feat(install): add --locked flag for strict lockfile mode #7098
Pull request overview
This PR introduces a strict lockfile mode to enforce reproducible installations by requiring pre-resolved URLs from lockfiles, preventing runtime API calls to external services like GitHub or aqua registry.
Key changes:
- Adds `--locked` global flag, `MISE_LOCKED` environment variable, and `settings.locked` config option
- Implements centralized validation in `Backend::install_version()` to fail early when lockfile URLs are missing
- Optimizes backends (ubi, aqua, github) to prefer lockfile URLs when available
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/cli/mod.rs | Adds --locked as a global CLI flag with documentation |
| src/config/settings.rs | Syncs CLI flag value to settings configuration |
| src/toolset/mod.rs | Adds locked field to InstallOptions struct |
| src/install_context.rs | Adds locked field to InstallContext struct |
| src/backend/mod.rs | Implements centralized locked mode validation with early failure |
| src/backend/ubi.rs | Optimizes to use lockfile URLs when available |
| src/backend/aqua.rs | Refactors to skip API calls when lockfile URL exists |
| src/backend/github.rs | Adds null check for lockfile URL usage |
| src/cli/install.rs | Applies locked setting from configuration |
| src/cli/install_into.rs | Explicitly disables locked mode for install-into command |
| settings.toml | Documents the new locked setting with usage examples |
| schema/mise.json | Adds schema definition for locked setting |
| let tag = if existing_platform.is_some() { | ||
| None // We'll determine version from URL instead |
Copilot AI, Nov 27, 2025
When a lockfile URL exists, setting tag to None may cause issues downstream. The code later uses tag.is_none() at line 108 to determine if version prefixing is needed, which could lead to incorrect version handling when using lockfile URLs. Consider extracting version information from the lockfile URL or maintaining the tag lookup even when a lockfile URL exists.
| let tag = if existing_platform.is_some() { | |
| None // We'll determine version from URL instead | |
| let tag = if let Some(ref url) = existing_platform { | |
| // Try to extract version from the URL using VERSION_REGEX | |
| VERSION_REGEX | |
| .captures(get_filename_from_url(url)) | |
| .and_then(|caps| caps.get(1).map(|m| m.as_str().to_string())) |
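Review bot: in the suggested replacement, the `.and_then(...)` chain on `VERSION_REGEX.captures(get_filename_from_url(url))` yields `None` whenever the filename in the lockfile URL does not match the pattern, so `tag` still ends up `None` and the `tag.is_none()` path the comment above warns about is taken anyway. Handle the no-match case explicitly instead of letting it fall through, and add a comment stating what capture group 1 of `VERSION_REGEX` is expected to contain so the dependency on that pattern is visible at this call site.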
Adds a `--locked` global flag and `MISE_LOCKED` setting that requires lockfile URLs to be present during installation. When enabled:
- Installation fails early with a clear error if no lockfile URL exists
- Prevents API calls to GitHub, aqua registry, etc.
- Useful for CI/CD and reproducible builds

Changes:
- Add `locked` setting to settings.toml with MISE_LOCKED env var support
- Add `--locked` as a global CLI flag (available on all commands)
- Add centralized locked check in Backend::install_version()
- Add `locked` field to InstallOptions and InstallContext
- Backends (aqua, ubi, github) use lockfile URLs when available

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
545e004 to 82c7e4e
Hyperfine Performance
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2025.11.10 x -- echo` | 19.2 ± 0.2 | 18.7 | 21.6 | 1.00 |
| `mise x -- echo` | 19.6 ± 0.3 | 19.0 | 21.1 | 1.02 ± 0.02 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2025.11.10 env` | 18.8 ± 0.6 | 18.3 | 24.3 | 1.00 |
| `mise env` | 19.1 ± 0.4 | 18.5 | 23.2 | 1.02 ± 0.04 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2025.11.10 hook-env` | 18.9 ± 0.2 | 18.4 | 19.7 | 1.00 |
| `mise hook-env` | 19.3 ± 0.5 | 18.7 | 21.7 | 1.02 ± 0.03 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2025.11.10 ls` | 16.3 ± 0.2 | 15.8 | 17.8 | 1.00 |
| `mise ls` | 16.6 ± 0.3 | 16.1 | 18.1 | 1.02 ± 0.02 |
xtasks/test/perf
| Command | mise-2025.11.10 | mise | Variance |
|---|---|---|---|
| install (cached) | 106ms | 107ms | +0% |
| ls (cached) | 64ms | 64ms | +0% |
| bin-paths (cached) | 70ms | 71ms | -1% |
| task-ls (cached) | 417ms | 429ms | -2% |
## Summary
Updates the lockfile documentation (`docs/dev-tools/mise-lock.md`) to reflect the recent changes since v2025.11.10:
- **#7091** - Cross-platform lockfile generation
- **#7093** - Always use TOML array format `[[tools.name]]`
- **#7092** - Added `options` field for backend-specific artifact identity
- **#7098** - Added `locked` setting for strict lockfile mode
- **#7099** - Added `env` field and `mise.local.lock` support

### Changes
- Update file format examples to use array syntax `[[tools.name]]`
- Add documentation for new fields: `options`, `env`
- Add **Environment-Specific Versions** section (env field, MISE_ENV workflow)
- Add **Local Lockfiles** section (mise.local.lock, --local flag)
- Add **Strict Lockfile Mode** section (locked setting)
- Remove outdated **Legacy Format Migration** and **Benefits of the New Format** sections

## Test plan
- [ ] Verify docs build correctly with `mise run docs`
- [ ] Review documentation renders correctly on the site

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---
> [!NOTE]
> Refreshes `mise.lock` docs to use `[[tools.name]]` array syntax, add `options`/`env`, document environment-specific and local lockfiles, and introduce strict `locked` mode while removing obsolete sections.
>
> - **Docs (lockfile)**
>   - **File format**:
>     - Switch examples to `[[tools.name]]` array syntax
>     - Add fields: `options`, `env`; clarify `platforms` metadata and platform key formats
>   - **Environment-specific versions**:
>     - Document `MISE_ENV` workflow and resolution priority; show `mise.test.toml` example
>   - **Local lockfiles**:
>     - Explain `mise.local.toml` → `mise.local.lock`, `--local` usage and commands
>   - **Strict lockfile mode**:
>     - Add `locked` setting (`mise settings locked=true`, `MISE_LOCKED=1`) and `mise lock` URL pre-resolution workflow
>   - **Cleanup**:
>     - Remove Legacy Format Migration and Benefits sections
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit e6fe67f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: Claude <[email protected]>
### 🚀 Features
- **(backend)** add filter_bins option to github/gitlab backends by @risu729 in #7105
- **(ci)** auto-close PRs from non-maintainers by @jdx in #7108
- **(conda)** add conda backend for installing packages from conda-forge by @jdx in #7139
- **(github)** add rename_exe option and switch elm, opam, yt-dlp from ubi by @jdx in #7140
- **(install)** add --locked flag for strict lockfile mode by @jdx in #7098
- **(lock)** implement cross-platform lockfile generation by @jdx in #7091
- **(lockfile)** add options field for tool artifact identity by @jdx in #7092
- **(lockfile)** add env field and local lockfile support by @jdx in #7099
- **(lockfile)** add URL support for deno, go, and zig backends by @jdx in #7112
- **(lockfile)** add URL support for vfox backend by @jdx in #7114
- **(lockfile)** add multi-platform checksums without downloading tarballs by @jdx in #7113

### 🐛 Bug Fixes
- **(backend)** allow platform-specific strip_components by @risu729 in #7106
- **(backend)** prefer path root for bin path if it contains an executable by @risu729 in #7151
- **(bash)** avoid deactivate error on (no)unset PROMPT_COMMAND by @scop in #7096
- **(ci)** use updatedAt instead of createdAt for stale PR detection by @jdx in #7109
- **(github)** search subdirectories for executables in discover_bin_paths by @jdx in #7138
- **(lockfile)** combine api_url with asset_pattern for GitHub release URLs by @jdx in #7111

### 🚜 Refactor
- **(lock)** simplify lockfile to always use array format by @jdx in #7093
- **(lockfile)** use compact inline table format by @jdx in #7141

### 📚 Documentation
- **(gitlab)** document rename_exe option also for gitlab backend by @risu729 in #7149
- **(lockfile)** update documentation for recent lockfile changes by @jdx in #7107
- **(node)** use config_root in _.path for pnpm example by @risu729 in #7146
- **(registry)** add github/gitlab backends to the preferred backends list by @risu729 in #7148
- **(registry)** add url mappings for all backends by @risu729 in #7147

### 📦️ Dependency Updates
- update docker/metadata-action digest to c299e40 by @renovate[bot] in #7101
- update ghcr.io/jdx/mise:alpine docker digest to 693c5f6 by @renovate[bot] in #7102
- update ghcr.io/jdx/mise:deb docker digest to 9985cab by @renovate[bot] in #7104
- update ghcr.io/jdx/mise:copr docker digest to 564d8e1 by @renovate[bot] in #7103
- update rust crate ubi to 0.8.4 by @risu729 in #7154

### 📦 Registry
- add aqua backend as primary for e1s by @jdx in #7115
- add gem backend for bashly by @jdx in 6af6607
- switch 1password from asdf to vfox backend by @jdx in #7116
- add vfox backend for bfs by @jdx in #7126
- add github backend for btrace by @jdx in #7129
- add github backend for cf by @jdx in #7131
- add vfox backend for bpkg by @jdx in #7130
- switch apollo-ios from asdf to github backend by @jdx in #7118
- add vfox backend for chromedriver by @jdx in #7134
- switch superhtml, vespa-cli, xcsift from ubi to github backend by @jdx in #7137
- add vfox backend for clickhouse by @jdx in #7136
- switch chicken to vfox plugin by @jdx in #7135
- switch chezscheme from asdf to vfox backend by @jdx in #7132
- add vfox backend for carthage by @jdx in #7133
- switch azure-functions-core-tools from asdf to vfox backend by @jdx in #7128
- switch aapt2 to vfox backend by @jdx in #7117
- switch ant to vfox backend by @jdx in #7119
- switch asciidoctorj from asdf to vfox backend by @jdx in #7121
- switch awscli-local to pipx backend by @jdx in #7120
- add omnictl by @risu729 in #7145
- remove pnpm asdf plugin from fallback by @risu729 in #7143
- switch tanzu to github backend by @jdx in #7124
- switch android-sdk to vfox plugin by @jdx in #7127
- add vfox backend for ag (The Silver Searcher) by @jdx in #7122

### Chore
- **(registry)** ignore deleted tools in test-tool workflow by @risu729 in #7081
- **(release)** show registry section last in changelog by @jdx in #7156
- update mise.lock with checksums by @jdx in 71e9123
- disable cancel-in-progress for test workflow on main branch by @risu729 in #7152

## 📦 Aqua Registry Updates
#### Updated Packages (1)
- [`orf/gping`](https://github.com/orf/gping)
Summary
- `--locked` global flag that requires lockfile URLs to be present during installation
- `MISE_LOCKED` environment variable and `settings.locked` config option
- `Backend::install_version()` method
Use Cases
Changes
- `settings.toml`: Add `locked` setting with `MISE_LOCKED` env var support
- `src/cli/mod.rs`: Add `--locked` as a global CLI flag
- `src/backend/mod.rs`: Add centralized locked check in `Backend::install_version()`
- `src/config/settings.rs`: Sync CLI flag to settings
- `src/toolset/mod.rs`: Add `locked` field to `InstallOptions`
- `src/install_context.rs`: Add `locked` field to `InstallContext`
Test plan
- `mise install --locked` fails with clear error when no lockfile URL exists
- `MISE_LOCKED=1 mise install` works
- `--help` for all commands (global flag)
🤖 Generated with Claude Code
Note
Adds a global --locked flag (and settings.locked/MISE_LOCKED) that requires pre-resolved lockfile URLs for installs, with backends optimized to use lockfile URLs and fail fast when missing.
- `--locked` flag; new `settings.locked` (env: `MISE_LOCKED`).
- `locked` through `InstallOptions` and `InstallContext`.
- `Backend::install_version`, error if `--locked` and no lockfile URL for current platform.
- `docs/cli`, manpage, `mise.usage.kdl`, completions (`xtasks/fig`), settings docs, and JSON schema (`schema/mise.json`) for `locked`.
Written by Cursor Bugbot for commit 82c7e4e. This will update automatically on new commits.
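
The fail-fast behaviour this PR describes (error when locked mode is on and the lockfile has no URL for the current platform, otherwise prefer the lockfile URL), sketched as an added example. It is not code from the PR or from mise: `Source`, `LockedTool`, `resolve_source`, `check_toolset`, the platform keys and the URLs are all hypothetical.

```rust
// Added illustration: simplified, hypothetical types, not mise's real code.
use std::collections::BTreeMap;
/// Where an install would fetch its artifact from.
#[derive(Debug, PartialEq)]
enum Source {
    Lockfile(String), // URL pinned in the lockfile, no remote lookup
    RemoteLookup,     // backend must query a registry/API at install time
}

/// One locked tool: platform key -> pre-resolved download URL.
struct LockedTool {
    name: String,
    urls: BTreeMap<String, String>,
}

/// Per-tool decision: in locked mode a missing URL is an error, never a silent network fallback.
fn resolve_source(tool: &LockedTool, platform: &str, locked: bool) -> Result<Source, String> {
    match tool.urls.get(platform) {
        Some(url) => Ok(Source::Lockfile(url.clone())),
        None if locked => Err(format!("{}: no lockfile URL for {}", tool.name, platform)),
        None => Ok(Source::RemoteLookup),
    }
}

/// Gate the whole toolset before any download starts and report every gap at once.
fn check_toolset(tools: &[LockedTool], platform: &str, locked: bool) -> Result<Vec<Source>, Vec<String>> {
    let (ok, bad): (Vec<_>, Vec<_>) =
        tools.iter().map(|t| resolve_source(t, platform, locked)).partition(|r| r.is_ok());
    if bad.is_empty() {
        Ok(ok.into_iter().map(Result::unwrap).collect())
    } else {
        Err(bad.into_iter().map(Result::unwrap_err).collect())
    }
}

/// Constructed sample data: tool names, platform keys and URLs are made up.
fn sample_tools() -> Vec<LockedTool> {
    let tool = |name: &str, platform: &str, url: &str| LockedTool {
        name: name.to_string(),
        urls: BTreeMap::from([(platform.to_string(), url.to_string())]),
    };
    vec![
        tool("alpha", "linux-x64", "https://example.invalid/alpha-1.0-linux-x64.tar.gz"),
        tool("beta", "macos-arm64", "https://example.invalid/beta-2.0-macos-arm64.tar.gz"),
    ]
}
fn main() {
    println!("{:?}", check_toolset(&sample_tools(), "linux-x64", true));
}
```

Checking every tool before the first download means a CI job stops with the full list of unpinned tools instead of failing partway through an install.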