### 🚀 Features

- **(latest)** add --before flag to mise latest by @risu729 in
[#9168](#9168)
- **(npm)** add aube package manager support by @jdx in
[#9256](#9256)
- **(spm)** add filter_bins option to restrict built executables by @jdx
in [#9253](#9253)
- **(vfox)** support plugin-declared dependencies via metadata.lua by
@ahemon in [#9051](#9051)
- rename `mise prepare` to `mise deps` and add package management by
@jdx in [#9056](#9056)

### 🐛 Bug Fixes

- **(backend)** skip versions host for direct-source backends by @jdx in
[#9245](#9245)
- **(github)** route artifact attestation verification to custom api_url
by @jdx in [#9254](#9254)
- **(lockfile)** use unique temp file for atomic save to avoid
concurrent rename race by @jdx in
[#9250](#9250)
- **(log)** drop noisy third-party debug/trace logs by @jdx in
[#9248](#9248)
- **(progress)** disable animated clx output in ci by @jdx in
[#9249](#9249)
- **(use)** honor --quiet and --silent flags by @jdx in
[#9251](#9251)
- **(vfox)** opt backend plugins out of --locked URL check by @jdx in
[#9252](#9252)

### 📦 Registry

- add aqua backend for bitwarden-secrets-manager by @msuzoagu in
[#9255](#9255)

### New Contributors

- @ahemon made their first contribution in
[#9051](#9051)
- @msuzoagu made their first contribution in
[#9255](#9255)

## Summary

- Move the deps freshness state file from
`<project>/.mise/deps-state.toml` to `$MISE_STATE_DIR/deps/<hash>.toml`,
keyed by a SipHash of the project root — same pattern used for
`tracked-configs`.
- Stops mise from writing inside the project tree, where the file could
easily be committed or conflated with project config.
- Docs updated in `docs/dev-tools/deps.md`.

## Why

`deps` is brand new (landed in #9056, 2026.4.18) and the state file
currently sits inside the project directory. That's awkward — it's
per-machine state, but it lives where users keep versioned config.
Moving it under `$MISE_STATE_DIR` matches how other per-project state
(tracked/trusted/ignored configs, env cache, hook-env checks) is stored.

## Notes for reviewer

- No migration needed: the feature is only a few days old, and the state
is just a cache of blake3 hashes — on first run after upgrade, providers
look stale and rehash. The user experience is one extra run, no
breakage.
- The pre-commit prettier step flagged two unrelated files on `main`
(`docs/backend-plugin-development.md`, `docs/url-replacements.md`) where
prettier wants to collapse GitHub's `> [!WARNING]` callout syntax onto a
single line — that would actually break the GitHub alert rendering, so I
left them alone. I used `HK_SKIP_STEPS=prettier` for this commit; all
other lint steps (cargo-check, cargo-fmt, markdownlint, shellcheck,
taplo, shfmt, schema, etc.) passed.

## Test plan

- [ ] Run `mise deps` in a project; confirm
`$MISE_STATE_DIR/deps/<hash>.toml` is created and
`.mise/deps-state.toml` is not.
- [ ] Re-run `mise deps`; confirm providers report fresh (hashes matched
from state dir).
- [ ] Modify a source file; confirm provider reports stale.

*This PR was generated by an AI coding assistant.*

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes where deps freshness state is read/written, which can cause
all providers to appear stale once after upgrade or create unexpected
state collisions if hashing/scoping is wrong; otherwise it’s cache-only
state with limited blast radius.
> 
> **Overview**
> Deps freshness state is no longer written to
`<project>/.mise/deps-state.toml`; it is now persisted under
`$MISE_STATE_DIR/deps/<hash>.toml`, where `<hash>` is derived from the
project root path.
> 
> `DepsState` now computes its storage path via `dirs::STATE` and
`hash_to_str(project_root)`, keeping state per-project without touching
the repo tree, and the docs are updated to reflect the new location.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
e007c55. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix(progress): disable animated clx output in ci (jdx#9249)

## Summary

- Compute the clx progress UI decision once from settings, stderr,
force-progress, and CI state.
- Keep text output as the default in CI even when stderr looks
interactive because a CI runner allocated a PTY.
- Store the resulting `use_progress_ui` decision on
`MultiProgressReport` so later call sites reuse the same mode decision.

## Why

Some CI systems expose stderr as a TTY so tools keep colors enabled, but
their log capture strips cursor-control sequences. Animated progress
frames can then become thousands of near-duplicate log rows. This keeps
local interactive progress intact while making CI output quieter.

## Validation

- `cargo fmt --check`
- `cargo check -p mise`
- pre-commit hook suite during commit, including `cargo check
--all-features`, `cargo fmt --all -- --check`, `taplo`, `actionlint`,
`markdownlint`, and schema validation

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: changes only adjust progress UI enablement logic to prefer
plain text in CI, with minimal behavioral impact outside CI unless CI
detection is incorrect.
> 
> **Overview**
> Disables clx’s animated progress UI when `settings.ci` is true, even
if stderr appears interactive, to avoid CI logs being flooded by spinner
frames.
> 
> Refactors `MultiProgressReport` to compute and store a single
`use_progress_ui` flag during initialization (including logging `ci`)
and uses that flag when selecting `ProgressReport` vs text-based reports
and when creating the header job.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
13548a6. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

* fix(lockfile): use unique temp file for atomic save to avoid concurrent rename race (jdx#9250)

## Problem

`Lockfile::save` writes to a fixed `mise.lock.tmp` path, then renames it
over the real lockfile. When two mise processes update the same lockfile
concurrently, the second rename finds no source file and fails with `No
such file or directory (os error 2)`, surfaced as `failed to update
lockfiles`.

This reproduces reliably via [`hk`](https://github.com/jdx/hk): its
linter runner spawns multiple linters in parallel. If more than one
linter's bin is missing, each invocation triggers `install_missing_bin`
→ `rebuild_shims_and_runtime_symlinks` → `update_lockfiles` → `save`.
Two mise processes then race on the same `mise.lock.tmp`:

1. Both write `mise.lock.tmp` (second clobbers first — harmless,
contents are the same).
2. Process A renames `mise.lock.tmp` → `mise.lock`.
3. Process B renames `mise.lock.tmp` → `mise.lock` → **ENOENT** (source
already moved).

Caught in the wild during parallel `cargo-machete` + `cargo-msrv`
auto-install in CI:

```
cargo-machete – mise [email protected] ✓ installed
cargo-machete – mise ERROR failed to update lockfiles
cargo-machete – mise ERROR No such file or directory (os error 2)
cargo-machete – mise ERROR cargo-binstall failed
cargo-machete – mise ERROR Failed to install cargo:[email protected]: cargo-binstall exited with non-zero status: exit code 1
```

The fixed-path temp pattern was introduced in jdx#8589 (`fix(lockfile):
Resolve symlink when updating lockfiles`).

## Fix

Switch to `tempfile::NamedTempFile::with_prefix_in(parent)` +
`persist(target)`, matching the pattern already used in `src/http.rs`.
Each save gets a random temp name, so concurrent writers never collide
on the temp path. Persist remains atomic and same-filesystem.

Precedent in the codebase: `src/backend/conda.rs` already uses
`dest.with_extension(format!("tmp.{}", std::process::id()))` for the
same reason. `src/backend/s3.rs` still has a similar fixed-`.tmp`
pattern — worth a follow-up but out of scope here.

## Test

Added `test_concurrent_save_no_enoent` which spawns 8 threads × 20 saves
against the same lockfile and asserts none of them return ENOENT. The
test fails on `main` and passes with the fix.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes the lockfile persistence path and retry behavior during atomic
writes, which could affect correctness/permissions of `mise.lock`
updates across platforms. Scope is localized to `Lockfile::save` and is
covered by new concurrency and permission regression tests.
> 
> **Overview**
> Prevents concurrent `Lockfile::save` calls from failing with `ENOENT`
by replacing the fixed `mise.lock.tmp` rename flow with a uniquely named
`tempfile::NamedTempFile` written alongside the target and atomically
`persist`ed.
> 
> Adds helpers to *preserve existing file permissions* on Unix and to
*retry persist on Windows* for transient `PermissionDenied`, plus
regression tests for concurrent saves and Unix permission preservation.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
49120aa. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>

* feat(latest): add --before flag to mise latest (jdx#9168)

## Summary

Adds `--before <BEFORE>` to `mise latest` so one-off latest-version
lookups can be constrained by release date.

- Parses `--before` with the existing duration/date parser, supporting
absolute dates such as `2024-06-01` and relative durations such as `90d`
or `1y`.
- Passes the parsed CLI cutoff into the current
`Backend::latest_version(config, query, before_date)` API, keeping
fallback precedence centralized in the backend: CLI flag > backend/tool
options > config tool options > global `install_before`.
- Conflicts `--before` with `--installed`, because installed-version
lookup does not use release metadata.
- Regenerates CLI usage docs, manpage output, and Fig completion
metadata.
- Extends the npm `install_before` e2e coverage for CLI filtering, CLI
override of global `MISE_INSTALL_BEFORE`, CLI override of per-tool
`install_before`, and relative duration parsing.
- Removes the stale e2e prerequisite that required `npm` on the runner
`PATH` before `mise use node`; the test now exercises the same mise
dependency environment the npm backend uses.

## Test plan

- [x] `cargo fmt --check`
- [x] `git diff --check`
- [x] `cargo test --bin mise latest_version_tests`
- [x] `mise run render:usage`
- [x] `mise run test:e2e e2e/backend/test_npm_install_before`
- [x] `mise run lint-fix`

* fix(use): honor --quiet and --silent flags (jdx#9251)

## Summary
- `mise use` was printing `mise <path> tools: ...` via `miseprintln!`
(unconditional stdout), so `--quiet` and `--silent` had no effect on it.
- Switch the "tools:", "removed:", and "would update" messages to
`info!` so they route through the logger and get suppressed when those
flags raise the log level to `error`.

Fixes jdx#9152

## Test plan
- [x] `mise use [email protected]` — still prints `mise <path> tools:
[email protected]`
- [x] `mise use -q [email protected]` — silent
- [x] `mise use --silent [email protected]` — silent
- [x] `mise use -n [email protected]` — still prints `would update ...`
- [x] `mise use -qn [email protected]` — silent
- [x] `mise use --remove tiny` — still prints `removed: ...`
- [x] `mise use -q --remove tiny` — silent

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: only gates `mise use` success/dry-run status messages behind
the existing `Settings::quiet` flag, without changing install/remove
behavior or config writes.
> 
> **Overview**
> `mise use` now respects the global `--quiet` setting by suppressing
its post-action status output (the “would update…”, “tools: …”, and
“removed: …” messages) when quiet mode is enabled.
> 
> Behavior for installs/removals, dry-run exit codes, and config saving
is unchanged; only user-facing messaging is conditionally skipped.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
9a8fcc0. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>

* fix(vfox): opt backend plugins out of --locked URL check (jdx#9252)

## Summary

- Custom Lua backend plugins (those using `BackendInstall` instead of a
`PreInstall` hook) have no way to surface a download URL to mise. As a
result, `mise lock` writes a version-only entry and `mise install
--locked` then fails with `No lockfile URL found`.
- Override `supports_lockfile_url` on `VfoxBackend` to return `false`
when the plugin is a backend plugin. Same semantics as asdf / cargo /
npm / pipx: when the backend can't provide a URL, the pinned version is
the lock.

Reported by @bishopmatthew in
[jdx#7308](jdx#7308 (comment)).

## Test plan

- [ ] Added `--locked --dry-run` assertion with a version-only lockfile
entry to `e2e/backend/test_vfox_backend_npm`.
- [ ] `mise run lint-fix` passes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: narrows the `--locked` URL validation for vfox *backend*
plugins only, plus adds an e2e regression test. Main risk is allowing
locked installs to proceed without per-platform URLs for these plugins,
matching their current lockfile capabilities.
> 
> **Overview**
> Fixes `mise install --locked` for vfox custom backend plugins by
making `VfoxBackend::supports_lockfile_url()` return `false` when the
plugin is a backend plugin, so version-only lockfile entries no longer
fail with "No lockfile URL found".
> 
> Adds an e2e assertion in `test_vfox_backend_npm` that `--locked
--dry-run` succeeds with a version-only `mise.lock` entry for
`vfox-npm:prettier`.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
63ba299. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>

* feat(spm): add filter_bins option to restrict built executables (jdx#9253)

## Summary

- Adds a `filter_bins` tool option to the `spm` backend so users can
restrict which executable products are built and linked
- Filters before `swift build` runs, so unwanted products are never
compiled (not just hidden from `PATH`)
- Accepts either a TOML array (`filter_bins = ["swiftly"]`) or a
comma-separated string (`filter_bins = "swiftly"`) — the naming matches
the existing `filter_bins` option on the github backend
- Returns a clear error if any listed name does not match an executable
product in the package

Closes jdx#9148

The motivating example is
[`swiftlang/swiftly`](https://github.com/swiftlang/swiftly), which ships
both `swiftly` and `test-swiftly` products. Without this option, mise
builds and links both.

```toml
[tools]
"spm:swiftlang/swiftly" = { version = "latest", filter_bins = ["swiftly"] }
```

When unset, the existing behavior (build and link every executable
product) is preserved.

## Test plan

- [x] Added unit tests for `parse_filter_bins` (string, array, empty,
whitespace-only) and `filter_executables` (passthrough,
restrict+preserve-order, error on missing name)
- [x] `cargo test backend::spm` — all 8 tests pass
- [x] `mise run test:unit` — all 712 unit tests pass
- [x] `mise run lint-fix` — clean
- [ ] Manual verification with an actual Swift package that has multiple
executable products

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes SPM install behavior to optionally filter and error on unknown
executable names, which could impact tool installation when configured.
Default behavior is preserved when `filter_bins` is unset.
> 
> **Overview**
> Adds a new SPM tool option, `filter_bins`, to restrict which Swift
executable products are built and symlinked into `bin/` during
installation.
> 
> The backend now parses `filter_bins` from either a TOML array or
comma-separated string, validates the requested executables exist,
preserves the package-declared order when filtering, and fails fast with
a clear error on unknown names. Documentation and unit tests were added
to cover parsing, passthrough, ordering, and error cases.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
fa0a09a. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>

* fix(github): route artifact attestation verification to custom api_url (jdx#9254)

## Summary

- When a github backend tool is configured with a custom `api_url` (e.g.
a GitHub Enterprise Server instance like
`https://github.enterprise.com/api/v3`), artifact downloads correctly
hit the GHES API, but attestation verification was still dispatched to
`api.github.com` — causing `401 Unauthorized` because the GHES token
isn't valid there.
- Bumps `sigstore-verification` to 0.2.6 (which adds
[`verify_github_attestation_with_base_url`](jdx/sigstore-verification#45)
and `GitHubSource::with_base_url`) and switches all three call sites in
`src/backend/github.rs` to the new variants so the attestations API is
queried against the same host that served the release.

## Motivation

Reported in jdx#9176 — user
configured `api_url = \"https://github.enterprise.com/api/v3\"` and
`MISE_GITHUB_ENTERPRISE_TOKEN`, saw the download succeed, then the
`[2/3] verify GitHub artifact attestations` step failed against
`api.github.com` with a dotcom-only 401.

## Test plan

- [x] `cargo build` clean.
- [x] `mise run test:unit` — 708 passed.
- [x] `mise run lint` clean.
- [ ] Manual verification against a GHES instance with artifact
attestations (no instance available in CI).

Closes jdx#9176

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes the GitHub attestation verification path and underlying
`sigstore-verification` dependency, which affects supply-chain
verification behavior and could cause new verification failures if the
base URL is misconfigured.
> 
> **Overview**
> Ensures GitHub artifact attestation detection/verification uses the
configured `api_url` (e.g., GitHub Enterprise) instead of implicitly
querying `api.github.com`, by switching to `GitHubSource::with_base_url`
and `verify_github_attestation_with_base_url` at all GitHub backend call
sites.
> 
> Bumps `sigstore-verification` from `0.2.5` to `0.2.6` to pick up the
new base-URL-aware APIs.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
09ff8c3. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

* registry: add aqua backend for bitwarden-secrets-manager (jdx#9255)

# Summary
This PR adds/updates the _bitwarden-secrets-manager_ shorthand to point
to the _aqua:bitwarden/sdk-sm_ backend.

## Context
Currently, mise registry points bitwarden-secrets-manager to a legacy
asdf plugin. However, the bitwarden/sdk-sm repository now has a
verified, stable aqua definition that provides the bws (Bitwarden
Secrets) CLI across all major platforms (Darwin/Linux/Windows).

### Changes
- Added `full = "aqua:bitwarden/sdk-sm"` to
`registry/bitwarden-secrets-manager.toml`.
- Verified that the bws binary is correctly mapped and executable via
the aqua backend.

### Verification
I have tested this locally using:
1. `aqua exec -- argd test bitwarden/sdk-sm` (Success)
2. `mise use aqua:bitwarden/sdk-sm` (Success)
3. `./target/debug/mise registry | grep bitwarden-secrets-manager`
(Success)
4. `./target/debug/mise install bitwarden-secrets-manager@latest`
(Success)
5. `./target/debug/mise exec bitwarden-secrets-manager -- bws --version`
(Success)

### Impact
This move aligns with mise’s preference for the aqua backend over asdf
plugins for better security (checksum/SLSA verification) and a faster
installation experience.

* feat(vfox): support plugin-declared dependencies via metadata.lua (jdx#9051)

## Summary

Allow vfox/Lua plugins to declare tool dependencies directly in
`metadata.lua` via a new `depends` field:

```lua
PLUGIN.depends = {"node", "python"}
```

This surfaces dependencies through the `Backend` trait's
`get_dependencies()` method so mise resolves installation order
automatically — removing the need for users to manually add `depends =
[...]` on every tool entry in their config.

### Motivation

Currently, users of vfox backend plugins must repeat dependency
declarations in their `mise.toml` for every tool that needs another tool
installed first. For example, a plugin ecosystem where 10+ tools all
depend on `node` requires `depends = ["node"]` on each entry. With this
change, the plugin author declares it once and all users benefit.

Closes jdx#8774

### Changes

- **`crates/vfox/src/metadata.rs`**: Added `depends: Vec<String>` field
to `Metadata` struct, parsed from the Lua table (defaults to empty when
omitted — fully backward compatible)
- **`src/backend/vfox.rs`**: `VfoxBackend` now overrides
`get_dependencies()` to read from plugin metadata. Dependencies are
cached via `OnceLock` and loaded synchronously from the plugin
directory. Gracefully returns empty deps if the plugin isn't installed
yet.
- Updated snapshot for the new field in `Metadata`'s `Debug` output

### Plugin author usage

```lua
-- metadata.lua
PLUGIN = {}
PLUGIN.name = "my-tool"
PLUGIN.version = "1.0.0"
PLUGIN.depends = {"node", "python"}
```

User-specified `depends` in `mise.toml` still works and is additive —
this just provides a plugin-level default.

## Test plan

- [x] Unit tests for metadata parsing with and without `depends` field
- [x] Existing vfox test suite passes (66 tests)
- [x] `cargo check` passes for the full workspace
- [x] `cargo clippy -p vfox` clean
- [ ] CI validation

---------

Co-authored-by: Arthur Hemon <[email protected]>
Co-authored-by: Claude Opus 4.6 <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: jdx <[email protected]>

* feat: rename `mise prepare` to `mise deps` and add package management (jdx#9056)

## Summary

- Renames the experimental `mise prepare` command to `mise deps`,
positioning it as a proper dependency management command
- Adds `mise deps add npm:react` and `mise deps remove npm:lodash`
subcommands for managing individual packages
- Implements add/remove for all 4 JS package managers (npm, yarn, pnpm,
bun)
- `mise deps` (bare) defaults to `mise deps install` which is the
previous `mise prepare` behavior
- Renames all config (`[prepare]` -> `[deps]`), settings
(`show_prepare_stale` -> `show_deps_stale`), flags (`--no-prepare` ->
`--no-deps`), and state files (`prepare-state.toml` ->
`deps-state.toml`)
- No backwards compatibility needed since prepare was experimental

## Test plan

- [ ] `cargo build` compiles cleanly
- [ ] `mise run lint` passes
- [ ] `mise deps --help` shows subcommands (add, install, remove)
- [ ] `mise dep --help` alias works
- [ ] `mise deps add npm:react` installs react via npm
- [ ] `mise deps add -D npm:vitest` installs as devDependency
- [ ] `mise deps remove npm:lodash` uninstalls via npm
- [ ] `mise deps` (bare) runs all configured providers
- [ ] `mise deps install --dry-run` shows what would run
- [ ] `mise run --no-deps` skips auto deps
- [ ] e2e tests: `mise run test:e2e test_deps test_deps_depends
test_deps_tool_install`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Medium risk because this renames an end-to-end command/config surface
(`prepare`→`deps`) and threads the new flag/state/schema through
exec/run flows, which can break existing experimental users and monorepo
provider discovery. Behavior is largely a rename plus new JS package
add/remove execution, but touches multiple CLI entrypoints and config
parsing.
> 
> **Overview**
> **Renames the experimental dependency workflow from `mise prepare` to
`mise deps`.** This updates CLI wiring, help/manpages, usage spec,
interactive config editor UI, and all documentation references,
including the skip flag rename from `--no-prepare` to `--no-deps` in
`mise exec`/`mise run`.
> 
> **Promotes deps into a first-class config surface.**
Config/schema/settings are renamed from `[prepare]` to `[deps]`,
`status.show_prepare_stale` to `status.show_deps_stale`, and the
persisted freshness state file from `.mise/prepare-state.toml` to
`.mise/deps-state.toml`, with corresponding engine/provider renames.
> 
> **Adds package management subcommands.** Introduces `mise deps add`
and `mise deps remove`, parsing `ecosystem:package` specs, installing
required tools first, and executing provider-specific commands
(implemented for `npm`, `yarn`, `pnpm`, `bun`), while bare `mise deps`
defaults to `deps install`. E2E tests are updated/added to cover
listing/dry-run/explain, dependency ordering, tool-install-before-deps,
and aliasing (`dep` and hidden `prepare`).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
9cb375e. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* feat(npm): add aube package manager support (jdx#9256)

## Summary

- Add `npm.package_manager = "auto"` as the default, with `auto`
preferring installed `aube` and falling back to `npm`.
- Add explicit `npm.package_manager = "aube"` support for npm backend
installs using `aube add --global` into mise-managed install/bin
directories.
- Make auto-selection consider the active install/exec toolset, so `mise
x node aube npm:<pkg>` uses the requested `aube` instead of falling back
to npm.
- Resolve Windows bin paths from the created install layout, so
aube-installed packages keep using `install_path/bin` even when aube is
not discoverable later.
- Normalize `.npmrc` path values to forward slashes and unit-test aube's
minute-based `minimumReleaseAge` conversion.
- Regenerate the settings schema and document the new npm backend
behavior.
- Add an e2e test that starts with `mise x node aube npm:cowsay`,
verifies aube-specific install artifacts (`global-aube` and
`aube-lock.yaml`), and executes `cowsay`.

## Validation

- `cargo test -q backend::npm::tests`
- `mise run test:e2e e2e/backend/test_npm_aube`
- `cargo check -q --all-features`
- `mise run render:schema`
- `mise run lint-fix`

*This PR was generated by an AI coding assistant.*

* chore: release 2026.4.18 (jdx#9246)

### 🚀 Features

- **(latest)** add --before flag to mise latest by @risu729 in
[jdx#9168](jdx#9168)
- **(npm)** add aube package manager support by @jdx in
[jdx#9256](jdx#9256)
- **(spm)** add filter_bins option to restrict built executables by @jdx
in [jdx#9253](jdx#9253)
- **(vfox)** support plugin-declared dependencies via metadata.lua by
@ahemon in [jdx#9051](jdx#9051)
- rename `mise prepare` to `mise deps` and add package management by
@jdx in [jdx#9056](jdx#9056)

### 🐛 Bug Fixes

- **(backend)** skip versions host for direct-source backends by @jdx in
[jdx#9245](jdx#9245)
- **(github)** route artifact attestation verification to custom api_url
by @jdx in [jdx#9254](jdx#9254)
- **(lockfile)** use unique temp file for atomic save to avoid
concurrent rename race by @jdx in
[jdx#9250](jdx#9250)
- **(log)** drop noisy third-party debug/trace logs by @jdx in
[jdx#9248](jdx#9248)
- **(progress)** disable animated clx output in ci by @jdx in
[jdx#9249](jdx#9249)
- **(use)** honor --quiet and --silent flags by @jdx in
[jdx#9251](jdx#9251)
- **(vfox)** opt backend plugins out of --locked URL check by @jdx in
[jdx#9252](jdx#9252)

### 📦 Registry

- add aqua backend for bitwarden-secrets-manager by @msuzoagu in
[jdx#9255](jdx#9255)

### New Contributors

- @ahemon made their first contribution in
[jdx#9051](jdx#9051)
- @msuzoagu made their first contribution in
[jdx#9255](jdx#9255)

* fix(vfox): use github token for lua http requests (jdx#9257)

## Summary
- pass mise's resolved GitHub token into vfox plugin runtimes
- add default GitHub auth headers in the vfox Lua HTTP bridge for GitHub
API requests
- preserve explicit plugin-provided Authorization headers and avoid auth
on GitHub release asset hosts

## Root Cause
Embedded vfox plugins such as `vfox-neovim` call `api.github.com`
through the Lua HTTP module. Those requests did not receive mise's
configured GitHub token, so rate-limited users could hit `HTTP 403`
while installing Neovim even when mise itself knew how to resolve a
GitHub token.

## Validation
- `cargo fmt --check`
- `cargo test -p vfox lua_mod::http`
- `cargo check -p mise`
- `MISE_LOG_HTTP=1 cargo run -q -p mise -- ls-remote neovim | sed -n
'1,20p'`

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches outbound HTTP behavior by automatically adding `Authorization`
headers for certain GitHub hosts, which could affect plugin networking
and token exposure if host matching is wrong. Scope is limited and
includes tests plus explicit opt-out when plugins already set
`Authorization` and for GitHub release asset hosts.
> 
> **Overview**
> Ensures embedded vfox plugins can authenticate GitHub API calls by
threading mise’s resolved GitHub token into the vfox Lua runtime and
having the Lua `http` bridge auto-attach GitHub auth headers.
> 
> The Lua HTTP module now conditionally adds `Authorization: Bearer …`
(and `x-github-api-version` for `api.github.com`) when a token is
available, while **preserving explicit plugin-provided `Authorization`**
and **skipping GitHub release asset hosts**; behavior is covered by new
unit tests.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
f4d9320. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

* fix(cli): retrieve token from github helper for `self-update` command (jdx#9259)

The `mise self-update` command now retrieves the GitHub API token via an
internal helper rather than directly from environment variables.
This ensures the token is fetched from the supported sources listed at
https://mise.jdx.dev/dev-tools/github-tokens.html.

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* chore: bump communique to 1.0.1 (jdx#9264)

## Summary
- Bump communique from 0.1.9 to 1.0.1

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: this only updates the pinned `communique` devtool
binary/version and its platform checksums/URLs in `mise.lock`, with no
application/runtime code changes.
> 
> **Overview**
> Bumps the pinned `communique` tool in `mise.lock` from `0.1.9` to
`1.0.1`, updating the associated per-platform download URLs, asset IDs,
and checksums so `mise` installs the new release.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
3ff3610. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

* docs: add aube hero banner (jdx#9265)

## Summary

Adds a compact homepage hero banner that promotes aube as a new en.dev
tool by @jdx. The banner links to https://aube.en.dev/ and notes that
aube is currently in beta.

## Validation

- `mise run docs:build`
- commit hook suite via `hk`

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk since changes are limited to docs theme markup/CSS and add no
backend or data-handling logic.
> 
> **Overview**
> Adds a new homepage hero banner in `docs/.vitepress/theme/Layout.vue`
promoting `aube` (linking to `https://aube.en.dev/`) with kicker/message
text.
> 
> Includes new styling for the banner (hover + dark-mode variants) and
small responsive tweaks to center the banner and adjust message font
size on mobile.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
e1eb309. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

* docs: add en.dev footer (jdx#9267)

## Summary

- Add a custom VitePress footer matching the aube.en.dev footer style.
- Keep the visible brand mention to a single `en.dev` by using `MIT
License · Copyright © YEAR · en.dev`.
- Disable the built-in VitePress footer so only the custom footer
renders.

## Validation

- `mise run docs:build`
- commit hook: `hk` lint suite

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: documentation theme-only changes that affect site
layout/styling but not runtime logic beyond the docs build.
> 
> **Overview**
> Replaces the built-in VitePress footer with a custom `EndevFooter`
component that renders `MIT License · Copyright © YEAR · en.dev` (with
logo/link) at the bottom of the docs layout.
> 
> Updates the docs theme layout to inject the new footer via
`#layout-bottom`, and adds accompanying CSS styles for the new footer
elements in `custom.css`.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
4678b11. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

* docs: implement landing page design (jdx#9266)

## Summary

- implement the exported landing-page design on the VitePress homepage
- replace the default home feature cards with the hero, metaphor,
feature menu, pantry ticker, comparison, quickstart, and CTA sections
- keep every pantry ticker item in the same serif font

## Validation

- npm run docs:build
- pre-commit hook via git commit, including prettier, cargo-fmt,
cargo-check, shellcheck, shfmt, pkl, taplo, lua-check, stylua,
actionlint, markdownlint, and schema

This PR was generated by an AI coding assistant.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk since changes are limited to VitePress homepage
markup/styling plus a small clipboard-copy UX tweak; main risk is
visual/layout regressions across breakpoints or browsers.
> 
> **Overview**
> Replaces the VitePress homepage hero + default feature cards with a
new designed landing experience: updated hero copy/CTA, a terminal-style
workflow preview, and a new long-form homepage (`docs/index.md`) with
metaphor, feature menu, scrolling “pantry” ticker, aube promo, tabbed
quickstart recipe, and final CTA.
> 
> Updates theme styling to support the new layout (new `landing-*` and
terminal styles, revised hero grid/breakpoints, and smaller feature-card
rounding), and improves the install command copy interaction by
switching to a button with a `navigator.clipboard` path plus a textarea
fallback and clearer “copy/copied” state.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
818c9d2. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

* chore(deps): lock file maintenance (jdx#9268)

This PR contains the following updates:

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

🔧 This Pull Request updates lock files to use the latest dependency
versions.

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation
  - "before 4am on monday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

---------

Co-authored-by: jdx <[email protected]>
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Co-authored-by: Taku Kodama <[email protected]>
Co-authored-by: MUA <[email protected]>
Co-authored-by: ahemon <[email protected]>
Co-authored-by: Arthur Hemon <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: mise-en-dev <[email protected]>
Co-authored-by: Kentaro Suzuki <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: richardthe3rd <[email protected]>