v0.40.4

[Fix] sanitize NVM_AUTH_HEADER in wget path
[actions] add permissions to GHA workflow
2026-02-04 08:52:48 +08:00 · 2026-01-29 14:12:03 -08:00 · 2026-01-09 11:30:14 +09:00 · 2026-01-29 13:08:52 -08:00 · 2026-01-30 00:04:01 +08:00
9 changed files with 127 additions and 22 deletions
--- a/.github/workflows/nvm-install-test.yml
+++ b/.github/workflows/nvm-install-test.yml
@@ -10,6 +10,9 @@ on:
        required: false
        default: 'HEAD'
 permissions:
  contents: read
 jobs:
  matrix:
    runs-on: ubuntu-latest
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
 </a>
-# Node Version Manager [![Tests](https://github.com/nvm-sh/nvm/actions/workflows/tests-fast.yml/badge.svg?branch=master)][3] [![nvm version](https://img.shields.io/badge/version-v0.40.3-yellow.svg)][4] [![CII Best Practices](https://bestpractices.dev/projects/684/badge)](https://bestpractices.dev/projects/684)
+# Node Version Manager [![Tests](https://github.com/nvm-sh/nvm/actions/workflows/tests-fast.yml/badge.svg?branch=master)][3] [![nvm version](https://img.shields.io/badge/version-v0.40.4-yellow.svg)][4] [![CII Best Practices](https://bestpractices.dev/projects/684/badge)](https://bestpractices.dev/projects/684)
 <!-- To update this table of contents, ensure you have run `npm install` then `npm run doctoc` -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
@@ -104,10 +104,10 @@ nvm is a version manager for [node.js](https://nodejs.org/en/), designed to be i
 To **install** or **update** nvm, you should run the [install script][2]. To do that, you may either download and run the script manually, or use the following cURL or Wget command:
 ```sh
-curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash
+curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh | bash
 ```
 ```sh
-wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash
+wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh | bash
 ```
 Running either of the above commands downloads a script and runs it. The script clones the nvm repository to `~/.nvm`, and attempts to add the source lines from the snippet below to the correct profile file (`~/.bashrc`, `~/.bash_profile`, `~/.zshrc`, or `~/.profile`). If you find the install script is updating the wrong profile file, set the `$PROFILE` env var to the profile file’s path, and then rerun the installation script.
@@ -134,7 +134,7 @@ Eg: `curl ... | NVM_DIR="path/to/nvm"`. Ensure that the `NVM_DIR` does not conta
 - The installer can use `git`, `curl`, or `wget` to download `nvm`, whichever is available.
- You can instruct the installer to not edit your shell config (for example if you already get completions via a [zsh nvm plugin](https://github.com/ohmyzsh/ohmyzsh/tree/master/plugins/nvm)) by setting `PROFILE=/dev/null` before running the `install.sh` script. Here's an example one-line command to do that: `PROFILE=/dev/null bash -c 'curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash'`
+- You can instruct the installer to not edit your shell config (for example if you already get completions via a [zsh nvm plugin](https://github.com/ohmyzsh/ohmyzsh/tree/master/plugins/nvm)) by setting `PROFILE=/dev/null` before running the `install.sh` script. Here's an example one-line command to do that: `PROFILE=/dev/null bash -c 'curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh | bash'`
 #### Installing in Docker
@@ -150,7 +150,7 @@ RUN touch "${BASH_ENV}"
 RUN echo '. "${BASH_ENV}"' >> ~/.bashrc
 # Download and install nvm
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | PROFILE="${BASH_ENV}" bash
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh | PROFILE="${BASH_ENV}" bash
 RUN echo node > .nvmrc
 RUN nvm install
 ```
@@ -168,7 +168,7 @@ ARG NODE_VERSION=20
 RUN apt update && apt install curl -y
 # install nvm
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh | bash
 # set env
 ENV NVM_DIR=/root/.nvm
@@ -194,7 +194,7 @@ After creation of the image you can start container interactively and run comman
 docker run --rm -it nvmimage
 root@0a6b5a237c14:/# nvm -v
-0.40.3
+0.40.4
 root@0a6b5a237c14:/# node -v
 v19.9.0
@@ -257,7 +257,7 @@ You can use a task:
 ```yaml
 - name: Install nvm
  ansible.builtin.shell: >
-    curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash
+    curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh | bash
  args:
    creates: "{{ ansible_env.HOME }}/.nvm/nvm.sh"
 ```
@@ -319,7 +319,7 @@ If you have `git` installed (requires git v1.7.10+):
 1. clone this repo in the root of your user profile
    - `cd ~/` from anywhere then `git clone https://github.com/nvm-sh/nvm.git .nvm`
-1. `cd ~/.nvm` and check out the latest version with `git checkout v0.40.3`
+1. `cd ~/.nvm` and check out the latest version with `git checkout v0.40.4`
 1. activate `nvm` by sourcing it from your shell: `. ./nvm.sh`
 Now add these lines to your `~/.bashrc`, `~/.profile`, or `~/.zshrc` file to have it automatically sourced upon login:
@@ -928,13 +928,13 @@ If installing nvm on Alpine Linux *is* still what you want or need to do, you sh
 ### Alpine Linux 3.13+
 ```sh
 apk add -U curl bash ca-certificates openssl ncurses coreutils python3 make gcc g++ libgcc linux-headers grep util-linux binutils findutils
-curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash
+curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh | bash
 ```
 ### Alpine Linux 3.5 - 3.12
 ```sh
 apk add -U curl bash ca-certificates openssl ncurses coreutils python2 make gcc g++ libgcc linux-headers grep util-linux binutils findutils
-curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash
+curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh | bash
 ```
 _Note: Alpine 3.5 can only install NodeJS versions up to v6.9.5, Alpine 3.6 can only install versions up to v6.10.3, Alpine 3.7 installs versions up to v8.9.3, Alpine 3.8 installs versions up to v8.14.0, Alpine 3.9 installs versions up to v10.19.0, Alpine 3.10 installs versions up to v10.24.1, Alpine 3.11 installs versions up to v12.22.6, Alpine 3.12 installs versions up to v12.22.12, Alpine 3.13 & 3.14 install versions up to v14.20.0, Alpine 3.15 & 3.16 install versions up to v16.16.0 (**These are all versions on the main branch**). Alpine 3.5 - 3.12 required the package `python2` to build NodeJS, as they are older versions to build. Alpine 3.13+ requires `python3` to successfully build newer NodeJS versions, but you can use `python2` with Alpine 3.13+ if you need to build versions of node supported in Alpine 3.5 - 3.15, you just need to specify what version of NodeJS you need to install in the package install script._
@@ -1037,9 +1037,9 @@ You have to make sure that the user directory name in `$HOME` and the user direc
 To change the user directory and/or account name follow the instructions [here](https://support.apple.com/en-us/HT201548)
 [1]: https://github.com/nvm-sh/nvm.git
-[2]: https://github.com/nvm-sh/nvm/blob/v0.40.3/install.sh
+[2]: https://github.com/nvm-sh/nvm/blob/v0.40.4/install.sh
 [3]: https://github.com/nvm-sh/nvm/actions/workflows/tests-fast.yml
-[4]: https://github.com/nvm-sh/nvm/releases/tag/v0.40.3
+[4]: https://github.com/nvm-sh/nvm/releases/tag/v0.40.4
 [Urchin]: https://git.sdf.org/tlevine/urchin
 [Fish]: https://fishshell.com
@@ -1097,7 +1097,7 @@ Here's what you will need to do:
  If one of these broken versions is installed on your system, the above step will likely still succeed even if you didn't include the `--shared-zlib` flag.
  However, later, when you attempt to `npm install` something using your old version of node.js, you will see `incorrect data check` errors.
  If you want to avoid the possible hassle of dealing with this, include that flag.
-  For more details, see [this issue](https://github.com/nodejs/node/issues/39313) and [this comment](https://github.com/nodejs/node/issues/39313#issuecomment-90.40.376)
+  For more details, see [this issue](https://github.com/nodejs/node/issues/39313) and [this comment](https://github.com/nodejs/node/issues/39313#issuecomment-90.40.476)
 - Exit back to your native shell.
@@ -1124,7 +1124,7 @@ Now you should be able to use node as usual.
 If you've encountered this error on WSL-2:
  ```sh
-  curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash
+  curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload  Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:09 --:--:--     0curl: (6) Could not resolve host: raw.githubusercontent.com
@@ -1159,7 +1159,7 @@ Currently, the sole maintainer is [@ljharb](https://github.com/ljharb) - more ma
 ## Project Support
-Only the latest version (v0.40.3 at this time) is supported.
+Only the latest version (v0.40.4 at this time) is supported.
 ## Enterprise Support
--- a/install.sh
+++ b/install.sh
@@ -33,7 +33,7 @@ nvm_install_dir() {
 }
 nvm_latest_version() {
-  nvm_echo "v0.40.3"
+  nvm_echo "v0.40.4"
 }
 nvm_profile_is_bash_or_zsh() {
--- a/nvm.sh
+++ b/nvm.sh
@@ -149,7 +149,8 @@ nvm_download() {
    ")
    if [ -n "${NVM_AUTH_HEADER:-}" ]; then
-      ARGS="${ARGS} --header \"${NVM_AUTH_HEADER}\""
+      sanitized_header=$(nvm_sanitize_auth_header "${NVM_AUTH_HEADER}")
      ARGS="${ARGS} --header \"${sanitized_header}\""
    fi
    # shellcheck disable=SC2086
    eval wget $ARGS
@@ -3750,7 +3751,13 @@ nvm() {
      fi
      if ! nvm_is_version_installed "${VERSION}"; then
-        nvm_err "${VERSION} version is not installed..."
+        local REQUESTED_VERSION
        REQUESTED_VERSION="${PATTERN}"
        if [ "_${VERSION}" != "_N/A" ] && [ "_${VERSION}" != "_${PATTERN}" ]; then
          nvm_err "Version '${VERSION}' (inferred from ${PATTERN}) is not installed."
        else
          nvm_err "Version '${REQUESTED_VERSION}' is not installed."
        fi
        return
      fi
@@ -4490,7 +4497,7 @@ nvm() {
      NVM_VERSION_ONLY=true NVM_LTS="${NVM_LTS-}" nvm_remote_version "${PATTERN:-node}"
    ;;
    "--version" | "-v")
-      nvm_echo '0.40.3'
+      nvm_echo '0.40.4'
    ;;
    "unload")
      nvm deactivate >/dev/null 2>&1
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "nvm",
-  "version": "0.40.3",
+  "version": "0.40.4",
  "description": "Node Version Manager - Simple bash script to manage multiple active node.js versions",
  "directories": {
    "test": "test"
--- a/test/fast/Running
+++ b/test/fast/Running
@@ -0,0 +1,18 @@
 #!/bin/sh
 set -ex
 \. ../../nvm.sh
 \. ../common.sh
 VERSION='v0.0.1'
 PATTERN='0.0'
 mkdir -p "${NVM_DIR}/${VERSION}"
 set +ex # needed for stderr
 RETURN_MESSAGE="$(nvm uninstall "${PATTERN}" 2>&1 || echo)"
 set -ex
 EXPECTED_MESSAGE="Version '${VERSION}' (inferred from ${PATTERN}) is not installed."
 [ "${RETURN_MESSAGE}" = "${EXPECTED_MESSAGE}" ]
--- a/test/fast/Running
+++ b/test/fast/Running
@@ -0,0 +1,13 @@
 #!/bin/sh
 set -ex
 \. ../../nvm.sh
 \. ../common.sh
 set +ex # needed for stderr
 RETURN_MESSAGE="$(nvm uninstall 22 2>&1 || echo)"
 set -ex
 EXPECTED_MESSAGE="Version '22' is not installed."
 [ "${RETURN_MESSAGE}" = "${EXPECTED_MESSAGE}" ]
--- a/test/fast/Running
+++ b/test/fast/Running
@@ -5,7 +5,6 @@ set -x
 \. ../../nvm.sh
 cleanup() { rm -f .nvmrc; }
 die () { echo "$@" ; cleanup ; exit 1; }
 NVM_TEST_VERSION=v0.42
--- a/tests/security_wget_injection
+++ b/tests/security_wget_injection
@@ -0,0 +1,65 @@
 #!/bin/sh
 # Security test to verify that NVM_AUTH_HEADER is sanitized in wget path
 # This test ensures that command injection attacks are prevented
 cleanup () {
  unset -f die cleanup
  rm -f /tmp/nvm_security_test_file 2>/dev/null || true
 }
 die () { echo "$@" ; cleanup ; exit 1; }
 \. ../../../nvm.sh
 set -ex
 # Skip test if wget is not available
 if ! nvm_has "wget"; then
  echo "wget not available, skipping security test"
  exit 0
 fi
 # Test 1: Verify that malicious command injection in NVM_AUTH_HEADER is sanitized
 # This should not execute the command, but should sanitize it
 MALICIOUS_HEADER="Bearer test-token; touch /tmp/nvm_security_test_file; echo malicious"
 NVM_AUTH_HEADER="${MALICIOUS_HEADER}" nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/dev/null 2>&1 || true
 # Verify that the malicious file was NOT created (sanitization worked)
 if [ -f /tmp/nvm_security_test_file ]; then
  die "SECURITY FAILURE: Command injection succeeded! Malicious file was created."
 fi
 # Test 2: Verify that sanitized header still works for legitimate requests
 # The sanitized header should only contain safe characters
 SANITIZED=$(nvm_sanitize_auth_header "${MALICIOUS_HEADER}")
 # Verify that dangerous characters were removed
 case "${SANITIZED}" in
  *";"*|*"touch"*|*"/tmp"*)
    die "SECURITY FAILURE: Sanitization did not remove dangerous characters properly"
    ;;
 esac
 # Test 3: Verify that legitimate header with safe characters still works
 LEGITIMATE_HEADER="Bearer test-token-123"
 NVM_AUTH_HEADER="${LEGITIMATE_HEADER}" nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/dev/null 2>&1 || true
 # Test 4: Test with backticks (command substitution)
 MALICIOUS_HEADER2="Bearer \`touch /tmp/nvm_security_test_file\`"
 NVM_AUTH_HEADER="${MALICIOUS_HEADER2}" nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/dev/null 2>&1 || true
 # Verify that the malicious file was NOT created
 if [ -f /tmp/nvm_security_test_file ]; then
  die "SECURITY FAILURE: Command injection with backticks succeeded! Malicious file was created."
 fi
 # Test 5: Test with $(command substitution)
 MALICIOUS_HEADER3="Bearer \$(touch /tmp/nvm_security_test_file)"
 NVM_AUTH_HEADER="${MALICIOUS_HEADER3}" nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/dev/null 2>&1 || true
 # Verify that the malicious file was NOT created
 if [ -f /tmp/nvm_security_test_file ]; then
  die "SECURITY FAILURE: Command injection with \$() succeeded! Malicious file was created."
 fi
 cleanup
 echo "All security tests passed: Command injection attacks are properly sanitized"
Author	SHA1	Message	Date
Jordan Harband	62387b8f92	v0.40.4 Some checks failed Tests on Windows: `nvm install` / WSL nvm install (, 11, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (, 18, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (script, 18, Ubuntu-20.04) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (script, 21, Debian) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (script, 21, Ubuntu-20.04) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (, --lts, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (, 10, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (, 12, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (, 14, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (, 16, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (, 21, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (script, --lts, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (script, 10, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (script, 11, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (script, 12, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (script, 14, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (script, 16, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (script, 18, Alpine) (push) Has been cancelled Details Tests on Windows: `nvm install` / WSL nvm install (script, 21, Alpine) (push) Has been cancelled Details Tests: `nvm install-latest-npm` / nvm install-latest-npm (push) Has been cancelled Details Tests: linting / all linting (push) Has been cancelled Details Tests: nvm install with set -e / test (push) Has been cancelled Details Tests: nvm install with set -e / finisher (push) Has been cancelled Details Tests: shellcheck / shellcheck (push) Has been cancelled Details Tests: fast / all fast tests (push) Has been cancelled Details Tests: installation_iojs / all installation_iojs tests (push) Has been cancelled Details Tests: installation_node / all installation_node tests (push) Has been cancelled Details Tests: xenial / all xenial tests (push) Has been cancelled Details urchin tests / all test suites, all shells (push) Has been cancelled Details Tests on Windows: `nvm install` / tests, on windows (push) Has been cancelled Details	2026-01-29 14:12:03 -08:00
Sy2n0	44e2590cdf	[Fix] sanitize `NVM_AUTH_HEADER` in `wget` path	2026-01-09 11:30:14 +09:00
Jordan Harband	242d997da5	[actions] add permissions to GHA workflow	2026-01-29 13:08:52 -08:00
Peter Dave Hello	5533699ec5	Improve uninstall error message for missing versions Include the requested version in the uninstall error output when the target is not installed. Add a fast test to lock the behavior. Close #3767	2026-01-30 00:04:01 +08:00