Skip to content

fix(cli-tools): update jdx/mise (v2026.3.3 -> v2026.3.5)#780

Open
ppat-self-hosted-renovate-bot[bot] wants to merge 2 commits intomainfrom
renovate/cli-tools
Open

fix(cli-tools): update jdx/mise (v2026.3.3 -> v2026.3.5)#780
ppat-self-hosted-renovate-bot[bot] wants to merge 2 commits intomainfrom
renovate/cli-tools

Conversation

@ppat-self-hosted-renovate-bot
Copy link
Contributor

@ppat-self-hosted-renovate-bot ppat-self-hosted-renovate-bot bot commented Mar 16, 2026

This PR contains the following updates:

Package Update Change Pending
jdx/mise patch v2026.3.3 -> v2026.3.5 v2026.3.9 (+3)

Release Notes

jdx/mise (jdx/mise)

v2026.3.5: : Provenance tracking in lockfiles and task deduplication fix

Compare Source

This release adds supply-chain security improvements by recording provenance verification results in lockfiles, exposes libc variant detection to vfox plugins, and fixes several bugs including duplicate task execution, offline mode hangs, and Windows binary identification.

Highlights

  • Provenance tracking in lockfiles prevents downgrade attacks by recording which verification mechanism was used for each tool, and refusing to install if that mechanism is later disabled.
  • Task delegation deduplication fixes a bug where shared dependency tasks could run multiple times when using run = [{ task }].
  • Offline mode fix prevents mise env, hook-env, activate, and exec from hanging when resolving "latest" versions behind private registries.

Added

  • Provenance verification results stored in lockfiles -- mise lock now records which provenance mechanism (SLSA, GitHub attestations, cosign, or minisign) was used to verify each tool per platform. On subsequent installs, mise refuses to proceed if the recorded verification mechanism is disabled or unavailable, protecting against downgrade/stripping attacks. The lockfile format also changes from inline tables to dotted-key subtables for platform entries, improving readability. Existing lockfiles remain backwards-compatible and will be updated on the next mise lock. #​8495 by @​jdx

  • RUNTIME.envType for vfox plugins -- Vfox Lua plugins can now check RUNTIME.envType to determine the libc variant at runtime ("gnu" for glibc, "musl" for musl Linux, nil on non-Linux). This lets plugins select the correct binary variant for the host system. #​8493 by @​malept

    if RUNTIME.envType == "musl" then
    -- download musl-compatible binary
elseif RUNTIME.envType == "gnu" then
    -- download glibc-compatible binary
end

  • Registry: portless -- Added portless (npm:portless) to the tool registry. #​8508 by @​risu729

Fixed

  • Shared dependency tasks no longer run multiple times with task delegation -- When a task uses run = [{ task }] to delegate, the sub-graph now inherits knowledge of tasks already completed in the parent graph, preventing shared dependencies from executing more than once. #​8497 by @​vadimpiven

  • "latest" version no longer triggers network calls in prefer-offline mode -- mise env, hook-env, activate, and exec with prefer_offline enabled would still make a remote call to resolve "latest" versions (e.g., npm:pkg = "latest"). If the registry held the connection open waiting for credentials, mise would hang indefinitely. This is now skipped, matching the existing offline guard for fully-qualified versions. #​8500 by @​jdx

  • Windows: mise binary correctly identified without .exe extension -- On Windows, argv[0] can resolve to mise (without .exe), mise.bat, or mise.cmd, all of which were incorrectly treated as shims. This caused mise --help and mise --version to silently fail in some environments (e.g., conda-forge CI). A unified is_mise_binary() helper now handles all these variants. #​8503 by @​jdx, with credit to @​salim-b for identifying the issue in #​8496

Full Changelog: jdx/mise@v2026.3.4...v2026.3.5

v2026.3.4: : Runtime musl detection, interactive tasks, and platform install fixes

Compare Source

A feature-rich release that adds runtime musl/glibc detection for correct binary selection on Linux, a new interactive task field for exclusive terminal access, and several important fixes for platform-specific tool installation, the standalone installer, and Ruby precompiled binary discovery.

Highlights

  • Runtime musl/glibc detection ensures mise downloads the right binary variant regardless of how mise itself was compiled, with lockfile support for both libc variants.
  • interactive task field provides a targeted way to give a task exclusive terminal access without forcing all tasks to run sequentially.
  • Platform install fixes correct multiple issues where registry-defined platform options were ignored or mangled, affecting tools like flyway and http-backend tools with platform-specific URLs.
  • Installer safety guard prevents accidental data loss when MISE_INSTALL_PATH points to an existing directory.

Added

  • interactive field for tasks -- Mark a task with interactive = true to give it exclusive terminal access (stdin/stdout/stderr) while other non-interactive tasks continue running in parallel. This is a more targeted alternative to raw = true, which forces jobs=1 globally -- interactive only blocks concurrent tasks while the interactive task is actively running. #​8491 by @​jdx

    [tasks.deploy]
run = "deploy.sh"
interactive = true  # gets exclusive stdin/stdout/stderr access

  • Runtime musl/glibc detection for correct libc variant selection -- mise now detects musl libc at runtime (by checking for /lib/ld-musl-*) instead of using compile-time configuration. This means a musl-built mise running on a glibc system (or vice versa) will correctly select the right binary variant. Lockfiles now include separate entries for linux-x64-musl and linux-arm64-musl platforms. Existing lockfiles without musl entries continue to work and will be updated on the next mise lock. #​8490 by @​jdx

  • Header comment in generated lockfiles -- mise.lock files now include a @generated header comment, making it clear the file is auto-generated and should not be edited manually. #​8481 by @​ivy

    # @​generated - this file is auto-generated by `mise lock` https://mise.jdx.dev/dev-tools/mise-lock.html

[[tools.node]]
version = "22.14.0"
...

  • Preserve .exe extensions on Windows -- The github, gitlab, forgejo, and http backends now automatically keep executable extensions (.exe, .bat, .cmd) when using bin or rename_exe options on Windows, fixing tools like yt-dlp that were broken by extension stripping. #​8424 by @​iki

Fixed

  • Registry platform options now applied during install -- Platform-specific options like asset_pattern defined in the tool registry were silently ignored during installation because nested TOML structures were flattened to strings. This caused tools like flyway to select the wrong asset (e.g., alpine instead of linux-x64). #​8492 by @​jdx

  • Tool opts stored as native TOML to fix platform switching -- Switching an http: tool from a single URL to platform-specific URLs ([tools."http:X".platforms]) could fail because cached options in .mise-installs.toml were mangled during round-tripping. Options are now stored as proper TOML fields with automatic migration of old manifests. #​8448 by @​jdx

  • Installer errors if MISE_INSTALL_PATH is a directory -- Setting MISE_INSTALL_PATH to an existing directory (e.g., ~/tmp instead of ~/tmp/mise) caused the installer to rm -rf that directory, potentially deleting important files. The installer now detects this and exits with a clear error message suggesting a file path. #​8468 by @​jdx

  • Prepare sources/outputs resolve relative to dir -- When a prepare provider sets dir, relative source and output paths now correctly resolve against project_root/dir instead of just project_root. This fixes freshness tracking in monorepo setups where prepare providers target subdirectories. #​8472 by @​jdx

  • Ruby precompiled binary lookup for older versions -- Precompiled Ruby discovery used paginated release listing (first page only), so versions beyond the first 30 releases (like Ruby 3.2.2) silently fell back to compiling from source. The lookup now fetches the specific release by tag directly. #​8488 by @​jdx

  • JSON schema supports structured objects in task depends -- The JSON schema for depends, depends_post, and wait_for now correctly accepts the structured { task, args?, env? } object syntax that the runtime already supported, fixing IDE validation errors. #​8463 by @​risu729

  • Broken pipe no longer panics in task output -- Task output macros used println!/eprintln! which panic on broken pipes (e.g., when piping mise output to head). Replaced with calm_io equivalents that gracefully handle closed stdout/stderr. #​8485 by @​vmaleze

  • Scoped npm package names no longer panic -- Using @scope/pkg (e.g., @anthropic-ai/claude-code) without the npm: backend prefix caused an internal panic. The parser now correctly treats the leading @ as part of the package name and provides a proper error message. #​8477 by @​jdx

New Contributors

Full Changelog: jdx/mise@v2026.3.3...v2026.3.4

Configuration

📅 Schedule: Branch creation - "before 10am on Tuesday" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependency-type:cli-tools image:cli-tools pr-type:renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants