Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request performs a routine release of
Greptile Summary
This is the automated release PR for mise 2026.3.4 (released 2026-03-07), bumping the version across all packaging manifests ( Key changes bundled in this release:
Confidence Score: 5/5
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[sccache version requested] --> B{Version == v0.3.2?}
B -- Yes --> C[no_asset]
B -- No --> D{Version in v0.5.1 or v0.6.0?}
D -- Yes --> E[tar.gz, limited OS support\nwindows_arm_emulation]
D -- No --> F{Version == v0.13.0?}
F -- Yes --> G[tar.gz, linux/darwin/arm64\nspecial darwin override]
F -- No --> H{semver <= 0.2.13?}
H -- Yes --> I[error: version too old]
H -- No --> J{semver <= 0.3.1?}
J -- Yes --> K[tar.gz, musl linux\nno ARM darwin]
J -- No --> L{semver <= 0.4.0-pre.1?}
L -- Yes --> M[tar.gz, darwin/windows/amd64\nARM darwin override]
L -- No --> N{semver <= 0.8.1?}
N -- Yes --> O[tar.gz, all platforms\nARM support added]
N -- No --> P[true: latest format\ntar.gz, all platforms\nfull ARM support]
Last reviewed commit: 907b89a
Code Review
This pull request prepares for the release of version 2026.3.4, primarily through version bumps in files like Cargo.toml, CHANGELOG.md, README.md, and shell completion scripts. While the version updates are consistent, a security vulnerability has been identified: the completion scripts for zsh, bash, fish, and powershell use predictable filenames in a world-writable temporary directory to cache usage specs. This pattern is vulnerable to local symlink attacks, which could lead to arbitrary file overwrite. It is recommended to move these temporary files to a user-specific directory such as ~/.cache/mise/completions.
| fi | ||
|
|
||
| local spec_file="${TMPDIR:-/tmp}/usage__usage_spec_mise_2026_3_3.spec" | ||
| local spec_file="${TMPDIR:-/tmp}/usage__usage_spec_mise_2026_3_4.spec" |
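Review bot: The changed `spec_file` line still resolves to a fixed name under `${TMPDIR:-/tmp}`, so any code that later reads or writes that path has to treat a pre-existing entry as untrusted. If the path must stay in the temp directory, have the writer stage to a `mktemp` file and rename it into place, and have the reader accept the file only when `[ -f "$spec_file" ] && [ ! -L "$spec_file" ] && [ -O "$spec_file" ]` holds.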
The completion script uses a predictable filename in a world-writable directory (/tmp or $TMPDIR) to store a spec file. This is vulnerable to a local symlink attack, where an attacker could create a symlink at this path pointing to a sensitive file, causing mise usage to overwrite it when completions are triggered. Consider using a user-specific directory like ~/.cache/mise/completions instead.
| local cur prev words cword was_split comp_args | ||
| _comp_initialize -n : -- "$@" || return | ||
| local spec_file="${TMPDIR:-/tmp}/usage__usage_spec_mise_2026_3_3.spec" | ||
| local spec_file="${TMPDIR:-/tmp}/usage__usage_spec_mise_2026_3_4.spec" |
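Review bot: The release number is baked into the file name on the changed `spec_file` line (`2026_3_3` becomes `2026_3_4`), so the previous release's spec file is left behind in the temp directory and nothing in this hunk removes it. A per-user cache directory would let older `usage__usage_spec_mise_*.spec` files be pruned safely whenever the new one is written.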
The completion script uses a predictable filename in a world-writable directory (/tmp or $TMPDIR) to store a spec file. This is vulnerable to a local symlink attack, where an attacker could create a symlink at this path pointing to a sensitive file, causing mise usage to overwrite it when completions are triggered. Consider using a user-specific directory like ~/.cache/mise/completions instead.
| end | ||
| set -l tmpdir (if set -q TMPDIR; echo $TMPDIR; else; echo /tmp; end) | ||
| set -l spec_file "$tmpdir/usage__usage_spec_mise_2026_3_3.spec" | ||
| set -l spec_file "$tmpdir/usage__usage_spec_mise_2026_3_4.spec" |
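Review bot: On the unchanged `set -l tmpdir` line just above the change, `set -q TMPDIR` succeeds for a variable that is set but empty, so `spec_file` becomes `/usage__usage_spec_mise_2026_3_4.spec` at the filesystem root, while the `${TMPDIR:-/tmp}` form in the other completion scripts falls back to `/tmp` in that case. Test for a non-empty value instead, for example `test -n "$TMPDIR"`, so every shell resolves the same path.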
The completion script uses a predictable filename in a world-writable directory (/tmp or /tmp by default) to store a spec file. This is vulnerable to a local symlink attack, where an attacker could create a symlink at this path pointing to a sensitive file, causing mise usage to overwrite it when completions are triggered. Consider using a user-specific directory like ~/.cache/mise/completions instead.
|
|
||
| $tmpDir = if ($env:TEMP) { $env:TEMP } else { [System.IO.Path]::GetTempPath() } | ||
| $specFile = Join-Path $tmpDir "usage__usage_spec_mise_2026_3_3.kdl" | ||
| $specFile = Join-Path $tmpDir "usage__usage_spec_mise_2026_3_4.kdl" |
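Review bot: The changed `$specFile` line names the cache `usage__usage_spec_mise_2026_3_4.kdl`, while the other three completion scripts in this PR use a `.spec` extension for the same file. Pick one extension across the scripts, or add a comment on this line saying why PowerShell differs, so that cleanup and any path checks can match a single pattern.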
The completion script uses a predictable filename in a temporary directory to store a spec file. This is vulnerable to a local symlink attack, where an attacker could create a symlink at this path pointing to a sensitive file, causing mise usage to overwrite it when completions are triggered. Consider using a user-specific directory like ~/.cache/mise/completions instead.
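The mitigation recommended in the review comments above, sketched as an added example that is not part of this PR or of mise's completion scripts: the spec cache is resolved inside a per-user directory, an existing file is accepted only if it is the user's own regular file, and writes go through a staged rename. The function names and the `usage_spec_mise_<version>.spec` file name are assumptions; the directory follows the `~/.cache/mise/completions` suggestion.

```shell
# Added example, not mise's code: keep the usage spec cache in a per-user
# directory instead of ${TMPDIR:-/tmp}. All function names are hypothetical.

# The flagged pattern: a fixed, guessable name in a shared directory.
legacy_spec_file() {
  printf '%s\n' "${TMPDIR:-/tmp}/usage__usage_spec_mise_$1.spec"
}

# Create and validate a private cache directory; print its path on success.
private_spec_dir() {
  local dir
  dir="${XDG_CACHE_HOME:-$HOME/.cache}/mise/completions"
  (umask 077 && mkdir -p -- "$dir") || return 1
  # Refuse a symlinked directory or one owned by another user.
  if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
    return 1
  fi
  chmod 700 -- "$dir" || return 1
  printf '%s\n' "$dir"
}

# Resolve the spec path for a version string such as 2026_3_4.
spec_file_for() {
  local d
  d=$(private_spec_dir) || return 1
  printf '%s\n' "$d/usage_spec_mise_$1.spec"
}

# A cached spec is trusted only if it is our own regular file, not a link.
spec_is_trusted() {
  [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ]
}

# Write stdin to the spec path without following a link planted there:
# stage in a mktemp file in the same directory, then rename over the target.
write_spec() {
  local target tmp
  target=$1
  tmp=$(mktemp "$(dirname -- "$target")/.spec.XXXXXX") || return 1
  cat > "$tmp" || { rm -f -- "$tmp"; return 1; }
  # Remove a link first so mv cannot descend into a linked directory.
  if [ -L "$target" ]; then rm -f -- "$target"; fi
  mv -f -- "$tmp" "$target"
}
```

A completion script would call `spec_file=$(spec_file_for 2026_3_4)` and regenerate the file through `write_spec` whenever `spec_is_trusted "$spec_file"` fails.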
Hyperfine Performance
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.3 x -- echo | 23.5 ± 0.5 | 22.7 | 28.7 | 1.00 |
| mise x -- echo | 23.8 ± 0.7 | 22.6 | 28.9 | 1.02 ± 0.03 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.3 env | 25.0 ± 0.9 | 23.1 | 30.9 | 1.05 ± 0.05 |
| mise env | 23.9 ± 0.6 | 22.7 | 26.5 | 1.00 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.3 hook-env | 24.6 ± 0.5 | 23.4 | 26.4 | 1.02 ± 0.04 |
| mise hook-env | 24.0 ± 0.7 | 22.7 | 26.3 | 1.00 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.3.3 ls | 23.0 ± 0.6 | 22.3 | 29.4 | 1.00 |
| mise ls | 23.2 ± 0.7 | 22.1 | 25.8 | 1.01 ± 0.04 |
xtasks/test/perf
| Command | mise-2026.3.3 | mise | Variance |
|---|---|---|---|
| install (cached) | 153ms | 150ms | +2% |
| ls (cached) | 83ms | 82ms | +1% |
| bin-paths (cached) | 85ms | 84ms | +1% |
| task-ls (cached) | 822ms | 832ms | -1% |
f9e3efc to 3686c6e
🚀 Features
interactive field for exclusive terminal access by @jdx in #8491
🐛 Bug Fixes
dir when set by @jdx in #8472
📦️ Dependency Updates
📦 Registry
New Contributors
📦 Aqua Registry Updates
New Packages (5)
- datadog-labs/pup
- k1LoW/mo
- rtk-ai/rtk
- suzuki-shunsuke/docfresh
- yashikota/exiftool-go

Updated Packages (6)
- cloudflare/cloudflared
- mozilla/sccache
- owenlamont/ryl
- spinel-coop/rv
- technicalpickles/envsense
- weaviate/weaviate