github jdx/mise v2026.5.13
v2026.5.13: Safer npm installs, faster shell completions

A focused release that tightens npm install safety by default, removes network calls from shell completion generation, and fixes asset picking so primary release binaries beat related sub-archives.

Added

  • (npm) The npm backend now passes --ignore-scripts=true by default when installing through npm, and no longer adds Bun's --trust flag automatically. npm_args and bun_args remain the user escape hatches and are appended after the defaults, so you can opt back in per tool (#9913 by @risu729):

    [tools]
    # opt back into npm lifecycle scripts for one tool
    "npm:some-tool" = { version = "latest", npm_args = "--ignore-scripts=false" }
    # opt into Bun's broad install-time script trust
    "npm:other-tool" = { version = "latest", bun_args = "--trust" }

    For dependency build approvals, prefer aube or pnpm with --allow-build=<pkg>; see the refreshed npm backend docs.

Fixed

  • (completion) mise completion is often invoked on shell init. It no longer refreshes remote version metadata while building the toolset, so slow networks and timeouts don't delay every new shell (#10010 by @sargunv-headway).
  • (github) Auto-detection scoring now gives a small bonus to assets whose platform-stripped filename matches the repo/tool name, and treats manylinux* / musllinux* asset names as Linux with the right glibc/musl libc. This fixes installs like opengrep/opengrep, where opengrep-core_linux_aarch64.tar.gz was previously winning over the primary opengrep_* binary. Explicit asset_pattern configuration is unchanged (#10008 by @risu729).
  • (shim) Optioned tool aliases (e.g. GitHub tool_alias entries with per-alias asset_pattern / bin_path) are now visible to runtime symlink and shim rebuilds. Previously these alias backends bypassed the global backend cache and could be missed after install, leaving latest symlinks or executable shims unbuilt (#9848 by @risu729).
  • (release) The embedded mise-plugins vfox plugin set now includes vfox-groovy, vfox-php, and vfox-scala as fallbacks after the default asdf backend (#9832 by @risu729).
  • (doctor) The mise doctor version-check request now uses the regular HTTP client and the configured http_timeout (controllable via MISE_HTTP_TIMEOUT), instead of an unconfigurable 3s timeout. Timeout error messages now point at the real setting (#9977 by @risu729).
  • (config) Tool options coming from the install manifest are tracked as their own source layer, kept below config and inline backend args in precedence, and no longer serialized back out as inline backend args (#9958 by @risu729).

Changed

  • (registry) vector now uses the aqua backend, which has Vector-specific vdev-* release filtering. This avoids resolving stray vdev-* GitHub releases as the latest Vector (#10011 by @jdx).
  • (registry) vale now tracks its updated aqua-registry location (#10002 by @eread).
  • (dotnet) The .NET backend reads prerelease (and other tool options) through a local typed option reader, with the legacy package-flag fallback preserved (#9962 by @risu729).

Full Changelog: v2026.5.12...v2026.5.13

💚 Sponsor mise

mise is built by @jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.
