Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

The go backend previously used `go list -m -versions -json` to resolve
versions, which returns 200 with an empty version list for subpath
packages (e.g. github.com/foo/bar/cmd/baz). This is indistinguishable
from a real module with no tagged versions. This meant mise could never
resolve "latest" for these tools, producing a "no latest version found"
warning on every `mise up` and preventing version bumps via `mise up
-l`.

This change replaces the version resolution with direct HTTP queries to
the Go module proxy ($GOPROXY), matching the logic used by `go install`:

1. Generate all path prefix candidates from the tool path
2. Query $GOPROXY/<path>/@v/list for all prefixes in parallel
3. The proxy returns 404 for non-modules (vs 200 for real modules),
giving a clean signal to continue truncating
4. For 200-but-empty responses, follow up with @latest to distinguish
real modules using pseudo-versions from non-module paths
5. Pick the longest prefix that resolved with tagged versions

This approach uses HTTP GETs, respects the GOPROXY env var (comma/pipe
separators, direct, off), handles Go proxy module path encoding for
uppercase letters, and falls back to `go list -m -versions` for
GOPROXY=direct setups.

### Manual testing

#### go:github.com/ankitpokhrel/jira-cli/cmd/jira

Subpath package (cmd/jira) within a module that has tagged releases.
Previously, `go list -m -versions` returned 200 with empty versions for
the subpath, and mise treated that as authoritative, never falling back
to the root module github.com/ankitpokhrel/jira-cli which has versions
v0.0.0 through v1.7.0.

Previously, `mise up` warned "no latest version found" on every run. Now
resolves correctly via the proxy (subpath returns 404, root module
returns versions).

####  go:github.com/GoogleCloudPlatform/scion/cmd/scion

Subpath package where the root module
(github.com/GoogleCloudPlatform/scion) exists but has no tagged releases
at all.

The proxy returns 200 with empty versions for the root, and @latest
resolves to a pseudo-version. Same "no latest version found" warning as
jira-cli. Now correctly identified as a real module with no tags,
returns empty versions so `go install ...@latest` can resolve via
pseudo-version at install time.

#### go:github.com/go-kratos/kratos/cmd/kratos/v2

Deep subpath with a /v2 major version suffix. This is a real Go
submodule (has its own go.mod) but no tagged versions, it resolves via
pseudo-version. The root module github.com/go-kratos/kratos has v1.x
tags, which would be wrong to use. The proxy correctly returns 200-empty
for the exact path, @latest confirms it's a real module, so we return
empty and let go install handle it (no regression from #8823).

#### go:github.com/go-task/task/v3/cmd/task

Subpath under a /v3 major version module. The exact path returns 404,
and truncation finds github.com/go-task/task/v3 (which is a proper
prefix) with v3.x tags. Works correctly.

#### go:github.com/charmbracelet/vhs

Simple case, no subpath. Module root has tagged versions. Works as
before (proxy returns versions directly for the exact path).

## Summary
- Fix race condition in `emit_leaves()` where a failed `tx.send()` on a
dead channel leaves the task marked in `self.sent`, preventing it from
being re-emitted on the next live channel
- When a task with `sources`/`outputs` is skipped (up-to-date), its
downstream dependents could hang indefinitely due to this race between
`subscribe()` calls in `pump_deps`
- Remove the key from `self.sent` when `send()` fails so the task can be
re-emitted

## Test plan
- [x] Existing e2e test `test_task_run_sources` passes
- [x] Manual loop test (50 iterations locally, 500 on Linux) passes
- [ ] Reporter (@patrickhoefler) to confirm fix resolves their CI hang

Fixes #8932

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches task dependency scheduling around an mpsc channel send
failure; while the change is small, it affects concurrency/control flow
and could impact whether tasks are (re)scheduled or streams terminate
correctly.
> 
> **Overview**
> Prevents a potential task-run hang by updating `Deps::emit_leaves()`
to roll back `self.sent` when `tx.send(Some(task))` fails, allowing the
leaf task to be emitted again on a subsequent subscription/channel.
> 
> Additionally tweaks docs rendering by converting two warning callouts
in `backend-plugin-development.md` and `url-replacements.md` to the
correct `> [!WARNING]` blockquote format.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
6df0b8b. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

## Summary
- Add glob wildcard support (`*`) to `allow_env` in sandbox config,
enabling env var namespace filtering (e.g., `MYAPP_*` allows all vars
with that prefix)
- Works in both CLI flags (`--allow-env='MYAPP_*'`) and task config
(`allow_env = ["NODE_*", "npm_*"]`)
- Uses fast prefix/suffix matching for single-wildcard patterns, falls
back to `globset` for complex patterns

Inspired by
#8878 (comment)

## Test plan
- [x] Unit tests for pattern matching (exact, prefix wildcard, suffix
wildcard, star-only)
- [x] Unit test for `filter_env` with wildcard patterns
- [x] E2E test for `--allow-env` with wildcard patterns
- [ ] Manual test on Linux/macOS

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes environment-variable filtering behavior for sandboxed `mise
exec`/`mise run`, so mis-matched patterns could unexpectedly allow or
block vars and affect task/tool execution. Scope is contained to sandbox
env handling and is covered by new unit and e2e tests.
> 
> **Overview**
> Adds wildcard (`*`) support to sandbox `allow_env` so users can pass
through namespaces of environment variables (via `--allow-env='MYAPP_*'`
or task `allow_env = ["NODE_*", ...]`).
> 
> Updates env filtering to match allow patterns (fast path for single
`*`, fallback to `globset` for complex patterns) and to import matching
vars from the parent environment when wildcard patterns are used.
Documentation and CLI help text are updated, with new unit tests and an
e2e test validating wildcard behavior.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
2ef30b0. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

…tforms (#8966)

## Summary

- Adds a new `lockfile_platforms` setting that controls which platforms
are targeted during lockfile operations
- When set, `mise install`, `mise use`, and `mise lock` (without
`--platform`) only resolve checksums/URLs for the configured platforms
instead of all 7 common platforms
- Uses the same validation as `mise lock --platform` — invalid platform
strings produce a hard error
- Does NOT override explicit `mise lock --platform` flags

Closes #8610

## Usage

```toml
[settings]
lockfile_platforms = ["macos-arm64", "linux-x64"]
```

Or via environment variable:
```sh
MISE_LOCKFILE_PLATFORMS=macos-arm64,linux-x64
```

## Test plan

- [x] `cargo check` — compiles cleanly
- [x] `mise run lint` — all lints pass
- [x] `mise run test:e2e test_lockfile_platforms_setting` — new e2e test
passes (4 test cases: auto-lock restriction, `mise lock` restriction,
`--platform` override, setting via `mise.toml`)
- [x] `mise run test:e2e test_lockfile_existing_platforms` — existing
test still passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Cameron Brill <[email protected]>
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

)

## Summary
- When a task with `sources` depends on another task that also has
`sources`, and the dependency actually runs (its sources changed), the
dependent task now also runs even if its own sources haven't changed
- Only dependencies **with `sources` defined** propagate invalidation —
sourceless deps (which always run) do not trigger downstream re-runs, so
`sources` on dependents remain useful
- Tracks which tasks actually executed (vs skipped due to fresh sources)
in the dependency graph, and uses this to bypass source freshness checks
on downstream tasks

Fixes #8960

## Test plan
- [x] New e2e test `test_task_dep_invalidates_sources` covers:
  - Core scenario: dep sources change → both dep and dependent re-run
- Edge case: sourceless dep always runs but does NOT invalidate
dependent
  - Edge case: sourceless dependent always runs regardless of dep status
- [x] Existing e2e tests pass (sources, depends, monorepo tests)
- [ ] Manual test with monorepo `tsc` setup as described in the
discussion

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes task scheduling/skip logic for `sources`-based caching, which
can affect when tasks execute or are skipped in complex dependency
graphs. Risk is mitigated by new end-to-end coverage, but may surface
edge cases with nested/parallel dependencies.
> 
> **Overview**
> Fixes `sources` caching behavior so a task with `sources` will re-run
when any of its direct dependencies *with `sources`* actually ran
(rather than being skipped as up-to-date).
> 
> Implements this by tracking which tasks truly executed vs were skipped
in `Deps` and passing a `dep_ran` flag into
`TaskExecutor::run_task_sched` to bypass `sources_are_fresh` checks when
needed; sourceless dependencies (which always run) do **not** trigger
invalidation. Adds an e2e regression test and updates docs to describe
the new dependency invalidation semantics.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
1491ab8. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

## Summary
- Tool-level postinstall scripts (e.g. `[tools.ripgrep] postinstall`)
were passing the script directly to the shell without tera template
rendering
- Template variables like `{{tools.ripgrep.path}}` would fail silently
as invalid shell syntax
- Now renders through tera before execution, matching the behavior of
project-level `[hooks] postinstall`

Fixes #8366

## Test plan
- [ ] Configure a tool with `postinstall = "echo
{{tools.ripgrep.path}}"` and verify the path is rendered

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: this only changes how tool-level `postinstall` scripts are
prepared (template rendering) before being passed to the shell, without
altering installation/download logic.
> 
> **Overview**
> Tool-level `postinstall` hooks are now rendered through Tera before
execution, enabling template variables like `{{tools.ripgrep.path}}` to
work in tool configuration.
> 
> `run_postinstall_hook` now builds a Tera context from the resolved
toolset, renders the script with `get_tera` (scoped to the tool source
directory), and executes the rendered result instead of the raw script.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
84fd7b8. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

…#8976)

## Summary
- Fixes deadlock when `MISE_JOBS=1` and a task's `run` array contains
both sub-task references (`{ task = "foo" }`) and scripts
- The parent task acquires the single semaphore permit, then waits for
the sub-task which also needs that permit — classic deadlock
- Fix: temporarily release the parent's permit before `inject_and_wait`,
re-acquire afterward

Fixes #8967

## Test plan
- [x] Added e2e test `test_run_subtask_jobs1` that reproduces the exact
scenario from the discussion
- [x] Verified the test hangs without the fix and passes with it
- [x] Verified normal (non-MISE_JOBS=1) execution still works

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches core task scheduling/concurrency by changing how semaphore
permits are managed across nested sub-task execution; mistakes could
lead to hangs or unintended parallelism changes.
> 
> **Overview**
> Fixes a deadlock when `MISE_JOBS=1` and a task’s `run` array mixes
sub-task references and inline scripts by **temporarily releasing the
parent task’s semaphore permit** while waiting for injected sub-tasks,
then reacquiring it afterward.
> 
> This threads the scheduler `semaphore` and the task’s `permit` through
`run.rs` → `TaskExecutor::run_task_sched` so `exec_task_run_entries` can
drop/reacquire the permit around `inject_and_wait`. Adds an e2e
regression test `e2e/cli/test_run_subtask_jobs1` covering the hang
scenario.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
8d0b304. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

## Summary
- Set `MISE_CONFIG_ROOT` and `MISE_PROJECT_ROOT` env vars in tool-level
`postinstall` hooks, matching the behavior of project-level `[hooks]
postinstall`

Fixes #8366

## Test plan
- [ ] Verify `$MISE_CONFIG_ROOT` and `$MISE_PROJECT_ROOT` are set in
tool postinstall hooks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: only adjusts environment passed to tool `postinstall` hook
execution, with no changes to install logic beyond adding two env vars
derived from the source config path.
> 
> **Overview**
> Tool-level `postinstall` hooks now receive `MISE_CONFIG_ROOT` and
`MISE_PROJECT_ROOT`, derived from the tool request’s source config path
via `config_root::config_root`.
> 
> This aligns tool `postinstall` hook execution with project-level hook
behavior by extending the `CmdLineRunner` environment before running the
rendered script.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
1bb2998. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

## Summary
- Fixes spurious `failed to parse task file` warning when running remote
git tasks with arguments
- Remote task files were not fetched before
`parse_usage_values_from_task` attempted to read them (introduced when
the `{{usage.*}}` dependency template feature was added)
- Fetches remote files early in `run.rs` (before usage spec parsing) and
in `deps.rs` (for dependency tasks resolved from config)

Closes #8973

## Test plan
- [x] New e2e test `test_task_remote_dep_no_warning` verifies no warning
when running remote tasks with args
- [x] Test fails on `main` and passes with fix
- [x] Existing tests pass: `test_task_remote_git_https`,
`test_task_dep_args`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes the task-run and dependency-graph build flow to fetch remote
task files earlier, which could affect task resolution/caching behavior
and ordering for remote tasks and their dependencies.
> 
> **Overview**
> Prevents spurious `failed to parse task file ... with usage` warnings
when running *remote file-based tasks* with extra args by ensuring
remote task files are fetched to a local cache **before**
`parse_usage_values_from_task` attempts to read usage specs.
> 
> `mise run` now pre-fetches remote task files right after task list
resolution, and dependency graph construction (`Deps::new`) also fetches
remote task files for dependency tasks and updates the graph node with
the fetched version. Adds an e2e regression test
(`test_task_remote_dep_no_warning`) that runs a remote git task with
`--` args against a local git HTTP server and asserts no warning is
emitted.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
682ea94. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

…ersion (#8983)

## Summary
- `mise upgrade tool@version` now properly updates the lockfile with the
specified version instead of silently ignoring it
- `mise lock tool@version` now respects the `@version` argument instead
of ignoring it
- When the specified version doesn't match the current config prefix
(e.g., upgrading from `tiny = "2"` to `3.0.1`), the config is updated to
match (e.g., `"2"` → `"3"`), preserving the original version precision
- When the version matches (e.g., `tiny = "latest"` upgrading to
`3.0.1`), the config is left unchanged

Fixes #8980

## Test plan
- [x] E2E: `mise upgrade [email protected]` with `tiny = "latest"` → lockfile
updated, config unchanged
- [x] E2E: `mise upgrade [email protected]` with `tiny = "2"` → config bumped
to `"3"`, lockfile updated
- [x] E2E: `mise lock [email protected]` with `tiny = "latest"` → lockfile
updated, config unchanged
- [x] E2E: `mise lock [email protected]` with `tiny = "2"` → config bumped to
`"3"`, lockfile updated
- [x] All existing `test_upgrade`, `test_lock`, `test_lock_creation`,
`test_lock_global`, `test_lock_local_config` tests pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes `mise lock`/`mise upgrade` behavior around explicit
`tool@version` arguments, including automatically rewriting project
config files and lockfile entries; mistakes could cause unexpected
version pinning or config churn.
> 
> **Overview**
> **`mise lock tool@version` and `mise upgrade tool@version` now respect
the explicit version** when writing `mise.lock`, instead of resolving
and locking the config-selected version.
> 
> When the requested version’s major/prefix doesn’t match the current
`mise.toml` spec (e.g., `tiny = "2"` and `[email protected]`), the CLI now
**auto-bumps the config specifier** to the matching prefix (preserving
precision), with dry-run output showing the intended edits. `upgrade`
also normalizes upgraded `ToolVersion` requests/sources so lockfile
updates replace the existing entry (e.g., keep `"latest"` request)
rather than creating duplicates.
> 
> Adds E2E coverage for `lock` and `upgrade` explicit-version flows, and
updates lockfile docs with guidance/table for version pinning and
command behavior.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
32935d3. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

…ng output (#8986)

## Summary
- Fixes panic (`unwrap()` on `None`) when running parallel sub-tasks
(via `tasks = [...]` in run steps) with `output = "replacing"` mode
- Dynamically injected sub-tasks were never initialized in the
`task_prs` map, so accessing their progress reporter panicked
- Changed `task_prs` to `Arc<Mutex<IndexMap>>` with lazy initialization
via `get_or_init_task_pr()`

Closes discussion #8985

## Test plan
- [x] Added `e2e/tasks/test_task_parallel_replacing` that reproduces the
panic
- [x] Verified test panics without the fix and passes with it
- [x] `cargo check` passes
- [x] Lints pass

🤖 Generated with [Claude Code](https://claude.ai/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes task output/progress reporter bookkeeping in `Replacing` mode
by introducing shared locking and lazy initialization, which could
affect concurrency behavior and performance under parallel task
execution.
> 
> **Overview**
> Prevents a panic in `output = "replacing"` when parallel/injected
sub-tasks emit output before being registered by lazily creating
per-task progress reporters via `OutputHandler::get_or_init_task_pr()`.
> 
> `task_prs` is now a shared `Arc<Mutex<...>>` and all call sites that
previously `unwrap()`ed a missing reporter now fetch-or-create it; adds
an e2e regression test covering `mise run` of parallel sub-tasks in
replacing mode.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
772b03d. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

#8988)

## Summary
- Use `${arr[@]+"${arr[@]}"}` pattern to safely expand the
`__MISE_FLAGS` array when empty
- Bash < 4.4 (including macOS's default bash 3.2) treats `"${arr[@]}"`
on an empty array as an unbound variable under `set -u` (nounset)
- This causes scripts that source `.bashrc` (which contains `eval
"$(mise activate bash)"`) to fail with: `__MISE_FLAGS[@]: unbound
variable`

## Test plan
- [x] Verified the bug reproduces on bash 3.2 (via `docker run
bash:3.2`) with `set -u` and empty `__MISE_FLAGS=()`
- [x] Verified the fix works on bash 3.2 with `set -u` and empty flags
- [x] Verified non-empty flags still pass through correctly (`--status`)
- [x] Snapshot tests updated and passing

Fixes #8987

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: small change to Bash activation script argument expansion,
mainly affecting older Bash with `set -u`; behavior should be unchanged
when flags are present.
> 
> **Overview**
> Fixes Bash activation hooks to safely expand `__MISE_FLAGS` even when
the array is empty under `set -u` (notably on Bash 3.2), by switching to
the `${arr[@]+"${arr[@]}"}` expansion pattern.
> 
> Updates the corresponding snapshot
(`mise__shell__bash__tests__activate.snap`) to match the new generated
activation script output.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
15c7af0. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

…8995)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| ghcr.io/jdx/mise | container | digest | `4b8b285` → `17a29f2` |

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [docker/dockerfile](https://redirect.github.com/moby/buildkit) |
syntax | digest | `4a43a54` → `2780b5c` |

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

### 🚀 Features

- **(config)** add lockfile_platforms setting to restrict lockfile
platforms by @cameronbrill in
[#8966](#8966)
- **(sandbox)** support wildcard patterns in allow_env by @jdx in
[#8974](#8974)
- bump usage-lib v2 → v3 to render examples in task --help by @baby-joel
in [#8890](#8890)

### 🐛 Bug Fixes

- **(activate)** handle empty __MISE_FLAGS array with set -u on bash 3.2
by @jdx in [#8988](#8988)
- **(env)** add trace logging for module hook PATH diagnostics by @jdx
in [#8981](#8981)
- **(go)** Query module proxy directly for version resolution by @c22 in
[#8968](#8968)
- **(install)** render tera templates in tool postinstall hooks by @jdx
in [#8978](#8978)
- **(install)** add missing env vars to tool postinstall hooks by @jdx
in [#8977](#8977)
- **(task)** prevent hang when skipped task has dependents by @jdx in
[#8937](#8937)
- **(task)** invalidate dependent task sources when dependency runs by
@jdx in [#8975](#8975)
- **(task)** prevent deadlock when MISE_JOBS=1 with sub-task references
by @jdx in [#8976](#8976)
- **(task)** fetch remote task files before parsing usage specs by @jdx
in [#8979](#8979)
- **(task)** prevent panic when running parallel sub-tasks with
replacing output by @jdx in
[#8986](#8986)
- **(upgrade)** update lockfile and config when upgrading to specific
version by @jdx in [#8983](#8983)

### 📚 Documentation

- **(node)** remove "recommended for teams" from pin example by @jdx in
[b334363](b334363)

### 📦️ Dependency Updates

- update ghcr.io/jdx/mise:alpine docker digest to 17a29f2 by
@renovate[bot] in [#8995](#8995)
- update docker/dockerfile:1 docker digest to 2780b5c by @renovate[bot]
in [#8994](#8994)

### New Contributors

- @baby-joel made their first contribution in
[#8890](#8890)
- @cameronbrill made their first contribution in
[#8966](#8966)
- @c22 made their first contribution in
[#8968](#8968)