
Commit eecf1ba

chore(deps): update dependency mise to v2026.5.11 (#2119)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [mise](https://redirect.github.com/jdx/mise) | patch | `v2026.5.5` → `v2026.5.11` | --- ### Release Notes <details> <summary>jdx/mise (mise)</summary> ### [`v2026.5.11`](https://redirect.github.com/jdx/mise/releases/tag/v2026.5.11): : Provenance verification at lock time [Compare Source](https://redirect.github.com/jdx/mise/compare/v2026.5.10...v2026.5.11) #### Added - **(security)** Verify and record provenance during `mise lock`, with a new `provenance_api_failures_fatal` setting to control whether GitHub attestation API failures are fatal ([#&#8203;9945](https://redirect.github.com/jdx/mise/pull/9945) by [@&#8203;jdx](https://redirect.github.com/jdx)). - **(security)** Fall back to verifying archive contents when SLSA provenance attests every file inside an archive but not the archive itself, fixing releases like `github:prefix-dev/pixi@0.68.1` ([#&#8203;9898](https://redirect.github.com/jdx/mise/pull/9898) by [@&#8203;sargunv](https://redirect.github.com/sargunv)). - **(plugins)** Support remote git subdirectory sources for plugins, e.g. `git::https://host/repo.git//path/to/plugin?ref=branch` ([#&#8203;9893](https://redirect.github.com/jdx/mise/pull/9893) by [@&#8203;jdx](https://redirect.github.com/jdx)). #### Fixed - **(github)** Asset picker now picks the shortest matching name as a tiebreaker for `asset_pattern` and accepts platform-agnostic runtime archives like `.phar`, `.jar`, and `.pyz` (fixes installing `composer`) ([#&#8203;9946](https://redirect.github.com/jdx/mise/pull/9946) by [@&#8203;jdx](https://redirect.github.com/jdx)). - **(config)** Invalid `miserc.toml` now produces a clear parse error at startup instead of being silently ignored ([#&#8203;9937](https://redirect.github.com/jdx/mise/pull/9937) by [@&#8203;jdx](https://redirect.github.com/jdx)). 
- **(install)** Per-tool `.mise.backend.toml` metadata is now written alongside install directories, making merged/copied installs self-describing and refreshing install state mid-run so same-run dependency resolution sees freshly installed tools ([#&#8203;9941](https://redirect.github.com/jdx/mise/pull/9941) by [@&#8203;jdx](https://redirect.github.com/jdx)). - **(install)** `postinstall` hooks now run through the configured default inline shell instead of `$SHELL -c` ([#&#8203;9812](https://redirect.github.com/jdx/mise/pull/9812) by [@&#8203;risu729](https://redirect.github.com/risu729)). - **(cache)** `mise cache prune [PLUGIN]...` now honors the plugin filter instead of pruning every cache directory ([#&#8203;9914](https://redirect.github.com/jdx/mise/pull/9914) by [@&#8203;risu729](https://redirect.github.com/risu729)). - **(task)** Preserve task-declared env, `MISE_TASK_*` metadata, and `MISE_ENV` across nested `hook-env` invocations, while keeping the nested-PATH fix from [#&#8203;9765](https://redirect.github.com/jdx/mise/pull/9765) intact ([#&#8203;9850](https://redirect.github.com/jdx/mise/pull/9850) by [@&#8203;risu729](https://redirect.github.com/risu729)). - **(backend)** Resolve helper dependency toolsets in offline mode so `minimum_release_age` cannot mis-route helper tools like `node`/`npm` when querying upstream versions ([#&#8203;9808](https://redirect.github.com/jdx/mise/pull/9808) by [@&#8203;risu729](https://redirect.github.com/risu729)). - **(vfox)** Key vfox `EnvKeys` hooks by the resolved install path so shared/system installs don't reuse user-path cache entries ([#&#8203;9907](https://redirect.github.com/jdx/mise/pull/9907) by [@&#8203;risu729](https://redirect.github.com/risu729)). - **(use)** Skip the `mise use -g` shadow warning when the active version comes from system config ([#&#8203;9900](https://redirect.github.com/jdx/mise/pull/9900) by [@&#8203;risu729](https://redirect.github.com/risu729)). 
- **(doctor)** List installed plugins from install state, including those owned by disabled backends, and add a `plugins` object to `mise doctor -J` ([#&#8203;9863](https://redirect.github.com/jdx/mise/pull/9863) by [@&#8203;risu729](https://redirect.github.com/risu729)). - **(erlang)** `erlang.compile = false` is now strict precompiled mode and no longer falls back to `kerl build-install` on unsupported distros ([#&#8203;9866](https://redirect.github.com/jdx/mise/pull/9866) by [@&#8203;risu729](https://redirect.github.com/risu729)). #### Changed - **(registry)** Prefer the `aqua` backend for `cilium-hubble`, `localstack`, `mark`, `openbao`, `porter`, `process-compose`, `rtk`, `sqlc`, `turso`, and `xcodegen`, with existing GitHub/asdf backends preserved as fallbacks ([#&#8203;9789](https://redirect.github.com/jdx/mise/pull/9789) by [@&#8203;risu729](https://redirect.github.com/risu729)). - **(registry)** Add `aqua:jbangdev/jbang` as the primary backend for `jbang`, enabling Windows support ([#&#8203;9811](https://redirect.github.com/jdx/mise/pull/9811) by [@&#8203;risu729](https://redirect.github.com/risu729)). - **(registry)** Alias `dotnet-core` to `dotnet` ([#&#8203;9807](https://redirect.github.com/jdx/mise/pull/9807) by [@&#8203;risu729](https://redirect.github.com/risu729)). - **(registry)** Add [`lisette`](https://lisette.run/) ([#&#8203;9944](https://redirect.github.com/jdx/mise/pull/9944) by [@&#8203;ivov](https://redirect.github.com/ivov)). - **(registry)** Fix `sourcery` archive format so macOS installs use the `.zip` asset instead of trying to extract it as `tar.gz` ([#&#8203;9902](https://redirect.github.com/jdx/mise/pull/9902) by [@&#8203;risu729](https://redirect.github.com/risu729)). - **(docs)** Trim the global settings example in the configuration docs ([#&#8203;9912](https://redirect.github.com/jdx/mise/pull/9912) by [@&#8203;risu729](https://redirect.github.com/risu729)). 
#### New Contributors - [@&#8203;ivov](https://redirect.github.com/ivov) made their first contribution in [#&#8203;9944](https://redirect.github.com/jdx/mise/pull/9944) #### 💚 Sponsor mise mise is built by [@&#8203;jdx](https://redirect.github.com/jdx) under [**en.dev**](https://en.dev) — an independent studio making developer tooling (mise, [aube](https://aube.en.dev/), and more). Development is funded by sponsors. If mise saves you or your team time, please consider sponsoring at [en.dev](https://en.dev). Individual and company sponsorships keep mise fast, free, and independent. ### [`v2026.5.10`](https://redirect.github.com/jdx/mise/releases/tag/v2026.5.10): : AWS SSO for s3 backends [Compare Source](https://redirect.github.com/jdx/mise/compare/v2026.5.9...v2026.5.10) A small release that unblocks s3 backends for users on AWS SSO profiles, plus two minor option-handling fixes that fell out of an internal refactor of the GitHub/GitLab/Forgejo backend. #### Fixed - **(s3)** s3 backends now work with SSO-based AWS profiles. The `sso` feature of `aws-config` is enabled, so configurations that authenticate via [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) no longer fail with: ``` S3 error: DispatchFailure { ... ProfileFile provider could not be built: This behavior requires following cargo feature(s) enabled: sso. ``` ([#&#8203;9875](https://redirect.github.com/jdx/mise/pull/9875) by [@&#8203;Amir-Ahmad](https://redirect.github.com/Amir-Ahmad)). - **(backend)** Two small behavior fixes landed while centralizing Git backend option reads ([#&#8203;9838](https://redirect.github.com/jdx/mise/pull/9838) by [@&#8203;risu729](https://redirect.github.com/risu729)): - Forgejo now applies the same install-time option filtering as GitHub/GitLab. - `no_app` is now read through target-aware platform option lookup, so `platforms.<target>.no_app = true` is honored when resolving assets for cross-platform lockfiles. 
#### Changed - **(backend)** Internal refactor introducing a shared `BackendOptions` reader and a typed option wrapper for the unified GitHub/GitLab/Forgejo backend. No user-visible behavior change beyond the fixes above ([#&#8203;9838](https://redirect.github.com/jdx/mise/pull/9838) by [@&#8203;risu729](https://redirect.github.com/risu729)). #### New Contributors - [@&#8203;Amir-Ahmad](https://redirect.github.com/Amir-Ahmad) made their first contribution in [#&#8203;9875](https://redirect.github.com/jdx/mise/pull/9875) **Full Changelog**: <jdx/mise@v2026.5.9...v2026.5.10> #### 💚 Sponsor mise mise is built by [@&#8203;jdx](https://redirect.github.com/jdx) under [**en.dev**](https://en.dev) — an independent studio making developer tooling (mise, [aube](https://aube.en.dev/), and more). Development is funded by sponsors. If mise saves you or your team time, please consider sponsoring at [en.dev](https://en.dev). Individual and company sponsorships keep mise fast, free, and independent. ### [`v2026.5.9`](https://redirect.github.com/jdx/mise/releases/tag/v2026.5.9): : SwiftPM artifact bundles and per-hook watch shells [Compare Source](https://redirect.github.com/jdx/mise/compare/v2026.5.8...v2026.5.9) A modest release: SwiftPM gains artifact bundle support, `[[watch_files]]` hooks can pick their own inline shell, and a handful of fixes land for aqua latest-tag resolution, vfox `cmd.exec`, and GitHub OAuth device-flow URLs. Plain-string Tera rendering also gets a fast path. #### Added - **(spm)** SwiftPM installs now prefer prebuilt artifact bundles (`*.artifactbundle.zip`) when a release publishes one for the current Swift target triple, falling back to a source build otherwise ([#&#8203;9825](https://redirect.github.com/jdx/mise/pull/9825)) by [@&#8203;ikesyo](https://redirect.github.com/ikesyo). 
New controls: ```toml [tools] # require an artifact bundle; fail instead of source-building "spm:giginet/swift-testing-revolutionary" = { version = "0.4.0", artifactbundle = true } # always source-build, ignore any bundles "spm:tuist/tuist" = { version = "latest", artifactbundle = false } # disambiguate when multiple bundle assets are published "spm:org/tool" = { version = "1.0.0", artifactbundle_asset = "tool.artifactbundle.zip" } [settings] # apply "bundles only" globally (mirrors cargo.binstall_only) spm.artifactbundle_only = true ``` - **(config)** `[[watch_files]]` entries with `run` accept an optional `shell` field, rendered through templates and falling back to the configured default inline shell when unset ([#&#8203;9810](https://redirect.github.com/jdx/mise/pull/9810)) by [@&#8203;risu729](https://redirect.github.com/risu729): ```toml [[watch_files]] patterns = ["*.js"] run = "eslint --fix ." shell = "bash -c" ``` `shell` only applies to `run` hooks; combining it with `task` produces a warning and the value is ignored. #### Fixed - **(aqua)** When GitHub's `latest` release pointed at a tag that aqua's registry rejected via `version_filter` or `version_constraint`, mise would return it anyway. The latest fast path now applies both checks before accepting a tag ([#&#8203;9834](https://redirect.github.com/jdx/mise/pull/9834)) by [@&#8203;risu729](https://redirect.github.com/risu729). - **(vfox)** Lua `cmd.exec` calls inside vfox plugins now build commands from mise's configured `unix_default_inline_shell_args` / `windows_default_inline_shell_args` instead of hardcoding `sh -c` or `cmd /C`, aligning plugin behavior with tasks, Tera command rendering, and other inline shell users ([#&#8203;9837](https://redirect.github.com/jdx/mise/pull/9837)) by [@&#8203;risu729](https://redirect.github.com/risu729). - GitHub OAuth device-flow paths were slightly off compared to the documented endpoints. 
The default `oauth_auth_url` is now the GitHub login base, with mise appending `/device/code` and `/oauth/access_token` per [GitHub's device-flow docs](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow) ([#&#8203;9791](https://redirect.github.com/jdx/mise/pull/9791)) by [@&#8203;jasisk](https://redirect.github.com/jasisk). - **(patrons)** `mise patrons` now points the "become a patron" link to the en.dev homepage instead of `/sponsor` ([#&#8203;9868](https://redirect.github.com/jdx/mise/pull/9868)) by [@&#8203;jdx](https://redirect.github.com/jdx). #### Changed - **(registry)** `npm` is now resolved through `aqua:npm/cli` (with `npm:npm` retained as a fallback), and `buck2` switches to `aqua:facebook/buck2` with `prerelease = true` so its always-prerelease releases are visible ([#&#8203;9762](https://redirect.github.com/jdx/mise/pull/9762), [#&#8203;9805](https://redirect.github.com/jdx/mise/pull/9805)) by [@&#8203;risu729](https://redirect.github.com/risu729). - **(registry)** Added SonarQube CLI as `aqua:SonarSource/sonarqube-cli` ([#&#8203;9824](https://redirect.github.com/jdx/mise/pull/9824)) by [@&#8203;3PeatVR](https://redirect.github.com/3PeatVR). #### Performance - **(config)** Strings with no Tera block markers (`{{`, `{%`, `{#`, including whitespace-trimmed forms) now bypass the Tera renderer at config evaluation sites, skipping context construction, async context fetches, and `get_tera` setup. Tera 1.20.1's grammar guarantees these are the only block openers, so output is unchanged for both well-formed and malformed templates ([#&#8203;9833](https://redirect.github.com/jdx/mise/pull/9833)) by [@&#8203;risu729](https://redirect.github.com/risu729). #### Documentation - Updated the Walkthrough guide ([#&#8203;9853](https://redirect.github.com/jdx/mise/pull/9853)) by [@&#8203;thernstig](https://redirect.github.com/thernstig). 
#### New Contributors - [@&#8203;3PeatVR](https://redirect.github.com/3PeatVR) made their first contribution in [#&#8203;9824](https://redirect.github.com/jdx/mise/pull/9824) - [@&#8203;ikesyo](https://redirect.github.com/ikesyo) made their first contribution in [#&#8203;9825](https://redirect.github.com/jdx/mise/pull/9825) - [@&#8203;thernstig](https://redirect.github.com/thernstig) made their first contribution in [#&#8203;9853](https://redirect.github.com/jdx/mise/pull/9853) **Full Changelog**: <jdx/mise@v2026.5.8...v2026.5.9> #### 💚 Sponsor mise mise is built by [@&#8203;jdx](https://redirect.github.com/jdx) under [**en.dev**](https://en.dev) — an independent studio making developer tooling (mise, [aube](https://aube.en.dev/), and more). Development is funded by sponsors. If mise saves you or your team time, please consider sponsoring at [en.dev](https://en.dev). Individual and company sponsorships keep mise fast, free, and independent. ### [`v2026.5.8`](https://redirect.github.com/jdx/mise/releases/tag/v2026.5.8): : Patrons, cleaner task output, and sigstore-rust [Compare Source](https://redirect.github.com/jdx/mise/compare/aqua-registry-v2026.5.7...v2026.5.8) A small release: a new `mise patrons` command, cleaner task command output when scripts start with a shebang, and a fix for `mise upgrade` summaries getting wiped by progress cleanup. Under the hood, signature verification moves to the modern sigstore-rust stack. #### Added - **(patrons)** New `mise patrons` subcommand lists individuals on the Patron tier supporting mise development ([#&#8203;9841](https://redirect.github.com/jdx/mise/pull/9841)) by [@&#8203;jdx](https://redirect.github.com/jdx). Data is fetched from the en.dev patrons feed, cached for 24h, and falls back to stale cache on network failure. Each patron's name renders as a clickable OSC 8 hyperlink in supporting terminals. 
``` $ mise patrons mise is supported by these patrons — thank you • Ronald Gierlach • youfoundron Become a patron: https://en.dev/sponsor ``` Flags: `-J/--json`, `--refresh`. - **(registry)** Add a `racket` shorthand backed by the aqua `racket/racket/minimal` package, exposing both `racket` and `raco` from the official racket-lang.org release artifacts ([#&#8203;9784](https://redirect.github.com/jdx/mise/pull/9784)) by [@&#8203;albertnetymk](https://redirect.github.com/albertnetymk). #### Fixed - **(task)** When a task's `run` body starts with `#!/usr/bin/env bash` or `set -Eeuo pipefail`, the echoed command line would show only that boilerplate and hide the rest of the script. Leading shebang, blank, and `set ...` lines are now skipped when building the displayed command, so the first real command shows up. Execution is unchanged ([#&#8203;9844](https://redirect.github.com/jdx/mise/pull/9844)) by [@&#8203;jdx](https://redirect.github.com/jdx). Fixes [#&#8203;9842](https://redirect.github.com/jdx/mise/issues/9842). ``` # before [generate-completions] $ #!/usr/bin/env bash # after [generate-completions] $ fzf --fish > ~/.config/fish/completions/fzf.fish ``` - **(upgrade)** `mise upgrade` could erase its own `Upgraded N tools:` summary detail lines when an upgrade also performed an uninstall — fresh progress jobs registered for the cleanup phase were still active at shutdown, so `stop_clear()` wiped them along with the summary. Progress jobs are now finished and reset before the summary prints ([#&#8203;9860](https://redirect.github.com/jdx/mise/pull/9860)) by [@&#8203;risu729](https://redirect.github.com/risu729). Regression from [#&#8203;9779](https://redirect.github.com/jdx/mise/pull/9779); addresses [#&#8203;9856](https://redirect.github.com/jdx/mise/discussions/9856). 
#### Changed - **(security)** Sigstore verification (`verify_github_attestation`, `verify_cosign_signature`, `verify_slsa_provenance`, `detect_attestations`) now runs on a local `mise-sigstore` adapter built on `sigstore-verify` 0.7 from sigstore-rust, replacing the previous `sigstore-verification` 0.2 dependency ([#&#8203;9260](https://redirect.github.com/jdx/mise/pull/9260)) by [@&#8203;jdx](https://redirect.github.com/jdx). The mise call sites and helper API are unchanged. The new adapter still covers legacy cosign v1 bundles (e.g. goreleaser-signed releases) and raw DSSE `*.intoto.jsonl` envelopes (slsa-github-generator) that the upstream `Bundle::from_json` rejects. #### Deprecated - **(config)** The top-level `env_file` setting (and `MISE_ENV_FILE`) is now marked deprecated. Use `env._.file` in `mise.toml` instead ([#&#8203;9862](https://redirect.github.com/jdx/mise/pull/9862)) by [@&#8203;risu729](https://redirect.github.com/risu729). The JSON Schema gains the `deprecated` keyword, a warning is scheduled for 2026.11.0, and removal is planned for 2027.11.0. ```toml # before env_file = ".env" # after [env] _.file = ".env" ``` #### New Contributors - [@&#8203;albertnetymk](https://redirect.github.com/albertnetymk) made their first contribution in [#&#8203;9784](https://redirect.github.com/jdx/mise/pull/9784) **Full Changelog**: <jdx/mise@v2026.5.7...v2026.5.8> #### 💚 Sponsor mise mise is built by [@&#8203;jdx](https://redirect.github.com/jdx) under [**en.dev**](https://en.dev) — an independent studio making developer tooling (mise, [aube](https://aube.en.dev/), and more). Development is funded by sponsors. If mise saves you or your team time, please consider sponsoring at [en.dev](https://en.dev). Individual and company sponsorships keep mise fast, free, and independent. 
### [`v2026.5.7`](https://redirect.github.com/jdx/mise/releases/tag/v2026.5.7): : Lazy GitHub tokens, hardened version parsing, and faster task freshness [Compare Source](https://redirect.github.com/jdx/mise/compare/v2026.5.6...aqua-registry-v2026.5.7) A round of correctness and performance fixes: vfox-managed tools no longer prompt your password manager on every shell hook, `mise upgrade` stops double-printing its summary, `mise settings get` finally distinguishes typos from unset values, and conda installs that pulled in `adwaita-icon-theme` are unstuck. Plus a security pass that hardens version-string parsing against shell injection. #### Fixed - **(vfox)** GitHub tokens are now resolved lazily inside Lua plugins. Previously, `mise hook-env`, `mise activate`, `mise completion`, and even `mise --help` would call `github.credential_command` for every installed vfox tool — potentially unlocking a password manager on every prompt. The resolver is now only invoked when a Lua plugin actually issues an HTTP request to a GitHub API URL, e.g. during an install ([#&#8203;9816](https://redirect.github.com/jdx/mise/pull/9816)) by [@&#8203;jdx](https://redirect.github.com/jdx). Fixes [#&#8203;9797](https://redirect.github.com/jdx/mise/issues/9797). - **(upgrade)** `mise upgrade` (and `mise up`) no longer prints the installed-tools block twice when an upgrade also needs to uninstall an older version. The shared progress-job registry is now cleared after each phase so the subsequent uninstall renders cleanly ([#&#8203;9779](https://redirect.github.com/jdx/mise/pull/9779)) by [@&#8203;jdx](https://redirect.github.com/jdx). Fixes [#&#8203;9774](https://redirect.github.com/jdx/mise/issues/9774). 
- **(settings)** `mise settings get` distinguishes between a known setting that hasn't been set and a typo: ```sh $ mise settings get python.compile mise ERROR Setting [python.compile] is not set $ mise settings get not.a.real.setting mise ERROR Unknown setting: not.a.real.setting ``` Previously both returned `Unknown setting`, since `Option<T>` fields skipped by TOML serialization were indistinguishable from missing keys ([#&#8203;9818](https://redirect.github.com/jdx/mise/pull/9818)) by [@&#8203;jdx](https://redirect.github.com/jdx). - **(backend)** Several backends (`aqua`, `github`/`gitlab`/`forgejo`, `http`, `s3`, `ubi`, `vfox`, `conda`, Windows `npm`) reported `bin-paths` pointing at the concrete resolved install dir (e.g. `installs/tiny/1.0.0/...`) instead of the stable runtime symlink for the requested label (e.g. `installs/tiny/latest/...`). A new `runtime_path_for_install_path` helper remaps backend-discovered absolute paths onto the runtime path while leaving explicit relative `bin_path` values alone ([#&#8203;9606](https://redirect.github.com/jdx/mise/pull/9606)) by [@&#8203;risu729](https://redirect.github.com/risu729). - **(conda)** `mise use -g imagemagick` (and other tools pulling in `adwaita-icon-theme`) failed with `conda solve failed: encountered duplicate records for adwaita-icon-theme-40.1.1-...`. rattler-solve detects duplicates by `DistArchiveIdentifier` rather than URL, so when conda-forge served the same archive under multiple CDN URLs, the existing URL-based dedup wasn't enough. Dedup now uses `r.identifier`, the exact key the solver uses ([#&#8203;9831](https://redirect.github.com/jdx/mise/pull/9831)) by [@&#8203;jdx](https://redirect.github.com/jdx). Fixes [#&#8203;9829](https://redirect.github.com/jdx/mise/discussions/9829). 
#### Added - **(github)** `github.credential_command` now runs through the configured default inline shell (instead of hardcoded `sh -c`) and is invoked with `MISE_CREDENTIAL_HOST` and `MISE_CREDENTIAL_PROVIDER` in the environment. The deprecated `$1` / `${1}` hostname positional argument continues to work for sh-compatible shells (`ash`, `bash`, `dash`, `ksh`, `sh`, `zsh`); a deprecation warning lands in `2026.11.0` and removal is planned for `2027.11.0` ([#&#8203;9664](https://redirect.github.com/jdx/mise/pull/9664)) by [@&#8203;risu729](https://redirect.github.com/risu729). #### Performance - **(aqua)** The baked aqua standard-registry package and alias lookup tables are now generated as static `phf::Map`s at build time via `phf_codegen`, instead of lazy runtime `HashMap`s. Warmed lookup is comparable, but first-use no longer allocates \~115 KiB of heap or builds a 2,179-entry bucket table ([#&#8203;9763](https://redirect.github.com/jdx/mise/pull/9763)) by [@&#8203;risu729](https://redirect.github.com/risu729). - **(task)** When `task.source_freshness_hash_contents = true`, mise now caches each source file's blake3 hash keyed by `(size, mtime_secs, mtime_nanos)` — git's stat-info trick — in a per-task file under `STATE/task-sources/`. Unchanged files are skipped on subsequent runs; entries for files removed from `sources` are pruned automatically ([#&#8203;9819](https://redirect.github.com/jdx/mise/pull/9819)) by [@&#8203;jdx](https://redirect.github.com/jdx). See [discussion #&#8203;9802](https://redirect.github.com/jdx/mise/discussions/9802). #### Security - **Reject shell metacharacters in version strings at the `ToolRequest` boundary** ([#&#8203;9814](https://redirect.github.com/jdx/mise/pull/9814)) by [@&#8203;jdx](https://redirect.github.com/jdx). `ToolRequest::new` now validates `version`, `prefix`, `ref/*`, `sub-*`, and `path:` requests, rejecting `$`, backticks, quotes, `\`, control chars, and `..` traversal. 
This single change neutralizes the CRITICAL RCE class flagged against `vfox-ag`, `vfox-bfs`, `vfox-bpkg`, `vfox-chezscheme`, `vfox-redis`, `vfox-yarn`, and shell-injection findings on `clickhouse`, `leiningen`, `pipenv`, `poetry`, `azure-functions-core-tools`, `carthage`, and `android-sdk`, since no Lua hook can observe a hostile `ctx.version` / `ctx.rootPath`. Real-world strings like `1.2.3-beta`, `lts/hydrogen`, `3.12.0a1`, and `nightly` continue to validate. The PR also tightens `workflow_dispatch` input validation in the COPR, PPA, npm-publish, and Docker workflows. #### Registry - Replace unsupported `exe = ...` options across \~30 GitHub/GitLab registry entries (`astro`, `babashka`, `coursier`, `glab`, `odin`, `openbao`, `purescript`, and many more) ([#&#8203;9587](https://redirect.github.com/jdx/mise/pull/9587)) by [@&#8203;risu729](https://redirect.github.com/risu729). Two entries gained real config to fix Linux installs: - `solidity` now uses `bin = "solc"` so the installed binary matches the upstream `solc-static-linux` asset. - `sourcery` now uses `format = "tar.gz"` because the upstream Linux asset is gzip-compressed despite its `.tar.xz` filename. - Update `pi` to `earendil-works/pi` ([#&#8203;9792](https://redirect.github.com/jdx/mise/pull/9792)) by [@&#8203;garysassano](https://redirect.github.com/garysassano). #### Documentation - **(aliases)** Fix the Aliased Versions example and drop the stale asdf callout ([#&#8203;9830](https://redirect.github.com/jdx/mise/pull/9830)) by [@&#8203;jdx](https://redirect.github.com/jdx). **Full Changelog**: <jdx/mise@v2026.5.6...v2026.5.7> #### 💚 Sponsor mise mise is built by [@&#8203;jdx](https://redirect.github.com/jdx) under [**en.dev**](https://en.dev) — an independent studio making developer tooling (mise, [aube](https://aube.en.dev/), and more). Development is funded by sponsors. If mise saves you or your team time, please consider sponsoring at [en.dev](https://en.dev). 
Individual and company sponsorships keep mise fast, free, and independent. ### [`v2026.5.6`](https://redirect.github.com/jdx/mise/releases/tag/v2026.5.6): : Native GitHub OAuth, project-scoped OCI builds, faster registries [Compare Source](https://redirect.github.com/jdx/mise/compare/v2026.5.5...v2026.5.6) A mix of features and correctness work: a native GitHub OAuth token source (experimental) that drops the dependency on `gh`/`ghtkn`, `mise oci` commands scoped to the current project by default, and two registry-lookup performance wins — plus fixes across activate, exec, java, lock, pipx, and vfox. #### Added - **(cli)** Add `--before <date>` to `mise ls-remote` and `mise lock` for release-date-aware version discovery ([#&#8203;9269](https://redirect.github.com/jdx/mise/pull/9269)) by [@&#8203;risu729](https://redirect.github.com/risu729) - **(config)** Hooks can now be defined as a table — `{ run = "...", shell = "bash -c" }` — to pick a shell inline, alongside the existing string form ([#&#8203;9718](https://redirect.github.com/jdx/mise/pull/9718)) by [@&#8203;risu729](https://redirect.github.com/risu729) - **(github)** Add native GitHub OAuth device-flow token source (experimental) — no dependency on `gh`/`ghtkn` ([#&#8203;9654](https://redirect.github.com/jdx/mise/pull/9654)) by [@&#8203;jdx](https://redirect.github.com/jdx). Create a GitHub App with device flow enabled, then authorize once: ```sh mise settings set experimental true mise settings set github.oauth_client_id Iv1.yourgithubappclientid mise token github --oauth ``` mise caches and refreshes the token for its own GitHub API calls, and auto-exports it as `GITHUB_TOKEN` to shells started under `mise activate`/`exec` so `gh`, `git`, and other GitHub-aware tools pick it up too. See [GitHub Tokens → Native GitHub OAuth](https://mise.en.dev/dev-tools/github-tokens.html#native-github-oauth) for the full setup. 
- **(oci)** `mise oci build/run/push` are now scoped to the current project's config by default; pass `--include-global` to opt back into the previous behavior of including global config ([#9766](https://redirect.github.com/jdx/mise/pull/9766)) by [@jdx](https://redirect.github.com/jdx)
- **(outdated)** Prefixed-version requests now resolve to the latest within the prefix — e.g. `temurin-17.0.19+10` for a `temurin-17.x` request, instead of jumping ahead to `temurin-26.x` ([#9767](https://redirect.github.com/jdx/mise/pull/9767)) by [@roele](https://redirect.github.com/roele)

#### Fixed

- **(activate)** Guard bash `chpwd_functions` expansion under `set -u` so activated shells no longer fail with `chpwd_functions[@]: unbound variable` ([#9716](https://redirect.github.com/jdx/mise/pull/9716)) by [@risu729](https://redirect.github.com/risu729)
- **(backend)** Date-check the `latest_stable_version` fast path when `--before` or `minimum_release_age` is active, instead of returning a too-new version ([#9650](https://redirect.github.com/jdx/mise/pull/9650)) by [@risu729](https://redirect.github.com/risu729)
- **(config)** Parse core tool options consistently between table and bracket syntax, so `[depends=...]` and `os=` set the named core fields ([#9742](https://redirect.github.com/jdx/mise/pull/9742)) by [@risu729](https://redirect.github.com/risu729)
- **(exec)** Nested `mise -C <dir> exec` correctly resolves the inner toolset's tools again — `__MISE_DIFF` is now propagated to children so the child no longer inherits a mutated PATH that hides its own tools ([#9765](https://redirect.github.com/jdx/mise/pull/9765)) by [@jdx](https://redirect.github.com/jdx)
- **(forgejo)** Include prereleases when `prerelease = true` / `MISE_PRERELEASES=1` is set ([#9717](https://redirect.github.com/jdx/mise/pull/9717)) by [@risu729](https://redirect.github.com/risu729)
- **(github)** Avoid caching empty release-asset responses, refetching instead ([#9616](https://redirect.github.com/jdx/mise/pull/9616)) by [@risu729](https://redirect.github.com/risu729)
- **(java)** Resolve `core:java` lockfile URLs/checksums from mise Java metadata, fixing `mise install --locked` for Java ([#9719](https://redirect.github.com/jdx/mise/pull/9719)) by [@risu729](https://redirect.github.com/risu729)
- **(lock)** Cache `github_attestations = "unavailable"` so locked installs stop hitting the GitHub attestation API for artifacts known to have none ([#9741](https://redirect.github.com/jdx/mise/pull/9741)) by [@risu729](https://redirect.github.com/risu729)
- **(pipx)** Preserve `uvx_args`/`pipx_args`/`extras`/`uvx = false` when pipx tools are reinstalled after a Python upgrade ([#9663](https://redirect.github.com/jdx/mise/pull/9663)) by [@risu729](https://redirect.github.com/risu729)
- **(python)** Skip redundant GitHub attestation re-verification when the lockfile already has checksum + `provenance = "github-attestations"` ([#9739](https://redirect.github.com/jdx/mise/pull/9739)) by [@risu729](https://redirect.github.com/risu729)
- **(vfox)** Run vfox plugin `pre_uninstall` hooks before removing install directories ([#9662](https://redirect.github.com/jdx/mise/pull/9662)) by [@risu729](https://redirect.github.com/risu729)
- Quote `program` and `args` in `cmd::cmd(..)` debug output so logged commands are unambiguous ([#9777](https://redirect.github.com/jdx/mise/pull/9777)) by [@ktetzlaff](https://redirect.github.com/ktetzlaff)

#### Performance

- **(aqua)** Bake aqua registry packages as rkyv blobs for much faster lookup ([#9535](https://redirect.github.com/jdx/mise/pull/9535)) by [@risu729](https://redirect.github.com/risu729)
- **(registry)** Use `phf` for the mise registry lookup table, around 3.3x faster than the previous `BTreeMap` path ([#9769](https://redirect.github.com/jdx/mise/pull/9769)) by [@risu729](https://redirect.github.com/risu729)

#### Registry

- Added `vector` ([#9761](https://redirect.github.com/jdx/mise/pull/9761)) by [@kquinsland](https://redirect.github.com/kquinsland)
- Added `openshift-install` and an `http:` backend for `oc` ([#9669](https://redirect.github.com/jdx/mise/pull/9669)) by [@konono](https://redirect.github.com/konono)

#### New Contributors

- [@konono](https://redirect.github.com/konono) made their first contribution in [#9669](https://redirect.github.com/jdx/mise/pull/9669)
- [@kquinsland](https://redirect.github.com/kquinsland) made their first contribution in [#9761](https://redirect.github.com/jdx/mise/pull/9761)
- [@ktetzlaff](https://redirect.github.com/ktetzlaff) made their first contribution in [#9777](https://redirect.github.com/jdx/mise/pull/9777)

**Full Changelog**: <jdx/mise@v2026.5.5...v2026.5.6>

#### 💚 Sponsor mise

mise is built by [@jdx](https://redirect.github.com/jdx) under [**en.dev**](https://en.dev) — an independent studio making developer tooling (mise, [aube](https://aube.en.dev/), and more). Development is funded by sponsors. If mise saves you or your team time, please consider sponsoring at [en.dev](https://en.dev). Individual and company sponsorships keep mise fast, free, and independent.

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - "before 4am on Monday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/prometheus/client_java).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent 00a7052 commit eecf1ba

10 files changed

Lines changed: 20 additions & 20 deletions

.github/workflows/acceptance-tests.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ jobs:
1515
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
1616
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
1717
with:
18-
version: v2026.5.5
19-
sha256: 3aaab5c05a8a94a93b42b4f581779bbd5c44ddb251e7f3639fc671ec5c6aab8a
18+
version: v2026.5.11
19+
sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
2020
- name: Run acceptance tests
2121
run: mise run acceptance-test
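Review bot: the new `sha256` at line 19 is a bare digest, and nothing in the hunk says which v2026.5.11 release asset it covers, so it cannot be checked without guessing the platform. The `uses:` lines already carry a trailing comment for the pinned commit (`# v6`, `# v4.0.1`); a similar trailing comment naming the asset on the `sha256` line would let a reviewer compare it against the upstream release checksums.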

.github/workflows/build.yml

Lines changed: 2 additions & 2 deletions
@@ -14,8 +14,8 @@ jobs:
1414
persist-credentials: false
1515
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
1616
with:
17-
version: v2026.5.5
18-
sha256: 3aaab5c05a8a94a93b42b4f581779bbd5c44ddb251e7f3639fc671ec5c6aab8a
17+
version: v2026.5.11
18+
sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
1919
- name: Cache local Maven repository
2020
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
2121
with:
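Review bot: the `version` and `sha256` pair edited at lines 17-18 is the same pair edited in all ten workflow files of this commit, so every mise bump has ten places where the two values can drift apart or one file can be missed. Consider moving the `jdx/mise-action` step into a single local composite action or reusable workflow so the pin lives in one place.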

.github/workflows/generate-protobuf.yml

Lines changed: 2 additions & 2 deletions
@@ -21,8 +21,8 @@ jobs:
2121
persist-credentials: true
2222
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
2323
with:
24-
version: v2026.5.5
25-
sha256: 3aaab5c05a8a94a93b42b4f581779bbd5c44ddb251e7f3639fc671ec5c6aab8a
24+
version: v2026.5.11
25+
sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
2626
- name: Cache local Maven repository
2727
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
2828
with:
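Review bot: the checkout in this job keeps `persist-credentials: true` (context line 21), so the mise binary selected at lines 24-25 runs with the checkout token still present in the git config. Here the `sha256` pin is the main control on what executes alongside that token, so it is worth confirming the digest independently for this workflow and checking whether the credentials need to persist for the whole job.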

.github/workflows/github-pages.yaml

Lines changed: 2 additions & 2 deletions
@@ -39,8 +39,8 @@ jobs:
3939
fetch-depth: 0
4040
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
4141
with:
42-
version: v2026.5.5
43-
sha256: 3aaab5c05a8a94a93b42b4f581779bbd5c44ddb251e7f3639fc671ec5c6aab8a
42+
version: v2026.5.11
43+
sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
4444
cache: "false"
4545
- name: Setup Pages
4646
id: pages
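Review bot: `cache: "false"` at line 44 is written as a quoted string, while the same input in `.github/workflows/release.yml` in this commit is written `cache: false` unquoted. Pick one spelling for the input across the workflows so a later search or bulk edit catches both.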

.github/workflows/java-version-matrix-tests.yml

Lines changed: 2 additions & 2 deletions
@@ -33,8 +33,8 @@ jobs:
3333
- name: Set up mise
3434
uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
3535
with:
36-
version: v2026.5.5
37-
sha256: 3aaab5c05a8a94a93b42b4f581779bbd5c44ddb251e7f3639fc671ec5c6aab8a
36+
version: v2026.5.11
37+
sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
3838

3939
- name: Cache local Maven repository
4040
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5

.github/workflows/lint.yml

Lines changed: 2 additions & 2 deletions
@@ -23,8 +23,8 @@ jobs:
2323
- name: Setup mise
2424
uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
2525
with:
26-
version: v2026.5.5
27-
sha256: 3aaab5c05a8a94a93b42b4f581779bbd5c44ddb251e7f3639fc671ec5c6aab8a
26+
version: v2026.5.11
27+
sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
2828

2929
- name: Lint
3030
env:

.github/workflows/native-tests.yml

Lines changed: 2 additions & 2 deletions
@@ -15,8 +15,8 @@ jobs:
1515
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
1616
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
1717
with:
18-
version: v2026.5.5
19-
sha256: 3aaab5c05a8a94a93b42b4f581779bbd5c44ddb251e7f3639fc671ec5c6aab8a
18+
version: v2026.5.11
19+
sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
2020
working_directory: .mise/envs/native
2121
- name: Run native tests
2222
working-directory: .mise/envs/native

.github/workflows/nightly-benchmarks.yml

Lines changed: 2 additions & 2 deletions
@@ -36,8 +36,8 @@ jobs:
3636
- name: Setup mise
3737
uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
3838
with:
39-
version: v2026.5.5
40-
sha256: 3aaab5c05a8a94a93b42b4f581779bbd5c44ddb251e7f3639fc671ec5c6aab8a
39+
version: v2026.5.11
40+
sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
4141

4242
- name: Cache local Maven repository
4343
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5

.github/workflows/release.yml

Lines changed: 2 additions & 2 deletions
@@ -29,8 +29,8 @@ jobs:
2929

3030
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
3131
with:
32-
version: v2026.5.5
33-
sha256: 3aaab5c05a8a94a93b42b4f581779bbd5c44ddb251e7f3639fc671ec5c6aab8a
32+
version: v2026.5.11
33+
sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
3434
cache: false
3535

3636
- name: Build release version
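Review bot: a pin change in the release workflow should get human approval before merge. The digest at line 33 decides which mise binary runs ahead of the `Build release version` step, and the commit message lists Automerge as enabled at any time. Excluding `release.yml` from automerge, or requiring review for changes to it, would put a person between the bot's digest and a published build.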

.github/workflows/test-release-build.yml

Lines changed: 2 additions & 2 deletions
@@ -20,8 +20,8 @@ jobs:
2020
fetch-depth: 0
2121
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
2222
with:
23-
version: v2026.5.5
24-
sha256: 3aaab5c05a8a94a93b42b4f581779bbd5c44ddb251e7f3639fc671ec5c6aab8a
23+
version: v2026.5.11
24+
sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
2525
- name: Cache local Maven repository
2626
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
2727
with:
