github jdx/mise v2026.3.12
v2026.3.12: Supply chain protection for lockfile upgrades

8 hours ago

A small but important release that adds supply chain protection for lockfile upgrades and fixes zsh completions broken by the usage v3.1.0 update. This release also includes the binary assets that were missing from v2026.3.11 due to the completions issue.

Security

  • Block GitHub tool upgrades when provenance is lost -- When upgrading a github: backend tool, mise now checks whether the prior locked version had provenance verification (e.g., GitHub Attestations). If the new version lacks provenance that the old version had, the upgrade is blocked with an error indicating a potential supply chain attack. The old provenance-verified lockfile entry is preserved, and the error includes both versions for easy investigation. This check applies to mise lock, mise install, and mise use. #8706 by @jdx

    Example error:

    github:example/tool@2.0.0 has no provenance verification on linux-x64,
    but github:example/tool@1.5.0 had github-attestations. This could indicate
    a supply chain attack. Verify the release is authentic before proceeding.
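
The rule described above, sketched as an added example (not mise's own code): the `LockEntry` type, the `entry`, `check_upgrade` and `upgrade` functions, the in-memory lockfile map and the shortened error text are all hypothetical, and the sample data is constructed.

```rust
use std::collections::BTreeMap;

// Hypothetical in-memory model of a locked tool; not mise's real lockfile types.
#[derive(Clone, Debug, PartialEq)]
pub struct LockEntry {
    pub tool: String,
    pub version: String,
    // platform key (e.g. "linux-x64") -> provenance kind verified at lock time, if any
    pub provenance: BTreeMap<String, Option<String>>,
}

// Build an entry from literals (helper for the constructed sample data below).
pub fn entry(tool: &str, version: &str, plats: &[(&str, Option<&str>)]) -> LockEntry {
    let provenance = plats.iter().map(|(p, k)| (p.to_string(), k.map(String::from))).collect();
    LockEntry { tool: tool.into(), version: version.into(), provenance }
}

// Reject `new` if any platform it covers lost provenance the old entry had.
pub fn check_upgrade(old: Option<&LockEntry>, new: &LockEntry) -> Result<(), String> {
    let old = match old { Some(o) => o, None => return Ok(()) }; // first lock: no baseline
    for (platform, new_prov) in &new.provenance {
        if new_prov.is_some() { continue; } // still verified on this platform
        if let Some(Some(kind)) = old.provenance.get(platform) {
            return Err(format!(
                "{}@{} has no provenance verification on {}, but {}@{} had {}",
                new.tool, new.version, platform, old.tool, old.version, kind));
        }
    }
    Ok(())
}

// Apply an upgrade to the lockfile map; on error the old entry stays in place.
pub fn upgrade(lock: &mut BTreeMap<String, LockEntry>, new: LockEntry) -> Result<(), String> {
    check_upgrade(lock.get(&new.tool), &new)?;
    lock.insert(new.tool.clone(), new);
    Ok(())
}

fn main() {
    // Constructed sample data: 1.5.0 was attested, 2.0.0 is not.
    let mut lock = BTreeMap::new();
    let t = "github:example/tool";
    upgrade(&mut lock, entry(t, "1.5.0", &[("linux-x64", Some("github-attestations"))])).unwrap();
    let res = upgrade(&mut lock, entry(t, "2.0.0", &[("linux-x64", None)]));
    println!("{:?}\nlocked version is still {}", res, lock[t].version);
}
```

A tool that never had provenance upgrades freely in this sketch; only the loss of previously recorded provenance is rejected.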
    

Fixed

  • Zsh completions updated for usage v3.1.0 -- The prerendered zsh completion script has been regenerated to match the new output format from usage v3.1.0, which switched from _arguments to _describe and changed quoting behavior. This also fixes the binary build failure that prevented v2026.3.11 from publishing release assets. #8715 by @jdx

Full Changelog: v2026.3.11...v2026.3.12
