
chore: release 2026.3.8#8552

Merged
jdx merged 1 commit into
mainfrom
release
Mar 11, 2026

Conversation

@mise-en-dev mise-en-dev commented Mar 11, 2026

Collaborator

🐛 Bug Fixes

  • (backend) skip cosign provenance in lockfile for opts-only aqua tools by @jdx in #8559
  • (exec) resolve wrapper recursion when shims are in PATH by @jdx in #8560

📦 Registry

Chore

New Contributors

📦 Aqua Registry Updates

New Packages (1)

Updated Packages (8)

@gemini-code-assist

Contributor

Summary of Changes

Hello, I'm Gemini Code Assist [1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request marks the release of mise version 2026.3.8, primarily focusing on synchronizing and updating the Aqua Registry with the latest package definitions. It ensures that users have access to current versions of various tools and includes a significant enhancement to the vfox-postgres plugin, improving its dependency resolution and command execution for PostgreSQL installations.

Highlights

  • New Release Version: The mise project has been released as version 2026.3.8.
  • Aqua Registry Updates: The Aqua Registry has been updated to 2026.3.5, including the addition of one new package (raaymax/lazytail) and updates to eight existing packages (caarlos0/fork-cleaner, containerd/containerd, containerd/containerd/static, hellux/jotdown, suzuki-shunsuke/cmdx, suzuki-shunsuke/ghir, tmknom/actdocs, twpayne/chezmoi).
  • vfox-postgres Plugin Enhancements: The vfox-postgres plugin received improvements to its OpenSSL detection logic and shell quoting mechanisms for more robust installation processes.
Changelog
  • CHANGELOG.md
    • Added release notes for version 2026.3.8, detailing new and updated Aqua Registry packages.
  • Cargo.lock
    • Updated dependency versions for aqua-registry, mise, and vfox.
  • Cargo.toml
    • Updated the mise package version to 2026.3.8.
  • README.md
    • Updated the displayed mise version string.
  • completions/_mise
    • Updated the temporary spec file version to 2026.3.8.
  • completions/mise.bash
    • Updated the temporary spec file version to 2026.3.8.
  • completions/mise.fish
    • Updated the temporary spec file version to 2026.3.8.
  • completions/mise.ps1
    • Updated the temporary spec file version to 2026.3.8.
  • crates/aqua-registry/Cargo.toml
    • Updated the aqua-registry package version to 2026.3.5.
  • crates/aqua-registry/aqua-registry/pkgs/caarlos0/fork-cleaner/registry.yaml
    • Corrected signer-workflow key to signer_workflow.
  • crates/aqua-registry/aqua-registry/pkgs/containerd/containerd/registry.yaml
    • Corrected signer-workflow key to signer_workflow.
  • crates/aqua-registry/aqua-registry/pkgs/containerd/containerd/static/registry.yaml
    • Corrected signer-workflow key to signer_workflow.
  • crates/aqua-registry/aqua-registry/pkgs/hellux/jotdown/registry.yaml
    • Added djot to search_words.
  • crates/aqua-registry/aqua-registry/pkgs/raaymax/lazytail/registry.yaml
    • Added a new package definition for raaymax/lazytail.
  • crates/aqua-registry/aqua-registry/pkgs/suzuki-shunsuke/cmdx/registry.yaml
    • Introduced a version constraint for semver("<= 2.0.1") with checksum and SLSA provenance, and added github_immutable_release flag.
  • crates/aqua-registry/aqua-registry/pkgs/suzuki-shunsuke/ghir/registry.yaml
    • Added github_immutable_release flag.
  • crates/aqua-registry/aqua-registry/pkgs/tmknom/actdocs/registry.yaml
    • Corrected signer-workflow key to signer_workflow.
  • crates/aqua-registry/aqua-registry/pkgs/twpayne/chezmoi/registry.yaml
    • Added a version constraint for semver("<= 2.66.1") with checksum and cosign, and added github_immutable_release flag to multiple version constraints.
  • crates/vfox/Cargo.toml
    • Updated the vfox package version to 2026.3.0.
  • crates/vfox/embedded-plugins/vfox-postgres/hooks/post_install.lua
    • Refactored OpenSSL prefix detection, improved shell quoting, and updated file existence checks.
  • default.nix
    • Updated the mise version to 2026.3.8.
  • packaging/rpm/mise.spec
    • Updated the mise package version to 2026.3.8.
  • snapcraft.yaml
    • Updated the mise snap version to 2026.3.8.
  • src/assets/gpg/node.asc
    • Updated a PGP public key block.
Activity
  • No specific activity has been recorded for this pull request yet.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature              | Command             | Description
Code Review          | /gemini review      | Performs a code review for the current pull request in its current state.
Pull Request Summary | /gemini summary     | Provides a summary of the current pull request in its current state.
Comment              | @gemini-code-assist | Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help                 | /gemini help        | Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

greptile-apps Bot commented Mar 11, 2026

Contributor

Greptile Summary

This is the routine release PR for mise 2026.3.8, bumping version numbers across all packaging manifests and shipping the changes merged since 2026.3.7. The substantive work landed in referenced PRs; this PR collects the version bumps, changelog entry, updated completions, and submodule/registry changes.

Key changes included:

  • Bug fixes (#8559, #8560): skip cosign provenance in lockfile for opts-only aqua tools; resolve wrapper recursion when shims are in PATH.
  • Registry additions/updates: new raaymax/lazytail aqua package; corrected signer-workflow → signer_workflow key name in four registry YAML files (caarlos0/fork-cleaner, containerd/containerd, containerd/containerd/static, tmknom/actdocs); added historical version constraint blocks and github_immutable_release: true flags to cmdx and chezmoi.
  • vfox postgres plugin (crates/vfox): significantly improved post_install.lua with a proper shell_quote() helper (replacing bare single-quote wrapping) and a multi-strategy OpenSSL discovery function covering env-var overrides, pkg-config, Nix profiles, and Homebrew paths — both good improvements for correctness and portability.
  • Node.js GPG keyring: updated UID for Antoine du Hamel from @rosa.be to @platformatic.dev; the primary key fingerprint is unchanged (see inline comment).
  • Cosmetic: star count bump in docs/.vitepress/stars.data.ts (25.4k → 25.5k).

Confidence Score: 4/5

  • This PR is safe to merge; all changes are routine release bookkeeping plus well-scoped bug fixes and registry updates.
  • The vast majority of changes are mechanical version bumps and auto-generated artifacts. The only non-trivial code change is the enhanced post_install.lua for the vfox postgres plugin, which is a clear improvement in correctness (proper shell quoting, broader OpenSSL discovery). The one item requiring human verification is the Node.js GPG key UID update, which should be confirmed against official upstream sources before merging.
  • src/assets/gpg/node.asc — the UID email change for a Node.js signing key should be verified against the official Node.js release keys list.

Important Files Changed

Filename | Overview
CHANGELOG.md | Adds new 2026.3.8 release section documenting bug fixes, registry additions, and aqua package updates.
Cargo.toml | Routine version bump from 2026.3.7 to 2026.3.8.
crates/vfox/embedded-plugins/vfox-postgres/hooks/post_install.lua | Major enhancement: adds proper shell quoting via shell_quote() and expands OpenSSL discovery to support pkg-config, Nix, and multiple Homebrew/fallback paths on macOS; logic looks correct with minor redundancy in handle:close() checks.
src/assets/gpg/node.asc | Updates Antoine du Hamel's UID in the Node.js release GPG keyring from @rosa.be to @platformatic.dev; the primary key fingerprint is retained, representing a routine email address change on an existing key.
crates/aqua-registry/aqua-registry/pkgs/raaymax/lazytail/registry.yaml | New package entry for lazytail; only linux/amd64 and darwin platforms supported, correctly reflecting upstream release availability.
crates/aqua-registry/aqua-registry/pkgs/caarlos0/fork-cleaner/registry.yaml | Fixes signer-workflow key to signer_workflow (hyphen → underscore) to match aqua registry schema.
crates/aqua-registry/aqua-registry/pkgs/twpayne/chezmoi/registry.yaml | Adds version_constraint block for ≤2.66.1 with cosign options, and adds github_immutable_release: true to ≤2.67.1, ≤2.68.1, and latest blocks.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PostInstall called] --> B{os_type == darwin?}
    B -- Yes --> C[find_openssl_prefix]
    C --> C1{OPENSSL_ROOT_DIR / OPENSSL_DIR set?}
    C1 -- Yes, valid --> R[return prefix]
    C1 -- No --> C2{pkg-config openssl?}
    C2 -- Yes, valid --> R
    C2 -- No --> C3{Nix profile / NIX_SSL_CERT_FILE?}
    C3 -- Yes, valid --> R
    C3 -- No --> C4{Homebrew opt/openssl@3 or opt/openssl?}
    C4 -- Yes, valid --> R
    C4 -- No --> C5[Fallback paths: /usr/local /opt/local]
    C5 -- valid --> R
    C5 -- not found --> WARN[Warn: OpenSSL not found]
    R --> D[Add lib/include paths]
    WARN --> E[Skip OpenSSL paths]
    D --> F[Check ICU / UUID libs]
    E --> F
    F --> G[Build configureOptions]
    B -- No/Linux --> H[Linux: use e2fs UUID]
    H --> G
    G --> I[Run ./configure]
    I --> J[make && make install]
    J --> K[initdb unless POSTGRES_SKIP_INITDB]
    K --> L[Cleanup source files]

Comments Outside Diff (1)

  1. crates/vfox/embedded-plugins/vfox-postgres/hooks/post_install.lua, lines 429-435

    Redundant close_ok ~= 0 guard in pkg_config_openssl_prefix

    In Lua 5.2+, io.popen handle's close() returns either true (on exit code 0) or nil (on non-zero exit / error), never an integer. The close_ok ~= 0 condition is therefore never false in practice, making it dead code. The second close_code check is also redundant since the first check already returns nil for all failure cases.

Last reviewed commit: ed463ca
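The discovery order in the flowchart above, as an added example in POSIX sh (it is not the plugin's Lua and not the project's own code). It assumes a prefix counts as valid when it holds include/openssl/ssl.h and a lib directory, consults pkg-config only when that binary is on PATH, and stands in for the Nix step with the per-user profile only; the NIX_SSL_CERT_FILE branch of the flowchart is not reproduced. The function names and the validity test are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the vfox-postgres plugin): OpenSSL prefix discovery
# in the order the flowchart gives, with an explicit validity test so that a
# stale OPENSSL_ROOT_DIR or a half-removed Homebrew keg is skipped instead of
# being handed to ./configure.

# openssl_prefix_valid DIR
# Assumption: a usable prefix holds the public headers and a lib directory.
openssl_prefix_valid() {
    [ -n "$1" ] && [ -f "$1/include/openssl/ssl.h" ] && [ -d "$1/lib" ]
}

# find_openssl_prefix
# Prints the first valid prefix and returns 0; prints a warning on stderr and
# returns 1 when every strategy fails, so the caller can skip the OpenSSL
# include/lib paths rather than abort the install.
find_openssl_prefix() {
    # 1. explicit overrides, honoured only when they point at a real install
    for c in "$OPENSSL_ROOT_DIR" "$OPENSSL_DIR"; do
        if openssl_prefix_valid "$c"; then printf '%s\n' "$c"; return 0; fi
    done
    # 2. pkg-config, if it is installed and knows an openssl module
    if command -v pkg-config >/dev/null 2>&1; then
        c=$(pkg-config --variable=prefix openssl 2>/dev/null || true)
        if openssl_prefix_valid "$c"; then printf '%s\n' "$c"; return 0; fi
    fi
    # 3. Nix: the per-user profile (hypothetical stand-in for the plugin's
    #    Nix branch; the NIX_SSL_CERT_FILE handling is not reproduced here)
    c="$HOME/.nix-profile"
    if openssl_prefix_valid "$c"; then printf '%s\n' "$c"; return 0; fi
    # 4. Homebrew keg links: HOMEBREW_PREFIX when set, then the two defaults
    for b in "$HOMEBREW_PREFIX" /opt/homebrew /usr/local; do
        [ -n "$b" ] || continue
        for c in "$b/opt/openssl@3" "$b/opt/openssl"; do
            if openssl_prefix_valid "$c"; then printf '%s\n' "$c"; return 0; fi
        done
    done
    # 5. last resort: classic Unix prefixes
    for c in /usr/local /opt/local; do
        if openssl_prefix_valid "$c"; then printf '%s\n' "$c"; return 0; fi
    done
    echo "warning: OpenSSL not found; skipping OpenSSL include/lib paths" >&2
    return 1
}
```

The point of validating every candidate, including the explicit override, is that an environment variable left over from an uninstalled OpenSSL would otherwise short-circuit the search and produce a confusing ./configure failure instead of falling through to the next strategy.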

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request is a release for version 2026.3.8, including version bumps, changelog updates, and modifications to Aqua registry packages. A security audit revealed several critical vulnerabilities: completion scripts use predictable temporary filenames, making them susceptible to symlink attacks; the PostgreSQL post-install Lua script is vulnerable to command injection via the POSTGRES_CONFIGURE_OPTIONS environment variable; and a new package was added to the Aqua registry without integrity verification. Additionally, a minor issue was found in the new lazytail package definition regarding its supported environments on macOS. These security issues require immediate attention to ensure the integrity and security of the tool and its ecosystem.

Comment on lines 222 to 226
local userOptions = os.getenv("POSTGRES_CONFIGURE_OPTIONS")
if userOptions ~= nil and userOptions ~= "" then
-- User provided full options, use those instead (but keep prefix)
configureOptions = "--prefix='" .. sdkPath .. "' " .. userOptions
configureOptions = "--prefix=" .. shell_quote(sdkPath) .. " " .. userOptions
end
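Review bot: the new assignment quotes sdkPath through shell_quote but still appends userOptions verbatim, so whatever POSTGRES_CONFIGURE_OPTIONS holds is interpreted by the shell when configureOptions is executed. If the variable is meant to carry several ./configure flags, state that in the plugin's documentation and reject values containing shell metacharacters before the concatenation; if it is meant to be opaque, split it on whitespace and pass each token through shell_quote as well.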

Contributor

security-high high

The environment variable POSTGRES_CONFIGURE_OPTIONS is concatenated into the configureOptions string, which is then used to construct a shell command executed via os.execute. This allows for command injection if an attacker can control the environment variable (e.g., by setting it to ; malicious_command). Consider validating the environment variable to ensure it does not contain shell metacharacters like ;, &, |, etc.
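The two defences this thread discusses, the plugin's single-quote wrapping and the metacharacter validation suggested above, as an added example in POSIX sh rather than the plugin's Lua. This is not the project's code: the names shell_quote, configure_options_are_safe and build_configure_cmd, and the allowed character set, are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the vfox-postgres plugin's code): quoting the prefix and
# validating POSTGRES_CONFIGURE_OPTIONS before either reaches a shell.

# shell_quote STRING
# Prints STRING as a single shell word. Inside single quotes only the closing
# quote is special, so the sole rewrite is ' -> '\'' (close, literal quote,
# reopen). Same strategy as the helper the review describes; the
# implementation is the example's own.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# configure_options_are_safe STRING
# Allow-list check (assumption: plain ./configure flags need only these
# characters). Anything else, including ; & | $ ` ( ) < > and quotes, is
# rejected, so the value can be word-split by the shell without any of it
# being read as command syntax. LC_ALL=C keeps the ranges byte-based.
configure_options_are_safe() {
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9_=./:,+@% -]'
}

# build_configure_cmd PREFIX [USER_OPTIONS]
# Prints the command line a post-install step would hand to the shell.
# PREFIX is always quoted; USER_OPTIONS is appended only after validation,
# and the function returns 3 instead of emitting an injectable string.
build_configure_cmd() {
    prefix=$1
    user_opts=${2:-}
    if [ -n "$user_opts" ] && ! configure_options_are_safe "$user_opts"; then
        echo "POSTGRES_CONFIGURE_OPTIONS contains shell metacharacters; refusing to run ./configure" >&2
        return 3
    fi
    printf './configure --prefix=%s%s\n' "$(shell_quote "$prefix")" "${user_opts:+ $user_opts}"
}
```

The allow-list is deliberately stricter than "no ; & |": rejecting $, backticks and parentheses closes command substitution too, and rejecting quotes means a value cannot break out of the single-quoted prefix that precedes it. A value that fails validation is refused outright rather than silently stripped, so the user learns why the install did not run.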

Comment thread completions/_mise
fi

local spec_file="${TMPDIR:-/tmp}/usage__usage_spec_mise_2026_3_7.spec"
local spec_file="${TMPDIR:-/tmp}/usage__usage_spec_mise_2026_3_8.spec"
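Review bot: the bump changes only the version suffix of the name; the file still lives in the world-writable ${TMPDIR:-/tmp} under a name every local user can predict, so a symlink planted at that path is followed on write. Prefer a per-user cache directory created with mode 0700 (for example under XDG_CACHE_HOME), or create the file with mktemp and rename it into place, and check that the path is not a symlink before reusing a cached spec.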

Contributor

security-medium medium

The completion script uses a predictable filename in a shared temporary directory (/tmp). This is vulnerable to a symlink attack where an attacker could create a symlink with this name pointing to a sensitive file owned by the user, causing it to be overwritten when the completion script runs. Consider using a user-specific directory (e.g., ${TMPDIR:-/tmp}/mise-completions-${UID}) or a non-predictable filename generated with mktemp.
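A way to write the cached spec file that removes the hazard the comment describes, as an added example in POSIX sh. It is not the project's completion code: write_spec_file, cache_dir and their arguments are hypothetical. It keeps the file in a per-user directory created with mode 0700, refuses a pre-existing symlink at the target, and writes the content through mktemp in that directory before renaming it into place.

```shell
#!/bin/sh
# Added example (not mise's own completion code): caching a spec file without
# a predictable name in a shared /tmp. The defences, in order: a per-user
# directory with restrictive permissions, a refusal to write through anything
# that is not a regular file, and creation via mktemp followed by an atomic
# rename so no other process ever sees a half-written or pre-planted path.

# write_spec_file DIR NAME CONTENT
# Returns 0 on success, 2 if DIR/NAME exists but is not a regular file
# (a symlink or directory planted there), 1 on any other failure.
write_spec_file() {
    dir=$1
    name=$2
    content=$3
    # Per-user cache directory; -m 0700 applies regardless of the caller's umask.
    mkdir -p -m 0700 "$dir" || return 1
    target="$dir/$name"
    # -L catches a symlink even when its destination does not exist;
    # the second test rejects directories, FIFOs and devices at that path.
    if [ -L "$target" ] || { [ -e "$target" ] && [ ! -f "$target" ]; }; then
        echo "refusing to write through $target: not a regular file" >&2
        return 2
    fi
    # mktemp creates the file (mode 0600, random suffix) atomically in DIR,
    # so the name cannot be guessed in advance and the rename below stays on
    # one filesystem.
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
}

# cache_dir
# The per-user location such a file belongs in (hypothetical layout; the
# real scripts use ${TMPDIR:-/tmp}).
cache_dir() {
    printf '%s/mise\n' "${XDG_CACHE_HOME:-$HOME/.cache}"
}
```

Rejecting the symlink rather than deleting it keeps the function from becoming a way to remove arbitrary entries in the directory; the caller simply gets a non-zero status and can fall back to regenerating the spec in memory.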

Comment thread completions/mise.bash
local cur prev words cword was_split comp_args
_comp_initialize -n : -- "$@" || return
local spec_file="${TMPDIR:-/tmp}/usage__usage_spec_mise_2026_3_7.spec"
local spec_file="${TMPDIR:-/tmp}/usage__usage_spec_mise_2026_3_8.spec"

Contributor

security-medium medium

The completion script uses a predictable filename in a shared temporary directory (/tmp). This is vulnerable to a symlink attack where an attacker could create a symlink with this name pointing to a sensitive file owned by the user, causing it to be overwritten when the completion script runs. Consider using a user-specific directory or a non-predictable filename generated with mktemp.

Comment thread completions/mise.fish
end
set -l tmpdir (if set -q TMPDIR; echo $TMPDIR; else; echo /tmp; end)
set -l spec_file "$tmpdir/usage__usage_spec_mise_2026_3_7.spec"
set -l spec_file "$tmpdir/usage__usage_spec_mise_2026_3_8.spec"

Contributor

security-medium medium

The completion script uses a predictable filename in a shared temporary directory (/tmp). This is vulnerable to a symlink attack where an attacker could create a symlink with this name pointing to a sensitive file owned by the user, causing it to be overwritten when the completion script runs. Consider using a user-specific directory or a non-predictable filename.

Comment thread completions/mise.ps1

$tmpDir = if ($env:TEMP) { $env:TEMP } else { [System.IO.Path]::GetTempPath() }
$specFile = Join-Path $tmpDir "usage__usage_spec_mise_2026_3_7.kdl"
$specFile = Join-Path $tmpDir "usage__usage_spec_mise_2026_3_8.kdl"

Contributor

security-medium medium

The completion script uses a predictable filename in a temporary directory. While PowerShell's GetTempPath() is typically user-specific on modern Windows, if this script is run in an environment where the temp directory is shared, it could be vulnerable to symlink attacks. Consider using a more secure way to handle temporary files.

Comment on lines +13 to +15
- version_constraint: "true"
asset: lazytail-{{.OS}}-{{.Arch}}.{{.Format}}
format: tar.gz
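Review bot: this version_constraint block carries only asset and format, with no checksum or cosign section, so installs of lazytail run with no integrity check on the downloaded archive. Other entries touched by this release show the shape to follow (cmdx with checksum plus SLSA provenance, chezmoi with checksum plus cosign); if upstream publishes a checksum file alongside the archives, add a checksum block referencing it, and if it does not, record that in the entry so the gap is a known one rather than an oversight.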

Contributor

security-medium medium

The new package lazytail is added to the registry without any checksum or digital signature verification (e.g., checksum or cosign fields). This allows the package manager to download and install binaries without verifying their integrity, posing a risk of executing malicious code if the download source is compromised. Please add a checksum field with the expected hash of the package assets.

arm64: aarch64
supported_envs:
- linux/amd64
- darwin

Contributor

medium

The supported_envs for darwin seems too broad. According to the lazytail releases, only aarch64 (Apple Silicon) binaries are provided for macOS, not amd64 (Intel). Listing darwin implies support for all architectures on that OS, which could lead to installation failures on Intel-based Macs. It would be more accurate to specify darwin/arm64.

          - darwin/arm64

github-actions Bot commented Mar 11, 2026


Hyperfine Performance

mise x -- echo

Command                 | Mean [ms]  | Min [ms] | Max [ms] | Relative
mise-2026.3.7 x -- echo | 21.5 ± 0.3 | 20.8     | 25.7     | 1.00
mise x -- echo          | 21.7 ± 0.5 | 21.1     | 26.5     | 1.01 ± 0.03

mise env

Command           | Mean [ms]  | Min [ms] | Max [ms] | Relative
mise-2026.3.7 env | 21.0 ± 0.5 | 20.4     | 26.5     | 1.00
mise env          | 21.1 ± 0.2 | 20.6     | 23.4     | 1.00 ± 0.03

mise hook-env

Command                | Mean [ms]  | Min [ms] | Max [ms] | Relative
mise-2026.3.7 hook-env | 21.6 ± 0.4 | 20.8     | 25.8     | 1.00
mise hook-env          | 21.7 ± 0.3 | 21.1     | 25.3     | 1.00 ± 0.03

mise ls

Command          | Mean [ms]  | Min [ms] | Max [ms] | Relative
mise-2026.3.7 ls | 21.2 ± 0.2 | 20.8     | 22.9     | 1.00
mise ls          | 21.2 ± 0.2 | 20.7     | 23.3     | 1.00 ± 0.02

xtasks/test/perf

Command            | mise-2026.3.7 | mise      | Variance
install (cached)   | 140ms         | 140ms     | +0%
ls (cached)        | 76ms          | 75ms      | +1%
bin-paths (cached) | 79ms          | 78ms      | +1%
task-ls (cached)   | 776ms         | ⚠️ 2720ms | -71%

⚠️ Warning: task-ls cached performance variance is -71%


@mise-en-dev mise-en-dev force-pushed the release branch 2 times, most recently from 8616f65 to e16f52a Compare March 11, 2026 16:17
Comment thread src/assets/gpg/node.asc
Comment on lines 2011 to +2018
=k88i
R17p/j4NtDNBbnRvaW5lIGR1IEhhbWVsIDxhbnRvaW5lLmR1aGFtZWxAcGxhdGZv
cm1hdGljLmRldj6IjgQTFgoANhYhBFvoo/bIpcAdEGwK2CCxo5CxaNNWBQJpsCMx
AhsDBAsJCAcEFQoJCAUWAgMBAAIeAQIXgAAKCRAgsaOQsWjTVr/sAPwIBsG8g6ND
zoNRTX1wPKBvfZg1NP7tYCyM5sxQfrpuLAEA05AhG4xBILfhL/f0pqR5jXfxg6gz
T6WfeVeS6zeHZwe4OARoYDrcEgorBgEEAZdVAQUBAQdAQVmtih8AO3ryBQMR/22x
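Review bot: the base64 in this hunk decodes to a new user ID packet carrying antoine.duhamel@platformatic.dev, followed by a certification signature whose issuer-fingerprint subpacket matches the key discussed in this thread (5BE8A3F6C8A5C01D...). What makes the new UID trustworthy is not that it appears in the file but that this signature validates as a self-signature by the primary key, so before merging import the file into a scratch keyring, confirm with gpg --check-sigs that the new UID's self-signature is good, and compare the fingerprint against the Node.js release-keys list.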

Contributor

GPG key UID update — verify against official Node.js sources

This change updates the UID for Antoine du Hamel in the Node.js release keyring, replacing the rosa.be email address with platformatic.dev. The primary signing key fingerprint (5BE8A3F6C8A5C01D...) is retained, so this is a UID/email-address rotation on an existing key rather than a full key replacement.

Since this file is used to verify the authenticity of Node.js release artifacts, it is worth cross-referencing this update against the official Node.js release keys list at https://github.com/nodejs/node#release-keys or https://keybase.io/antoinedh to confirm the new UID is legitimate before merging.

@jdx jdx merged commit 410b7ca into main Mar 11, 2026
62 of 64 checks passed
@jdx jdx deleted the release branch March 11, 2026 19:08