mise-en-place

jdx/mise last check 263 releases recent
Notes

The front-end to your dev env Pronounced "MEEZ ahn plahs"

Release notes
v2026.3.17: Shims PATH Ordering, GitHub Auth Improvements, and Supply Chain Security
view on github

This release brings improvements to shims PATH ordering, GitHub authentication, and supply chain security, along with several bug fixes for env plugin watch file tracking, Python precompiled build selection, and the --silent flag.

Highlights

  • Shims always at the front of PATH -- mise activate --shims now guarantees shims are prepended even when already present (e.g. after VS Code re-sources shell config), fixing tools being silently bypassed.
  • Supply chain security for github: tools -- Upgrading a github: backend tool to a version that drops provenance verification (e.g. GitHub Attestations) is now blocked with an explicit error, protecting against supply chain attacks.
  • New GitHub auth features -- github_tokens.toml for per-host tokens, optional git credential fill integration, and a new mise github token command to inspect which token mise would use.
  • hook-env stabilization fixes -- A comprehensive fix for env plugin watch_files not being tracked, and hook-env failing to stabilize when mise.lock is absent or directory mtimes change.

Added

  • Supply chain protection for github: tools -- When running mise lock or installing/upgrading a github: backend tool, mise now checks whether the new version has provenance verification if the previously-locked version did. If provenance would be lost, the operation is blocked with an error citing the prior verified version (e.g. github:jdx/usage@1.6.0 has no provenance verification on linux-x64, but github:jdx/usage@1.5.0 had github-attestations). The old lockfile entry is preserved so the error persists until manually resolved. #8706 by @jdx

  • github_tokens.toml and mise github token command -- A new $MISE_CONFIG_DIR/github_tokens.toml file lets you store per-host GitHub tokens without touching the gh CLI's hosts.yml. Optional git credential fill integration (opt-in via github.use_git_credentials = true) enables using macOS Keychain, Windows Credential Manager, and other git credential helpers. The new mise github token [host] command shows which token mise would use and its source; pass --unmask to reveal the full value. #8742 by @jdx

    Updated token priority for github.com:

    # Source
    1 MISE_GITHUB_TOKEN env var
    2 GITHUB_API_TOKEN env var
    3 GITHUB_TOKEN env var
    4 credential_command (if set)
    5 github_tokens.toml (per-host)
    6 gh CLI token (from hosts.yml)
    7 git credential fill (if enabled)

  • Registry: added acli (Atlassian CLI for Jira, Confluence, and Bitbucket) via the aqua backend. #8721 by @ggoggam

  • Registry: added tart (macOS and Linux VMs on Apple Silicon using Apple's Virtualization.framework) via the aqua backend. #8727 by @mnm364

Fixed

  • Shims always prepended in --shims mode -- When using mise activate bash --shims (or any shell), if the shims directory was already in PATH (e.g. from a prior activation), mise would skip the prepend and leave shims at their existing position. This meant tools could be silently bypassed by system binaries earlier in PATH. Shims are now always moved to the front. For fish, MovePrependEnv is used to avoid duplicates; for other shells, PrependEnv is emitted unconditionally. #8757 by @ctaintor

  • Shim detection no longer hangs on macOS -- A previous change switched shim detection from checking the binary name to checking whether argv[0] exists in the shims directory. This caused mise to hang on startup for users with slow or network-mounted filesystems, and could falsely detect mise itself as a shim. Detection has been reverted to the binary-name approach. e1b8ca4 by @jdx

  • hook-env watch_files and stabilization -- Env plugins (MiseEnv modules) can declare watch_files, but those files were never tracked in the hook-env session or cache. Modifying a watched file (e.g. a secrets config) would not trigger re-evaluation. Four tracking gaps were fixed across the slow-path check, session building, and cache invalidation. Additionally, projects without a mise.lock file could prevent hook-env from ever stabilizing because the nonexistent file was unconditionally added to the watch set. Directory mtime changes also prevented stabilization after a slow-path run. All three issues are now fixed. #8716 by @rpendleton

  • mise install --system runtime symlinks -- Installing a tool with mise install --system failed to create latest and partial-version symlinks (e.g. node@22) in the system install directory. The symlink rebuild logic now iterates all install directories (user and shared/system) and creates symlinks based on versions present in each. #8722 by @jdx

  • Python freethreaded build exclusion -- When a precompiled_flavor was set (e.g. install_only_stripped), mise lock could incorrectly select a freethreaded Python build. The exclusion logic now only allows freethreaded builds when the requested flavor explicitly includes freethreaded. #8745 by @risu729

  • --silent flag now suppresses mise's own output -- The global --silent CLI flag was never written to Settings, so mise --silent run foo would suppress task output but still print mise's own info and warning messages. --silent now sets quiet = true internally, making it a proper superset of --quiet. #8720 by @nkakouros

  • credential_command priority -- The github.credential_command setting now takes priority over github_tokens.toml and the gh CLI's hosts.yml, since it represents an explicit user configuration. Previously it sat below both file-based sources. 74570de by @jdx

  • Zsh completions -- Updated to match usage v3.1.0's new _describe completion pattern. #8715 by @jdx

  • Python docs: Fixed swapped default values in the documentation for python.precompiled_arch and python.precompiled_os. #8744 by @risu729

Changed

  • The cargo install mise command in documentation now includes --locked to prevent build failures from dependency version mismatches. #8731 by @rtharston

New Contributors

  • @ctaintor made their first contribution in #8757
  • @ggoggam made their first contribution in #8721
  • @mnm364 made their first contribution in #8727
  • @rpendleton made their first contribution in #8716
  • @nkakouros made their first contribution in #8720
  • @rtharston made their first contribution in #8731
  • @risu729 made their first contribution in #8744 and #8745

Full Changelog: https://github.com/jdx/mise/compare/v2026.3.16...v2026.3.17