Release Watcher - mise-en-place v2026.4.17: install_before fixes, lockfile repair, and new registry tools

Release list
2026.5.1: Aqua cosign and a reshim rescue	2026-05-05 RECENT
2026.5.0: Conda graduates, smarter pres, and Windows POSIX tasks	2026-05-03 RECENT
2026.4.28: Remote tasks pinned by commit SHA	2026-04-30 RECENT
2026.4.27: npm install args, smarter watch, and a macOS shim recursion fix	2026-04-29 RECENT
2026.4.25: Sharper task tooling and lockfile fixes	2026-04-28
2026.4.24: Resilient downloads and global pre- opt-in	2026-04-27
2026.4.23: Pre-s, libc preference, and a Node musl fix	2026-04-26
2026.4.21: untrust command and prune lockfile fixes	2026-04-25
2026.4.22: Repaired latest resolution and clearer deps output	2026-04-25
2026.4.20: Lockfile cleanup and path: fixes	2026-04-24
2026.4.19: OCI images, aqua templates, and more resilient installs	2026-04-23
2026.4.18: Deps management, aube support, and vfox plugin dependencies	2026-04-19
2026.4.17: install_before fixes, lockfile repair, and new registry tools	2026-04-18
2026.4.16: Tera templates in inline tasks, raw_args passthrough, and runtime symlink paths	2026-04-17
2026.4.15: Windows path separator fix and improved GitHub token detection	2026-04-16
2026.4.13: Remote cache, Go install_before, and task tool objects	2026-04-16
2026.4.14: Fix GitHub attestation verification for some tools	2026-04-15
2026.4.12: OS/arch filtering, task confirmation defaults, and npm supply chain improvements	2026-04-15
2026.4.11: Task dependency templates and npm semver range support	2026-04-13
2026.4.10: Fix spurious warnings from postinstall hooks running tasks	2026-04-12

A fix-heavy release that addresses several install_before edge cases across npm, pipx, and backend latest lookups, repairs lockfile generation for aqua tools with custom version prefixes, and adds six new tools to the registry.

Highlights

install_before now works consistently across backends -- The date-based version cutoff is now respected in direct latest lookups, npm no longer drifts by a day due to double timestamp sampling, and pipx/uv installs forward the cutoff via --exclude-newer / --uploaded-prior-to.
Lockfile fix for aqua tools with version prefixes -- mise lock now correctly propagates version_prefix (e.g. jq-) to GitHub release lookups, fixing empty platform URLs that broke --locked mode.
Deprecation warnings for legacy config keys and mise b -- env_file, dotenv, env_path, and the mise b shorthand now emit deprecation warnings with removal scheduled for 2027.4.0.

Fixed

install_before respected in backend latest lookups -- Direct calls like mise latest npm:prettier now apply the effective install_before cutoff, not just install/upgrade flows. #9193 by @risu729
tool@latest routes through stable lookup -- An explicit @latest suffix now follows the same backend-specific fast path as an unqualified tool name, so both forms return the same version. #9228 by @risu729
npm install_before day drift -- Fixed an off-by-one where install_before = "3d" could compute --min-release-age=4 due to a second Timestamp::now() call drifting past the day boundary. A stable per-process timestamp and a 60-second tolerance window eliminate the issue. #9157 by @risu729
install_before forwarded to pipx and uv installs -- pipx: tools now pass --exclude-newer to uv and --uploaded-prior-to (via --pip-args) to pipx, so Python package installs respect the date cutoff. #9190 by @risu729
Warning for old bun/pnpm with install_before -- When install_before is active and the detected bun or pnpm version is below the minimum that supports release-age flags, mise now warns instead of silently ignoring the cutoff. #9232 by @risu729
Lockfile version prefix propagation -- mise lock now uses version_prefix when looking up GitHub releases for aqua tools, fixing empty platform URLs that caused --locked installs to fail. #9242 by @effati
shfmt available on Windows -- The shfmt registry entry no longer restricts to Linux/macOS, so mise use shfmt works on Windows via the aqua backend. #9191 by @zeitlinger
GitLab expired OAuth2 token warning -- When mise reads a GitLab token from glab's config and the OAuth2 expiry has passed, it now warns the user to refresh (e.g. glab api user) instead of failing silently. #9195 by @stanhu
GitHub auth skipped on release asset downloads -- Token lookup is now skipped for GitHub release asset CDN hosts (objects.githubusercontent.com, etc.), avoiding unnecessary authentication failures on public downloads. #9060 by @risu729
Empty enable_tools disables all tools -- An explicitly empty enable_tools list now means "disable all tools" rather than "no filter", matching user expectations as an allowlist. #9108 by @risu729
Deprecation warnings for legacy env keys -- env_file, dotenv, and env_path now warn when used, directing users to env._.file and env._.path. Removal is scheduled for 2027.4.0. #9205 by @risu729
mise b shorthand deprecated -- The mise b alias for mise backends now emits a deprecation warning with removal scheduled for 2027.4.0. #9234 by @risu729

Added

Registry: sheldon -- sheldon is a fast, configurable shell plugin manager. #9104 by @3w36zj6
Registry: pocketbase -- pocketbase is an open-source backend in a single file. #9123 by @ranfdev
Registry: worktrunk -- worktrunk provides a CLI for git worktree management, designed for running AI agents in parallel. #8796 by @edouardr
Registry: dependency-check -- dependency-check detects publicly disclosed vulnerabilities in application dependencies. #9204 by @kapitoshka438
Registry: janet -- janet is a lightweight, expressive programming language. #9241 by @ranfdev
Registry: aube -- #9244 by @jdx

New Contributors

@ranfdev made their first contribution in #9123
@stanhu made their first contribution in #9195
@effati made their first contribution in #9242
@jjt made their first contribution in #9233
@marianwolf made their first contribution in #9208
@edouardr made their first contribution in #8796

Full Changelog: https://github.com/jdx/mise/compare/v2026.4.16...v2026.4.17