The mirror-supplied (untrusted) version flows into download URLs,
filesystem paths, and the checksum awk match.
Reject any version outside the node/io.js grammar
(`[0-9A-Za-z._+-]`) before it is used.
A blocklist of metacharacters is used rather than a strict semver allowlist so RCs, nightlies, v8-canary, and io.js versions still install.
Completes the remediation of GHSA-3c52-35h2-gfmm.

The awk program string-interpolated the slug
(which embeds the untrusted, mirror-supplied version)
into its source, so a crafted version such as
`v1"==$2){system("touch${IFS}/tmp/x")}#`
was executed by awk's `system()`.
Pass the value via `-v tarball=...` so awk treats it as data and never as code.
See GHSA-3c52-35h2-gfmm
(a second injection sink fed by the same untrusted version field that `nvm_download`'s eval was; the source-install path reaches this during a normal `nvm install <version>`).

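A constructed shell example (added here, not nvm's own code) of the two fixes above: the metacharacter blocklist on the mirror-supplied version, and a checksum lookup that hands the tarball name to awk through `-v` instead of splicing it into the program. The `SHASUMS` listing and its hash values are made up for offline use.

```sh
#!/bin/sh
# Constructed example, not nvm's code: reject a mirror-supplied version that
# contains anything outside the node/io.js grammar, then look up its checksum
# with the tarball name passed to awk as data rather than as program source.

# Blocklist: any character outside [0-9A-Za-z._+-] (quotes, $, (, ), ;, #,
# whitespace, backslash, ...) rejects the value. A strict semver allowlist
# would wrongly reject RCs, nightlies, v8-canary and io.js versions.
validate_version() {
  case "$1" in
    '' | *[!0-9A-Za-z._+-]*) return 1 ;;
  esac
  return 0
}

# Constructed SHASUMS256.txt-style listing used as offline sample input.
SHASUMS='1111aaaa  node-v20.0.0-linux-x64.tar.gz
2222bbbb  node-v20.0.1-linux-x64.tar.gz
3333cccc  node-v20.0.1-linux-arm64.tar.gz'

# awk receives the tarball name through -v, so it is only ever compared as a
# string; a `"`, `$`, `{` or `#` inside it cannot alter the program.
# Caveat: -v still expands backslash escapes in the value, one more reason the
# version must pass validate_version first (it rejects `\`).
checksum_for() {
  printf '%s\n' "$SHASUMS" | awk -v tarball="$1" '$2 == tarball { print $1; exit }'
}

# Full flow for a version taken from the mirror's index.tab.
checksum_for_version() {
  validate_version "$1" || { printf 'rejected version: %s\n' "$1" >&2; return 1; }
  checksum_for "node-$1-linux-x64.tar.gz"
}
```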
`nvm_download` built a curl/wget command string and ran it with `eval`.
The download URLs embed the version string taken from the mirror's `index.tab`,
which is untrusted.
Wrapping each argument in double quotes inside the `eval` does not prevent command substitution,
so a version field such as `v1$(touch /tmp/proof)` was executed by the shell.
This bypassed the earlier quoting hardening in 0ce8f5a.
Pass every argument as a literal argv element instead of constructing a string for `eval`,
on both the curl and wget paths,
so URL arguments are never re-parsed by the shell.
The wget flag translation is now done per-argument with a POSIX
`set --` loop rather than `sed` over the joined string.
The auth header is sanitized and added once,
before invoking the downloader.
The wget path passed `NVM_AUTH_HEADER` as the raw header line
(e.g. `--header "Bearer secret-token"`),
omitting the `Authorization:` header name that the curl path includes.
Per the documented usage
(`NVM_AUTH_HEADER="Bearer secret-token"`) the value is the credential,
so wget was sending a malformed header.
Prefix it with `Authorization: ` to match the curl path.

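A constructed example (added here, not nvm's `nvm_download`) of the argv-based approach from the two fixes above: each argument is translated from curl to wget style by a `set --` loop, nothing is ever handed to `eval`, and the `Authorization:` header is sanitized and appended once. The flag mapping is a hypothetical subset, `record_argv` stands in for wget, and the CR/LF stripping is my assumed sanitization rule.

```sh
#!/bin/sh
# Constructed example, not nvm's code: build the downloader's argv element by
# element so URLs containing $(...) or quotes are never re-parsed by a shell.

# Stand-in for wget so the example runs offline: prints the argv it received,
# one element per line, exactly as wget would have seen it.
record_argv() { printf '%s\n' "$@"; }

# Assumed sanitization: drop CR/LF so the credential cannot smuggle in extra
# header lines.
sanitize_header() { printf '%s' "$1" | tr -d '\r\n'; }

# Translate curl-style arguments to wget-style ones, one argument at a time.
# The hypothetical mapping covers only -sS, -o and -L.
fetch_with_wget() {
  header=$(sanitize_header "${NVM_AUTH_HEADER-}")
  n=$#
  i=0
  while [ "$i" -lt "$n" ]; do
    arg=$1; shift; i=$((i + 1))
    case "$arg" in
      -sS) set -- "$@" -q ;;        # quiet, errors still reported
      -o)  set -- "$@" -O ;;        # output file flag
      -L)  ;;                       # wget follows redirects by default
      *)   set -- "$@" "$arg" ;;    # URLs and file names pass through untouched
    esac
  done
  # Add the header once, with the header name the curl path already uses.
  if [ -n "$header" ]; then
    set -- "$@" --header "Authorization: $header"
  fi
  record_argv "$@"
}
```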
Container-based suites and the `nvm_download` httpbin check hard-fail whenever DockerHub is briefly unreachable
(observed: `dial tcp ...:443: connect: connection refused` while pulling images),
even though the change under test is fine.
This is unrelated to any test logic.
- tests-xenial / tests-installation-node: retry the `docker pull` up to 5 times before `docker run`, mirroring the existing apt-get retry
- `nvm_download` test: retry the httpbin pull and skip the auth-header checks (rather than fail) when the image cannot be pulled or run, and make cleanup tolerant of a missing container.
- `nvm-exec` test: expect "Found .nvmrc" message in output, since `nvm_rc_version` now outputs it to stdout via fd 3 redirection (ef162036)
- `nvm_install_binary_nosource`: fix exit code capture by running the command directly instead of inside a subshell with `echo $?` (05d78477)
- `nvm_iojs_version_has_solaris_binary`: bare versions like `v3.3.1` (without `iojs-` prefix) are node versions and should be rejected. The old tests relied on the buggy comparison that let them through (53e6244a)
- `nvm_get_arch_unofficial`: copy `uname` into the chroot. The old test passed only because the unconditional `NVM_ARCH=x64-musl` masked the missing binary, but the `case` fix now requires a real arch to match (39e71eab)

Missing `_` prefix on the right side of the comparison meant the guard clause that rejects non-iojs versions almost never matched, allowing non-iojs versions to fall through.
Bug introduced in 2d692d9d78 / #854.

`return` inside `(...)` subshells only exits the subshell, not the calling function.
Errors in mkdir, download, and checksum verification were silently ignored.
Use `{ ...; }` brace groups instead.
Bug introduced in ba3ad8e460.

When `nosource=1` (the `-b` flag) and binary download fails, the function returned 0 (success) instead of a non-zero exit code, masking the installation failure.
Bug introduced in 4fdef427e4 / #2439.

Alpine detection unconditionally set `x64-musl` regardless of actual architecture, which would be incorrect on ARM-based Alpine containers.
Bug introduced in ef7fc2f2c0 / #3212.
Fixes #3616.

The awk expression `$0 ~ "regex"` as a bare statement in the action block evaluates the match but doesn't affect the exit code.
awk always prints the line and exits 0, making the validation a no-op.
Bug introduced in b1fa143dd8.

`return $A || $B` only evaluates the first argument, since `return` always succeeds.
The io.js exit code was never checked, silently swallowing remote listing failures.
Bug introduced in ea12784629 / #616.

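The three exit-status pitfalls above (subshell `return`, the bare awk match expression, and `return $A || $B`), each beside its fix, as a constructed example added here rather than nvm's own code; `false` stands in for the failing mkdir, download or checksum step.

```sh
#!/bin/sh
# Constructed example, not nvm's code: three ways a POSIX shell function can
# report success while the step it wraps actually failed.

# 1. `return` inside ( ... ) exits only the subshell; the enclosing function
#    carries on and its own `return 0` wins.
subshell_return_buggy() {
  ( false || return 1 )
  return 0
}
#    A { ...; } brace group runs in the current shell, so `return` really
#    returns from the function.
brace_group_fixed() {
  { false || return 1; }
  return 0
}

# 2. `$0 ~ /re/` as a bare statement is evaluated and discarded; awk's exit
#    status stays 0 whatever the input, so the "validation" checks nothing.
awk_validate_buggy() {
  printf '%s\n' "$1" | awk '{ $0 ~ /^v[0-9]+(\.[0-9]+)*$/ }'
}
#    Record the match and turn it into the exit status in END.
awk_validate_fixed() {
  printf '%s\n' "$1" | awk '$0 ~ /^v[0-9]+(\.[0-9]+)*$/ { ok = 1 } END { exit !ok }'
}

# 3. `return $A || $B`: `return` itself always succeeds, so `|| $B` never
#    runs and the second status is silently ignored.
combine_status_buggy() {
  A=$1; B=$2
  return $A || $B
}
#    Fail when either status is non-zero.
combine_status_fixed() {
  A=$1; B=$2
  return $((A != 0 || B != 0))
}
```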
The error message for using `-s` and `-b` together was calling
`nvm err` (invoking nvm with subcommand "err") instead of the
`nvm_err` helper function, causing the error message to never be displayed and instead showing the help text with exit code 127.
Bug introduced in 4fdef427e4 / #2439.

Add `--offline` flag to `nvm install` that resolves versions using only locally installed versions and cached downloads. No network calls are made.
New helper functions `nvm_ls_cached` and `nvm_offline_version` scan `$NVM_DIR/.cache/bin/` for previously downloaded tarballs.
In offline mode, `nvm_download_artifact` returns cached tarballs directly without checksum verification or download attempts.
The curl/wget requirement is skipped when `--offline` is set.
Supports `--lts` via locally stored LTS alias files.

Add `try` and `try_err` helper functions to `test/common.sh` that capture stdout/stderr and exit code from a single invocation, eliminating duplicate command executions in tests.
Convert all existing tests that used the `OUTPUT`/`EXIT_CODE` double-invocation pattern to use the new helpers.
Also fixes a pre-existing bug in the `nvm_die_on_prefix` test where ASCII apostrophes were used instead of U+2019 to match nvm.sh output.

Normalize `nvm_version` output when `nvm_ls` returns "system vX" so alias and .nvmrc resolutions treat system correctly.
Add fast tests for system alias behavior in `nvm ls`, `nvm use`, and `nvm which`.

nvm.sh uses `NVM_SCRIPT_SOURCE="$_"` to detect its source location.
Adding `: nvm.sh` before each source line ensures `$_` is set correctly, preventing breakage when the previous command (e.g., `set -ex`) overwrites it.

Old Node.js versions have Makefiles with unquoted glob patterns like
`rm -f *.o` that fail in zsh's strict glob mode. By passing
SHELL=/bin/sh to make, we ensure POSIX-compliant shell behavior
regardless of what shell nvm is running in.

Previously, `nvm install Argon` would succeed by matching the LTS name
in the version description (e.g., "v4.9.1 (Latest LTS: Argon)"), but
`nvm uninstall Argon` would fail because "Argon" is not a valid alias or a valid version.
Changes:
- Added pattern matching check in nvm_remote_version (nvm.sh:785-791)
- Skips check for implicit aliases (node, stable, etc.) to preserve
existing functionality
- Added unit tests to verify LTS names are rejected while version
numbers still work
After this fix:
- `nvm install Argon` → fails (use `nvm install lts/argon` instead)
- `nvm install 4` → still works
- `nvm install node` → still works
- `nvm install lts/argon` → still works
This makes install and uninstall behavior consistent.
Fixes #3474.

When `.nvmrc` or alias files contained comments (lines with `#`),
the `#` character could end up in the search pattern passed to sed,
causing "unterminated regular expression" errors because `#` is
used as the sed address delimiter.
This commit fixes the issue in two places:
1. `nvm_alias`: Strip comments from alias file contents before
returning them, and trim trailing whitespace
2. `nvm_ls`: Escape `#` characters in SEARCH_PATTERN so they're
treated as literal characters in the sed address
Fixes #3761.

In theory, `npx nvmrc` can now be used to validate an `.nvmrc` file that `nvm` will support. Allowances have been made for future extensibility, and aliases may no longer contain a `#`.
Fixes #3336. Closes #2288.
Co-authored-by: Jordan Harband <ljharb@gmail.com>
Co-authored-by: Yash Singh <saiansh2525@gmail.com>

Path lists in environmental variables often give special meaning to
empty entries (e.g. in PATH or MANPATH). These are represented by
leading or trailing colons, or by doubled colons in the middle of the
list.
Adjust the awk invocation to correctly deal with trailing colons by
printing the separator before every field except the first, and then
printing the final separator that is read from the input - this will
either be a colon or the null string. This preserves leading and
trailing colons in all cases while not adding extra colons in the wrong
place.
Add test to confirm the correct behaviour.
Fixes #3144.
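A constructed example (added here, not nvm's own path-stripping code) of removing one directory's entries from a colon-separated list while keeping leading, trailing and doubled colons intact. It splits the list in awk with `RS=':'` and prints the separator before every kept field except the first; because POSIX awk does not expose whether the last record ended in `:` or at end of input, the trailing colon is detected in the shell beforehand. The directory prefix is a parameter standing in for `NVM_DIR`.

```sh
#!/bin/sh
# Constructed example, not nvm's code: drop every entry of a PATH-style list
# that is $2 or lives beneath it, keeping empty entries (leading, trailing or
# doubled colons) that shells treat as "current directory".
strip_path_entries() {
  list=$1
  dir=$2
  # Remember the trailing separator before awk splits the list, since a
  # record ending at ':' and one ending at EOF look the same to POSIX awk.
  trailing=''
  case "$list" in
    *:) trailing=':' ;;
  esac
  printf '%s' "$list" | awk -v RS=':' -v dir="$dir" '
    # Skip the directory itself and anything under it (but not /nvm-other).
    $0 == dir || index($0, dir "/") == 1 { next }
    # Separator before every kept field except the first: no colon invented
    # at the start, none lost in the middle, empty fields preserved.
    { printf "%s%s", (kept++ ? ":" : ""), $0 }
  '
  printf '%s' "$trailing"
}
```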