Jordan Harband 70fb4ede6b [Fix] nvm_download_artifact: reject version strings with disallowed characters ...

The mirror-supplied (untrusted) version flows into download URLs,
filesystem paths, and the checksum awk match.
Reject any version outside the node/io.js grammar
(`[0-9A-Za-z._+-]`) before it is used.
A blocklist of metacharacters is used rather than a strict semver allowlist so RCs, nightlies, v8-canary, and io.js versions still install.

Completes the remediation of GHSA-3c52-35h2-gfmm.

2026-06-03 13:09:07 -07:00

153 KiB

Executable File

Raw Blame History

View Raw