Update dependency jdx/mise to v2026.3.10

[renovate]

This PR contains the following updates:

Package	Update	Change
jdx/mise	patch	v2026.3.9 → v2026.3.10

---

Release Notes

jdx/mise (jdx/mise)

v2026.3.10: : Security fix for .tool-versions templates, Python checksum verification, and 15+ bug fixes

Compare Source

This release closes a security gap where .tool-versions files with Tera templates could execute arbitrary commands without a trust check, adds checksum verification for precompiled Python downloads, and ships over 15 bug fixes across tasks, lockfiles, the Rust plugin, bootstrap scripts, and more.

Highlights

• Security: trust check for .tool-versions Tera templates -- .tool-versions files were processed through Tera's render_str() with the exec() function available, allowing arbitrary command execution without any trust verification. A malicious .tool-versions in a cloned repo could silently execute code when a user with mise shell activation cd'd into the directory. Template syntax in .tool-versions now requires mise trust first; plain files continue to work without trust.
• Python checksum verification for precompiled binaries -- Precompiled Python downloads from astral-sh/python-build-standalone are now verified against lockfile checksums at install time, matching the behavior of other core plugins.
• Python freethreaded build exclusion -- Freethreaded Python builds (e.g. Python 3.14+) are now excluded from precompiled selection by default, fixing "missing lib directory" errors. Set python.precompiled_flavor explicitly if you want freethreaded builds.
• mise doctor PATH ordering check -- mise doctor now warns when non-mise directories appear before mise-managed tool paths in PATH, helping diagnose tool shadowing issues.

Security

• Require trust check for .tool-versions Tera templates -- When template syntax ({{, {%, {#) is detected in a .tool-versions file, mise now requires mise trust before processing it. Plain .tool-versions files without templates are unaffected. #​8675 by @​jdx

Added

• mise doctor detects PATH ordering issues -- When mise is activated (not shims-only), mise doctor now checks whether non-mise directories appear before mise-managed tool paths in PATH and lists the specific offending entries. #​8585 by @​jdx
• New registry tools:
  • viteplus (npm:vite-plus) -- #​8594 by @​risu729
  • ormolu (Haskell formatter) -- #​8617 by @​3w36zj6
  • pi.dev coding agent -- #​8635 by @​dector
  • qwen (npm:@​qwen-code/qwen-code) -- #​8667 by @​jianglu
  • hlint (Haskell linter) -- #​8670 by @​3w36zj6

Fixed

• Python: verify checksums for precompiled binary downloads -- Precompiled Python downloads are now checked against lockfile checksums between HTTP download and tarball extraction, preventing corrupted or tampered downloads from being silently accepted. #​8593 by @​malept
• Python: exclude freethreaded builds from precompiled selection -- Freethreaded Python builds (e.g. cpython-3.14.3-freethreaded) use lib/python3.14t/ instead of lib/python3.14/, causing installation failures. These are now filtered out by default unless python.precompiled_flavor is explicitly set to a freethreaded variant. #​8672 by @​jdx
• Config: resolve trust hash collision for same-name directories -- In paranoid mode, configs sharing the same parent directory leaf name (e.g. /projectA/infra/mise.toml and /projectB/infra/mise.toml) would map to a single hash file, silently breaking trust verification. The filename extension is now appended instead of replaced. Previously trusted configs may need a one-time mise trust after upgrading. #​8628 by @​tdragon
• Lockfile: resolve symlinks when updating -- If a lockfile is a symlink, mise now updates the target file instead of replacing the symlink with a regular file. #​8589 by @​chancez
• Rust: resolve relative CARGO_HOME/RUSTUP_HOME to absolute paths -- When CARGO_HOME or RUSTUP_HOME is set to a relative path (e.g. .cargo via [env]), the paths are now resolved to absolute before use, preventing broken PATH entries like undefined/bin after changing directories. #​8604 by @​simonepri
• Bootstrap: preserve argv[0] for shim dispatch -- mise generate bootstrap now emits exec -a "$0" instead of plain exec, preserving the original invocation name so that shim symlinks (e.g. claude -> mise) dispatch correctly. #​8521 by @​tak848
• Installer: normalize current version before comparison -- The standalone installer now strips the v prefix from MISE_CURRENT_VERSION before comparisons, so embedded checksums and the current-release CDN path are used correctly. #​8649 by @​tak848
• Tasks: global file tasks not properly marked as such -- #​8618 by @​roele
• Tasks: handle broken pipe in mise tasks ls -- Piping task output (e.g. mise tasks ls | head) no longer panics with EPIPE. #​8608 by @​vmaleze
• Tasks: correctly resolve _default files with extensions -- test/_default.sh is now correctly loaded as the test task instead of test:_default. #​8646 by @​youta1119
• Tasks: fix argument completion with flags in zsh -- Completing task arguments after flags (e.g. mise run build -- -c <TAB>) no longer produces errors. #​8601 by @​KevSlashNull
• Git: use "origin" as remote name -- Cloned registries now consistently use "origin" as the remote name, fixing fetch failures in some configurations. #​8626 by @​bentinata
• Shared tools: fix failing rebuild of runtime symlinks -- Installing tools with --system no longer fails when rebuilding runtime symlinks due to incorrect install path resolution. #​8647 by @​roele
• Flutter: fix version_expr Tera parser collision -- Added spaces around the current element operator in Flutter's version_expr to prevent Tera parser errors. #​8616 by @​roele

Changed

• Removed hidden --prefix and --interleave flags from mise run -- These flags were hidden in December 2024 when --output was introduced as their replacement. Their short forms (-p, -i) could silently consume flags intended for tasks. Use --output prefix or --output interleave instead. #​8669 by @​nkakouros

Breaking Changes

• .tool-versions with Tera templates now require trust -- If you have .tool-versions files using template syntax ({{, {%, {#), you will need to run mise trust in those directories. Plain .tool-versions files are unaffected. #​8675
• Trust hash files regenerated -- Due to the hash collision fix, previously trusted configs in paranoid mode may need a one-time mise trust after upgrading. #​8628
• --prefix/-p and --interleave/-i removed from mise run -- Use --output prefix or --output interleave instead (available since December 2024). #​8669

New Contributors

• @​nkakouros made their first contribution in #​8669
• @​jianglu made their first contribution in #​8667
• @​tak848 made their first contribution in #​8521
• @​bentinata made their first contribution in #​8626
• @​tdragon made their first contribution in #​8628
• @​nygmaaa made their first contribution in #​8642
• @​youta1119 made their first contribution in #​8646
• @​chancez made their first contribution in #​8589
• @​dector made their first contribution in #​8635

Full Changelog: jdx/mise@v2026.3.9...v2026.3.10

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.