[Fix] install.sh: do not log when user has requested no profile modifications

[Tests] `install.sh`: add tests for PROFILE=/dev/null profile skip

Verify that when PROFILE="/dev/null" is set:
- The "Profile not found" warning is suppressed
- Profile modification is skipped as expected

Co-authored-by: Wes Todd <wes@wesleytodd.com>
Co-authored-by: Jordan Harband <ljharb@gmail.com>

.github/SECURITY.md

@@ -2,6 +2,13 @@
 
 Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report.
 
+## Escalation
+
+If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`.
+
+If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.
+
+
 ## OpenSSF CII Best Practices
 
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/684/badge)](https://bestpractices.coreinfrastructure.org/projects/684)

README.md

@@ -443,7 +443,7 @@ Node has a [schedule](https://github.com/nodejs/Release#release-schedule) for lo
 
 Any time your local copy of `nvm` connects to https://nodejs.org, it will re-create the appropriate local aliases for all available LTS lines. These aliases (stored under `$NVM_DIR/alias/lts`), are managed by `nvm`, and you should not modify, remove, or create these files - expect your changes to be undone, and expect meddling with these files to cause bugs that will likely not be supported.
 
-To get the latest LTS version of node and migrate your existing installed packages, use
+To get the latest LTS version of node and migrate your existing installed packages, use:
 
 ```sh
 nvm install --reinstall-packages-from=current 'lts/*'
@@ -496,7 +496,10 @@ stevemao/left-pad
 
 ### io.js
 
-If you want to install [io.js](https://github.com/iojs/io.js/):
+> [!WARNING]
+> io.js was a [fork of Node.js](https://en.wikipedia.org/wiki/Node.js#History), created in 2014 and merged back in 2015. io.js shipped v1, v2, and v3 release lines; post-merge, node.js began releasing with v4.
+
+If you want to install io.js:
 
 ```sh
 nvm install iojs
@@ -1040,7 +1043,7 @@ To change the user directory and/or account name follow the instructions [here](
 [Urchin]: https://git.sdf.org/tlevine/urchin
 [Fish]: https://fishshell.com
 
-**Homebrew makes zsh directories unsecure**
+**Homebrew makes zsh directories insecure**
 
 ```shell
 zsh compinit: insecure directories, run compaudit for list.

install.sh

@@ -428,7 +428,10 @@ nvm_do_install() {
   COMPLETION_STR='[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"  # This loads nvm bash_completion\n'
   BASH_OR_ZSH=false
 
-  if [ -z "${NVM_PROFILE-}" ] ; then
+  if [ "${PROFILE-}" = '/dev/null' ] ; then
+    # the user has specifically requested NOT to have nvm touch their profile
+    echo
+  elif [ -z "${NVM_PROFILE-}" ] ; then
     local TRIED_PROFILE
     if [ -n "${PROFILE}" ]; then
       TRIED_PROFILE="${NVM_PROFILE} (as defined in \$PROFILE), "

nvm-exec

@@ -9,9 +9,12 @@ unset NVM_CD_FLAGS
 
 if [ -n "$NODE_VERSION" ]; then
   nvm use "$NODE_VERSION" > /dev/null || exit 127
-elif ! nvm use >/dev/null 2>&1; then
-  echo "No NODE_VERSION provided; no .nvmrc file found" >&2
-  exit 127
+else
+  nvm_rc_version > /dev/null && nvm_ensure_version_installed "$NVM_RC_VERSION";
+  if ! nvm use >/dev/null 2>&1; then
+    echo "No NODE_VERSION provided; no .nvmrc file found" >&2
+    exit 127
+  fi
 fi
 
 exec "$@"

nvm.sh

@@ -781,6 +781,15 @@ nvm_remote_version() {
   else
     VERSION="$(NVM_LTS="${NVM_LTS-}" nvm_remote_versions "${PATTERN}" | command tail -1)"
   fi
+
+  if [ -n "${PATTERN}" ] && [ "_${VERSION}" != "_N/A" ] && ! nvm_validate_implicit_alias "${PATTERN}" 2>/dev/null; then
+    local VERSION_NUM
+    VERSION_NUM="$(nvm_echo "${VERSION}" | command awk '{print $1}')"
+    if ! nvm_echo "${VERSION_NUM}" | nvm_grep -q "${PATTERN}"; then
+      VERSION='N/A'
+    fi
+  fi
+
   if [ -n "${NVM_VERSION_ONLY-}" ]; then
     command awk 'BEGIN {
       n = split(ARGV[1], a);

test/fast/Running 'nvm-exec' should display required node version

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -x
+\. ../../nvm.sh
+
+die () { echo "$@" ; rm .nvmrc ; exit 1; }
+
+NVM_TEST_VERSION=v0.42
+
+# Write it to nvmrc
+echo "$NVM_TEST_VERSION" > .nvmrc
+
+OUTPUT="$(../../nvm-exec 2>&1)";
+EXPECTED="N/A: version \"${NVM_TEST_VERSION}\" is not yet installed.
+
+You need to run \`nvm install ${NVM_TEST_VERSION}\` to install and use it.
+No NODE_VERSION provided; no .nvmrc file found";
+
+# Skip install, we want to test the error message
+[ "${EXPECTED}" = "${OUTPUT}" ] || die "expected >${EXPECTED}<, got >${OUTPUT}<"

test/fast/Set Colors/nvm_print_versions calls nvm_get_colors

@@ -2,7 +2,7 @@
 
 \. ../../../nvm.sh
 
-set -e
+#set -e #nvm use system returns 127 and No system set message
 
 die () {
   # echo "$@" ;
@@ -24,7 +24,7 @@ fi
 # default system color
 nvm use system
 OUTPUT=$(nvm_print_versions system)
-FORMAT="\033[0;32m-> %12s\033[0m"
+FORMAT="\033[0;33m%15s\033[0m"
 VERSION='system'
 EXPECTED_OUTPUT=$(command printf -- "${FORMAT}\\n" "${VERSION}")
 
@@ -34,7 +34,7 @@ nvm_ls_current() { echo "current";}
 
 # default current color
 OUTPUT=$(nvm_print_versions current)
-FORMAT="\033[0;32m-> %12s\033[0m"
+FORMAT="\033[0;32m->%13s\033[0m"
 VERSION="current"
 EXPECTED_OUTPUT=$(command printf -- "${FORMAT}\\n" "${VERSION}")
 
@@ -43,7 +43,7 @@ EXPECTED_OUTPUT=$(command printf -- "${FORMAT}\\n" "${VERSION}")
 # custom current color
 nvm set-colors YCMGR
 OUTPUT=$(nvm_print_versions current)
-FORMAT="\033[1;35m-> %12s\033[0m"
+FORMAT="\033[1;35m->%13s\033[0m"
 VERSION="current"
 EXPECTED_OUTPUT=$(command printf -- "${FORMAT}\\n" "${VERSION}")
 

test/fast/Unit tests/nvm_is_version_installed

@@ -31,7 +31,7 @@ check_version() {
   mkdir -p "$NODE_PATH/$VERSION/bin" && cd "$NODE_PATH/$VERSION/bin" && touch "$NODE_PATH/$VERSION/bin/$BINARY"
   ! nvm_is_version_installed "$VERSION" || die "nvm_is_version_installed $VERSION should fail with non executable existing version"
 
-  # nvm_is_version_installed whould work
+  # nvm_is_version_installed would work
   chmod +x "$NODE_PATH/$VERSION/bin/$BINARY"
   nvm_is_version_installed "$VERSION" || die "nvm_is_version_installed $VERSION should work"
 }

test/fast/Unit tests/nvm_remote_version

@@ -75,4 +75,24 @@ EXIT_CODE="$(nvm_remote_version node >/dev/null 2>&1 ; echo $?)"
   || die "nvm_remote_version node did not return contents of nvm_ls_remote node; got $OUTPUT"
 [ "_$EXIT_CODE" = "_0" ] || die "nvm_remote_version node did not exit with 0, got $EXIT_CODE"
 
+# Test LTS name rejection (Issue #3474)
+# When nvm_remote_versions returns a line with LTS name in description,
+# nvm_remote_version should reject it if the pattern doesn't match the version number
+
+nvm_remote_versions() {
+    echo "v4.9.1 Argon *"
+}
+OUTPUT="$(nvm_remote_version Argon)"
+EXIT_CODE="$(nvm_remote_version Argon >/dev/null 2>&1 ; echo $?)"
+[ "_$OUTPUT" = "_N/A" ] || die "nvm_remote_version Argon should return N/A (LTS name not in version), got $OUTPUT"
+[ "_$EXIT_CODE" = "_3" ] || die "nvm_remote_version Argon should exit with code 3, got $EXIT_CODE"
+
+nvm_remote_versions() {
+  echo "v4.9.1"
+}
+OUTPUT="$(nvm_remote_version 4)"
+EXIT_CODE="$(nvm_remote_version 4 >/dev/null 2>&1 ; echo $?)"
+[ "_$OUTPUT" = "_v4.9.1" ] || die "nvm_remote_version 4 should return v4.9.1, got $OUTPUT"
+[ "_$EXIT_CODE" = "_0" ] || die "nvm_remote_version 4 should exit with code 0, got $EXIT_CODE"
+
 cleanup

test/install_script/nvm_install_profile_skip

@@ -0,0 +1,62 @@
+#!/bin/sh
+
+die () { echo "$@" ; cleanup ; exit 1; }
+
+cleanup() {
+  unset -f install_nvm_from_git install_nvm_as_script nvm_detect_profile nvm_has
+  unset -f setup cleanup die
+  unset NVM_ENV METHOD PROFILE
+}
+
+setup() {
+  NVM_ENV=testing \. ../../install.sh
+
+  # Mock installation functions to do nothing
+  install_nvm_from_git() { :; }
+  install_nvm_as_script() { :; }
+
+  # Mock nvm_has to return true for git (to take the git path)
+  nvm_has() {
+    case "$1" in
+      git) return 0 ;;
+      xcode-select) return 1 ;;
+      *) return 1 ;;
+    esac
+  }
+
+  # Mock nvm_detect_profile to return empty (no profile found)
+  nvm_detect_profile() {
+    echo ""
+  }
+}
+
+setup
+
+#
+# Test: When PROFILE="/dev/null", no "Profile not found" warning should appear
+#
+
+OUTPUT="$(PROFILE='/dev/null' METHOD='' NVM_DIR="$(mktemp -d)" nvm_do_install 2>&1)"
+if echo "$OUTPUT" | grep -q "Profile not found"; then
+  die "nvm_do_install should NOT show 'Profile not found' when PROFILE=/dev/null, got: $OUTPUT"
+fi
+
+#
+# Test: When PROFILE is empty/unset, the "Profile not found" warning SHOULD appear
+#
+
+OUTPUT="$(PROFILE='' METHOD='' NVM_DIR="$(mktemp -d)" nvm_do_install 2>&1)"
+if ! echo "$OUTPUT" | grep -q "Profile not found"; then
+  die "nvm_do_install should show 'Profile not found' when PROFILE is empty, got: $OUTPUT"
+fi
+
+#
+# Test: When PROFILE points to a non-existent file, the "Profile not found" warning SHOULD appear
+#
+
+OUTPUT="$(PROFILE='/nonexistent/profile' METHOD='' NVM_DIR="$(mktemp -d)" nvm_do_install 2>&1)"
+if ! echo "$OUTPUT" | grep -q "Profile not found"; then
+  die "nvm_do_install should show 'Profile not found' when PROFILE points to nonexistent file, got: $OUTPUT"
+fi
+
+cleanup