Add initial support for mise

[efcasado]

What are you trying to accomplish?

Add support for mise to dependabot, so we can use it to automatically update the dependencies defined in mise.toml files.

This feature is being discussed in #12320.

Anything you want to highlight for special attention from reviewers?

The current implementation supports the following manifest files: mise.toml, .mise.toml, mise.<env>.toml and .mise.<env>.toml).

MISE_YES=1 is set when invoking the mise CLI so commands can run safely in non-interactive environments such as Dependabot jobs and test containers.

FileParser relies on mise ls --current --local --json to interpret mise.toml and determine which tools should be modeled as Dependabot dependencies. Using the mise CLI avoids reimplementing mise’s own resolution logic in Ruby. The --local flag is important because it limits the result set to tools defined by the target repository configuration, rather than inheriting tools from parent mise.toml files that may exist in ancestor directories.

UpdateChecker uses mise ls-remote --json to retrieve available versions for a given tool. The response includes created_at, which is mapped onto Dependabot::Package::PackageRelease#released_at. That allows mise to reuse Dependabot’s existing cooldown support through PackageLatestVersionFinder, rather than implementing cooldown behavior separately in the ecosystem.

The implementation distinguishes between:

• the resolved version returned by mise (i.e. version), which is used as the dependency’s current version for update comparisons, and
• the declared version from mise.toml (i.e. requested_version), which is preserved as the dependency requirement and used when rewriting the manifest.

For example, a partial pin such as node = "20" may resolve to a concrete installed version like 20.20.2. In that case, Dependabot compares against the resolved version while still tracking the original manifest requirement.

mise also supports “external” backends such as npm: (for example, "npm:@redocly/cli"). These backends may depend on additional tooling being present in the environment. In particular, npm: resolution requires Node.js and npm. The ecosystem Docker image installs Node.js via mise itself (mise use -g node@lts) so that npm:-backed tools can be resolved correctly during parsing and update checking. Support for additional external backends can be expanded in future iterations as needed.

mise supports different types of manifest files. This first implementation supports mise.toml, .mise.toml, mise.<env>.toml and .mise.<env>.toml manifest files. Support for more complex manifest files and/or locations (eg. .mise/config.toml) could be added in a future pull request.

Although mise supports lockfiles, they are disabled by default and are intentionally left out of scope for this initial implementation. The current ecosystem only manages versions declared in mise.toml.

Known limitations of the current implementation:

• fuzzy aliases such as latest and lts are skipped during parsing for now
• partial pins are currently updated to concrete versions when Dependabot rewrites the manifest
• lockfile support is not included in this change
• support for external backends other than npm: is not included in this change

How will you know you've accomplished your goal?

Running bin/dry-run.rb on a GitHub repository like software-mansion/popcorn and confirming that the implementation can be used to keep dependencies updated.

bin/docker-dev-shell mise
 > image dependabot/dependabot-core-development-mise already exists

=> running docker development shell
[dependabot-core-dev] ~ $ bin/dry-run.rb mise software-mansion/popcorn --enable-beta-ecosystems

...
=> updating 3 dependencies: elixir, erlang, node

=== elixir (1.17.3-otp-26)
 => checking for updates 1/3
I, [2026-03-25T18:10:06.643320 #11]  INFO -- : Started process PID: 101 with command: {"MISE_YES" => "1"} mise ls-remote --json elixir {}
I, [2026-03-25T18:10:07.145400 #11]  INFO -- : Process PID: 101 completed with status: pid 101 exit 0
I, [2026-03-25T18:10:07.145461 #11]  INFO -- : Total execution time: 0.5 seconds
 => latest available version is 1.20.0.pre.rc.3
 => latest allowed version is 1.20.0.pre.rc.3
 => requirements to unlock: own
 => requirements update strategy: 
 => bump elixir from 1.17.3-otp-26 to 1.20.0.pre.rc.3

    ± mise.toml
    ~~~
    --- /tmp/original20260325-11-1ytpbn	2026-03-25 18:10:07.921137001 +0000
    +++ /tmp/updated20260325-11-5hr7ej	2026-03-25 18:10:07.921137001 +0000
    @@ -1,5 +1,5 @@
     [tools]
    -elixir = "1.17.3-otp-26"
    +elixir = "1.20.0.pre.rc.3"
     erlang = "26.0.2"
     node = "22"
     pnpm = "latest"
    ~~~
    2 insertions (+), 2 deletions (-)

=== erlang (26.0.2)
 => checking for updates 2/3
I, [2026-03-25T18:10:07.925872 #11]  INFO -- : Started process PID: 118 with command: {"MISE_YES" => "1"} mise ls-remote --json erlang {}
I, [2026-03-25T18:10:08.292014 #11]  INFO -- : Process PID: 118 completed with status: pid 118 exit 0
I, [2026-03-25T18:10:08.292070 #11]  INFO -- : Total execution time: 0.37 seconds
 => latest available version is 29.0.pre.rc2
 => latest allowed version is 29.0.pre.rc2
 => requirements to unlock: own
 => requirements update strategy: 
 => bump erlang from 26.0.2 to 29.0.pre.rc2

    ± mise.toml
    ~~~
    --- /tmp/original20260325-11-4cieez	2026-03-25 18:10:08.720137001 +0000
    +++ /tmp/updated20260325-11-1nw7z1	2026-03-25 18:10:08.720137001 +0000
    @@ -1,6 +1,6 @@
     [tools]
     elixir = "1.17.3-otp-26"
    -erlang = "26.0.2"
    +erlang = "29.0.pre.rc2"
     node = "22"
     pnpm = "latest"
     rebar = "latest"
    ~~~
    2 insertions (+), 2 deletions (-)

=== node (22.22.1)
 => checking for updates 3/3
I, [2026-03-25T18:10:08.724603 #11]  INFO -- : Started process PID: 134 with command: {"MISE_YES" => "1"} mise ls-remote --json node {}
I, [2026-03-25T18:10:09.141022 #11]  INFO -- : Process PID: 134 completed with status: pid 134 exit 0
I, [2026-03-25T18:10:09.141087 #11]  INFO -- : Total execution time: 0.42 seconds
 => latest available version is 25.8.2
 => latest allowed version is 25.8.2
 => requirements to unlock: own
 => requirements update strategy: 
 => bump node from 22.22.1 to 25.8.2

    ± mise.toml
    ~~~
    --- /tmp/original20260325-11-bou3l1	2026-03-25 18:10:09.602137001 +0000
    +++ /tmp/updated20260325-11-mxfn0k	2026-03-25 18:10:09.602137001 +0000
    @@ -1,7 +1,7 @@
     [tools]
     elixir = "1.17.3-otp-26"
     erlang = "26.0.2"
    -node = "22"
    +node = "25.8.2"
     pnpm = "latest"
     rebar = "latest"
     watchexec = "latest"
    ~~~
    2 insertions (+), 2 deletions (-)
🌍 Total requests made: '0'
Dry-run completed successfully.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[Copilot]

Pull request overview

Adds a new mise ecosystem to Dependabot Core so Dependabot can fetch, parse, check, and update tool versions declared in mise.toml, using the mise CLI inside a dedicated ecosystem container. This fits the existing ecosystem plugin architecture (FileFetcher/FileParser/UpdateChecker/FileUpdater + CI/image plumbing).

Changes:

• Introduces a new dependabot-mise ecosystem gem (fetcher/parser/checker/updater + fixtures/specs) and a mise Docker image.
• Wires mise into local tooling and entrypoints (bin/dry-run.rb, docker dev shell, omnibus, config mapping).
• Adds CI/image build and smoke-test matrix entries for the new ecosystem.

Reviewed changes

Copilot reviewed 37 out of 39 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
updater/lib/dependabot/setup.rb	Adds mise to Sentry app dir pattern (but missing ecosystem require).
script/dependabot	Mounts mise/ into the dev container wrapper script.
rakelib/support/helpers.rb	Registers the new mise gemspec in Rake helper lists.
omnibus/lib/dependabot/omnibus.rb	Requires dependabot/mise from the omnibus gem.
mise/spec/spec_helper.rb	Adds ecosystem-local spec helper to reuse common spec helpers.
mise/spec/fixtures/mise_toml/unsupported.toml	Adds fixture for unsupported/alias/scoped version formats.
mise/spec/fixtures/mise_toml/simple.toml	Adds fixture for simple tool pins.
mise/spec/fixtures/mise_toml/no_tools.toml	Adds fixture for config without a [tools] section.
mise/spec/fixtures/mise_toml/mixed.toml	Adds fixture mixing multiple tool declaration formats.
mise/spec/dependabot/mise/update_checker_spec.rb	Adds update checker specs (mocking mise outdated).
mise/spec/dependabot/mise/file_updater_spec.rb	Adds file updater specs for multiple TOML formats.
mise/spec/dependabot/mise/file_parser_spec.rb	Adds file parser specs for extracting dependencies.
mise/spec/dependabot/mise/file_fetcher_spec.rb	Adds file fetcher specs and required-files assertions.
mise/script/ci-test	Adds ecosystem CI test script.
mise/script/build	Adds ecosystem build script (no native helpers).
mise/lib/dependabot/mise/update_checker.rb	Implements update checking via mise outdated --bump --json.
mise/lib/dependabot/mise/requirement.rb	Adds requirement class registration for mise.
mise/lib/dependabot/mise/metadata_finder.rb	Adds placeholder metadata finder for mise.
mise/lib/dependabot/mise/helpers.rb	Adds helper to write fetched files before invoking mise CLI.
mise/lib/dependabot/mise/file_updater.rb	Implements updating mise.toml content via regex replacements.
mise/lib/dependabot/mise/file_parser.rb	Implements parsing dependencies via mise ls --current --json.
mise/lib/dependabot/mise/file_fetcher.rb	Fetches mise.toml and enforces beta-ecosystem gating.
mise/lib/dependabot/mise.rb	Registers mise ecosystem classes, labels, and version class.
mise/dependabot-mise.gemspec	Adds new ecosystem gemspec.
mise/README.md	Documents local dev workflow for the new ecosystem.
mise/Dockerfile	Adds mise ecosystem image (installs mise, sets up Node via mise).
mise/.rubocop.yml	Inherits repo RuboCop config for the mise gem.
mise/.gitignore	Adds gem-local ignores.
mise/.bundle/config	Points bundler to the updater Gemfile for local dev.
common/lib/dependabot/config/file.rb	Adds mise to package-manager mapping.
bin/dry-run.rb	Adds mise to dry-run supported ecosystems and load paths/requires.
bin/docker-dev-shell	Adds bind mounts for the mise ecosystem into the dev shell container.
.github/workflows/images-latest.yml	Adds mise image build to latest-image workflow.
.github/workflows/images-branch.yml	Adds mise image build to branch-image workflow.
.github/workflows/ci.yml	Adds mise to CI matrix.
.github/smoke-matrix.json	Adds mise to smoke-test matrix.
.github/smoke-filters.yml	Adds smoke filters for mise/** changes.
.github/issue-labeler.yml	Adds issue labeler rule for mise-related changes.
.github/ci-filters.yml	Adds CI filters for mise/** changes.

[efcasado]

This pull request is now ready for a first review 😃 I believe the current implementation is a good foundation for the mise ecosystem and additional features such as support for lockfiles (still experimental), additional backends, etc. could be added in future iterations. What do you think?

@kbukum1 - I am very curious to here what you think! Ignoring a small change I contributed to the hex ecosystem a few weeks ago, this is my first contribution to this project and whilst I've tried to use other ecosystems as a reference, I may have missed something or gotten something completely wrong.

I see there are a few jobs still failing, but I believe the failures aren't related to the changes introduced by this pull request and a simple re-try may get them green.

[efcasado]

@kbukum1 - I tried following the instructions on how to contribute smoke tests for a new ecosystem and peeked at what was done recently for Nix, but I suspect I am at a dead end and won't be able to contribute these until this contribution gets some traction first, right?

dependabot update mise dependabot/smoke-tests -o tests/smoke-mise.yaml
    cli | 2026/03/30 10:12:21 Using hostname: github.com api endpoint: https://api.github.com
    cli | 2026/03/30 10:12:21 updater failure: unknown package manager: mise

Is there anything else I should/could focus on in the meantime? 😊

UPDATE: Never mind 😊 I found my way around the smoke-tests repository. I created an empty smoke test for the mise ecosystem by hand and I then ran script/regen.sh --local-core ../dependabot-core tests/smoke-mise.yaml, which built a local dependabot-updater-mise image I could use to bootstrap the smoke tests.

[jdx]

unfortunately right now I don't have the bandwidth to own this, I will report back though if that changes since I very much would like to see dependabot support.

[Maks3w]

Do this PR support Lockfiles?
A typical pattern is set the tool version in the TOML file as latest because the version is pinned in mise.*.lock

In case of give support to Lockfiles I would expect some stability on the definition of them. It has recently change the format between different Mise versions and overtime is introducing more metadata. cc @jdx

[efcasado]

@Maks3w it doesn't. I decided against it because lockfiles are not enabled by default in mise, but also because I thought it would be best to keep this initial pull request intentionally simple and then work on incremental improvements as we would see need (and because I don't use them myself and lack firsthand experience and understanding of what to expect 😛).

@robaiken, @JamieMagee - I see you tend to be very active when it comes to new ecosystems. If you are interested and have the time, I would be very much interested in hearing your thoughts on this pull request and see if you have any ideas on how we could push this forward 😊

The result of the unit tests and the output from the dry-run seem to suggest that we may be ready for beta-testing. There is also a pull-request with the smoke tests and I believe the main thing we are missing is a first review from someone from the dependabot team and see if there is anything that may need to be addressed?

[gperdomor]

Thanks for this... I hope can be merged soon ❤️

[robaiken]

@efcasado @gperdomor Really appreciate the work that's gone into this, @efcasado. Our current approach for new ecosystems requires backing from the upstream maintainers to ensure long-term support, and since the Mise team isn't able to take that on right now, we can't proceed at this stage. If the Mise team are able to commit to maintaining it in the future, we'd be happy to pick this back up

[tfrancisl]

@efcasado @gperdomor Really appreciate the work that's gone into this, @efcasado. Our current approach for new ecosystems requires backing from the upstream maintainers to ensure long-term support, and since the Mise team isn't able to take that on right now, we can't proceed at this stage. If the Mise team are able to commit to maintaining it in the future, we'd be happy to pick this back up

This is an unusual policy. Isn't this an open source project? Why not merge this and, if someone out there who cares about it has issues, let them contribute and maintain it? And if this goes unmaintained, simply drop support. Thoughts?

[lorengordon]

Oh, shucks, I thought this was already a feature in Dependabot. Would love to see this ecosystem as a feature! Mise is great for managing tool versions, using it everywhere I can!