fix(deps): update dependency jdx/mise to v2026.5.11

[renovate]

This PR contains the following updates:

Package	Update	Change	Pending
jdx/mise	patch	2026.5.0 → 2026.5.11	2026.5.15 (+3)

---

Release Notes

jdx/mise (jdx/mise)

v2026.5.11

Compare Source

🐛 Bug Fixes

• (backend) avoid release age cutoff for dependency envs by @​risu729 in #​9808
• (cache) honor plugin filter when pruning cache by @​risu729 in #​9914
• (config) report invalid miserc files by @​jdx in #​9937
• (doctor) list installed plugins from install state by @​risu729 in #​9863
• (erlang) respect compile false for precompiled installs by @​risu729 in #​9866
• (github) asset picker handles ambiguous patterns and runtime archives by @​jdx in #​9946
• (install) respect default inline shell in postinstall by @​risu729 in #​9812
• (install) store metadata alongside install dirs by @​jdx in #​9941
• (plugins) support remote git subdirectory sources by @​jdx in #​9893
• (task) preserve task env across nested hook-env by @​risu729 in #​9850
• (use) ignore system config for global shadow warning by @​risu729 in #​9900
• (vfox) use selected install path for env keys by @​risu729 in #​9907
• verify provenance during lock by @​jdx in #​9945

🚜 Refactor

• (aqua) parse tool options locally by @​risu729 in #​9872
• (cargo) parse tool options locally by @​risu729 in #​9922
• (npm) parse tool options locally by @​risu729 in #​9920
• (pipx) parse tool options locally by @​risu729 in #​9921
• (s3) parse tool options locally by @​risu729 in #​9871
• (ubi) parse tool options locally by @​risu729 in #​9873

📚 Documentation

• (configuration) trim global settings example by @​risu729 in #​9912

🛡️ Security

• (security) verify SLSA archive contents by @​sargunv in #​9898

📦️ Dependency Updates

• bump ctor to 1 by @​jdx in #​9938

📦 Registry

• fix sourcery platform archive format by @​risu729 in #​9902
• prefer aqua for tools also in aqua-registry by @​risu729 in #​9789
• add aqua backend for jbang by @​risu729 in #​9811
• alias dotnet-core to dotnet by @​risu729 in #​9807
• add lisette by @​ivov in #​9944

Chore

• (ci) require clear hyperfine regressions by @​risu729 in #​9874
• (ci) close failing or conflicted PRs sooner by @​jdx in #​9939

New Contributors

• @​ivov made their first contribution in #​9944

📦 Aqua Registry Updates

New Packages (1)

• glossia/cli

Updated Packages (1)

• dathere/qsv

v2026.5.10

Compare Source

🐛 Bug Fixes

• (s3) support SSO-based AWS profiles by enabling aws-config sso feature by @​Amir-Ahmad in #​9875

🚜 Refactor

• (backend) parse tool options per backend by @​risu729 in #​9838

📦️ Dependency Updates

• update rust crate sha2 to 0.11 by @​renovate[bot] in #​9885
• update ghcr.io/jdx/mise:alpine docker digest to 1a653b5 by @​renovate[bot] in #​9890
• update ghcr.io/jdx/mise:rpm docker digest to 7880c74 by @​renovate[bot] in #​9892
• update ghcr.io/jdx/mise:deb docker digest to a6fe62d by @​renovate[bot] in #​9891
• update rust docker digest to 39d8cb3 by @​renovate[bot] in #​9899

New Contributors

• @​Amir-Ahmad made their first contribution in #​9875

v2026.5.9

Compare Source

🚀 Features

• (config) add shell to watch_files run by @​risu729 in #​9810
• (spm) add artifact bundle support by @​ikesyo in #​9825

🐛 Bug Fixes

• (aqua) reject registry-invalid latest tags by @​risu729 in #​9834
• (patrons) point sponsor link to https://en.dev by @​jdx in #​9868
• (vfox) respect default inline shell in cmd.exec by @​risu729 in #​9837
• github oauth device flow paths by @​jasisk in #​9791

📚 Documentation

• Update Walkthrough guide by @​thernstig in #​9853

⚡ Performance

• (config) skip tera render for plain strings by @​risu729 in #​9833

📦️ Dependency Updates

• update ghcr.io/jdx/mise:rpm docker digest to d2471f2 by @​renovate[bot] in #​9879
• update rust docker digest to 5b1e348 by @​renovate[bot] in #​9880
• update ghcr.io/jdx/mise:deb docker digest to 0cde829 by @​renovate[bot] in #​9878
• update ubuntu docker tag to resolute-20260421 by @​renovate[bot] in #​9881
• update ghcr.io/jdx/mise:alpine docker digest to 2d0ea74 by @​renovate[bot] in #​9877
• update rust crate phf to 0.13 by @​renovate[bot] in #​9884
• update rust crate phf_codegen to 0.13 by @​renovate[bot] in #​9883

📦 Registry

• use aqua backend for npm by @​risu729 in #​9762
• add aqua for buck2 prereleases by @​risu729 in #​9805
• add SonarQube CLI (aqua:SonarSource/sonarqube-cli) by @​3PeatVR in #​9824

New Contributors

• @​3PeatVR made their first contribution in #​9824
• @​ikesyo made their first contribution in #​9825
• @​thernstig made their first contribution in #​9853

📦 Aqua Registry Updates

New Packages (4)

• SurgeDM/Surge
• roie/ovw
• so-dang-cool/sigi
• vjeantet/alerter

Updated Packages (2)

• alltuner/mise-completions-sync
• str4d/age-plugin-yubikey

v2026.5.8

Compare Source

🚀 Features

• (patrons) add mise patrons command by @​jdx in #​9841

🐛 Bug Fixes

• (task) skip shebang line in displayed task command by @​jdx in #​9844

🚜 Refactor

• (security) switch to sigstore-rust verification by @​jdx in #​9260

v2026.5.7

Compare Source

🐛 Bug Fixes

• (backend) use runtime paths for backend bin dirs by @​risu729 in #​9606
• (ci) preserve vendor/aqua-registry/ in PPA publish workflow by @​jdx in #​9782
• (ci) set UTF-8 locale in e2e Docker image by @​jdx in #​9820
• (ci) pass UTF-8 locale through to e2e tests by @​jdx in #​9823
• (conda) dedup repodata by archive identifier instead of URL by @​jdx in #​9831
• (github) use default shell for credential command by @​risu729 in #​9664
• (settings) distinguish unset known settings from unknown ones by @​jdx in #​9818
• (upgrade) remove completed progress jobs to prevent duplicate output by @​jdx in #​9779
• (vfox) resolve GitHub token lazily inside Lua plugins by @​jdx in #​9816

🚜 Refactor

• (config) separate core and backend tool options by @​risu729 in #​9753
• (schema) reuse env directive property schemas by @​risu729 in #​9651

📚 Documentation

• (aliases) fix Aliased Versions example and drop stale asdf callout by @​jdx in #​9830

⚡ Performance

• (aqua) use phf for baked registry lookups by @​risu729 in #​9763
• (task) cache per-file content hashes for source_freshness_hash_contents by @​jdx in #​9819

🧪 Testing

• (e2e) pin aube to known-good version in npm package_manager test by @​jdx in #​9794

📦 Registry

• replace unsupported exe options by @​risu729 in #​9587
• update pi by @​garysassano in #​9792

Chore

• (ci) use non-large runners for release builds by @​jdx in #​9786
• (ci) compare registry PRs from fork point by @​risu729 in #​9643
• (ci) make build-copr.sh the single source of truth for COPR chroots by @​jdx in #​9788
• (ci) use crates.io trusted publishing in release-plz by @​jdx in #​9793
• (ci) remove autofix.ci workflow by @​jdx in #​9801
• (ci) restore -large runner for Linux release builds by @​jdx in #​9815
• (ci) add zizmor workflow for github actions security analysis by @​jdx in #​9804
• (ci) assert mise run render produces no diff by @​jdx in #​9803
• (copr) publish EL9 builds via centos-stream+epel-next-9 chroot by @​jdx in #​9787

Ci

• remove pull_request_target workflow by @​jdx in #​9799
• remove caching from publishing workflows by @​jdx in #​9800

Security

• reject shell metacharacters in version strings and CI inputs by @​jdx in #​9814

📦 Aqua Registry Updates

New Packages (11)

• Code-Hex/Neo-cowsay
• SonarSource/sonarqube-cli
• earendil-works/pi
• hylo-lang/hylo-new
• jfernandez/bpftop
• modem-dev/hunk
• npm/cli
• racket/racket/minimal
• slackapi/slack-cli
• vectordotdev/vector
• wasilibs/go-yamllint

Updated Packages (10)

• DataDog/pup
• aquasecurity/trivy
• astral-sh/uv
• caarlos0/svu
• cargo-bins/cargo-binstall
• foundry-rs/foundry
• gastownhall/beads
• gruntwork-io/terragrunt
• pnpm/pnpm
• santosr2/TerraTidy

v2026.5.6

Compare Source

🚀 Features

• (cli) add minimum release age flag to lock and ls-remote by @​risu729 in #​9269
• (config) add run field for hooks by @​risu729 in #​9718
• (github) add native oauth token source by @​jdx in #​9654
• (oci) scope build to project config by default by @​jdx in #​9766
• add support for prefixed latest version queries in outdated checks by @​roele in #​9767

🐛 Bug Fixes

• (activate) guard bash chpwd hook under nounset by @​risu729 in #​9716
• (backend) date-check latest stable fast path by @​risu729 in #​9650
• (config) parse core tool options consistently by @​risu729 in #​9742
• (exec) propagate __MISE_DIFF so nested mise recovers pristine PATH by @​jdx in #​9765
• (forgejo) include prereleases when opted in by @​risu729 in #​9717
• (github) avoid caching empty release assets by @​risu729 in #​9616
• (java) resolve lockfile URLs from metadata by @​risu729 in #​9719
• (lock) cache unavailable github attestations by @​risu729 in #​9741
• (pipx) preserve options when reinstalling tools by @​risu729 in #​9663
• (python) skip redundant lockfile provenance verification by @​risu729 in #​9739
• (vfox) run pre_uninstall hook by @​risu729 in #​9662

🚜 Refactor

• (schema) extract tool options definition by @​risu729 in #​9649

⚡ Performance

• (aqua) bake rkyv aqua package blobs by @​risu729 in #​9535

📦️ Dependency Updates

• lock file maintenance by @​renovate[bot] in #​9773

📦 Registry

• add vector (github:vectordotdev/vector) by @​kquinsland in #​9761
• add oc and openshift-install (http backend) by @​konono in #​9669

New Contributors

• @​konono made their first contribution in #​9669
• @​kquinsland made their first contribution in #​9761

v2026.5.5

Compare Source

🚀 Features

• add --inactive option to outdated and upgrade commands for inactive tools by @​roele in #​9640

🐛 Bug Fixes

• (aqua) resolve bin paths for prefixed v tags by @​risu729 in #​9759
• (bun) create bunx alongside bun.exe on Windows install by @​JamBalaya56562 in #​9732
• (dotnet) use shared prerelease tool option by @​risu729 in #​9720
• (node) use matching node in npm shim by @​jdx in #​9749
• (task) resolve bash deterministically on Windows to avoid WSL launcher by @​JamBalaya56562 in #​9750

📚 Documentation

• (secrets) clarify age strict mode default by @​risu729 in #​9737
• (tasks) add bash shebang to conditional-dependencies example by @​JamBalaya56562 in #​9747
• update backend tool option docs by @​risu729 in #​9738

📦 Registry

• remove tools with zero users by @​jdx in #​9725
• add scalafmt (github:scalameta/scalafmt) by @​pokir in #​9757
• remove flarectl by @​risu729 in #​9756

Chore

• (release) strip pre-existing sponsor block before appending canonical one by @​jdx in #​9745

New Contributors

• @​pokir made their first contribution in #​9757

v2026.5.4

Compare Source

🚀 Features

• (java) remove musl feature in favor of autom. musl detection and alpine-linux versions by @​roele in #​9688

🚜 Refactor

• (schema) stop patching task_template in render script by @​risu729 in #​9680

📚 Documentation

• (deps) drop codegen example from configuration section by @​jdx in 6b2d851

⚡ Performance

• avoid spawning process to set exit code by @​vemoo in #​9723

📦️ Dependency Updates

• update ghcr.io/jdx/mise:rpm docker digest to b8b0b72 by @​renovate[bot] in #​9711
• update ghcr.io/jdx/mise:alpine docker digest to f130900 by @​renovate[bot] in #​9709
• update ghcr.io/jdx/mise:deb docker digest to 71bda11 by @​renovate[bot] in #​9710
• bump rattler crates together by @​jdx in #​9721
• update rust crate junction to v2 by @​renovate[bot] in #​9726
• update rust docker digest to 4d4ec51 by @​renovate[bot] in #​9734

📦 Registry

• use symlink_bins in ibmcloud by @​dnwe in #​9685

Chore

• (ci) pass mise github token to tests by @​risu729 in #​9684

📦 Aqua Registry Updates

New Packages (2)

• DataDog/managed-kubernetes-auditing-toolkit
• oracle.com/sqlcl

Updated Packages (3)

• alltuner/mise-completions-sync
• iann0036/iamlive
• pnpm/pnpm

v2026.5.3

Compare Source

🐛 Bug Fixes

• (aqua) resolve latest from GitHub releases by @​risu729 in #​9277

📦️ Dependency Updates

• update ubuntu:26.04 docker digest to f3d2860 by @​renovate[bot] in #​9697
• update ghcr.io/jdx/mise:alpine docker digest to d15f3f9 by @​renovate[bot] in #​9694
• update ghcr.io/jdx/mise:rpm docker digest to 9084f68 by @​renovate[bot] in #​9696
• update ghcr.io/jdx/mise:deb docker digest to dd8a908 by @​renovate[bot] in #​9695
• update rust crate ctor to 0.12 by @​renovate[bot] in #​9698

Chore

• (ci) increase lint job timeout for clippy by @​risu729 in #​9682
• (hk) drop jq from schema lint step by @​risu729 in #​9681

📦 Aqua Registry Updates

New Packages (2)

• DataDog/pup
• reviewdog/nightly

Updated Packages (1)

• gittuf/gittuf

v2026.5.2

Compare Source

🚀 Features

• (aqua) support registry libc variants by @​jdx in #​9652
• (bin-paths) add executable names output by @​risu729 in #​9617

🐛 Bug Fixes

• (aqua) preserve configured file extensions by @​risu729 in #​9611
• (aqua) support registry file links by @​risu729 in #​9610
• (backend) reject bare package backend names by @​risu729 in #​9608
• (backend) apply inline tool option overrides by @​risu729 in #​9306
• (backend) skip versions host for local tool opts by @​risu729 in #​9568
• (github) chmod explicit archive bin by @​risu729 in #​9609
• (install) skip remote-versions refresh in prefer-offline mode by @​jdx in #​9627
• (lock) scope targets to active project root by @​risu729 in #​9319
• (lockfile) respect existing platforms during auto-lock by @​jdx in #​9621
• (pipx) filter yanked pypi releases by @​risu729 in #​9607
• (pipx) declare python as a backend dependency by @​jdx in #​9678
• (schema) update refs to $defs in mise-registry-tool.json by @​risu729 in #​9671
• (task) terminate parallel siblings on failure via process groups by @​jdx in #​9655
• (task) stable MISE_PROJECT_ROOT for monorepo tasks, add MISE_MONOREPO_ROOT by @​jdx in #​9657
• (trust) run enter hooks after trusting config by @​risu729 in #​9634
• (ui) stop clearing screen for prompts by @​jdx in #​9619
• use /bin/cp on macos by @​pdehlke in #​9656

🚜 Refactor

• (aqua) store aqua var defaults as strings by @​risu729 in #​9645
• (config) support structured TOML values in registry backend options by @​risu729 in #​9584
• (deps) remove serde_derive dependency by @​risu729 in #​9670
• (deps) remove anyhow dependency by @​risu729 in #​9661
• (deps) use std::sync::LazyLock instead of once_cell::Lazy by @​risu729 in #​9668
• (schema) generate task schema from mise schema by @​risu729 in #​9581
• (schema) reuse task props with unevaluatedProperties by @​risu729 in #​9582
• (schema) reuse registry common types by @​risu729 in #​9648
• (schema) reuse plugin script config by @​risu729 in #​9647
• (schema) use $defs in schema files by @​risu729 in #​9646

📚 Documentation

• (node) add tips for enabling node idiomatic by @​fu050409 in #​9675

🧪 Testing

• (cli) remove nondeterministic tool depends assertion by @​risu729 in #​9633
• (e2e) pin uv to 0.11.8 around astral-sh/uv#19278 by @​jdx in #​9618
• (e2e) wait for docker env cleanup by @​risu729 in #​9631
• (zig) use official zig instead of mach mirror by @​jdx in #​9659

📦️ Dependency Updates

• fall through to hash check when providers have no outputs by @​jdx in #​9622
• bump Cargo.lock by @​jdx in #​9625

📦 Registry

• remove registry depends by @​risu729 in #​9571
• add code-review-graph (pipx:code-review-graph) by @​chautruonglong in #​9673

Chore

• (ci) split large registry test-tool changes by @​risu729 in #​9628
• (ci) make perf script robust to runner noise by @​jdx in #​9635
• (ci) skip hyperfine comments without permission by @​risu729 in #​9629

New Contributors

• @​chautruonglong made their first contribution in #​9673
• @​pdehlke made their first contribution in #​9656

📦 Aqua Registry Updates

New Packages (5)

• anthropics/anthropic-cli
• crates.io/wasmi_cli
• openclaw/gogcli
• racket-lang.org/racket-minimal
• runs-on/cli

Updated Packages (13)

• UpCloudLtd/upcloud-cli
• aristocratos/btop
• dprint/dprint
• j178/prek
• jdx/hk
• jdx/mise
• jdx/usage
• jreleaser/jreleaser
• jreleaser/jreleaser/standalone
• pnpm/pnpm
• suzuki-shunsuke/cmdx
• suzuki-shunsuke/ghir
• twpayne/chezmoi

v2026.5.1

Compare Source

🚀 Features

• (backend) support top-level aqua cosign verification by @​risu729 in #​9111

🐛 Bug Fixes

• (schema) validate all schema files with draft2020 and strict mode by @​risu729 in #​9594
• (shim) skip network resolution for installed tool dirs by @​jdx in #​9599

📚 Documentation

• (dev-tools) clarify vfox metadata depends for install hooks by @​risu729 in #​9573
• (plugins) remove registry submission guidance by @​risu729 in #​9577

📦️ Dependency Updates

• lock file maintenance by @​renovate[bot] in #​9586

📦 Registry

• remove bashly asdf fallback by @​risu729 in #​9578
• use github backend for rebar by @​risu729 in #​9576
• add wasm-tools (aqua:bytecodealliance/wasm-tools) by @​2xdevv in #​9596
• enable symlink_bins for elixir-ls by @​AlternateRT in #​9592

Chore

• (release) always append sponsor block to release notes by @​jdx in #​9580
• warn on vendored vfox embedded plugins by @​risu729 in #​9588
• prefer registry shorthands over cargo/npm backends in mise.toml by @​risu729 in #​9595

📦 Aqua Registry Updates

New Packages (2)

• salesforce/reactive-grpc/protoc-gen-reactor-grpc
• spinframework/spin

Updated Packages (1)

• pnpm/pnpm

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

This PR updates mise from v2026.5.0 to v2026.5.11, spanning 11 patch releases. Key changes include:

Security Enhancements:

• SLSA Archive Verification (v2026.5.11, PR #9898): Improved security verification for SLSA archives
• Shell Metacharacter Rejection (v2026.5.7): Added protection against shell injection in version strings and CI inputs
• Sigstore-rust Verification (v2026.5.8, PR #9260): Switched to sigstore-rust for cryptographic verification

Bug Fixes:

• Backend improvements for aqua, cargo, npm, pipx, s3, and ubi backends
• Runtime path resolution fixes (v2026.5.7, PR #9606)
• UTF-8 locale handling in e2e tests (v2026.5.7)
• PATH recovery improvements for nested mise invocations (v2026.5.6)
• Multiple configuration parsing and validation fixes

New Features:

• Native GitHub OAuth token source (v2026.5.6)
• SPM artifact bundle support (v2026.5.9)
• mise patrons command (v2026.5.8)
• Minimum release age flags for lock and ls-remote commands (v2026.5.6)

Refactoring & Performance:

• Tool options parsing improvements across multiple backends
• Schema validation enhancements
• Performance optimizations including phf-based registry lookups
• Dependency updates (ctor, sha2, junction, etc.)

Breaking Changes:

• None identified in the release notes

🎯 Impact Scope Investigation

Direct Usage Analysis:

1. Dockerfile Integration (PRIMARY USAGE):

   • mise is installed as a binary in the mise stage (line 6: ARG MISE_VERSION=2026.5.11)
   • Used exclusively for installing runtime tools (Node.js, Ruby, Go, Python, Rust)
   • Binary downloaded from GitHub releases and copied to the base image
   • Impact: The update only affects the mise binary itself, not its core functionality

2. Runtime Dependencies (34 references in runtime.go):

   • Hard-coded paths to mise-installed runtimes: /mise/installs/{runtime}/current/
   • Pre-installed caches and modules: /mise/go-cache, /mise/go-modcache, /mise/ruby-bundle, /mise/ts-node-modules
   • All paths are static and don't depend on mise's CLI behavior
   • Impact: No changes to runtime paths or installation directories

3. Test Suite (5 references in sandbox_test.go):

   • Tests verify correct runtime paths are used
   • All assertions use static paths like /mise/installs/node/current/bin/node
   • Impact: No test changes required

4. CI/CD Integration (.github/workflows/ci.yml):

   • Uses jdx/mise-action@1648a7812b9aeae629881980618f079932869151 for tool installation
   • The GitHub Action manages its own mise version independently
   • Impact: No CI changes required

Dependency Chain:

• mise is only used during Docker image build to install language runtimes
• Once runtimes are installed, mise is no longer actively used during sandbox execution
• The sandbox runtime directly invokes installed binaries (e.g., /mise/installs/node/current/bin/node)

Configuration Files:

• mise.toml: Defines tool versions but doesn't reference mise version itself
• No direct dependency on mise CLI features or flags in the codebase

💡 Recommended Actions

Immediate Actions:

1. ✅ Merge this PR - The update is safe and includes important security fixes
2. ✅ No code changes required - All usage is through stable binary paths

Post-Merge Validation:

1. Monitor the Docker build process to ensure mise successfully installs all runtimes
2. Run the E2E test suite to verify all runtimes function correctly (already runs in CI)
3. Verify no regressions in runtime installation times

Why This Is Safe:

• This is a patch version update (v2026.5.0 → v2026.5.11) with no breaking changes
• mise is used only as a tool installer during Docker build, not at runtime
• The sandbox relies on static paths to installed runtimes, not mise CLI features
• Security fixes in this update improve the overall security posture
• No API changes affecting runtime installation commands
• CI automatically validates the build and E2E tests before merge

🔗 Reference Links

• Release Notes v2026.5.11
• Release Notes v2026.5.10
• Release Notes v2026.5.9
• Release Notes v2026.5.8
• Release Notes v2026.5.7
• Release Notes v2026.5.6
• Release Notes v2026.5.5
• Release Notes v2026.5.4
• Release Notes v2026.5.3
• Release Notes v2026.5.2
• Release Notes v2026.5.1
• SLSA Verification PR #9898
• Sigstore Integration PR #9260
• Full Changelog Comparison

Generated by koki-develop/claude-renovate-review