chore(deps): update dependency mise to v2026.4.20

[renovate]

This PR contains the following updates:

Package	Update	Change
mise	patch	2026.4.17 → 2026.4.20

---

Release Notes

jdx/mise (mise)

v2026.4.20: : Lockfile cleanup and path: fixes

Compare Source

A focused patch release that cleans up two long-standing lockfile and path-resolution bugs, makes GitHub attestation verification tolerant of regex-based aqua registry URLs, and reworks how the aqua registry is baked into mise.

Highlights

• mise lock tool@latest now writes a concrete version and heals lockfiles already poisoned with version = "latest".
• path: tool versions with relative paths resolve correctly against the config root.
• Aqua registry is now baked from the upstream merged registry.yaml, pinned by tag.
• GitHub artifact attestation works for registry entries that use regex URLs.

Fixed

• (config) Relative path: tool versions are now resolved at parse time against the config's root directory (or CWD for CLI args), with ~/ expansion and leading ./ stripped. Previously, a value like path:./packages/logr was joined with installs_path at install time and produced a bogus directory such as ~/.local/share/mise/installs/logr/./packages/logr. (#​9320) by @​jdx

• (lock) mise lock handling of @latest has been overhauled (#​9321 by @​jdx):

  • mise lock tool@latest now resolves latest to the newest installed version instead of writing the literal string "latest" into the lockfile.
  • mise lock no longer produces duplicate [[tools.<name>]] entries when the config uses tool = "latest".
  • Lockfiles already poisoned with version = "latest" are cleaned up in a single mise lock run.

• GitHub artifact attestation verification now works when the aqua registry entry uses a regex in the workflow URL, unblocking installs such as aqua:updatecli/updatecli. (#​9327) by @​monotek

Changed

• (aqua) The baked aqua registry source has been swapped for the upstream merged registry.yaml, pinned by tag via crates/aqua-registry/aqua-registry/metadata.json. The build script generates a canonical package-id map plus an alias lookup table, so runtime lookups only parse the selected package YAML. The pinned tag is now visible in mise doctor. (#​9043) by @​risu729

Added

• New registry entry: grafana-kubernetes-plugin. (#​9300) by @​monotek

Documentation

• A dismissible announcement banner has been added to the docs site, driven by a remote JSON config. Link schemes are restricted to http/https, dismissals persist per-id in localStorage, and the banner height is kept in sync with --vp-layout-top-height via a ResizeObserver. The expires field is respected so banners automatically hide after a given date. (#​9326, #​9330, #​9334) by @​jdx

Aqua Registry

Updated aqua-registry from v4.492.0 to v4.498.0, which includes:

• v4.493.0
• v4.494.0
• v4.494.1
• v4.495.0
• v4.496.0
• v4.497.0
• v4.498.0

Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

Full Changelog: jdx/mise@v2026.4.19...v2026.4.20

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.4.19: : OCI images, aqua templates, and more resilient installs

Compare Source

2026.4.19: OCI images, aqua templates, and more resilient installs

This release adds a new way to package environments as OCI images, improves backend flexibility with aqua variable templating, and tightens several authentication and concurrency edge cases that were causing friction in real workflows.

The biggest addition is mise support for building OCI images directly from mise.toml, with per-tool layering to make image rebuilds more efficient. Alongside that, aqua-backed tools can now use templated variables, which should make more registries and package definitions work cleanly without custom glue. On the reliability side, fixes in conda, GitHub auth handling, vfox token usage, and interactive CLI cancellation should make automation and authenticated installs behave more predictably.

Highlights

• Build OCI images directly from mise.toml with per-tool image layers.
• Support aqua variable templates in backends.
• Fix several GitHub and token-handling issues affecting authenticated requests.
• Improve install reliability for conda and backend path handling.
• Add new registry entries including gsudo, kiro-cli, llama.cpp, and Flux operator tooling.

Changes

Features

• (oci) build OCI images from mise.toml with per-tool layers by @​jdx in #​9273
• (backend) support aqua vars templates by @​jdx in #​9110
• add gsudo (Sudo for Windows) to registry by @​jdx in #​9281

Bug Fixes

• (cli) suppress error output after interactive cancel by @​jdx in #​9294
• (backend) stop fuzzy requests installing literal dirs by @​jdx in #​9276
• (conda) avoid temp file collisions during parallel package downloads by @​jdx in #​9293
• (github) scope auth headers to API URLs by @​jdx in #​9271
• (cli) retrieve token from github helper for self-update command by @​jdx in #​9259
• (vfox) use github token for lua http requests by @​jdx in #​9257

Registry

• add flux-operator & flux-operator-mcp by @​tiyee in #​8852
• add kiro-cli by @​jdx in #​9274
• add llama.cpp (github:ggml-org/llama.cpp) by @​jdx in #​9282

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.4.18: : Deps management, aube support, and vfox plugin dependencies

Compare Source

A feature-packed release that renames mise prepare to mise deps with new package management subcommands, adds aube as an npm backend package manager, enables vfox plugins to declare their own dependencies, and ships several important fixes for version resolution, lockfile concurrency, and GitHub Enterprise attestation verification.

Highlights

• mise prepare renamed to mise deps with add/remove subcommands -- The experimental dependency management command is now mise deps, with new mise deps add npm:react and mise deps remove npm:lodash subcommands for managing individual packages. All config keys, settings, state files, and CLI flags have been updated accordingly ([prepare] to [deps], --no-prepare to --no-deps).
• Aube package manager support for npm backend -- npm.package_manager now defaults to "auto", which prefers the aube package manager when available and falls back to npm. Explicit npm.package_manager = "aube" is also supported.
• vfox plugins can declare dependencies -- Plugin authors can now specify PLUGIN.depends = {"node", "python"} in metadata.lua, so mise resolves installation order automatically without users needing depends = [...] in their config.
• Stale versions host cache bypassed for package-registry backends -- npm, pipx, cargo, gem, go, and http/s3 backends with version_list_url now query their upstream sources directly, fixing the issue where tools like Flutter showed outdated versions.

Added

• mise deps command with add/remove subcommands -- The experimental mise prepare command has been renamed to mise deps. New mise deps add and mise deps remove subcommands let you manage individual packages using ecosystem:package syntax. Currently supports npm, yarn, pnpm, and bun ecosystems. Bare mise deps defaults to mise deps install (the previous mise prepare behavior). #​9056 by @​jdx

  mise deps add npm:react           # add a dependency
  mise deps add -D npm:vitest       # add as dev dependency
  mise deps remove npm:lodash       # remove a dependency
  mise deps                         # install all project dependencies

  # Configuration uses [deps] instead of [prepare]
  [deps.npm]
  auto = true

• --before flag for mise latest -- One-off latest-version lookups can now be constrained by release date. Supports absolute dates (2024-06-01) and relative durations (90d, 1y). Overrides per-tool install_before options and the global install_before setting. #​9168 by @​risu729

  mise latest node --before 2024-01-01
  mise latest node --before 90d

• Aube package manager support for npm backend -- The npm backend now supports aube as an alternative package manager. The new default npm.package_manager = "auto" prefers aube when it is available in the active toolset and falls back to npm otherwise. #​9256 by @​jdx

• filter_bins option for SPM backend -- Restrict which executable products are built and linked from a Swift package. Filtering happens before swift build, so unwanted products are never compiled. #​9253 by @​jdx

  [tools]
  "spm:swiftlang/swiftly" = { version = "latest", filter_bins = ["swiftly"] }

• vfox plugin-declared dependencies via metadata.lua -- Plugin authors can now declare tool dependencies directly in their plugin's metadata.lua. User-specified depends in mise.toml remains additive. #​9051 by @​ahemon

  -- metadata.lua
  PLUGIN = {}
  PLUGIN.name = "my-tool"
  PLUGIN.version = "1.0.0"
  PLUGIN.depends = {"node", "python"}

• Registry: bitwarden-secrets-manager -- Now available via the aqua backend (aqua:bitwarden/sdk-sm), replacing the legacy asdf plugin for better checksum/SLSA verification. #​9255 by @​msuzoagu

Fixed

• Stale version listings for package-registry backends -- Backends with canonical upstream sources (npm, pipx, cargo, gem, go, and http/s3 with version_list_url) now skip the mise-versions.jdx.dev cache and query upstream directly. This fixes the issue where tools like Flutter showed outdated versions until users set MISE_USE_VERSIONS_HOST=0. #​9245 by @​jdx

• Concurrent lockfile save race condition -- Fixed ENOENT errors when multiple mise processes updated the same lockfile simultaneously (commonly seen with parallel tool installs in CI via hk). Each save now uses a uniquely named temp file instead of a fixed mise.lock.tmp path. #​9250 by @​jdx

• GitHub Enterprise attestation verification -- Artifact attestation verification now routes to the configured api_url instead of always hitting api.github.com, fixing 401 Unauthorized errors for GHES users. #​9254 by @​jdx

• Noisy third-party debug/trace logs suppressed -- Debug and trace logs from dependency crates (h2, hyper, reqwest, rustls, etc.) are now filtered out of -v/-vv output. Set MISE_LOG_VERBOSE_DEPS=1 to restore them. #​9248 by @​jdx

• Animated progress UI disabled in CI -- CI environments no longer show animated progress frames even when stderr is allocated as a TTY, preventing thousands of duplicate log lines. #​9249 by @​jdx

• mise use respects --quiet and --silent -- The "tools:", "removed:", and "would update" messages are now suppressed when --quiet or --silent is passed. #​9251 by @​jdx

• --locked works for vfox backend plugins -- Custom Lua backend plugins that cannot provide download URLs no longer fail with "No lockfile URL found" when using mise install --locked. #​9252 by @​jdx

New Contributors

• @​ahemon made their first contribution in #​9051
• @​msuzoagu made their first contribution in #​9255

Full Changelog: jdx/mise@v2026.4.17...v2026.4.18

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	biwa-docs	fab1949	Commit Preview URL Branch Preview URL	Apr 24 2026, 04:17 PM

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.87%. Comparing base (7e848bd) to head (fab1949).
⚠️ Report is 199 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #562      +/-   ##
==========================================
+ Coverage   41.28%   47.87%   +6.59%     
==========================================
  Files          16       20       +4     
  Lines         671     1387     +716     
==========================================
+ Hits          277      664     +387     
- Misses        394      723     +329     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.