jdx/mise v2026.5.11

v2026.5.11: Provenance verification at lock time

on GitHub

Added

• (security) Verify and record provenance during mise lock, with a new provenance_api_failures_fatal setting to control whether GitHub attestation API failures are fatal (#9945 by @jdx).
• (security) Fall back to verifying archive contents when SLSA provenance attests every file inside an archive but not the archive itself, fixing releases like github:prefix-dev/pixi@0.68.1 (#9898 by @sargunv).
• (plugins) Support remote git subdirectory sources for plugins, e.g. git::https://host/repo.git//path/to/plugin?ref=branch (#9893 by @jdx).

Fixed

• (github) Asset picker now picks the shortest matching name as a tiebreaker for asset_pattern and accepts platform-agnostic runtime archives like .phar, .jar, and .pyz (fixes installing composer) (#9946 by @jdx).
• (config) Invalid miserc.toml now produces a clear parse error at startup instead of being silently ignored (#9937 by @jdx).
• (install) Per-tool .mise.backend.toml metadata is now written alongside install directories, making merged/copied installs self-describing and refreshing install state mid-run so same-run dependency resolution sees freshly installed tools (#9941 by @jdx).
• (install) postinstall hooks now run through the configured default inline shell instead of $SHELL -c (#9812 by @risu729).
• (cache) mise cache prune [PLUGIN]... now honors the plugin filter instead of pruning every cache directory (#9914 by @risu729).
• (task) Preserve task-declared env, MISE_TASK_* metadata, and MISE_ENV across nested hook-env invocations, while keeping the nested-PATH fix from #9765 intact (#9850 by @risu729).
• (backend) Resolve helper dependency toolsets in offline mode so minimum_release_age cannot mis-route helper tools like node/npm when querying upstream versions (#9808 by @risu729).
• (vfox) Key vfox EnvKeys hooks by the resolved install path so shared/system installs don't reuse user-path cache entries (#9907 by @risu729).
• (use) Skip the mise use -g shadow warning when the active version comes from system config (#9900 by @risu729).
• (doctor) List installed plugins from install state, including those owned by disabled backends, and add a plugins object to mise doctor -J (#9863 by @risu729).
• (erlang) erlang.compile = false is now strict precompiled mode and no longer falls back to kerl build-install on unsupported distros (#9866 by @risu729).

Changed

• (registry) Prefer the aqua backend for cilium-hubble, localstack, mark, openbao, porter, process-compose, rtk, sqlc, turso, and xcodegen, with existing GitHub/asdf backends preserved as fallbacks (#9789 by @risu729).
• (registry) Add aqua:jbangdev/jbang as the primary backend for jbang, enabling Windows support (#9811 by @risu729).
• (registry) Alias dotnet-core to dotnet (#9807 by @risu729).
• (registry) Add lisette (#9944 by @ivov).
• (registry) Fix sourcery archive format so macOS installs use the .zip asset instead of trying to extract it as tar.gz (#9902 by @risu729).
• (docs) Trim the global settings example in the configuration docs (#9912 by @risu729).

New Contributors

• @ivov made their first contribution in #9944

💚 Sponsor mise

mise is built by @jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.