chore(deps): update all dependencies #69

Open
renovate[bot] wants to merge 1 commit into main from renovate/all-dependencies
@renovate renovate Bot commented May 16, 2026

Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Type | Update | Change | Pending |
| --- | --- | --- | --- | --- |
| actions/checkout | action | patch | v6.0.2 → v6.0.3 | |
| aqua:aquasecurity/trivy | | minor | 0.70.0 → 0.71.0 | 0.71.1 |
| aqua:cli/cli | | minor | 2.92.0 → 2.93.0 | 2.94.0 |
| aqua:crate-ci/typos | | minor | 1.46.1 → 1.47.2 | |
| aqua:zizmorcore/zizmor | | minor | 1.24.1 → 1.25.2 | |
| codecov/codecov-action | action | patch | v6.0.0 → v6.0.1 | v6.0.2 |
| github/codeql-action | action | minor | v4.35.4 → v4.36.2 | |
| jdx/mise | | minor | v2026.5.3 → v2026.6.0 | v2026.6.5 (+4) |
| jdx/mise-action | action | minor | v4.0.1 → v4.1.0 | |
| pnpm (source) | packageManager | minor | 11.0.8+sha512.4c4097e1dd2d42372c4e7fa5a791ff28fc75a484c7ac192e64b1df0fdef17594ba982f9b4fed9adfb3c757846f565b799b2763fb3733d1de1bcb82cf46684912 → 11.5.2 | 11.6.0 (+1) |
| zizmorcore/zizmor-action | action | patch | v0.5.3 → v0.5.6 | |

Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

aquasecurity/trivy (aqua:aquasecurity/trivy)

v0.71.0

Compare Source

⚡ Highlights ⚡

👉 https://redirect.github.com/aquasecurity/trivy/discussions/10767

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0710-2026-06-01

cli/cli (aqua:cli/cli)

v2.93.0: GitHub CLI 2.93.0

Compare Source

Security

A security vulnerability has been identified, and fixed, that would incorrectly include authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands.

Users are advised to update gh to version v2.93.0 as soon as possible.

For more information see: GHSA-8xvp-7hj6-mcj9

Support agents in gh secret command set

The gh secret command set can now set agent secrets. For more information, see "Configuring secrets and variables for Copilot cloud agent".

What's Changed

✨ Features
🐛 Fixes
📚 Docs & Chores
:dependabot: Dependencies

New Contributors

Full Changelog: cli/cli@v2.92.0...v2.93.0

crate-ci/typos (aqua:crate-ci/typos)

v1.47.2

Compare Source

Fixes
  • Don't correct inferrable
  • Correct unused inferible variant

v1.47.1

Compare Source

Fixes
  • Don't correct requestors

v1.47.0

Compare Source

Features
  • Updated the dictionary with the May 2026 changes

v1.46.3

Compare Source

Fixes
  • Don't correct to sequentials
  • Don't correct to subdolder

v1.46.2

Compare Source

Fixes
  • Don't correct to criterias
  • Don't correct to replaceables

v1.46.1

Compare Source

Fixes
  • Don't correct to confidentials

zizmorcore/zizmor (aqua:zizmorcore/zizmor)

v1.25.2

Compare Source

Bug Fixes 🐛

v1.25.1

Compare Source

Bug Fixes 🐛

v1.25.0

Compare Source

New Features 🌈

  • zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#​1913)

    Many thanks to @​Proximyst for proposing and implementing this improvement!

  • New audit: github-app detects dangerous usages of GitHub App installation tokens (#​1926)

  • New audit: unpinned-tools detects actions that install tools without pinning to a specific version (#​1820)

  • zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#​1935)

  • zizmor's LSP now honors the --persona flag on the CLI (#​1943)

  • zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#​1965)

Enhancements

Performance Improvements 🚄

  • The impostor-commit audit is now significantly faster (in addition to being more correct) when the user has pinned their action to a tag SHA instead of a commit SHA (#​1998)

Bug Fixes 🐛

  • Fixed a crash in the template-injection audit when a workflow uses a parenthesized compound expression in context position (#​1904)

  • Fixed a bug where local directory input collection could miss workflows for relative-path invocations from within .github subdirectories (#​1909)

  • Fixed a bug where the unpinned-images audit would miss images defined in container: clauses (#​1944)

  • Fixed a bug where inline ignore comments could not be easily applied to superfluous-actions findings (#​1945)

  • Fixed a bug where the cache-poisoning audit would fail to detect some release trigger patterns (#​1946)

  • Fixed a bug where inline ignore comments could not be easily applied to cache-poisoning findings (#​1962)

  • Fixed a class of imprecisions where the cache-poisoning audit would incorrectly flag cache usage that doesn't actually occur on release events (#​1940)

    Many thanks to @​reubenwong97 for implementing this fix!

  • Fixed a bug where dependabot.yml files containing a private cargo repository couldn't be parsed (#​1976)

  • Fixed a bug where zizmor's input validation warnings lacked a mention of which files failed to validate (#​1980)

  • Fixed a bug where the impostor-commit audit would falsely indicate impostor commits if an action was pinned to a tag SHA instead of a commit SHA (#​1998)

codecov/codecov-action (codecov/codecov-action)

v6.0.1

Compare Source

What's Changed

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

github/codeql-action (github/codeql-action)

v4.36.2

Compare Source

v4.36.1

Compare Source

v4.36.0

Compare Source

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #​3894
  • Add support for SHA-256 Git object IDs. #​3893
  • Update default CodeQL bundle version to 2.25.5. #​3926

v4.35.5

Compare Source

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

jdx/mise (jdx/mise)

v2026.6.0: Corepack-managed npm and aqua Windows parity

Compare Source

A focused release that wires npm into Corepack when requested, brings aqua's Windows extension handling in line with upstream, and fixes task include ordering plus a Git Bash cygdrive regression.

Added

  • (npm) Ensure npm itself is managed by Corepack when node.corepack=true and node.npm_shim=false, so the Corepack-managed npm shim is enabled alongside yarn/pnpm (#​10196 by @​roele).
  • (cli) New mise sponsors subcommand and a sponsor block on the docs site that lists sponsors fetched from en.dev/sponsors.json (#​10182 by @​jdx).

Fixed

  • (aqua) Mirror aqua's Windows extension semantics end-to-end (#​10167 by @​risu729):
    • complete_windows_ext is now tri-state — explicit true completes Windows asset/URL/file source names, explicit false leaves them alone, and an omitted value completes by default except for github_content/github_archive packages.
    • Registry windows_ext (default .exe, .sh for github_content/github_archive) and append_ext are honored when rendering assets, URLs, and Windows install links.
    • .exe and .jar assets are treated as already complete, existing extensions like .ps1 are preserved when format is omitted, and version dots in names like tool.1.0.0 no longer suppress Windows completion. The registry compilation cache is bumped to version 2 and will be regenerated on next use.
  • (spm) Include provider, api_url, artifactbundle, and artifactbundle_asset in SPM lock identity so toggling between source builds and artifact bundles no longer silently reuses a stale mise.lock entry. provider is canonicalized to lowercase (default github omitted), api_url has trailing slashes trimmed, and filter_bins stays out of lock identity since it only affects which built executables are exposed (#​10160 by @​risu729).
  • (bun) Improve musl detection on Linux: when the system libc preference is unset, fall back to runtime detection and treat unknown results as non-musl, fixing glibc-system installs that were incorrectly resolving to bun's musl build (#​10195 by @​roele).
  • (task) Honor task_config.includes order so a local task can override a same-named git:: include. Previously a regression in #​9147 combined with non-git includes being loaded before all git:: includes meant a git:: include always clobbered a same-named local task regardless of position. Includes now load in their declared order with first-wins file-task dedup, so the earlier entry in the list takes precedence uniformly across directory, toml-file, and git:: includes (#​10191 by @​vmaleze).
  • (task) Honor MISE_CYGDRIVE_PREFIX for Git Bash / MSYS2, not only Cygwin. Git Bash users with a custom /etc/fstab automount root can now set the prefix to fix the converted PATH; defaults are unchanged (/c/... for Git Bash, /cygdrive/c/... for Cygwin) (#​10190 by @​JamBalaya56562).
  • (completion) Rely on usage 3.4.0's usage#649 for inherited global flags so -C/--cd, -j/--jobs, and -q/--quiet are recognized before a mounted task without the broad promotion workaround. The narrowed promotion now only covers orphan-short flags -r/-S (whose root globals are long-only), and min_usage_version is bumped to 3.4 so older usage CLIs warn to upgrade instead of silently regressing (#​10176 by @​JamBalaya56562).

Documentation

New Contributors

Full Changelog: jdx/mise@v2026.5.18...v2026.6.0

💚 Sponsor mise

mise is built by @​jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

v2026.5.18: Hook script arrays and lock-identity fixes

Compare Source

A focused release that teaches hooks to accept script arrays, ships an npm install -g mise package, and tightens lock identity across several backends so mise.lock entries can no longer be reused for option combinations that resolve to a different artifact set.

Added

  • (config) Hooks now accept script/scripts arrays for current-shell hooks (#​9836 by @​risu729):

    [hooks.enter]
    shell = "bash"
    script = [
      "source completions.sh",
      "export PROJECT_READY=1",
    ]

    Note that run is still string-only — to spawn multiple inline commands, use a list of { run = "..." } entries or one multiline run string.

Fixed

  • (env) PATH entries under mise's installs directory are now treated as mise-managed during hook-env reactivation, so an inactive install path like installs/node/24/bin inherited from a parent shell can no longer sit ahead of the active project's installs/node/22.17.1/bin (#​10162 by @​risu729).
  • (config) .miserc.toml discovery now stops at raw MISE_CEILING_PATHS entries (without recursing through the lazy fallback), preventing a parent .miserc.toml above the ceiling from injecting MISE_ENV (#​10165 by @​risu729).
  • (task) mise tasks ls --json, tasks info --json, and the MCP tasks resource now serialize full run entries — including single task refs and task groups — instead of script-only strings (#​10163 by @​risu729).
  • (task) Bump usage-lib to 3.4.0 and update the zsh completion to read display<TAB>insert pairs from usage complete-word, restoring task completions after the usage-cli 3.4.0 output change (#​10181 by @​jdx).
  • (installer) Add the missing warn helper used by the standalone installer's checksum fallback paths (#​10157 by @​risu729, recreating @​olfway's original fix).

Lock identity

A batch of fixes ensures mise lock selects entries by an identity that actually reflects the installed result, so toggling an option no longer silently reuses a stale lock entry:

  • (conda) Include the conda channel — the same tool@version resolved against conda-forge, bioconda, or a private channel can produce entirely different builds and checksums (#​9984 by @​risu729).
  • (rust) Include rustup profile, components, and targets, read from both tool options and rust-toolchain.toml, with stable sorting (#​9988 by @​risu729).
  • (github) Include target artifact selectors (api_url, version_prefix, per-platform asset_pattern, direct url, no_app) for GitHub, GitLab, and Forgejo backends, resolved per target platform (#​9985 by @​risu729).
  • (python) Include non-default patch_sysconfig = false (the interpreter tree differs after install); virtualenv stays out as an activation-only overlay (#​10161 by @​risu729).

Changed

  • (npm) mise is now published to npm under the unscoped mise package, so npm install -g mise and npx mise work directly. The legacy @jdxcode/mise scoped package continues to be published, and the new wrapper reuses the existing @jdxcode/mise-<os>-<arch> platform tarballs (#​10183 by @​jdx).

Full Changelog: jdx/mise@v2026.5.17...v2026.5.18

v2026.5.17: Custom aqua registry cache and Windows fixes

Compare Source

A catch-up release for the tag that shipped the compiled custom aqua registry cache, several Windows task/shim fixes, and a handful of backend install improvements. This release is backfilled without binary assets; use v2026.5.18 or newer for downloadable artifacts.

Added

  • (aqua) Add a compiled custom registry cache to speed up aqua registry lookups and reduce repeated parsing work (#​9583 by @​jdx).

Fixed

  • (upgrade) Handle a lone v prefix in --bump latest queries (#​10130 by @​jdx).
  • (env) Force the Unix environment key to uppercase PATH, avoiding mixed-case path handling surprises (#​9927 by @​jdx).
  • (http) Limit fallback retries against the shared versions host (#​10142 by @​jdx).
  • (bun) Use Bun's native windows-arm64 build for Bun 1.3.10 and newer (#​10150 by @​M1noa).
  • (task) Honor explicit and quoted shell paths on Windows (#​10148 by @​M1noa).
  • (task) Convert PATH to /cygdrive form for Cygwin bash tasks on Windows (#​10147 by @​M1noa).
  • (ui) Honor color settings in interactive prompt themes (#​10151 by @​M1noa).
  • (pipx) Upgrade the shared pip environment when using version constraints (#​10138 by @​jdx).
  • (shim) Refresh stale Windows shims after a mise version update (#​10152 by @​M1noa).
  • (completion) Keep global -C/--cd usable in task argument completion (#​10153 by @​M1noa).
  • (github) Handle x86 release assets as x64 fallbacks where upstreams publish mismatched naming (#​10103 by @​jdx).
  • (github) Strip OpenGrep platform suffixes before asset matching (#​10166 by @​jdx).
  • (github) Penalize certificate assets as metadata so they are not selected as install archives (#​10158 by @​jdx).

Changed

Documentation

Full Changelog: jdx/mise@v2026.5.16...v2026.5.17

v2026.5.16: versions-host metadata, fork-bomb fixes, and friendlier upgrades

Compare Source

Added
  • (github) Use the shared mise-versions host for release metadata and artifact attestations before falling back to api.github.com, dramatically cutting anonymous GitHub API usage in CI/Docker (#​10127 by @​jdx).
  • (node) New node.npm_shim setting (MISE_NODE_NPM_SHIM) to opt out of the bundled npm wrapper, letting corepack manage bin/npm cleanly (#​10082 by @​jjb).
  • (npm) New allow_builds tool option for npm-backend installs that expands to --allow-build=<pkg> for aube and pnpm, accepting a string, array, or true for all builds (#​10116 by @​jdx).

Fixed
  • (backend) Strip the system shims dir from dependency_env PATH to prevent npm/go shim re-entry fork-bombs in devcontainer/Docker setups using mise install --system (#​10019 by @​andrewjamesbrown).
  • (backend) Improve libc detection on musl distros so installing gcompat on Alpine no longer flips mise to glibc binaries (#​10020 by @​thespags).
  • (aqua) Skip in-place link creation when src and dst alias the same inode (fixes godot install on macOS/APFS) (#​10012 by @​tvararu).
  • (aqua) Lock github_content packages using raw GitHub content URLs instead of archive URLs (#​10102 by @​risu729).
  • (toolset) hook-env and other prefer-offline flows no longer fetch remote versions to resolve concrete/latest/prefix:* specs, speeding up shells with many fuzzy tools (#​10098 by @​jdx).
  • (upgrade) Preserve installed versions still pinned by other tracked project lockfiles during upgrade cleanup (#​10114 by @​jdx).
  • (upgrade) Improve current version detection so prefix requests like go = "1.25" show the best matching installed version in summaries (#​9973 by @​jdx).
  • (lock) Allow mise lock and mise upgrade to refresh mise.lock even when locked = true is set (#​10111 by @​jdx).
  • (install) Reject install requests whose resolved backend is in disable_backends, including explicit syntax like ubi:owner/repo (#​9905 by @​risu729).
  • (use) Reject tool version strings that start with - (e.g. mise use dummy@--version) (#​10113 by @​jdx).
  • (en) Preserve MISE_ENV / -E profile when an activated subshell sources mise activate (#​10124 by @​jdx).
  • (unset) Respect MISE_GLOBAL_CONFIG_FILE when running mise unset from $HOME, matching mise set/use (#​10105 by @​jdx).
  • (task) Set config_root on tasks loaded from global config so {{config_root}} renders correctly (#​10106 by @​jdx).
  • (task) Render templates and expand ~/ in sandbox allow_read / allow_write paths (#​10112 by @​jdx).
  • (shim) Skip dot-prefixed (hidden) executables when generating shims (#​10123 by @​jdx).
  • (pipx) Combine --pip-args=VALUE into a single argv element so pipx's argparse accepts values starting with -- (#​10120 by @​iloveitaly).
  • (security) Apply url_replacements to the GitHub attestations API base URL (#​9971 by @​SlaterByte).
  • Show the mise version in friendly error output (#​10109 by @​jdx).
  • (copr) Increase build timeout (#​10071 by @​jdx).

Performance
  • Cache repeated successful path canonicalization across hot PATH/shim/activation lookups (#​10068 by @​jdx).

Changed

Documentation

v2026.5.15: loongarch64 and riscv64 support

Compare Source

A small release that recognizes loongarch64 and riscv64 as valid platform arches and refreshes the conda (rattler) backend.

Fixed

  • Add loongarch64 and riscv64 to the set of arches accepted by Platform::validate(). Previously, lockfiles targeting linux-riscv64 or linux-loongarch64 would fall back to the common platform set instead of resolving to the requested single platform, so installs on those machines couldn't use lockfile-authoritative platform selection (#​10038 by @​k0tran).

Changed

  • Bump rattler (used by the conda backend) from 0.42 to 0.43, picking up upstream fixes for missing symlinks during Windows installs, deterministic path ordering from link_package_sync, and accepting full URLs as the OAuth issuer host (#​10030).

New Contributors

Full Changelog: jdx/mise@v2026.5.14...v2026.5.15

v2026.5.14: Reject wrong-arch release assets

Compare Source

A small fix release that hardens GitHub release asset auto-selection against picking binaries for the wrong CPU architecture.

Fixed

  • (github) Asset auto-selection now hard-rejects any candidate whose filename explicitly declares a non-matching architecture, even when other scoring bonuses (preferred name, archive type, libc match) would otherwise rank it first. This fixes cases like cargo-msrv on aarch64 Linux, where cargo-msrv-x86_64-unknown-linux-gnu-*.tgz was being chosen over no-match-better-than-wrong-match. Explicit asset_pattern configuration is unchanged ([#​10018](https://redirect.github.com/jdx/mis

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • "every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codecov Bot commented May 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

greptile-apps Bot commented May 16, 2026

Greptile Summary

Bumps the packageManager field in package.json from pnpm@11.0.8 to pnpm@11.0.9 with an updated SHA512 integrity hash, as generated by Renovate.

  • The new hash (34ce82e6…) is a valid 128-character SHA512 hex digest matching pnpm 11.0.9.
  • The 11.0.9 release is a patch containing bug fixes for GitLab-hosted dependencies, NPM_CONFIG_USERCONFIG handling, pnpm pack bundling, CLI crash on old Node.js, and pnpm publish --provenance semver metadata.

Confidence Score: 5/5

This is a single-line patch bump to the package manager version with a verified integrity hash — no application logic is touched.

The only change is updating the packageManager field to pnpm 11.0.9, a patch release with exclusively bug fixes. The SHA512 hash is correctly formatted (128-character hex digest). No production code, dependencies, or configuration is affected beyond the toolchain version itself.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| package.json | Updates packageManager field from pnpm 11.0.8 to 11.0.9 with a new SHA512 integrity hash; patch-only change with no structural modifications. |

Reviews (1): Last reviewed commit: "chore(deps): update pnpm to v11.0.9"

@renovate renovate Bot force-pushed the renovate/all-dependencies branch from 3ab57c0 to 577b53d Compare May 16, 2026 12:49
@renovate renovate Bot changed the title chore(deps): update pnpm to v11.0.9 chore(deps): update all dependencies May 16, 2026
@renovate renovate Bot force-pushed the renovate/all-dependencies branch 13 times, most recently from 32522fa to b85bcd5 Compare May 23, 2026 21:32
@renovate renovate Bot force-pushed the renovate/all-dependencies branch 12 times, most recently from 00d9da8 to db5f0ab Compare May 31, 2026 09:03
@renovate renovate Bot force-pushed the renovate/all-dependencies branch from db5f0ab to 5ed2bcd Compare June 3, 2026 14:15
@renovate renovate Bot force-pushed the renovate/all-dependencies branch 10 times, most recently from c4c9873 to 073340b Compare June 10, 2026 08:14
@renovate renovate Bot force-pushed the renovate/all-dependencies branch 4 times, most recently from 0714c19 to 177b7e9 Compare June 12, 2026 00:50
@renovate renovate Bot force-pushed the renovate/all-dependencies branch from 177b7e9 to 29e9f22 Compare June 12, 2026 11:04