fix(use): reject leading-dash tool versions #10113
Code Review
This pull request introduces validation to reject tool version strings that start with a dash ('-'), preventing backend installation tools from misinterpreting versions as CLI flags. This change includes updates to the validate_version_string function, new unit tests for invalid version strings like --version and -v, and an end-to-end test verifying the expected failure behavior. There are no review comments to address, and the implementation looks solid.
Greptile Summary
Adds a leading-dash guard to
Confidence Score: 5/5
Minimal, well-scoped guard added to two validation functions with unit and e2e coverage; no install-path or auth behavior is affected. The change is a two-line guard in each of two validation helpers, both paths are exercised by the new unit tests and the e2e test, and the fix is consistent across validate_version_string and validate_ref_string. No regressions are expected. No files require special attention.
Reviews (2): Last reviewed commit: "fix(use): reject leading-dash ref versio..."
Addressed the Greptile feedback in 6b65680 by adding the same leading-dash guard to
Tested with:
This comment was generated by an AI coding assistant.
Hyperfine Performance
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.5.15 x -- echo | 19.1 ± 2.8 | 16.8 | 34.8 | 1.02 ± 0.16 |
| mise x -- echo | 18.8 ± 0.9 | 17.0 | 27.2 | 1.00 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.5.15 env | 18.4 ± 1.0 | 16.4 | 22.8 | 1.00 |
| mise env | 18.4 ± 0.7 | 16.7 | 21.8 | 1.00 ± 0.07 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.5.15 hook-env | 19.3 ± 0.9 | 17.7 | 22.7 | 1.01 ± 0.07 |
| mise hook-env | 19.2 ± 0.9 | 17.5 | 25.2 | 1.00 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.5.15 ls | 15.8 ± 0.7 | 14.4 | 19.8 | 1.00 |
| mise ls | 16.1 ± 0.7 | 14.7 | 19.9 | 1.02 ± 0.07 |
xtasks/test/perf
| Command | mise-2026.5.15 | mise | Variance |
|---|---|---|---|
| install (cached) | 133ms | 134ms | +0% |
| ls (cached) | 61ms | 61ms | +0% |
| bin-paths (cached) | 66ms | 66ms | +0% |
| task-ls (cached) | 126ms | 124ms | +1% |
Summary
-before backend installation runs
`mise use dummy@--version` fails and leaves `mise.toml` unchanged
Tests
`cargo fmt --check`
`RUSTFLAGS="-C linker=/usr/bin/gcc -C link-arg=-fuse-ld=bfd -C link-self-contained=no" /home/coder/.cargo/bin/cargo test -q toolset::tool_request::tests::test_validate_version_string_rejects_metacharacters`
`PATH=/home/coder/.cargo/bin:$PATH RUSTFLAGS="-C linker=/usr/bin/gcc -C link-arg=-fuse-ld=bfd -C link-self-contained=no" mise run test:e2e e2e/cli/test_use`
Addresses discussion #9975.
Note
Low Risk
Small validation guard at parse time with no auth or data-path changes; versions like `1.2.3-beta` remain valid.
Overview
`mise use` and other tool-version parsing now reject version and ref strings that start with `-`, with a clear error (must not start with '-'), so values like `--version` cannot be passed through to backends that might treat them as CLI flags.
The same rule applies to `ref:`/`branch:`/`tag:`/`rev:` values. Unit tests cover `--version` and `-v`; an e2e case asserts `mise use dummy@--version` fails and `mise.toml` stays unchanged.
Reviewed by Cursor Bugbot for commit 6b65680. Bugbot is set up for automated code reviews on this repo.
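
The parse-time guard described in this pull request, as an added Rust sketch that is not mise's own code. The function names, the `tool@version` split and the `install` argv are assumptions made for illustration; only the error text, the prefixes and the sample inputs `--version`, `-v` and `1.2.3-beta` come from the page.

```rust
// Added illustration, not mise's source; all names here are hypothetical.

/// Error text mirrors the message quoted on this page.
const LEADING_DASH: &str = "must not start with '-'";

/// Prefixes the page lists as subject to the same rule.
const REF_PREFIXES: [&str; 4] = ["ref:", "branch:", "tag:", "rev:"];

/// Parse-time guard: a value a backend CLI could read as an option is rejected.
fn check_no_leading_dash(value: &str) -> Result<(), &'static str> {
    if value.starts_with('-') {
        return Err(LEADING_DASH);
    }
    Ok(())
}

/// Split "tool@version" and validate the version, or the value after a ref-style prefix.
fn parse_tool_request(arg: &str) -> Result<(&str, &str), &'static str> {
    let (tool, version) = arg.split_once('@').ok_or("expected tool@version")?;
    let value = REF_PREFIXES
        .iter()
        .find_map(|p| version.strip_prefix(*p))
        .unwrap_or(version);
    check_no_leading_dash(value)?;
    Ok((tool, version))
}

/// Entries a getopt-style backend parser would treat as options, not positionals.
fn args_read_as_options<'a>(argv: &[&'a str]) -> Vec<&'a str> {
    argv.iter().copied().filter(|a| a.starts_with('-')).collect()
}

fn main() {
    // Constructed inputs: the first two are the cases named in the PR's tests.
    for arg in ["dummy@--version", "dummy@-v", "dummy@1.2.3-beta", "dummy@ref:-x"] {
        match parse_tool_request(arg) {
            Ok((tool, version)) => {
                // Hypothetical backend command line; only validated values get here.
                let argv = ["install", tool, version];
                println!("{arg}: ok, options seen by backend: {:?}", args_read_as_options(&argv));
            }
            Err(e) => println!("{arg}: rejected ({e})"),
        }
    }
}
```

Because the check runs before anything is written or executed, a rejected request never reaches the backend command line, and a dash inside the version (`1.2.3-beta`) is unaffected since only the first character is tested.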