mirror of
https://github.com/nvm-sh/nvm.git
synced 2026-07-18 21:08:23 +08:00
Payloads (binaries, plus source tarballs that nvm compiles and runs at install time) are trusted by construction, since nvm exists to build and run them; parsed metadata (index.tab, SHASUMS, LTS codenames) is not, and must never reach a command evaluator, an awk/sed program body, or an unvalidated filesystem path. This records why the existing version-string and checksum hardening exists, and scopes a malicious payload from a configured mirror as out of scope: no privilege boundary is crossed.