fix(deps): update dependency jdx/mise to v2026.5.11

[renovate]

This PR contains the following updates:

Package	Update	Change	Pending
jdx/mise	patch	2026.5.0 → 2026.5.11	2026.5.15 (+3)

---

Release Notes

jdx/mise (jdx/mise)

v2026.5.11

Compare Source

🐛 Bug Fixes

• (backend) avoid release age cutoff for dependency envs by @​risu729 in #​9808
• (cache) honor plugin filter when pruning cache by @​risu729 in #​9914
• (config) report invalid miserc files by @​jdx in #​9937
• (doctor) list installed plugins from install state by @​risu729 in #​9863
• (erlang) respect compile false for precompiled installs by @​risu729 in #​9866
• (github) asset picker handles ambiguous patterns and runtime archives by @​jdx in #​9946
• (install) respect default inline shell in postinstall by @​risu729 in #​9812
• (install) store metadata alongside install dirs by @​jdx in #​9941
• (plugins) support remote git subdirectory sources by @​jdx in #​9893
• (task) preserve task env across nested hook-env by @​risu729 in #​9850
• (use) ignore system config for global shadow warning by @​risu729 in #​9900
• (vfox) use selected install path for env keys by @​risu729 in #​9907
• verify provenance during lock by @​jdx in #​9945

🚜 Refactor

• (aqua) parse tool options locally by @​risu729 in #​9872
• (cargo) parse tool options locally by @​risu729 in #​9922
• (npm) parse tool options locally by @​risu729 in #​9920
• (pipx) parse tool options locally by @​risu729 in #​9921
• (s3) parse tool options locally by @​risu729 in #​9871
• (ubi) parse tool options locally by @​risu729 in #​9873

📚 Documentation

• (configuration) trim global settings example by @​risu729 in #​9912

🛡️ Security

• (security) verify SLSA archive contents by @​sargunv in #​9898

📦️ Dependency Updates

• bump ctor to 1 by @​jdx in #​9938

📦 Registry

• fix sourcery platform archive format by @​risu729 in #​9902
• prefer aqua for tools also in aqua-registry by @​risu729 in #​9789
• add aqua backend for jbang by @​risu729 in #​9811
• alias dotnet-core to dotnet by @​risu729 in #​9807
• add lisette by @​ivov in #​9944

Chore

• (ci) require clear hyperfine regressions by @​risu729 in #​9874
• (ci) close failing or conflicted PRs sooner by @​jdx in #​9939

New Contributors

• @​ivov made their first contribution in #​9944

📦 Aqua Registry Updates

New Packages (1)

• glossia/cli

Updated Packages (1)

• dathere/qsv

v2026.5.10

Compare Source

🐛 Bug Fixes

• (s3) support SSO-based AWS profiles by enabling aws-config sso feature by @​Amir-Ahmad in #​9875

🚜 Refactor

• (backend) parse tool options per backend by @​risu729 in #​9838

📦️ Dependency Updates

• update rust crate sha2 to 0.11 by @​renovate[bot] in #​9885
• update ghcr.io/jdx/mise:alpine docker digest to 1a653b5 by @​renovate[bot] in #​9890
• update ghcr.io/jdx/mise:rpm docker digest to 7880c74 by @​renovate[bot] in #​9892
• update ghcr.io/jdx/mise:deb docker digest to a6fe62d by @​renovate[bot] in #​9891
• update rust docker digest to 39d8cb3 by @​renovate[bot] in #​9899

New Contributors

• @​Amir-Ahmad made their first contribution in #​9875

v2026.5.9

Compare Source

🚀 Features

• (config) add shell to watch_files run by @​risu729 in #​9810
• (spm) add artifact bundle support by @​ikesyo in #​9825

🐛 Bug Fixes

• (aqua) reject registry-invalid latest tags by @​risu729 in #​9834
• (patrons) point sponsor link to https://en.dev by @​jdx in #​9868
• (vfox) respect default inline shell in cmd.exec by @​risu729 in #​9837
• github oauth device flow paths by @​jasisk in #​9791

📚 Documentation

• Update Walkthrough guide by @​thernstig in #​9853

⚡ Performance

• (config) skip tera render for plain strings by @​risu729 in #​9833

📦️ Dependency Updates

• update ghcr.io/jdx/mise:rpm docker digest to d2471f2 by @​renovate[bot] in #​9879
• update rust docker digest to 5b1e348 by @​renovate[bot] in #​9880
• update ghcr.io/jdx/mise:deb docker digest to 0cde829 by @​renovate[bot] in #​9878
• update ubuntu docker tag to resolute-20260421 by @​renovate[bot] in #​9881
• update ghcr.io/jdx/mise:alpine docker digest to 2d0ea74 by @​renovate[bot] in #​9877
• update rust crate phf to 0.13 by @​renovate[bot] in #​9884
• update rust crate phf_codegen to 0.13 by @​renovate[bot] in #​9883

📦 Registry

• use aqua backend for npm by @​risu729 in #​9762
• add aqua for buck2 prereleases by @​risu729 in #​9805
• add SonarQube CLI (aqua:SonarSource/sonarqube-cli) by @​3PeatVR in #​9824

New Contributors

• @​3PeatVR made their first contribution in #​9824
• @​ikesyo made their first contribution in #​9825
• @​thernstig made their first contribution in #​9853

📦 Aqua Registry Updates

New Packages (4)

• SurgeDM/Surge
• roie/ovw
• so-dang-cool/sigi
• vjeantet/alerter

Updated Packages (2)

• alltuner/mise-completions-sync
• str4d/age-plugin-yubikey

v2026.5.8

Compare Source

🚀 Features

• (patrons) add mise patrons command by @​jdx in #​9841

🐛 Bug Fixes

• (task) skip shebang line in displayed task command by @​jdx in #​9844

🚜 Refactor

• (security) switch to sigstore-rust verification by @​jdx in #​9260

v2026.5.7

Compare Source

🐛 Bug Fixes

• (backend) use runtime paths for backend bin dirs by @​risu729 in #​9606
• (ci) preserve vendor/aqua-registry/ in PPA publish workflow by @​jdx in #​9782
• (ci) set UTF-8 locale in e2e Docker image by @​jdx in #​9820
• (ci) pass UTF-8 locale through to e2e tests by @​jdx in #​9823
• (conda) dedup repodata by archive identifier instead of URL by @​jdx in #​9831
• (github) use default shell for credential command by @​risu729 in #​9664
• (settings) distinguish unset known settings from unknown ones by @​jdx in #​9818
• (upgrade) remove completed progress jobs to prevent duplicate output by @​jdx in #​9779
• (vfox) resolve GitHub token lazily inside Lua plugins by @​jdx in #​9816

🚜 Refactor

• (config) separate core and backend tool options by @​risu729 in #​9753
• (schema) reuse env directive property schemas by @​risu729 in #​9651

📚 Documentation

• (aliases) fix Aliased Versions example and drop stale asdf callout by @​jdx in #​9830

⚡ Performance

• (aqua) use phf for baked registry lookups by @​risu729 in #​9763
• (task) cache per-file content hashes for source_freshness_hash_contents by @​jdx in #​9819

🧪 Testing

• (e2e) pin aube to known-good version in npm package_manager test by @​jdx in #​9794

📦 Registry

• replace unsupported exe options by @​risu729 in #​9587
• update pi by @​garysassano in #​9792

Chore

• (ci) use non-large runners for release builds by @​jdx in #​9786
• (ci) compare registry PRs from fork point by @​risu729 in #​9643
• (ci) make build-copr.sh the single source of truth for COPR chroots by @​jdx in #​9788
• (ci) use crates.io trusted publishing in release-plz by @​jdx in #​9793
• (ci) remove autofix.ci workflow by @​jdx in #​9801
• (ci) restore -large runner for Linux release builds by @​jdx in #​9815
• (ci) add zizmor workflow for github actions security analysis by @​jdx in #​9804
• (ci) assert mise run render produces no diff by @​jdx in #​9803
• (copr) publish EL9 builds via centos-stream+epel-next-9 chroot by @​jdx in #​9787

Ci

• remove pull_request_target workflow by @​jdx in #​9799
• remove caching from publishing workflows by @​jdx in #​9800

Security

• reject shell metacharacters in version strings and CI inputs by @​jdx in #​9814

📦 Aqua Registry Updates

New Packages (11)

• Code-Hex/Neo-cowsay
• SonarSource/sonarqube-cli
• earendil-works/pi
• hylo-lang/hylo-new
• jfernandez/bpftop
• modem-dev/hunk
• npm/cli
• racket/racket/minimal
• slackapi/slack-cli
• vectordotdev/vector
• wasilibs/go-yamllint

Updated Packages (10)

• DataDog/pup
• aquasecurity/trivy
• astral-sh/uv
• caarlos0/svu
• cargo-bins/cargo-binstall
• foundry-rs/foundry
• gastownhall/beads
• gruntwork-io/terragrunt
• pnpm/pnpm
• santosr2/TerraTidy

v2026.5.6

Compare Source

🚀 Features

• (cli) add minimum release age flag to lock and ls-remote by @​risu729 in #​9269
• (config) add run field for hooks by @​risu729 in #​9718
• (github) add native oauth token source by @​jdx in #​9654
• (oci) scope build to project config by default by @​jdx in #​9766
• add support for prefixed latest version queries in outdated checks by @​roele in #​9767

🐛 Bug Fixes

• (activate) guard bash chpwd hook under nounset by @​risu729 in #​9716
• (backend) date-check latest stable fast path by @​risu729 in #​9650
• (config) parse core tool options consistently by @​risu729 in #​9742
• (exec) propagate __MISE_DIFF so nested mise recovers pristine PATH by @​jdx in #​9765
• (forgejo) include prereleases when opted in by @​risu729 in #​9717
• (github) avoid caching empty release assets by @​risu729 in #​9616
• (java) resolve lockfile URLs from metadata by @​risu729 in #​9719
• (lock) cache unavailable github attestations by @​risu729 in #​9741
• (pipx) preserve options when reinstalling tools by @​risu729 in #​9663
• (python) skip redundant lockfile provenance verification by @​risu729 in #​9739
• (vfox) run pre_uninstall hook by @​risu729 in #​9662

🚜 Refactor

• (schema) extract tool options definition by @​risu729 in #​9649

⚡ Performance

• (aqua) bake rkyv aqua package blobs by @​risu729 in #​9535

📦️ Dependency Updates

• lock file maintenance by @​renovate[bot] in #​9773

📦 Registry

• add vector (github:vectordotdev/vector) by @​kquinsland in #​9761
• add oc and openshift-install (http backend) by @​konono in #​9669

New Contributors

• @​konono made their first contribution in #​9669
• @​kquinsland made their first contribution in #​9761

v2026.5.5

Compare Source

🚀 Features

• add --inactive option to outdated and upgrade commands for inactive tools by @​roele in #​9640

🐛 Bug Fixes

• (aqua) resolve bin paths for prefixed v tags by @​risu729 in #​9759
• (bun) create bunx alongside bun.exe on Windows install by @​JamBalaya56562 in #​9732
• (dotnet) use shared prerelease tool option by @​risu729 in #​9720
• (node) use matching node in npm shim by @​jdx in #​9749
• (task) resolve bash deterministically on Windows to avoid WSL launcher by @​JamBalaya56562 in #​9750

📚 Documentation

• (secrets) clarify age strict mode default by @​risu729 in #​9737
• (tasks) add bash shebang to conditional-dependencies example by @​JamBalaya56562 in #​9747
• update backend tool option docs by @​risu729 in #​9738

📦 Registry

• remove tools with zero users by @​jdx in #​9725
• add scalafmt (github:scalameta/scalafmt) by @​pokir in #​9757
• remove flarectl by @​risu729 in #​9756

Chore

• (release) strip pre-existing sponsor block before appending canonical one by @​jdx in #​9745

New Contributors

• @​pokir made their first contribution in #​9757

v2026.5.4

Compare Source

🚀 Features

• (java) remove musl feature in favor of autom. musl detection and alpine-linux versions by @​roele in #​9688

🚜 Refactor

• (schema) stop patching task_template in render script by @​risu729 in #​9680

📚 Documentation

• (deps) drop codegen example from configuration section by @​jdx in 6b2d851

⚡ Performance

• avoid spawning process to set exit code by @​vemoo in #​9723

📦️ Dependency Updates

• update ghcr.io/jdx/mise:rpm docker digest to b8b0b72 by @​renovate[bot] in #​9711
• update ghcr.io/jdx/mise:alpine docker digest to f130900 by @​renovate[bot] in #​9709
• update ghcr.io/jdx/mise:deb docker digest to 71bda11 by @​renovate[bot] in #​9710
• bump rattler crates together by @​jdx in #​9721
• update rust crate junction to v2 by @​renovate[bot] in #​9726
• update rust docker digest to 4d4ec51 by @​renovate[bot] in #​9734

📦 Registry

• use symlink_bins in ibmcloud by @​dnwe in #​9685

Chore

• (ci) pass mise github token to tests by @​risu729 in #​9684

📦 Aqua Registry Updates

New Packages (2)

• DataDog/managed-kubernetes-auditing-toolkit
• oracle.com/sqlcl

Updated Packages (3)

• alltuner/mise-completions-sync
• iann0036/iamlive
• pnpm/pnpm

v2026.5.3

Compare Source

🐛 Bug Fixes

• (aqua) resolve latest from GitHub releases by @​risu729 in #​9277

📦️ Dependency Updates

• update ubuntu:26.04 docker digest to f3d2860 by @​renovate[bot] in #​9697
• update ghcr.io/jdx/mise:alpine docker digest to d15f3f9 by @​renovate[bot] in #​9694
• update ghcr.io/jdx/mise:rpm docker digest to 9084f68 by @​renovate[bot] in #​9696
• update ghcr.io/jdx/mise:deb docker digest to dd8a908 by @​renovate[bot] in #​9695
• update rust crate ctor to 0.12 by @​renovate[bot] in #​9698

Chore

• (ci) increase lint job timeout for clippy by @​risu729 in #​9682
• (hk) drop jq from schema lint step by @​risu729 in #​9681

📦 Aqua Registry Updates

New Packages (2)

• DataDog/pup
• reviewdog/nightly

Updated Packages (1)

• gittuf/gittuf

v2026.5.2

Compare Source

🚀 Features

• (aqua) support registry libc variants by @​jdx in #​9652
• (bin-paths) add executable names output by @​risu729 in #​9617

🐛 Bug Fixes

• (aqua) preserve configured file extensions by @​risu729 in #​9611
• (aqua) support registry file links by @​risu729 in #​9610
• (backend) reject bare package backend names by @​risu729 in #​9608
• (backend) apply inline tool option overrides by @​risu729 in #​9306
• (backend) skip versions host for local tool opts by @​risu729 in #​9568
• (github) chmod explicit archive bin by @​risu729 in #​9609
• (install) skip remote-versions refresh in prefer-offline mode by @​jdx in #​9627
• (lock) scope targets to active project root by @​risu729 in #​9319
• (lockfile) respect existing platforms during auto-lock by @​jdx in #​9621
• (pipx) filter yanked pypi releases by @​risu729 in #​9607
• (pipx) declare python as a backend dependency by @​jdx in #​9678
• (schema) update refs to $defs in mise-registry-tool.json by @​risu729 in #​9671
• (task) terminate parallel siblings on failure via process groups by @​jdx in #​9655
• (task) stable MISE_PROJECT_ROOT for monorepo tasks, add MISE_MONOREPO_ROOT by @​jdx in #​9657
• (trust) run enter hooks after trusting config by @​risu729 in #​9634
• (ui) stop clearing screen for prompts by @​jdx in #​9619
• use /bin/cp on macos by @​pdehlke in #​9656

🚜 Refactor

• (aqua) store aqua var defaults as strings by @​risu729 in #​9645
• (config) support structured TOML values in registry backend options by @​risu729 in #​9584
• (deps) remove serde_derive dependency by @​risu729 in #​9670
• (deps) remove anyhow dependency by @​risu729 in #​9661
• (deps) use std::sync::LazyLock instead of once_cell::Lazy by @​risu729 in #​9668
• (schema) generate task schema from mise schema by @​risu729 in #​9581
• (schema) reuse task props with unevaluatedProperties by @​risu729 in #​9582
• (schema) reuse registry common types by @​risu729 in #​9648
• (schema) reuse plugin script config by @​risu729 in #​9647
• (schema) use $defs in schema files by @​risu729 in #​9646

📚 Documentation

• (node) add tips for enabling node idiomatic by @​fu050409 in #​9675

🧪 Testing

• (cli) remove nondeterministic tool depends assertion by @​risu729 in #​9633
• (e2e) pin uv to 0.11.8 around astral-sh/uv#19278 by @​jdx in #​9618
• (e2e) wait for docker env cleanup by @​risu729 in #​9631
• (zig) use official zig instead of mach mirror by @​jdx in #​9659

📦️ Dependency Updates

• fall through to hash check when providers have no outputs by @​jdx in #​9622
• bump Cargo.lock by @​jdx in #​9625

📦 Registry

• remove registry depends by @​risu729 in #​9571
• add code-review-graph (pipx:code-review-graph) by @​chautruonglong in #​9673

Chore

• (ci) split large registry test-tool changes by @​risu729 in #​9628
• (ci) make perf script robust to runner noise by @​jdx in #​9635
• (ci) skip hyperfine comments without permission by @​risu729 in #​9629

New Contributors

• @​chautruonglong made their first contribution in #​9673
• @​pdehlke made their first contribution in #​9656

📦 Aqua Registry Updates

New Packages (5)

• anthropics/anthropic-cli
• crates.io/wasmi_cli
• openclaw/gogcli
• racket-lang.org/racket-minimal
• runs-on/cli

Updated Packages (13)

• UpCloudLtd/upcloud-cli
• aristocratos/btop
• dprint/dprint
• j178/prek
• jdx/hk
• jdx/mise
• jdx/usage
• jreleaser/jreleaser
• jreleaser/jreleaser/standalone
• pnpm/pnpm
• suzuki-shunsuke/cmdx
• suzuki-shunsuke/ghir
• twpayne/chezmoi

v2026.5.1

Compare Source

🚀 Features

• (backend) support top-level aqua cosign verification by @​risu729 in #​9111

🐛 Bug Fixes

• (schema) validate all schema files with draft2020 and strict mode by @​risu729 in #​9594
• (shim) skip network resolution for installed tool dirs by @​jdx in #​9599

📚 Documentation

• (dev-tools) clarify vfox metadata depends for install hooks by @​risu729 in #​9573
• (plugins) remove registry submission guidance by @​risu729 in #​9577

📦️ Dependency Updates

• lock file maintenance by @​renovate[bot] in #​9586

📦 Registry

• remove bashly asdf fallback by @​risu729 in #​9578
• use github backend for rebar by @​risu729 in #​9576
• add wasm-tools (aqua:bytecodealliance/wasm-tools) by @​2xdevv in #​9596
• enable symlink_bins for elixir-ls by @​AlternateRT in #​9592

Chore

• (release) always append sponsor block to release notes by @​jdx in #​9580
• warn on vendored vfox embedded plugins by @​risu729 in #​9588
• prefer registry shorthands over cargo/npm backends in mise.toml by @​risu729 in #​9595

📦 Aqua Registry Updates

New Packages (2)

• salesforce/reactive-grpc/protoc-gen-reactor-grpc
• spinframework/spin

Updated Packages (1)

• pnpm/pnpm

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

This PR updates mise from v2026.5.0 to v2026.5.11, spanning 11 patch releases. The changes consist primarily of:

Bug Fixes (Major):

• Backend improvements for aqua, pipx, github, vfox, and other tool backends
• Configuration parsing and validation fixes
• Task execution improvements (parallel task handling, env preservation)
• Lock file and provenance verification enhancements
• Windows compatibility improvements (bun, bash resolution)

Security Enhancements:

• SLSA archive content verification (v2026.5.11)
• Provenance verification during lock operations
• Shell metacharacter rejection in version strings and CI inputs
• GitHub OAuth device flow improvements

Performance Improvements:

• Baked rkyv aqua package blobs for faster lookups
• Skip tera render for plain strings
• Avoid spawning process to set exit code
• Various caching improvements

Refactoring & Internal Changes:

• Backend tool options parsing improvements
• Schema generation and validation enhancements
• Dependency updates and removal of deprecated dependencies

Breaking Changes: None identified that affect this project's usage patterns.

🎯 Impact Scope Investigation

Usage Locations in Codebase:

1. Dockerfile (Primary Impact): Lines 6, 36, 45, 56, 69, 78

   • mise use -g <tool>@<version> - Used to install Node.js, Ruby, Go, Python, Rust
   • mise settings ruby.compile=false - Ruby configuration
   • ✅ These commands remain unchanged and fully compatible

2. mise.toml (Development Environment):

   • Defines tool versions for development (Go, golangci-lint, lefthook, hadolint, Node.js, Ruby, Rust, Python)
   • ✅ No changes required - tool version format unchanged

3. GitHub Actions (.github/workflows/ci.yml):

   • Uses jdx/mise-action@1648a7812b9aeae629881980618f079932869151 (v4.0.1)
   • ✅ The action is independent and will use the appropriate mise version

4. Documentation (CLAUDE.md, skill files):

   • References to mise install command
   • ✅ No changes needed - command remains stable

Dependency Impact:

• No impact on other dependencies
• mise is used as a build-time tool installer, not a runtime dependency
• All downstream runtime installations (Node.js, Ruby, Go, etc.) remain unaffected

Configuration Impact:

• No breaking changes to mise.toml format
• No changes required to Dockerfile mise commands
• The mise settings ruby.compile=false syntax remains valid

💡 Recommended Actions

Immediate Action: ✅ Safe to merge immediately

Reasoning:

1. All 11 patch releases contain only bug fixes, security improvements, and internal refactoring
2. No breaking changes to CLI commands used in this project (mise use, mise settings)
3. No changes to configuration file formats
4. Security improvements (SLSA verification, provenance checks) enhance supply chain security
5. Performance improvements will benefit build times
6. The update follows semantic versioning (patch releases only)

Post-Merge Validation:

• CI pipeline will automatically validate the change through:
  • Docker build process (uses mise to install runtimes)
  • Unit tests
  • E2E tests
  • All existing checks will confirm compatibility

No Migration Steps Required: The update is a drop-in replacement with no code or configuration changes needed.

🔗 Reference Links

• Release v2026.5.11
• Release v2026.5.10
• Release v2026.5.9
• Release v2026.5.8
• Release v2026.5.7
• Release v2026.5.6
• Release v2026.5.5
• Release v2026.5.4
• Release v2026.5.3
• Release v2026.5.2
• Release v2026.5.1
• Full CHANGELOG
• mise Documentation

Generated by koki-develop/claude-renovate-review