v2026.2.23: : Stricter lockfile enforcement and vfox backend options

Compare Source

This release tightens lockfile behavior in --locked mode, fixes a stale PATH cache issue with aqua-based tools, resolves intermittent panics with remote git tasks, and adds the ability to pass custom options to vfox backend plugins.

Added

• Custom options for vfox backend plugins -- Options defined in mise.toml tool entries are now passed through to vfox backend plugins in both BackendInstall and BackendExecEnv contexts, accessible in Lua via ctx.options. This enables custom plugin use cases like controlling build parameters. #​8369 by @​Attempt3035

  [tools]
  "llvm:clang" = { version = "latest", build_cores = "22" }

  function PLUGIN:BackendInstall(ctx)
      local cores = ctx.options.build_cores
      -- use cores in your build logic
  end

• Registry: porter -- Added Porter, a CNAB bundle authoring and management tool (github:getporter/porter). #​8380 by @​lbergnehr

• Registry: entire -- Added entire CLI (aqua:entireio/cli). #​8378 by @​TyceHerrman

• Registry: topgrade -- Added topgrade (aqua:topgrade-rs/topgrade), an all-in-one system upgrade tool. #​8377 by @​TyceHerrman

Fixed

• --locked mode now strictly enforces the lockfile -- Previously, mise lock could still run while --locked was active, mise use tool@latest could bypass the lockfile, and tools missing from the lockfile would silently fall through to remote resolution. Now mise lock refuses to run in locked mode with a clear error and hint, mise use tool@latest respects the lockfile when locked, and missing tools fail fast with an actionable message instead of resolving remotely. #​8362 by @​jdx

• Aqua tool PATH entries no longer go missing after install -- The list_bin_paths() cache could be populated with stale (empty) data before extraction finished, or by a concurrent mise hook-env call during installation. The in-memory and on-disk bin_paths caches are now cleared after an aqua tool install completes so paths are recomputed from the freshly installed files. Fixes an issue where upgrading tools like uv caused their PATH entry to vanish. #​8374 by @​jdx

• Remote git task cache no longer panics or corrupts on concurrent access -- Replaced println!/eprintln! with non-panicking writeln! to handle EPIPE gracefully, and added file locking with clone-to-temp-then-rename to prevent concurrent cache corruption when multiple mise processes fetch the same remote git task simultaneously. #​8375 by @​vmaleze

New Contributors

• @​Attempt3035 made their first contribution in #​8369
• @​lbergnehr made their first contribution in #​8380

Full Changelog: jdx/mise@v2026.2.22...v2026.2.23

v2026.2.22: : Outdated plugins, rename_exe fixes, and smoother installs

Compare Source

A small release adding a new way to check for outdated plugins, along with three bug fixes for archive installs, tool environment resolution, and cross-platform Ruby lockfiles.

Added

• mise plugins ls --outdated flag -- A new -o/--outdated flag checks remote git refs in parallel and displays only plugins where the local SHA differs from the remote. Shows a table with plugin name, URL, ref, local SHA, and remote SHA. Prints "All plugins are up to date" when everything is current. #​8360 by @​jdx

  $ mise plugins ls --outdated
  Plugin  Url                                             Ref   Local    Remote
  tiny    https://github.com/mise-plugins/rtx-tiny.git    main  abc1234  def5678

Fixed

• rename_exe works with archives containing a bin/ subdirectory -- When an archive extracts to a layout like prefix/bin/binary, the rename_exe option was silently skipped because it searched the extraction root non-recursively instead of the bin/ subdirectory where the binary actually lives. Both the GitHub-style backend and the HTTP backend now auto-detect the bin/ subdirectory as the search directory, matching the same logic used by discover_bin_paths() for PATH construction. #​8358 by @​jdx

• Installing cargo/npm/pipx tools no longer crashes with tools = true env directives -- When [env] contained entries like NODE_VERSION = { value = "{{ tools.node.version }}", tools = true }, installing npm/cargo/pipx tools would fail with "Variable not found in context" because the referenced tools might not be installed yet. The cargo, npm, and pipx backends now skip tools = true env directive resolution during installation while still including tool paths in PATH. #​8356 by @​jdx

• Ruby lockfile resolves correct Windows checksums -- Running mise lock on macOS/Linux now correctly resolves RubyInstaller2 binary URLs and checksums for Windows platform entries, instead of incorrectly using the MRI source tarball checksum. The lockfile generator now fetches the correct .7z asset from the oneclick/rubyinstaller2 GitHub releases for Windows targets. #​8357 by @​jdx

Changed

• Registry: terradozer switched to GitHub fork -- The terradozer registry entry now points to github:chenrui333/terradozer (replacing the archived asdf plugin and unavailable aqua backend), and is restricted to Linux and macOS. #​8365 by @​chenrui333

New Contributors

• @​chenrui333 made their first contribution in #​8365

Full Changelog: jdx/mise@v2026.2.21...v2026.2.22