deps: update dependency jdx/mise to v2026.4.23

[renovate]

This PR contains the following updates:

Package	Update	Change
jdx/mise	patch	2026.4.19 → 2026.4.23

---

Release Notes

jdx/mise (jdx/mise)

v2026.4.23: : Pre-releases, libc preference, and a Node musl fix

Compare Source

A patch release that adds a global libc preference and pre-release opt-in for github:/aqua: backends, alongside fixes for Node musl downloads, read-only system installs, and mise prune network hangs.

Added

• (backend) Per-tool prerelease = true opt-in for the github: and aqua: backends (#​9329) by @​jakedgy. When set, GitHub releases flagged prerelease: true show up in mise ls-remote, latest resolves against the full list including pre-releases, and fuzzy queries like 1.2 can match pre-release tags. Default behavior is unchanged; draft releases are still excluded.

  [tools]
  "github:myorg/mytool" = { version = "latest", prerelease = true }
  "aqua:owner/tool"     = { version = "latest", prerelease = true }

• (backend) Global libc setting for selecting Linux precompiled binary variants (#​9404) by @​jdx. Accepts musl, glibc, or gnu and threads through Platform::current()/PlatformTarget so generic GitHub asset matching, aqua registry replacements (e.g. unknown-linux-gnu ↔ unknown-linux-musl), Bun, Python precompiled builds, Node, and vfox envType all honor the preference.

  export MISE_LIBC=musl

Fixed

• (install) Stop rewriting healthy runtime symlinks (#​9410) by @​jdx. The rebuild path was unconditionally remove_all + recreating every latest -> X.Y.Z symlink, which became a hard failure under the common Docker pattern where root populates /usr/local/share/mise/installs/ at build time and a non-root user runs mise install at runtime. Healthy symlinks now take a no-op path; the read-only system dir is no longer touched. If a write is genuinely required and can't happen, the install fails loudly instead of silently leaving a stale latest.

• (node) Route musl tarball URLs to unofficial-builds.nodejs.org (#​9409) by @​jdx. After #​9404 Node started appending -musl to filenames but kept routing through nodejs.org/dist/ (which doesn't host them), causing 404s and lockfiles where the URL had a -musl suffix while the checksum was still pinned to the glibc tarball. The tarball URL and matching SHASUMS256.txt now come from the same host, and a custom node.mirror_url still passes through unchanged. Lockfile merging is also hardened to drop stale checksum/size/url_api when URLs disagree.

• (prune) Skip remote version resolution for tracked configs (#​9406) by @​jdx. mise prune was hitting npm, the Go proxy, and the GitHub API to resolve tracked-config tool versions, which could hang on slow or failing registries. Since prune only protects installed versions from deletion, an offline flag is now threaded through ResolveOptions for prune. mise upgrade is unchanged and still queries fresh remote data. Closes #​9405.

• (backend) Allow unresolved latest opt-in (#​9401) by @​jdx. latest now falls back to an unresolved selector only when a backend's unfiltered remote version list is empty and the backend opts in via unresolved_latest_version(). pipx opts in for git-backed requests; backends that require concrete versions continue to fail rather than create literal latest/ installs. If minimum_release_age filters all candidates out, mise still reports no matching version.

• (schema) Allow array values in tool additionalProperties (#​9400) by @​JP-Ellis. Configs like rust = { version = "1.77", components = ["rustfmt", "clippy"] } are no longer flagged as invalid by linters such as tombi.

Registry

• Use aqua for rumdl (#​9397) by @​scop
• Add llmfit (#​9412) by @​jylenhof

New Contributors

• @​JP-Ellis made their first contribution in #​9400

Full Changelog: jdx/mise@v2026.4.22...v2026.4.23

v2026.4.22: : Repaired latest resolution and clearer deps output

Compare Source

A focused patch release that repairs two @latest regressions, gives mise deps clearer per-provider output labels, and renames the install_before setting to minimum_release_age to match the wider ecosystem.

Highlights

• @latest resolution is fixed for Go modules that only publish pseudo-versions, and stale installs/<tool>/latest/ directories are now repaired automatically.
• The install_before setting has been renamed to minimum_release_age; the old name keeps working as a deprecated alias.
• mise deps output is now labeled by provider (e.g. [deps.codegen]) instead of repeating the raw command.
• Fedora 44 and Rawhide are now supported in the COPR build.

Fixed

• (backend) Two separate @latest issues are repaired in #​9383 by @​jdx:

  • Go modules that enumerate zero versions now resolve @latest via go list -m -json <module>@&#8203;latest, so modules that only publish pseudo-versions still install a concrete version.
  • Stale real installs/<tool>/latest/ directories are now repaired generically by the runtime symlink migration. The migration reruns under a new marker and refreshes only install_state after rewriting directories, so the current process picks up the repaired layout without rebuilding the backend map (which previously broke config aliases). Numeric partial-version dirs such as installs/<tool>/25/ are left alone, and real direct-URL latest installs (e.g. UBI URL installs) are preserved when there is no concrete version to replace them with.

• (task) mise deps output is now labeled with a stable [deps.<provider>] prefix on stdout/stderr (and in the progress message) instead of using the raw run command as the prefix, making repeated output from commands like pip install -r requirements.txt much easier to follow. mise deps add/remove continues to run unprefixed. (#​9385) by @​jdx

Changed

• (config) The install_before setting and per-tool option have been renamed to minimum_release_age, matching pnpm's terminology. The old install_before name is preserved as a hidden, deprecated alias — global settings are migrated at load time, per-tool options resolve through the new key, and the JSON schema marks the old name as deprecated. Precedence is unchanged: --before > per-tool > global. (#​9384) by @​jdx

Added

• (copr) Fedora 44 and Rawhide are now supported by the COPR build script. (#​9391) by @​bestagi

Documentation

• The docs site nav now displays the current release version (read from Cargo.toml at build time), linking to the GitHub releases page. The build emits a warning if the version cannot be parsed instead of silently falling back. (#​9388, #​9389) by @​jdx

Aqua Registry

Updated aqua-registry from v4.498.0 to v4.499.0.

Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors. If mise saves you or your team time, please consider sponsoring at en.dev.

Full Changelog: jdx/mise@v2026.4.21...v2026.4.22

v2026.4.21: : untrust command and prune lockfile fixes

Compare Source

A patch release that adds a new mise untrust command, teaches mise prune to skip tools tracked in lockfiles, and tightens GitHub asset auto-detection.

[!NOTE]
This release was tagged but the publish job failed before assets were uploaded. v2026.4.22 ships the same fixes alongside additional changes — install that release instead. These notes are preserved here for the changelog.

Highlights

• New mise untrust command revokes trust on a config file.
• mise prune now respects tracked lockfiles and no longer removes tools listed in them.
• GitHub asset auto-detection prefers the shortest asset name as a tiebreaker, avoiding spurious matches on longer-named variants.
• New --security flag on mise registry includes security info in JSON output.

Added

• (registry) --security flag on mise registry includes security info in JSON output. (#​9364) by @​jdx
• (trust) New mise untrust command. (#​9370) by @​jdx

Fixed

• (config) Resolved backend opts are now limited to aliases. (#​9315) by @​risu729
• (github) Asset auto-detection prefers the shortest asset name as a tiebreaker. (#​9361) by @​jdx
• (java) Newer Zulu versions are detected correctly — they use a different directory structure than older releases. (#​9365) by @​roele
• (prune) mise prune now respects tracked lockfiles. (#​9373) by @​jdx
• (task) Tool installation is skipped for missing naked tasks instead of failing the run. (#​9374) by @​jdx

Documentation

• The docs site dismissible banner stacks its message and link on mobile. (#​9362) by @​jdx
• Ruby compile message updated. (#​9338) by @​fladson

Registry

• Fix flux-operator-mcp aqua path. (#​9357) by @​monotek
• Remove openshift-install. (#​9372) by @​jdx
• Remove go-sdk. (#​9371) by @​jdx

New Contributors

• @​fladson made their first contribution in #​9338

Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors. If mise saves you or your team time, please consider sponsoring at en.dev.

Full Changelog: jdx/mise@v2026.4.20...v2026.4.21

v2026.4.20: : Lockfile cleanup and path: fixes

Compare Source

A focused patch release that cleans up two long-standing lockfile and path-resolution bugs, makes GitHub attestation verification tolerant of regex-based aqua registry URLs, and reworks how the aqua registry is baked into mise.

Highlights

• mise lock tool@latest now writes a concrete version and heals lockfiles already poisoned with version = "latest".
• path: tool versions with relative paths resolve correctly against the config root.
• Aqua registry is now baked from the upstream merged registry.yaml, pinned by tag.
• GitHub artifact attestation works for registry entries that use regex URLs.

Fixed

• (config) Relative path: tool versions are now resolved at parse time against the config's root directory (or CWD for CLI args), with ~/ expansion and leading ./ stripped. Previously, a value like path:./packages/logr was joined with installs_path at install time and produced a bogus directory such as ~/.local/share/mise/installs/logr/./packages/logr. (#​9320) by @​jdx

• (lock) mise lock handling of @latest has been overhauled (#​9321 by @​jdx):

  • mise lock tool@latest now resolves latest to the newest installed version instead of writing the literal string "latest" into the lockfile.
  • mise lock no longer produces duplicate [[tools.<name>]] entries when the config uses tool = "latest".
  • Lockfiles already poisoned with version = "latest" are cleaned up in a single mise lock run.

• GitHub artifact attestation verification now works when the aqua registry entry uses a regex in the workflow URL, unblocking installs such as aqua:updatecli/updatecli. (#​9327) by @​monotek

Changed

• (aqua) The baked aqua registry source has been swapped for the upstream merged registry.yaml, pinned by tag via crates/aqua-registry/aqua-registry/metadata.json. The build script generates a canonical package-id map plus an alias lookup table, so runtime lookups only parse the selected package YAML. The pinned tag is now visible in mise doctor. (#​9043) by @​risu729

Added

• New registry entry: grafana-kubernetes-plugin. (#​9300) by @​monotek

Documentation

• A dismissible announcement banner has been added to the docs site, driven by a remote JSON config. Link schemes are restricted to http/https, dismissals persist per-id in localStorage, and the banner height is kept in sync with --vp-layout-top-height via a ResizeObserver. The expires field is respected so banners automatically hide after a given date. (#​9326, #​9330, #​9334) by @​jdx

Aqua Registry

Updated aqua-registry from v4.492.0 to v4.498.0, which includes:

• v4.493.0
• v4.494.0
• v4.494.1
• v4.495.0
• v4.496.0
• v4.497.0
• v4.498.0

Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

Full Changelog: jdx/mise@v2026.4.19...v2026.4.20

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.