github jdx/mise v2026.6.2
v2026.6.2: Supply-chain defaults and clearer install warnings

6 hours ago

This release tightens mise's default supply-chain posture: fuzzy version resolution now waits 24 hours after a release by default on timestamp-aware backends, with new excludes, opt-outs, and warnings so it stays out of your way when you don't want it. A couple of long-standing GitHub-attestation and npm-install rough edges are smoothed over as well.

Added

  • (config) Apply a built-in 24-hour minimum_release_age when no global or per-tool value is set, for backends that expose release timestamps (core, aqua, github, npm, pipx, etc.). Asdf/vfox/plugin-style tools without release metadata are unaffected. mise ls-remote now reports how many releases were hidden, and mise upgrade warns when a newer release is being ignored by the cutoff, e.g.:

    newer jq release 1.7.2 ignored by minimum_release_age
    

    Set minimum_release_age = "0s" to disable the default. Pinned exact versions still bypass the filter. (#10279 by @jdx)

  • (config) New minimum_release_age_excludes setting to skip the global (and built-in) release-age policy for selected tools or whole backends. Entries may be tool shorthands, full backend IDs, or backend wildcards:

    [settings]
    minimum_release_age = "24h"
    minimum_release_age_excludes = ["jq", "npm:prettier", "npm:*"]

    Per-tool minimum_release_age and CLI --minimum-release-age still take precedence as before. (#10277 by @jdx)

  • (registry) cargo-msrv is now available in the registry, installed via aqua (foresterre/cargo-msrv) with a cargo:cargo-msrv fallback (#10276 by @jdx).
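The release-age rules from the two (config) entries above, modelled as an added example; this is not mise's own code. The matching semantics for excludes, the `m`/`d` duration units, the function names, the backend IDs and the sample timestamps are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

BUILTIN_AGE = timedelta(hours=24)  # built-in default described in these notes
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # "m"/"d" are assumed forms

def parse_age(text):
    """Parse durations written like "24h" or "0s"."""
    return timedelta(seconds=int(text[:-1]) * UNITS[text[-1]])

def effective_age(tool, backend_id, settings, per_tool=None):
    """Return the cutoff for one tool, or None when the policy is skipped."""
    if per_tool is not None:  # a per-tool value takes precedence
        return parse_age(per_tool)
    for entry in settings.get("minimum_release_age_excludes", []):
        # Assumed matching: tool shorthand, full backend ID, or "backend:*".
        if entry == tool or fnmatchcase(backend_id, entry):
            return None
    configured = settings.get("minimum_release_age")
    return BUILTIN_AGE if configured is None else parse_age(configured)

def resolve(releases, now, age, pinned=None):
    """Return (chosen version, versions hidden by the cutoff).

    releases: (version, published_at) pairs in ascending version order;
    published_at is None when the backend exposes no timestamp.
    """
    if pinned is not None:  # pinned exact versions bypass the filter
        return pinned, []
    age = age or timedelta(0)  # None and "0s" both mean no waiting period
    visible, hidden = [], []
    for version, published_at in releases:
        old_enough = published_at is None or now - published_at >= age
        (visible if old_enough else hidden).append(version)
    chosen = visible[-1] if visible else None
    return chosen, hidden

# Constructed sample data: timestamps are invented for the illustration.
NOW = datetime(2026, 6, 10, 12, 0, tzinfo=timezone.utc)
JQ_RELEASES = [("1.7.1", NOW - timedelta(days=400)),
               ("1.7.2", NOW - timedelta(hours=6))]
SETTINGS = {"minimum_release_age": "24h",
            "minimum_release_age_excludes": ["jq", "npm:prettier", "npm:*"]}

if __name__ == "__main__":
    for name, backend in [("jq", "aqua:jqlang/jq"), ("node", "core:node")]:
        age = effective_age(name, backend, SETTINGS)
        print(name, age, resolve(JQ_RELEASES, NOW, age))
```

With the sample settings, the excluded `jq` entry resolves to the 6-hour-old 1.7.2, while a tool that is not excluded stays on 1.7.1 and reports 1.7.2 as hidden.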

Fixed

  • (github) GitHub artifact attestation detection and verification now respect the existing registry/default-backend gate, so custom github: repos and non-registry aqua packages talk to GitHub directly instead of routing through the mise-versions host. Python precompiled builds still use the versions host; Ruby precompiled attestations use it only for the default jdx/ruby source (#10260 by @jdx).
  • (npm) After global npm installs, mise warns when the package declares lifecycle scripts (preinstall / install / postinstall) that were skipped because mise still passes --ignore-scripts=true. Setting npm_args = "--ignore-scripts=false" (or --no-ignore-scripts) correctly suppresses the warning, with later flags winning (#10280 by @jdx).

Changed

  • (registry) aube and pitchfork now resolve to jdx/aube and jdx/pitchfork in both the mise registry and the vendored aqua registry, with endevco/* aliases retained for compatibility. Aube <= 1.18.1 skips GitHub artifact attestations to match the upstream aqua registry change (#10285 by @jdx).

Documentation

  • (security) A new Security page consolidates software verification and supply-chain guidance, documents the 24h minimum_release_age default and 0s opt-out, and clarifies that only npm: and pipx: currently forward the cutoff to transitive dependency resolution (#10278 by @jdx).
  • (settings) Examples and CLI hints prefer the shorter mise settings set key=value form (#10271 by @jdx).
  • Debian/Ubuntu install instructions now recommend extrepo, since mise's deb repository was added to Debian extrepo (#10262 by @okulev).
  • Sponsor logos on the docs site now have better contrast (#10270 by @jdx).

New Contributors

Full Changelog: v2026.6.1...v2026.6.2

💚 Sponsor mise

mise is built by @jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.
