Merge cae2eb71a2 into 977563e97d

[Fix] specify 'origin' remote name with git clone ... installs
`git` may be configured locally to use a non-'origin' default remote name. So, specify 'origin' as the remote name when cloning to get the expected setup.
2026-01-12 18:27:17 +08:00 · 2025-04-27 14:18:14 +00:00 · 2024-05-03 00:36:04 -05:00
12 changed files with 40 additions and 642 deletions
--- a/.github/INCIDENT_RESPONSE_PLAN.md
+++ b/.github/INCIDENT_RESPONSE_PLAN.md
@@ -1,117 +0,0 @@
 # Incident Response Process for **nvm**
 ## Reporting a Vulnerability
 We take the security of **nvm** very seriously. If you believe you’ve found a security vulnerability, please inform us responsibly through coordinated disclosure.
 ### How to Report
 > **Do not** report security vulnerabilities through public GitHub issues, discussions, or social media.
 Instead, please use one of these secure channels:
 1. **GitHub Security Advisories**
    Use the **Report a vulnerability** button in the Security tab of the [nvm-sh/nvm repository](https://github.com/nvm-sh/nvm).
 2. **Email**
    Follow the posted [Security Policy](https://github.com/nvm-sh/nvm/security/policy).
 ### What to Include
 **Required Information:**
 - Brief description of the vulnerability type
 - Affected version(s) and components
 - Steps to reproduce the issue
 - Impact assessment (what an attacker could achieve)
 **Helpful Additional Details:**
 - Full paths of affected scripts or files
 - Specific commit or branch where the issue exists
 - Required configuration to reproduce
 - Proof-of-concept code (if available)
 - Suggested mitigation or fix
 ## Our Response Process
 **Timeline Commitments:**
 - **Initial acknowledgment**: Within 24 hours
 - **Detailed response**: Within 3 business days
 - **Status updates**: Every 7 days until resolved
 - **Resolution target**: 90 days for most issues
 **What We’ll Do:**
 1. Acknowledge your report and assign a tracking ID
 2. Assess the vulnerability and determine severity
 3. Develop and test a fix
 4. Coordinate disclosure timeline with you
 5. Release a security update and publish an advisory and CVE
 6. Credit you in our security advisory (if desired)
 ## Disclosure Policy
 - **Coordinated disclosure**: We’ll work with you on timing
 - **Typical timeline**: 90 days from report to public disclosure
 - **Early disclosure**: If actively exploited
 - **Delayed disclosure**: For complex issues
 ## Scope
 **In Scope:**
 - **nvm** project (all supported versions)
 - Installation and update scripts (`install.sh`, `nvm.sh`)
 - Official documentation and CI/CD integrations
 - Dependencies with direct security implications
 **Out of Scope:**
 - Third-party forks or mirrors
 - Platform-specific installs outside core scripts
 - Social engineering or physical attacks
 - Theoretical vulnerabilities without practical exploitation
 ## Security Measures
 **Our Commitments:**
 - Regular vulnerability scanning via GitHub Actions
 - Automated security checks in CI/CD pipelines
 - Secure scripting practices and mandatory code review
 - Prompt patch releases for critical issues
 **User Responsibilities:**
 - Keep **nvm** updated
 - Verify script downloads via PGP signatures
 - Follow secure configuration guidelines for shell environments
 ## Legal Safe Harbor
 **We will NOT:**
 - Initiate legal action
 - Contact law enforcement
 - Suspend or terminate your access
 **You must:**
 - Only test against your own installations
 - Not access, modify, or delete user data
 - Not degrade service availability
 - Not publicly disclose before coordinated disclosure
 - Act in good faith
 ## Recognition
 - **Advisory Credits**: Credit in GitHub Security Advisories (unless anonymous)
 ## Security Updates
 **Stay Informed:**
 - Subscribe to GitHub releases for **nvm**
 - Enable GitHub Security Advisory notifications
 **Update Process:**
 - Patch releases (e.g., v0.40.3 → v0.40.4)
 - Out-of-band releases for critical issues
 - Advisories via GitHub Security Advisories
 ## Contact Information
 - **Security reports**: Security tab of [nvm-sh/nvm](https://github.com/nvm-sh/nvm/security)
 - **General inquiries**: GitHub Discussions or Issues
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -1,6 +1,6 @@
 # Security
-Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report.
+Please email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.
 ## OpenSSF CII Best Practices
@@ -12,17 +12,16 @@ There are three “tiers”: passing, silver, and gold.
 We meet 100% of the “passing” criteria.
 ### Silver
-We meet 100% of the “silver” criteria.
+We meet 95% of the “silver” criteria. The gaps are as follows:
  - we do not have a DCO or a CLA process for contributions.
  - because we only have one maintainer, the project has no way to continue if that maintainer stops being active.
  - we do not currently document “what the user can and cannot expect in terms of security” for our project. This is planned to be completed in 2023.
 ### Gold
-We meet 78% of the “gold” criteria. The gaps are as follows:
+We meet 65% of the “gold” criteria. The gaps are as follows:
-  - because we only have one maintainer, the project has no way to continue if that maintainer stops being active.
+  - we do not yet have the “silver” badge; see all the gaps above.
  - We do not include a copyright or license statement in each source file. Efforts are underway to change this archaic practice into a suggestion instead of a hard requirement.
 ## Threat Model
-See [THREAT_MODEL.md](.github/THREAT_MODEL.md).
+See [THREAT_MODEL.md](./THREAT_MODEL.md).
 ## Incident Response Plan
 Please see our [Incident Response Plan](.github/INCIDENT_RESPONSE_PLAN.md).
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -1,427 +0,0 @@
 # nvm Copilot Instructions
 This document provides guidance for GitHub Copilot when working with the Node Version Manager (nvm) codebase.
 ## Overview
 nvm is a version manager for Node.js, implemented as a POSIX-compliant function that works across multiple shells (sh, dash, bash, ksh, zsh). The codebase is primarily written in shell script and emphasizes portability and compatibility.
 ### Core Architecture
 - **Main script**: `nvm.sh` - Contains all core functionality and the main `nvm()` function
 - **Installation script**: `install.sh` - Handles downloading and installing nvm itself
 - **Execution wrapper**: `nvm-exec` - Allows running commands with specific Node.js versions
 - **Bash completion**: `bash_completion` - Provides tab completion for bash users
 - **Tests**: Comprehensive test suite in `test/` directory using the [urchin](https://www.npmjs.com/package/urchin) test framework
 ## Key Files and Their Purposes
 ### `nvm.sh`
 The core functionality file containing:
 - Main `nvm()` function (starts around line 3000)
 - All internal helper functions (prefixed with `nvm_`)
 - Command implementations for install, use, ls, etc.
 - Shell compatibility logic
 - POSIX compliance utilities
 ### `install.sh`
 Handles nvm installation via curl/wget/git:
 - Downloads nvm from GitHub
 - Sets up directory structure
 - Configures shell integration
 - Supports both git clone and script download methods
 ### `nvm-exec`
 Simple wrapper script that:
 - Sources nvm.sh with `--no-use` flag
 - Switches to specified Node version via `NODE_VERSION` env var or `.nvmrc`
 - Executes the provided command with that Node version
 ## Top-Level nvm Commands and Internal Functions
 ### Core Commands
 #### `nvm install [version]`
 - **Internal functions**: `nvm_install_binary()`, `nvm_install_source()`, `nvm_download_artifact()`
 - Downloads and installs specified Node.js version
 - Automatically `nvm use`s that version after installation
 - Supports LTS versions, version ranges, and built-in aliases (like `node`, `stable`) and user-defined aliases
 - Can install from binary or compile from source
 - When compiling from source, accepts additional arguments that are passed to the compilation task
 #### `nvm use [version]`
 - **Internal functions**: `nvm_resolve_alias()`, `nvm_version_path()`, `nvm_change_path()`
 - Switches current shell to use specified Node.js version
 - Updates PATH environment variable
 - Supports `.nvmrc` file integration
 #### `nvm ls [pattern]`
 - **Internal functions**: `nvm_ls()`, `nvm_tree_contains_path()`
 - Lists installed Node.js versions
 - Supports pattern matching and filtering
 - Shows current version and aliases
 #### `nvm ls-remote [pattern]`
 - **Internal functions**: `nvm_ls_remote()`, `nvm_download()`, `nvm_ls_remote_index_tab()`
 - Lists available Node.js versions from nodejs.org and iojs.org, or the env-var-configured mirrors
 - Supports LTS filtering and pattern matching
 - Downloads version index on-demand
 #### `nvm alias [name] [version]`
 - **Internal functions**: `nvm_alias()`, `nvm_alias_path()`
 - Creates text files containing the mapped version, named as the alias name
 - Special aliases: `default`, `node`, `iojs`, `stable`, `unstable` (note: `stable` and `unstable` are deprecated, from node's pre-v1 release plan)
 - Stored in `$NVM_DIR/alias/` directory
 #### `nvm current`
 - **Internal functions**: `nvm_ls_current()`
 - Shows currently active Node.js version
 - Returns "system" if using system Node.js
 #### `nvm which [version]`
 - **Internal functions**: `nvm_version_path()`, `nvm_resolve_alias()`
 - Shows path to specified Node.js version
 - Resolves aliases and version strings
 ### Utility Commands
 #### `nvm cache clear|dir`
 - Cache management for downloaded binaries and source code
 - Clears or shows cache directory path
 #### `nvm debug`
 - Diagnostic information for troubleshooting
 - Shows environment, tool versions, and paths
 #### `nvm deactivate`
 - Removes nvm modifications from current shell
 - Restores original PATH
 #### `nvm unload`
 - Completely removes nvm from shell environment
 - Unsets all nvm functions and variables
 ### Internal Function Categories
 #### Version Resolution
 - `nvm_resolve_alias()` - Resolves aliases to version numbers
 - `nvm_version()` - Finds best matching local version
 - `nvm_remote_version()` - Finds best matching remote version
 - `nvm_normalize_version()` - Standardizes version strings
 - `nvm_version_greater()` - Compares version numbers
 - `nvm_version_greater_than_or_equal_to()` - Version comparison with equality
 - `nvm_get_latest()` - Gets latest version from a list
 #### Installation Helpers
 - `nvm_install_binary()` - Downloads and installs precompiled binaries
 - `nvm_install_source()` - Compiles Node.js from source
 - `nvm_download_artifact()` - Downloads tarballs or binaries
 - `nvm_compute_checksum()` - Verifies download integrity
 - `nvm_checksum()` - Checksum verification wrapper
 - `nvm_get_mirror()` - Gets appropriate download mirror
 - `nvm_get_arch()` - Determines system architecture
 #### Path Management
 - `nvm_change_path()` - Updates PATH for version switching
 - `nvm_strip_path()` - Removes nvm paths from PATH
 - `nvm_version_path()` - Gets installation path for version
 - `nvm_version_dir()` - Gets version directory name
 - `nvm_prepend_path()` - Safely prepends to PATH
 #### Shell Detection and Compatibility
 - `nvm_is_zsh()` - Shell detection for zsh
 - `nvm_is_iojs_version()` - Checks if version is io.js
 - `nvm_get_os()` - Operating system detection
 - `nvm_supports_source_options()` - Checks if shell supports source options
 #### Network and Remote Operations
 - `nvm_download()` - Generic download function
 - `nvm_ls_remote()` - Lists remote versions
 - `nvm_ls_remote_iojs()` - Lists remote io.js versions
 - `nvm_ls_remote_index_tab()` - Parses remote version index
 #### Utility Functions
 - `nvm_echo()`, `nvm_err()` - Output functions
 - `nvm_has()` - Checks if command exists
 - `nvm_sanitize_path()` - Cleans sensitive data from paths
 - `nvm_die_on_prefix()` - Validates npm prefix settings
 - `nvm_ensure_default_set()` - Ensures default alias is set
 - `nvm_auto()` - Automatic version switching from .nvmrc
 #### Alias Management
 - `nvm_alias()` - Creates or lists aliases
 - `nvm_alias_path()` - Gets path to alias file
 - `nvm_unalias()` - Removes aliases
 - `nvm_resolve_local_alias()` - Resolves local aliases
 #### Listing and Display
 - `nvm_ls()` - Lists local versions
 - `nvm_ls_current()` - Shows current version
 - `nvm_tree_contains_path()` - Checks if path is in nvm tree
 - `nvm_format_version()` - Formats version display
 ## Running Tests
 ### Test Framework
 nvm uses the [urchin](https://www.npmjs.com/package/urchin) test framework for shell script testing.
 ### Test Structure
 ```
 test/
 ├── fast/           # Quick unit tests
 ├── slow/           # Integration tests
 ├── sourcing/       # Shell sourcing tests
 ├── install_script/ # Installation script tests
 ├── installation_node/ # Node installation tests
 ├── installation_iojs/ # io.js installation tests
 └── common.sh       # Shared test utilities
 ```
 ### Running Tests
 #### Install Dependencies
 ```bash
 npm install  # Installs urchin, semver, and replace tools
 ```
 #### Run All Tests
 ```bash
 npm test               # Runs tests in current shell (sh, bash, dash, zsh, ksh)
 make test              # Runs tests in all supported shells (sh, bash, dash, zsh, ksh)
 make test-sh           # Runs tests only in sh
 make test-bash         # Runs tests only in bash
 make test-dash         # Runs tests only in dash
 make test-zsh          # Runs tests only in zsh
 make test-ksh          # Runs tests only in ksh
 ```
 #### Run Specific Test Suites
 ```bash
 make TEST_SUITE=fast test        # Only fast tests
 make TEST_SUITE=slow test        # Only slow tests
 make SHELLS=bash test            # Only bash shell
 ```
 #### Individual Test Execution
 ```bash
 ./test/fast/Unit\ tests/nvm_get_arch     # Run single test (WARNING: This will exit/terminate your current shell session)
 ./node_modules/.bin/urchin test/fast/                        # Run fast test suite
 ./node_modules/.bin/urchin 'test/fast/Unit tests/nvm_get_arch'  # Run single test safely without shell termination
 ./node_modules/.bin/urchin test/slow/                        # Run slow test suite
 ./node_modules/.bin/urchin test/sourcing/                    # Run sourcing test suite
 ```
 ### Test Writing Guidelines
 - Tests should work across all supported shells (sh, bash, dash, zsh, ksh)
 - Define and use a `die()` function for test failures
 - Clean up after tests in cleanup functions
 - Mock external dependencies when needed
 - Place mocks in `test/mocks/` directory
 - Mock files should only be updated by the existing `update_test_mocks.sh` script, and any new mocks must be added to this script
 ## Shell Environment Setup
 ### Supported Shells
 - **bash** - Full feature support
 - **zsh** - Full feature support
 - **dash** - Basic POSIX support
 - **sh** - Basic POSIX support
 - **ksh** - Limited support (experimental)
 ### Installing Shell Environments
 #### Ubuntu/Debian
 ```bash
 sudo apt-get update
 sudo apt-get install bash zsh dash ksh
 # sh is typically provided by dash or bash and is available by default
 ```
 #### macOS
 ```bash
 # bash and zsh are available by default, bash is not the default shell for new user accounts
 # Install other shells via Homebrew
 brew install dash ksh
 # For actual POSIX sh (not bash), install mksh which provides a true POSIX sh
 brew install mksh
 ```
 #### Manual Shell Testing
 ```bash
 # Test in specific shell
 bash -c "source nvm.sh && nvm --version"
 zsh -c "source nvm.sh && nvm --version"
 dash -c ". nvm.sh && nvm --version"
 sh -c ". nvm.sh && nvm --version"          # On macOS: mksh -c ". nvm.sh && nvm --version"
 ksh -c ". nvm.sh && nvm --version"
 ```
 ### Shell-Specific Considerations
 - **zsh**: Requires basically any non-default zsh option to be temporarily unset to restore POSIX compliance
 - **dash**: Limited feature set, avoid bash-specific syntax
 - **ksh**: Some features may not work, primarily for compatibility testing
 ## CI Environment Details
 ### GitHub Actions Workflows
 #### `.github/workflows/tests.yml`
 - Runs test suite across multiple shells and test suites
 - Uses `script` command for proper TTY simulation
 - Matrix strategy covers shell × test suite combinations
 - Excludes install_script tests from non-bash shells
 #### `.github/workflows/shellcheck.yml`
 - Lints all shell scripts using shellcheck
 - Tests against multiple shell targets (bash, sh, dash, ksh)
  - Note: zsh is not included due to [shellcheck limitations](https://github.com/koalaman/shellcheck/issues/809)
 - Uses Homebrew to install latest shellcheck version
 #### `.github/workflows/lint.yml`
 - Runs additional linting and formatting checks
 - Validates documentation and code style
 ### Travis CI (Legacy)
 - Configured in `.travis.yml`
 - Tests on multiple Ubuntu versions
 - Installs shell environments via apt packages
 ### CI Test Execution
 ```bash
 # Simulate CI environment locally
 unset TRAVIS_BUILD_DIR  # Disable Travis-specific logic
 unset GITHUB_ACTIONS    # Disable GitHub Actions logic
 make test
 ```
 ## Setting Up shellcheck Locally
 ### Installation
 #### macOS (Homebrew)
 ```bash
 brew install shellcheck
 ```
 #### Ubuntu/Debian
 ```bash
 sudo apt-get install shellcheck
 ```
 #### From Source
 ```bash
 # Download from https://github.com/koalaman/shellcheck/releases
 wget https://github.com/koalaman/shellcheck/releases/download/latest/shellcheck-latest.linux.x86_64.tar.xz
 tar -xf shellcheck-latest.linux.x86_64.tar.xz
 sudo cp shellcheck-latest/shellcheck /usr/local/bin/
 ```
 ### Usage
 #### Lint Main Files
 ```bash
 shellcheck -s bash nvm.sh
 shellcheck -s bash install.sh
 shellcheck -s bash nvm-exec
 shellcheck -s bash bash_completion
 ```
 #### Lint Across Shell Types
 ```bash
 shellcheck -s sh nvm.sh      # POSIX sh
 shellcheck -s bash nvm.sh    # Bash extensions
 shellcheck -s dash nvm.sh    # Dash compatibility
 shellcheck -s ksh nvm.sh     # Ksh compatibility
 ```
 #### Common shellcheck Directives in nvm
 - `# shellcheck disable=SC2039` - Allow bash extensions in POSIX mode
 - `# shellcheck disable=SC2016` - Allow literal `$` in single quotes
 - `# shellcheck disable=SC2001` - Allow sed usage instead of parameter expansion
 - `# shellcheck disable=SC3043` - Allow `local` keyword (bash extension)
 ### Fixing shellcheck Issues
 1. **Quoting**: Always quote variables: `"${VAR}"` instead of `$VAR`
 2. **POSIX compliance**: Avoid bash-specific features in portable sections
 3. **Array usage**: Use `set --` for positional parameters instead of arrays, which are not supported in POSIX
 4. **Local variables**: Declared with `local FOO` and then initialized on the next line (the latter is for ksh support)
 ## Development Best Practices
 ### Code Style
 - Use 2-space indentation
 - Follow POSIX shell guidelines for portability
 - Prefix internal functions with `nvm_`
 - Use `nvm_echo` instead of `echo` for output
 - Use `nvm_err` for error messages
 ### Compatibility
 - Test changes across all supported shells
 - Avoid bash-specific features in core functionality
 - Use `nvm_is_zsh` to check when zsh-specific behavior is needed
 - Mock external dependencies in tests
 ### Performance
 - Cache expensive operations (like remote version lists)
 - Use local variables to avoid scope pollution
 - Minimize subprocess calls where possible
 - Implement lazy loading for optional features
 ### Debugging
 - Use `nvm debug` command for environment information
 - Enable verbose output with `set -x` during development
 - Test with `NVM_DEBUG=1` environment variable
 - Check `$NVM_DIR/.cache` for cached data issues
 ## Common Gotchas
 1. **PATH modification**: nvm modifies PATH extensively; be careful with restoration
 2. **Shell sourcing**: nvm must be sourced, not executed as a script
 3. **Version resolution**: Aliases, partial versions, and special keywords interact complexly
 4. **Platform differences**: Handle differences between Linux, macOS, and other Unix systems
 5. **Network dependencies**: Many operations require internet access for version lists
 6. **Concurrent access**: Multiple shells can conflict when installing versions simultaneously
 ## Windows Support
 nvm works on Windows via several compatibility layers:
 ### WSL2 (Windows Subsystem for Linux)
 - Full nvm functionality available
 - **Important**: Ensure you're using WSL2, not WSL1 - see [Microsoft's WSL2 installation guide](https://docs.microsoft.com/en-us/windows/wsl/install) for up-to-date instructions
 - Install Ubuntu or other Linux distribution from Microsoft Store
 - Follow Linux installation instructions within WSL2
 ### Cygwin
 - POSIX-compatible environment for Windows
 - Download Cygwin from [cygwin.com](https://www.cygwin.com/install.html) and run the installer
 - During installation, include these packages: bash, curl, git, tar, and wget
 - May require additional PATH configuration
 ### Git Bash (MSYS2)
 - Comes with Git for Windows
 - Limited functionality compared to full Linux environment
 - Some features may not work due to path translation issues, including:
  - Binary extraction paths may be incorrectly translated
  - Symlink creation may fail
  - Some shell-specific features may behave differently
  - File permissions handling differs from Unix systems
 ### Setup Instructions for Windows
 #### WSL2 (recommended)
 1. Install WSL2 using the official Microsoft guide: https://docs.microsoft.com/en-us/windows/wsl/install
 2. Install Ubuntu or preferred Linux distribution from Microsoft Store
 3. Follow standard Linux installation within WSL2
 #### Git Bash
 1. Install Git for Windows (includes Git Bash) from https://git-scm.com/download/win
 2. Open Git Bash terminal
 3. Run nvm installation script
 #### Cygwin
 1. Download and install Cygwin from https://www.cygwin.com/install.html
 2. Include bash, curl, git, tar, and wget packages during installation
 3. Run nvm installation in Cygwin terminal
 This guide should help GitHub Copilot understand the nvm codebase structure, testing procedures, and development environment setup requirements.
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,52 +0,0 @@
 name: "Code scanning - action"
 on:
  push:
  pull_request:
  schedule:
    - cron: '0 17 * * 4'
 permissions:
  contents: read
 jobs:
  CodeQL-Build:
    # CodeQL runs on ubuntu-latest and windows-latest
    permissions:
      actions: read  # for github/codeql-action/init to get workflow details
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/autobuild to send a status report
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
      uses: actions/checkout@v6
      with:
        persist-credentials: false
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v4
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      uses: github/codeql-action/autobuild@v4
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
    #    and modify them (or add more) to build your code if your project
    #    uses a compiled language
    #- run: |
    #   make bootstrap
    #   make release
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v4
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -2,16 +2,25 @@ name: Automatic Rebase
 on: [pull_request_target]
-permissions: read-all
+permissions:
  contents: read
 jobs:
  _:
    permissions:
      contents: write
    name: "Automatic Rebase"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+    - name: Harden Runner
-      - uses: ljharb/rebase@master
+      uses: step-security/harden-runner@v2
-        env:
+      with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        allowed-endpoints:
          api.github.com:443
          github.com:443
    - uses: actions/checkout@v4
    - uses: ljharb/rebase@master
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,7 +17,6 @@ jobs:
            api.github.com:443
            objects.githubusercontent.com:443
            raw.githubusercontent.com:443
            release-assets.githubusercontent.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/require-allow-edits.yml
+++ b/.github/workflows/require-allow-edits.yml
@@ -2,13 +2,23 @@ name: Require “Allow Edits”
 on: [pull_request_target]
-permissions: read-all
+permissions:
  contents: read
 jobs:
  _:
    permissions:
      pull-requests: read
    name: "Require “Allow Edits”"
    runs-on: ubuntu-latest
    steps:
-      - uses: ljharb/require-allow-edits@main
+    - name: Harden Runner
      uses: step-security/harden-runner@v2
      with:
        allowed-endpoints:
          api.github.com:443
    - uses: ljharb/require-allow-edits@main
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/windows-npm.yml
+++ b/.github/workflows/windows-npm.yml
@@ -72,11 +72,8 @@ jobs:
            unset npm_config_prefix
            export NVM_INSTALL_GITHUB_REPO="$NVM_INSTALL_GITHUB_REPO"
            export NVM_INSTALL_VERSION="$NVM_INSTALL_VERSION"
            export HOME="$(cygpath -u "$USERPROFILE")"
            echo "HOME is $HOME"
            curl -fsSLo- "https://raw.githubusercontent.com/${NVM_INSTALL_GITHUB_REPO}/${NVM_INSTALL_VERSION}/install.sh" | bash
            ls -l $HOME/.nvm
            . "$HOME/.nvm/nvm.sh"
            nvm install --lts
@@ -133,16 +130,6 @@ jobs:
        with:
          distribution: ${{ matrix.wsl-distrib }}
          additional-packages: bash git curl ca-certificates wget
      # see https://github.com/Vampire/setup-wsl/issues/76#issuecomment-3258201135
      - shell: 'wsl-bash {0}'
        run: 'sed -i s/ftp.debian.org/archive.debian.org/ /etc/apt/sources.list'
      - uses: Vampire/setup-wsl@v3
        with:
          distribution: ${{ matrix.wsl-distrib }}
          additional-packages: bash git curl ca-certificates wget
          update: 'true'
      - name: Retrieve nvm on WSL
        run: |
          if [ -z "${{ matrix.method }}" ]; then
@@ -186,16 +173,6 @@ jobs:
        with:
          distribution: ${{ matrix.wsl-distrib }}
          additional-packages: bash git curl ca-certificates wget
      # see https://github.com/Vampire/setup-wsl/issues/76#issuecomment-3258201135
      - shell: 'wsl-bash {0}'
        run: 'sed -i s/ftp.debian.org/archive.debian.org/ /etc/apt/sources.list'
      - uses: Vampire/setup-wsl@v3
        with:
          distribution: ${{ matrix.wsl-distrib }}
          additional-packages: bash git curl ca-certificates wget
          update: 'true'
      - name: Retrieve nvm on WSL
        run: |
          if [ -z "${{ matrix.method }}" ]; then
--- a/README.md
+++ b/README.md
@@ -150,7 +150,7 @@ RUN touch "${BASH_ENV}"
 RUN echo '. "${BASH_ENV}"' >> ~/.bashrc
 # Download and install nvm
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | PROFILE="${BASH_ENV}" bash
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.2/install.sh | PROFILE="${BASH_ENV}" bash
 RUN echo node > .nvmrc
 RUN nvm install
 ```
--- a/install.sh
+++ b/install.sh
@@ -163,7 +163,8 @@ install_nvm_from_git() {
      }
    else
      # Cloning repo
-      command git clone -o origin "$(nvm_source)" --depth=1 "${INSTALL_DIR}" || {
+      command git clone "$(nvm_source)" --depth=1 -o origin "${INSTALL_DIR}" 2> /dev/null \
        || command git clone "$(nvm_source)" --depth=1 "${INSTALL_DIR}" || {
        nvm_echo >&2 'Failed to clone nvm repo. Please report this!'
        exit 2
      }
--- a/nvm.sh
+++ b/nvm.sh
@@ -2985,8 +2985,7 @@ nvm_check_file_permissions() {
      if [ ! -L "${FILE}" ] && ! nvm_check_file_permissions "${FILE}"; then
        return 2
      fi
-    elif [ -e "$FILE" ] && [ ! -w "$FILE" ] && [ -z "$(command find "${FILE}" -prune -user "$(command id -u)")" ]; then
+    elif [ -e "$FILE" ] && [ ! -w "$FILE" ] && [ ! -O "$FILE" ]; then
      # ^ file ownership check from https://www.shellcheck.net/wiki/SC3067
      nvm_err "file is not writable or self-owned: $(nvm_sanitize_path "$FILE")"
      return 1
    fi
--- a/package.json
+++ b/package.json
@@ -45,9 +45,9 @@
    "dockerfile_lint": "^0.3.4",
    "doctoc": "^2.2.1",
    "eclint": "^2.8.1",
-    "markdown-link-check": "^3.14.2",
+    "markdown-link-check": "^3.13.7",
    "replace": "^1.2.2",
-    "semver": "^7.7.3",
+    "semver": "^7.7.1",
    "urchin": "^0.0.5"
  }
 }
Author	SHA1	Message	Date
Roy Ivy III	f0c80d5249	Merge `cae2eb71a2` into `977563e97d`	2025-04-27 14:18:14 +00:00
Roy Ivy III	cae2eb71a2	[Fix] specify 'origin' remote name with `git clone ...` installs `git` may be configured locally to use a non-'origin' default remote name. So, specify 'origin' as the remote name when cloning to get the expected setup.	2024-05-03 00:36:04 -05:00