github jdx/mise v2026.4.2
v2026.4.2: Process sandboxing for exec and run

3 hours ago

Note: This release's build failed so no binary assets were published. Use v2026.4.3 instead, which includes all changes from this release plus a build fix.

This release introduces experimental process sandboxing for mise exec and mise run, allowing you to restrict filesystem access, network access, and environment variables for executed processes.

Added

  • Process sandboxing for mise x and mise run (experimental) -- A new lightweight sandboxing layer lets you lock down what processes spawned by mise can access. On Linux it uses Landlock for filesystem restrictions and seccomp-bpf for network filtering; on macOS it uses sandbox-exec (Seatbelt) with generated profiles. Requires experimental = true in settings. #8845 by @jdx

    # Block all filesystem and network access
    mise x --deny-all -- node script.js
    
    # Block network only
    mise x --deny-net -- npm run build
    
    # Block writes except to ./dist
    mise x --allow-write=./dist -- npm run build

    Task-level configuration is also supported:

    [tasks.build]
    run = "npm run build"
    deny_net = true
    allow_write = ["./dist"]

Fixed

  • Docs: correct RUNTIME.osType and RUNTIME.archType values -- Fixed inconsistent documentation for runtime template variables and simplified examples. #8785 by @esteve

Full Changelog: v2026.4.1...v2026.4.2
