwrites $defs.task_template and the trailing $defs.task.oneOf branch on every mise run render:schema; those shapes already live in schema/mise.json, with lightweight guard checks remaining (#​9680) by @​risu729.

Aqua Registry Updates

New packages:

• DataDog/managed-kubernetes-auditing-toolkit
• oracle.com/sqlcl

Updated packages:

• alltuner/mise-completions-sync
• iann0036/iamlive
• pnpm/pnpm

Full Changelog: jdx/mise@v2026.5.3...v2026.5.4

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.3: : Aqua latest from GitHub releases

Compare Source

A small patch release that fixes how the aqua backend resolves latest for tools backed by GitHub releases.

Fixed

• (aqua) Resolve latest via GitHub's latest-release endpoint instead of walking the chronological tag list, so mise use <tool>@&#8203;latest and similar requests pick the upstream "latest" release rather than the newest tag. Packages using version_source = github_tag continue to use the existing tag-based fallback, and before_date / minimum_release_age settings still bypass the fast path. Tag-to-version normalization (version prefixes, leading v, asset checks) is now shared across remote listing, install lookup, and latest resolution (#​9277) by @​risu729.

Full Changelog: jdx/mise@v2026.5.2...v2026.5.3

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.2: : Stable monorepo task roots, fail-fast parallel tasks, and curated lockfiles

Compare Source

Added

• (aqua) Support registry libc variants (gnu vs musl) when resolving package overrides on Linux, including cross-platform lock targets like linux-x64-musl (#​9652) by @​jdx.
• (aqua) Honor aqua registry files[].link and files[].hard entries, creating relative symlink (or hard link) aliases next to extracted binaries so tools that inspect $0/argv[0] (e.g. granted/assumego, newer pnpm) launch correctly (#​9610) by @​risu729.
• (bin-paths) New mise bin-paths --bin-names flag prints executable names from active bin directories, and --json now emits structured entries with name, path, and symlink (#​9617) by @​risu729.
• (task) Added MISE_MONOREPO_ROOT env var pointing at the directory of the config with experimental_monorepo_root = true (#​9657) by @​jdx.
• (registry) Added code-review-graph via pipx:code-review-graph (#​9673) by @​chautruonglong.

Fixed

• (task) Parallel mise run --jobs N siblings now terminate promptly when one task fails, via per-task process groups and killpg, with a 10s pipe-drain timeout (#​9655) by @​jdx.
• (task) MISE_PROJECT_ROOT for monorepo subproject tasks is now stable regardless of invocation cwd (#​9657) by @​jdx.
• (install) Don't force a remote-versions cache refresh in prefer_offline mode; fixes a v2026.5.0 regression with shim auto-install of prefix: requests (#​9627) by @​jdx.
• (lockfile) Auto-lock during mise install now respects user-curated lockfiles — removed platforms stay removed (#​9621) by @​jdx.
• (lock) mise lock from a nested project scopes targets to the active project root and stops churning parent lockfiles; --global is now exclusive (#​9319) by @​risu729.
• (deps) Fall through to source-hash freshness when a provider returns no outputs, so bundle install, pip install, go mod download, poetry install, and uv sync stop rerunning on every invocation (#​9622) by @​jdx.
• (backend) Inline tool option overrides (e.g. tool[asset_pattern=...]) are now applied consistently across all backends, with backend alias [...] options as a distinct overlay layer (#​9306) by @​risu729.
• (backend) Skip the mise-versions host when locally overridden tool options affect remote version listing (#​9568) by @​risu729.
• (backend) Reject bare package-backend names like cargo and gem as implicit cargo:cargo/gem:gem tools (#​9608) by @​risu729.
• (aqua) Preserve configured file extensions (e.g. .bat scripts) on Windows; avoid doubling version_prefix (#​9611) by @​risu729.
• (github) Chmod only the explicitly configured bin target instead of every archive file (#​9609) by @​risu729.
• (pipx) Filter yanked PyPI releases from fuzzy/latest resolution while keeping exact pinned installs available (#​9607) by @​risu729.
• (pipx) Declare python as a backend dependency so pipx.pyz resolves to mise-managed Python (#​9678) by @​jdx.
• (trust) Run enter hooks after mise trust newly trusts a config for the current directory (#​9634) by @​risu729.
• (ui) Stop clearing the screen for confirmation prompts like mise prune (#​9619) by @​jdx.
• Use /bin/cp on macOS for mise sync so it doesn't break when GNU cp from Homebrew shadows it on PATH (#​9656) by @​pdehlke.
• (schema) Update refs to $defs in mise-registry-tool.json (#​9671) by @​risu729.

Changed

• (registry) Removed registry-level depends from generated registry tools and added test.tools for tools whose dependencies are only needed by mise test-tool (#​9571) by @​risu729.
• (config) Registry backend options now accept full TOML values (booleans, integers, arrays, tables) instead of strings only (#​9584) by @​risu729.

Documentation

• (node) Added tips for enabling node idiomatic version files (#​9675) by @​fu050409.

New Contributors

• @​chautruonglong made their first contribution in #​9673
• @​pdehlke made their first contribution in #​9656

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.1: : Aqua cosign and a reshim rescue

Compare Source

A small follow-up to v2026.5.0 that lands top-level cosign verification for the aqua backend, fixes a mise reshim failure caused by stale latest install directories, and tightens schema validation.

Added

• (backend) The aqua backend now honors top-level cosign metadata when verifying packages, covering both checksum and artifact flows and reusing the existing native sigstore path. Lockfiles record top-level cosign provenance, with new e2e and lockfile regression coverage (#​9111) by @​risu729.
• (registry) Added wasm-tools via aqua:bytecodealliance/wasm-tools for working with the WebAssembly Component Model (#​9596) by @​2xdevv.

Fixed

• (shim) mise reshim no longer aborts with failed to rebuild shims: no versions found for <tool> when an install directory literally named latest (or any other non-resolvable name) is left on disk. Toolset::list_installed_versions already reads concrete version directory names, so it now constructs ToolVersion directly instead of calling .resolve() (no network), and per-tool ToolRequest::new failures are warned-and-skipped instead of aborting the entire rebuild (#​9599) by @​jdx. Repro:

  mkdir -p ~/.mise/installs/buck2/latest/bin
  touch ~/.mise/installs/buck2/latest/bin/buck2
  mise reshim   # previously failed; now succeeds

• (schema) All files under schema/ are now validated against draft/2020-12 in strict mode. Hand-written schemas and the BoolOrString renderer in schema.ts use oneOf instead of union type arrays so AJV's strictTypes no longer rejects them; the bogus --strict-schema flag is replaced with --strict-types=true --strict-tuples=true (#​9594) by @​risu729.

• (registry) elixir-ls re-enables symlink_bins so the move to the aqua backend stops exposing internal binaries that aren't meant to be called directly (#​9592) by @​AlternateRT.

Changed

• (registry) rebar now installs from the GitHub backend (erlang/rebar3) since rebar3 is just an escript; the asdf plugin fallback is removed. Versions before rebar 3 are no longer supported, and the installed executable remains rebar3 to match upstream docs (#​9576) by @​risu729.
• (registry) bashly drops the asdf:mise-plugins/mise-bashly fallback and the redundant explicit ruby dependency, since the gem backend already pulls in Ruby (#​9578) by @​risu729.
• (release) Restored the "Sponsor mise" block on every successful GitHub release. It had been accidentally scoped to the communique-failure fallback in #​9395, so normal releases since v2026.4.22 lost it (#​9580) by @​jdx.

Documentation

• (dev-tools) Clarified that vfox metadata depends runs install hooks for the listed dependency tools (#​9573) by @​risu729.
• (plugins) Removed outdated registry submission guidance from the plugins docs (#​9577) by @​risu729.

Aqua Registry Updates

New packages:

• salesforce/reactive-grpc/protoc-gen-reactor-grpc
• spinframework/spin

Updated:

• pnpm/pnpm

Full Changelog: jdx/mise@v2026.5.0...v2026.5.1

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.0: : Conda graduates, smarter prereleases, and Windows POSIX tasks

Compare Source

Added

• (conda) Graduated the conda backend out of experimental (#​9544) by @​jdx.
• (deps) Added dart and flutter deps providers backed by pubspec.yaml / pubspec.lock (#​9505) by @​tjarvstrand.
• (task) sources entries can now be prefixed with ! to exclude paths, and a new sources_exclude field is supported; exclusions apply to freshness checks, task_source_files, and mise watch (#​9496) by @​jlarmstrongiv.
• (vfox) Added stat to the Lua file module so plugins can read file metadata (#​9497) by @​esteve.
• (registry) Added neo4j (#​9525), rustfs (#​9530), expert (#​9498), systemctl-tui (#​9521), codon (#​9538), yr (#​9542), betterleaks (#​9541), git-filter-repo (#​9550), umoci (#​9555), google-java-format (#​9488), an aqua backend for elixir-ls (#​9557), and enabled shellcheck on Windows (#​9487).

Fixed

• (backend) Stamp prerelease metadata via regex for backends that don't expose it upstream (#​9500) by @​jdx.
• (backend) Treat -nightly, -canary, -experimental, -insider, -edge as prereleases (#​9523) by @​jdx.
• (backend) Scope PEP 440 prerelease detection to Python backends (#​9558) by @​jdx.
• (backend) Honor dotnet.package_flags = "prerelease" and --prerelease for dotnet (#​9551) by @​jdx.
• (backend) Suppress repeated No versions found warnings for backends that support unresolved latest (#​9548) by @​jdx.
• (install) Don't warn for configured tools when version is passed via CLI (#​9522) by @​jdx.
• (install) Refresh latest before installing missing tools (#​9545) by @​jdx.
• (install) Don't cache nonexistent install paths (#​9553) by @​jdx.
• (lockfile) Don't propagate ad-hoc CLI overrides into the project lockfile (#​9562) by @​jdx.
• (plugin) Detect plugin types after cloning (#​9540) by @​risu729.
• (task) Convert PATH to MSYS Unix form when spawning POSIX shells on Windows (#​9547) by @​JamBalaya56562.
• (cargo) Apply install_env during cargo install (#​9502) by @​c22.
• (github) Skip attestations on non-default api_url (#​9486) by @​jdx.
• (github) Retry IP allow list errors without auth (#​9506) by @​risu729.
• (http) Update versions host tracking endpoint (#​9527) by @​jdx.
• (release) Pass --no-git-checks to aube publish (#​9483) by @​jdx.
• (copr) Drop epel-9 chroots since rust >= 1.91 is unavailable (#​9484) by @​jdx.

Changed

• (registry) Deny inline backend options in registry tool entries (#​9565) by @​risu729.
• (registry) Update entry for checkmake (#​9504) by @​eread.

Deprecated

• shorthands_file setting / MISE_SHORTHANDS_FILE is deprecated; warning starts in 2026.6.0, removal planned for 2026.12.0. Use [plugins] instead (#​9534) by @​risu729.

Documentation

• Document ghtkn as a GitHub credential_command (#​9546) by @​jdx.
• Clarify registry backend acceptance policy (#​9543, 7bbeebe) by @​jdx.
• Update mise watch docs to pitchfork.en.dev (#​9536) by @​risu729.
• Use bash in exec example for variable echoing (#​9567) by @​kuboon.

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.4.28: : Remote tasks pinned by commit SHA

Compare Source

A small patch release: remote tasks pinned to a commit SHA no longer panic, and the Fedora COPR packaging pipeline picks up Dockerfile fixes agai

✂ Note

PR body was truncated to here.