Path lists in environmental variables often give special meaning to
empty entries (e.g. in PATH or MANPATH). These are represented by
leading or trailing colons, or by doubled colons in the middle of the
list.
Adjust the awk invocation to correctly deal with trailing colons by
printing the separator before every field except the first, and then
printing the final separator that is read from the input - this will
either be a colon or the null string. This preserves leading and
trailing colons in all cases while not adding extra colons in the wrong
place.
Add test to confirm the correct behaviour.
Fixes#3144
I had to dig into #2410 to learn about the `PROFILE=/dev/null` technique to install without appending to my shell config. Figured this note would be good to add in the main installation docs.
Also added a note on how to do this as a one-liner which was not obvious for me.
the `nvm.sh` file assigns and exports an `NVM_CD_FLAGS` variable if it
was sourced from a zsh shell. the fact that it's exported means that
it'll be assigned in all child processes, including the `nvm-exec`
script, which uses bash as the interpreter.
Bash's `cd` command doesn't have a `-q` flag, so if the `NVM_CD_FLAGS`
is assigned `-q`, the script will error out and incorrectly claim that
the node version isn't installed.
this also manifests itself in the `nvm exec` command.
Example:
```console
$ nvm exec 16.14.0 npm --version
Running node v16.14.0 (npm v8.3.1)
/Users/<ME>/.nvm/nvm.sh: line 28: cd: -q: invalid option
cd: usage: cd [-L|[-P [-e]] [-@]] [dir]
both the tree and the node path are required
N/A: version "v16.14.0 -> N/A" is not yet installed.
You need to run "nvm install v16.14.0" to install it before using it.
```
To address this, we unset the `NVM_CD_FLAGS` at the start of the
`nvm-exec` script, before loading `nvm.sh`.
Remove the call to `ls` that was used to determine the symlink
destination
Reasoning :
* `od` resolves symlink itself due to the use of `fopen`
* Prevent the behaviour of `od` which will hang if the filename is
empty (i.e. `/sbin/init` missing) as it will be waiting for `stdin`
compared to quitting with error if the file just doesn't exist
Fixes#3006
Incorporates old Contributing.md with more thorough details on how to contribute, create bug reports, set up the dev environment, and creating PR's itself.
No need to escape the `/` char in a grep pattern.
This is to fix the below error when using newer grep with `nvm_command_info`
> $ nvm_command_info curl
> grep: warning: stray \ before /
> /usr/bin/curl
This happens with at least GNU grep 3.8 version.
Fixes#2860.
This fixes these two linting errors:
- fqcn-builtins: Use FQCN for builtin actions.
- name: All names should start with an uppercase letter. (name[casing])
`nvm install` fails with "Binary download failed, trying source" when
- running on Bash;
- errtrace (`set -E`) is enabled;
- an ERR trap uses `exit` to return a non-zero status; and
- /sbin/init doesn't exist.
Resolved by moving `ls -dl /sbin/init` to the following `if` statement.
In this context, returning non-zero isn't an error and the ERR trap
isn't executed.
Nesting the `elif` at the same level as the `if` and `fi` makes it clear which code applies to which branch (no .nvmrc file / found .nvmrc file).
I wasted a while looking at it trying to work out how it did anything if there was a .nvmrc file, because obviously the `if` didn't match and I couldn't see the `elif` branch.
Since markdown-link-check hasn't support relative links, to make the
test passed, move this link to use absolute URL so that we can introduce
the new test. cc tcort/markdown-link-check#10
The instructions seemed to encourage the misconception that `arch -x86_64 zsh` somehow modifies the default architecture for `zsh`, an operation which would need to be "reverted".
In fact, `arch -x86_64 …` merely spawns a new process under the selected architecture.
Fixes#2420. When using `nvm install` with an already installed
version, Bash (and potentially other shells) may emit an unbound
variable error when `set -u` is set. The presence of the error depends
on specific shell versions, but appears to happen in MacOS 11.1 (Big
Sur) using a recent Bash version installed via Homebrew (as of this
writing).
The fix accesses `ALIAS` correctly for the case where it is not set by
an `alias` option to `nvm install`.
When the `nvm` function is called by a script which itself uses a variable
named `i`, `nvm` clobbers the caller's variable. This happens even if the
caller has declared its variable as local.
See note 1 on https://tldp.org/LDP/abs/html/localvar.html#FTN.AEN18568
This command allows users to replace default colors with their own custom colors.
- top-level commands modified: alias, ls, ls-remote
- helper functions added: nvm_echo_with_colors, nvm_err_with_colors,
nvm_set_colors, nvm_get_colors, nvm_print_color_code
- functions modified: nvm_print_formatted_alias, nvm_print_versions, nvm_print_alias_path (implicitly), nvm_print_default_alias (implicitly), nvm_list_aliases (implicitly)
We added tests and info on using this command to the README!
Co-authored-by: Dena Burd <29719099+gitburd@users.noreply.github.com>
Co-authored-by: Naomi Quinones <52065567+naomiquinones@users.noreply.github.com>
locale-gen command seems missing since uncertain point for a while:
```
Step 15/33 : RUN locale-gen en_US.UTF-8
---> Running in fae073c89c01
/bin/bash: locale-gen: command not found
The command '/bin/bash -o pipefail -c locale-gen en_US.UTF-8' returned
a non-zero code: 127
```
This patch should fix the Docker image build
The workaround came from this GitHub issue comment:
https://github.com/koalaman/shellcheck/issues/1053#issuecomment-357816927
Looks like the problem doesn't exist any more:
```
.
.
.
Step 14/33 : RUN shellcheck -V
---> Running in 4b7a718c1cbf
ShellCheck - shell script analysis tool
version: 0.7.0
license: GNU General Public License, version 3
website: https://www.shellcheck.net
.
.
.
```
The workaround should be removed so that the Dockerfile will be easier
to be understand and read.
Fixed a bug where --silent mode was failing for nvm use I ran a test
that just ran ```nvm use node --silent``` that I wrote by myself.
Unfortunately I noticed a bug where it still prints out some messages in
different cases. This pull request is to fix that bug. * Added in an argument
called ***quiet*** to the nvm_rc_version() function at *line 339* * Printed
anything inside the nvm_rc_version() only in the scenario where quiet mode is
off * Ran the nvm_rc_version() function in quiet mode only if silent mode is
on in the "use" command of nvm at *line 2990* * Ran *nvm_echo* and *nvm_err*
inside the "use" command of nvm only in the scenario where silent mode is off
(There were 4 scenarios where this was forgotten) * Edited the ```nvm
deactivate``` command to include a silent mode * Changed the help page to
include the --silent option for ```nvm deactivate``` * Added in aliases for
the --silent flag in ```nvm deactivate``` and ```nvm use``` * Used silent
mode inside the ```nvm use``` when running ```nvm deactivate``` inside it and
silent mode is on A test was attached in the 'test/slow/nvm use' directory.
It is named *Running "nvm use node --silent" doesn't print anything*. It runs
```nvm use node --silent and checks``` and succeeds if the OUTPUT matches the
EXPECTED_OUTPUT which is *null* or *''*. When the test was run locally, it
still ouputed results if someone deleted some contents of the *.nvm/* folder.
This output was given from the ```nvm deactivate command```. This was the
reason that the ```nvm deactivate``` was edited to include silent mode.
For: `nvm install 8.12.0` after install:
--alias=8 is equivalent to `nvm alias 8 8.12.0`
--default is equivalent to `nvm alias default 8.12.0`
Co-authored-by: Kayla Altepeter <kayla@kaylaaltepeter.com>
Co-authored-by: Dena Burd <me@Denas-MacBook-Air.local>
Co-authored-by: Jordan Harband <ljharb@gmail.com>
Added an example for LTS updates that also reinstall the existing packages.
This is useful for individuals who run the latest LTS version along with global packages and need to update when the LTS version gets bumped
macOS only supports extracting xz tarballs with `tar` in 10.9 and up.
GNU tar needs an `xz` executable on the `PATH` to extract xz tarballs.
(These are the most common variants of tar, so until further testing
is done, conservatively assume all variants of tar (other than the one
shipped with macOS) need an xz executable on the PATH in order to
decompress xz tarballs.)
Fixes#2155.
Renames node_version_has_solaris_binary and nvm_iojs_version_has_solaris_binary
to be prefixed with nvm_ so they do not show up in tab completion following the
word "node".
Clean up readme structure a bit to help with readability. fix
instructions which could lead to a sourcing loop if misinterpreted.
guidance should direct macos users to simply copy the source snippet
manually into their desired profile file.
Resolve#2123
Adds the following information to the "Migrating global packages while installing" section:
- notification that the npm package is explicitly not updated when using the --reinstall-packages-from flag
- information about the --latest-npm flag
- recovery instructions if a user has already updated node with an incompatible npm version
- Operating system and version: Mac OS X Mojave
- What happened? $NVM_DIR was set to nvm
- What did you expect to happen? $NVM_DIR should be set to .nvm
I added the following line from the README to my .zshrc:
```
export NVM_DIR="${XDG_CONFIG_HOME/:-$HOME/.}nvm"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm
```
I couldn't figure out why nvm wasn't loading, until I realized that
`echo NVM_DIR="${XDG_CONFIG_HOME/:-$HOME/.}nvm"` outputs `NVM_DIR=nvm`.
Changing the line to `export NVM_DIR="${XDG_CONFIG_HOME/:-$HOME/}.nvm"` fixed the problem. This outputs `NVM_DIR=.nvm` as expected. I tested this and the same behavior holds true in Bash as well.
It was trying to read ./.nvmrc if you cd'ed into a subdirectory of the directory that has .nvmrc, which would give print `-bash: ./.nvmrc: No such file or directory` to stderr and potentially not doing the `nvm install`.
With the environment variable XDG_CONFIG_HOME set, the installation
script uses the directory $XDG_CONFIG_HOME/nvm now. Before the change
the variable's value with "/nvm" cut off was used, which usually results
in an installation without any subdirectory.
- fix test 'Running "nvm ls" should display all installed versions.': only expect versions created by this test, but no versions created by other tests
Add Ansible task example to show how to install nvm and update it.
Ansible is a systems administration tool.
See https://github.com/ansible/ansible
My personal experience of `nvm` is that installing via Ansible is good, and that a good example can help. This example took me about an hour to learn, so I'm hoping to save other people some time. This example is somewhat different than any others that I found on the web. There may be a better way to write it, and if so, please improve it.
- Lists should be surrounded by blank lines
- Use only `1.` for ordered list item prefix
- Starting bulleted lists at the beginning of the line
- Fenced code blocks should be surrounded by blank lines
this is done by checking if the user supplies `PROFILE=/dev/null` when running `install.sh`, the `nvm_detect_profile` function will not output any strings, causing `nvm_do_install` to skip adding `SOURCE_STR`.
curl output is turned off by `-s` in the same place, we should unify the
behavior on wget, also, this help removes those wget outputs that can't
fit our coding style tests. cc #1739
Use pre-built static release binary instead of building ShellCheck from
the source code, this change would save disk space, time, and much
computing resources.
Fixes
- fix unassigned variable (#1665, #1664)
- Fix for $path used by zsh (#1669)
- `set -u`: ensure `NVM_USE_OUTPUT` is always set (#1671)
- `install.sh`: Fix a bug that block that installation of node in install.sh (#1676)
- `nvm install-latest-npm`: fix node 4-4.6
Documentation
- Make `nvm cache clear` message less ambiguous (#1644)
- Added missing piece (#1658)
curl < 7.21.0 will output redirection reponse body to the output when compressed, which will cause tarball is prepended with redirection reponse body and leads to checksum mismatch.
- add `nvm_curl_use_compression` and `nvm_curl_version`
If installation is prompted to be successful, yet `which nvm` command returns `not found` then you might need to restart your terminal instance. Try opening a new tab/window in your terminal and retry.
- added git as the last method before full manual install.
- added the directory on `git clone` command
- added the `git checkout v0.33.1` as the -v gets updated automatically
Enable `--compressed` parameter on curl to automatically enable
compression on request content by sending coressponding header, if the
server side supports compression format like deflate or gzip, curl will
also decompress the content automatically, so there is no additional
works need to done manually on client side, but just enjoy the benifits
of bandwidth and time saving!
Take https://nodejs.org/dist/index.tab as an example which is last
modified on Tue, 14 Mar 2017 22:41:05 GMT, the compressed transmission
only take 4829 bytes howevet the not compressed on taks 48000 bytes,
which is about 10 times larger!
This feature can be traced back to Sep 3 2002, in curl commit:
- 64bbe9dfaf
So should be supported on various versions widely.
1. If we are not going to install nodejs or io.js from source, we may
not need to have c++ compiler or libssl-dev package
2. the `build-essential` and `libssl-dev` packages should work on all
the Debian and Ubuntu based GNU/Linux distros
3. Remove useless blank lines
By manpath's man page in Ubuntu 16.04:
> If $MANPATH is set, manpath will simply display its contents and issue
> a warning.
By fa22d712ff for #1413, `nvm` now will
declare the "MANPATH" variable, no matter if it's set or not, so in the
situation that $MANPATH is set, you'll get the warning:
> manpath: warning: $MANPATH set, ignoring /etc/manpath.config
Note: I believe this does not fix the underlying issue in zsh, which is
that it does not split up `$ADDITIONAL_PARAMETERS` and instead passes
the contents as one single argument.
This was an "oops" on my part when I was testing changes for my work
that was later adapted & merged in f1bca106a8.
LibreSSL is never installed as a `libressl` as it is intended to be a
replacement for `openssl` as much as possible, and consequently the
executable is called `openssl`.
1. This can help speed up the apt process since we decrease the
complexity of apt sources and package dependencies resolving by dropping
an additional ppa source.
2. Stack doesn't update ShellCheck to v0.4.5 after it has been released
more than one month, Cabal can provide ShellCheck v0.4.5
- Use Travis CI apt addon source whitelist to load apt source
- Use Travis CI apt addon to install additional packages
This can prevent duplicating apt package list update and dependencies
calculation which means it can speed up the CI build.
This will help speed up the installation time for the non-first time
installation, especially can speed up the build time and test time on
Travis-CI as we'll cache .cache dir.
Currently AIX isn't supported in nvm so I have made a few small changes
to make this work:
change tar to gtar for AIX
change make to gmake for AIX
Set ARCH as ppc64 for AIX
If you go to the [fin repo](https://github.com/fisherman/fin) you'll see that it isn't a node version manager, but simply a plugin manager for Fish. Seems out of scope for the readme, and there are other plugin solutions for fish as well. I suggest removing the reference.
Line 302/301 `printf "$SOURCE_STR"` is missing a trailing newline char,
while line 281/282 and 285/286 have their own new line char, so I just
remove the manually added newline char, and add it to the end of the
variable "$SOURCE_STR", so no more manually newline char needed there.
On SmartOS setups using 64 bits pkgsrc repositories, `nvm_get_arch`
would not handle pkg_info's output properly.
This would result in nvm not being to install any node binary when
running on SmartOS setups using a 64 bits pkgsrc repository.
This change fixes this problem, and fixes the tests suite on similar
setups.
git-describe was taught `--abbrev=0` in 1.5.0:
https://github.com/git/git/blob/master/Documentation/RelNotes/1.5.0.txt
git-describe was taught `--match` in 1.5.5:
https://github.com/git/git/blob/master/Documentation/RelNotes/1.5.5.txt
I don't see anything else potentially weird in here, so I think it is
safe to proclaim that the minimum git version required to run these
commands is 1.5.5.
Documenting this minimum version required here should help people debug
possible issues and help maintainers of this project understand the
impacts of modifying these commands in the future.
As suggested by @ljharb, this might be a little cleaner. I'm not
entirely sure, but in any case, it is consistent with the upgrade
instructions, so that is nice.
I recently upgraded my copy of nvm and I was disappointed to be dropped
in the .nvm directory at the end of it. I also didn't like having to
copy and paste two separate blocks of code into my terminal, because I
missed the second one the first time around and was left in a slightly
confusing state. So, I decided to make this easier by utilizing
subshells and moving all of the instructions into one code block in this
document. I think this will improve people's experience maintaining this
tool.
`git describe` will match the latest tags, regardless of what it looks
like. We can make this a little safer by adding a `--match` flag to
match tags that look like version tags. This allows the maintainers of
this repo to more safely add other types of tags if they so wish,
without causing people to install or upgrade to those versions.
I recently ran the upgrade instructions and I ended up with the version
I was already on. This happened because `git describe` describes a
commit using the most recent tag reachable from it. Since I already had
a tag checked out, it was describing the tag I had already checked out.
Thankfully, `git describe` accepts an optional commit-ish, which it will
use instead of what we have currently checked out. Testing this in my
terminal now gives me the latest tag on origin, which is what I am
interested in when updating to the latest version.
~/.nvm ❯❯❯ git describe --abbrev=0 --tags
v0.30.1
~/.nvm ❯❯❯ git describe --abbrev=0 --tags origin
v0.31.3
I also added it to the manual install instructions for consistency and
extra safety.
Fixes#1146 by grouping the commands that handle the error.
I also removed a subshell wrapper from a similar set of lines right
above. It looks to me like that is no longer necessary.
`nvm use`, `nvm run` and others check if the version is installed before executing Node, but the error message could be clearer on what steps the user has to take to achieve what they want, this makes that clearer.
When sourcing a script without parameters in zsh the sourced scripts
gets the same parameters as the sourcing file and is able to modify
these parameters. Prevent nvm from removing all parameters of sourcing
script by processing a copy of the parameters in a function.
This commit adds (optional) support for additional sha256 checksum utilities
for newer versions of node.js and io.js that use sha256 checksums rather than
sha1.
If nothing is found to do a sha256 checksum on the client machine, a warning is
printed and things continue on as normal.
Following comments from @ljharb on incorporating some of @DomT4's PR
creationix/nvm#664, and making this checksum optional. If I could I would
gladly include this as an addon to the now closed PR creationix/nvm#664. I am
choosing not to file it onto that PR because it's closed and (currently)
significantly behind the master branch.
@DomT4 did the hard work of actually finding all the different ways in which
one could verify a sha256 checksum, I've just included those here in an effort
to move forward with sha256 checksum support.
Add prompt when there is no binary for node version greater than v1.0.0
Currently, on FreeBSD, if we try `nvm install 4.2`, we will only get:
> Installing node v1.0 and greater from source is not currently supported
In fact I had no idea what's wrong because I didn't use `-s` parameter for it,
and then I found that there are two reasons:
1. There was no pre-built nodejs binary from official for FreeBSD, which means we need to build from source.
2. nvm doesn't support build for v1.0 and greater version from source yet.
So I think there should be a prompt message to tell the user about the reason why nvm will go to build from source,
no matter it will succeed or fail.
Includes references to `nvm` plugin for Oh My Fish framework,
which implements not only a fish wrapper to official `nvm` script,
but also provides completions.
Saves us ~25% bandwidth while downloading the payload. This only applies
to hosts that has the `xz` binary and attempts to use iojs 2.3.2 or newer
(this includes nodejs 4.0+ as well). Older targets are unaffected.
<!-- Thank you for being interested in nvm! Please help us by filling out the following form if you‘re having trouble. If you have a feature request, or some other question, please feel free to clear out the form. Thanks! -->
#### Operating system and version:
#### `nvm debug` output:
<details>
<!-- do not delete the following blank line -->
```sh
```
</details>
#### `nvm ls` output:
<details>
<!-- do not delete the following blank line -->
```sh
```
</details>
#### How did you install `nvm`?
<!-- (e.g. install script in readme, Homebrew) -->
#### What steps did you perform?
#### What happened?
#### What did you expect to happen?
#### Is there anything in any of your profile files that modifies the `PATH`?
Please email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.
## OpenSSF CII Best Practices
[](https://bestpractices.coreinfrastructure.org/projects/684)
There are three “tiers”: passing, silver, and gold.
### Passing
We meet 100% of the “passing” criteria.
### Silver
We meet 95% of the “silver” criteria. The gaps are as follows:
- we do not have a DCO or a CLA process for contributions.
- because we only have one maintainer, the project has no way to continue if that maintainer stops being active.
- we do not currently document “what the user can and cannot expect in terms of security” for our project. This is planned to be completed in 2023.
### Gold
We meet 65% of the “gold” criteria. The gaps are as follows:
- we do not yet have the “silver” badge; see all the gaps above.
- We do not include a copyright or license statement in each source file. Efforts are underway to change this archaic practice into a suggestion instead of a hard requirement.
Threat model analysis assists organizations to proactively identify potential security threats and vulnerabilities, enabling them to develop effective strategies to mitigate these risks before they are exploited by attackers.
Furthermore, this often helps to improve the overall security and resilience of a system or application.
The aim of this section is to facilitate the identification of potential security threats and vulnerabilities that may be exploited by adversaries, along with possible outcomes and appropriate mitigations.
## Relevant assets and threat actors
The following assets are considered important for the `nvm` project:
-`nvm` source code and project documentation
- Underlying `nvm`` dependencies
-`nvm` development infrastructure
-`nvm` installed devices including servers
The following threat actors are considered relevant to the `nvm` application:
- External malicious attackers
- Internal malicious attackers
- Services
- Malicious insider actors
- Third-party libraries
## Attack surface for external/internal attackers and services
In threat modeling, an attack surface refers to any possible point of entry that an attacker might use to exploit a system or application.
This includes all the paths and interfaces that an attacker may use to access, manipulate or extract sensitive data from a system.
By understanding the attack surface, organizations are typically able to identify potential attack vectors and implement appropriate countermeasures to mitigate risks.
In the following diagrams, _External Malicious Attacker_ applies to threat actors who do not yet have direct access to the `nvm` application and the underlying operating system, while the _Internal Malicious Attacker_ applies to an attacker with access to the device (computer, server), potentially after successfully exploiting a threat from the _External Malicious Attacker_ scenario.
**Please note that some of the external threats may be also exploitable from internal threats and vice versa.**
<imgsrc="./external-threat-actor.png"alt="Fig.: Possible attacks from internal and external threat actors and services"/>
Fig.: Possible attacks from internal and external threat actors and services
## Identified threats
The identified threats against the `nvm` application are as follows:
### Threat ID 1: `nvm` commands
Overview: The `nvm` commands and subcommands take user input for handling and executing appropriate functions from the project directory (or any parent directory).
When user-controlled inputs are not adequately validated and later passed to the `nvm` functions as a part of a command, an attacker might be able to execute operating system commands triggered by any parsing functionality.
Possible Outcome: Attacks against `nvm` commands could lead to unauthorized access to user data or unauthorized access to the device (i.e. laptop or server, depending on where `nvm` is installed), resulting in loss of user private data stored on the device, among other possibilities.
Recommendation: Input validation should be implemented to prevent attackers from requesting operating system commands.
Similarly, secure coding practices ought to be in place to minimize the risk of buffer overflow vulnerabilities.
### Threat ID 2: URI scheme
Overview: `nvm` commands heavily use the [Secure HyperText Transfer](https://datatracker.ietf.org/doc/html/rfc2660) protocol for `nvm` related actions.
Missing [scheme](https://datatracker.ietf.org/doc/html/rfc3986#section-3.1) validation for any `nvm` command might result in file retrieval, enumeration, file overwrite, or [path traversal](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include) attacks.
An example of this could be path validation for [`nvm_download`](https://github.com/nvm-sh/nvm/blob/ef7fc2f2c06ad75fe7fbabf28d427561ae7b007d/nvm.sh#L118), among many other possibilities.
Possible Outcome: Security misconfiguration flaws for URI scheme may lead to unauthorized access to user data, as well as data integrity compromises.
Recommendation: Adequate input validation should be implemented to prevent attackers from enumerating, retrieving and writing to application files and paths.
### Threat ID 3: Communication channel
Overview: The `nvm` commands and its subcommands use network protocol to communicate with external services.
Insecure communication may allow malicious attackers to perform [_Man-in-the-Middle_](https://owasp.org/www-community/attacks/Manipulator-in-the-middle_attack) attacks in order to manipulate the data sent during the users’ active connection.
Possible Outcome: Usage of plaintext communication protocols, like HTTP could lead to data sniffing and modification through insecure communications channels.
Recommendation: Mitigation countermeasures such as data encryption should be in place to prevent data manipulation via insecure communication channels.
### Threat ID 4: Environment variables
Overview: Each `nvm` installation defines its environment variables, which should be secured from internal malicious attackers, preventing access control attack vectors.
Missing stringent restrictions on setting variables, might allow attackers to prepare various targeted attacks against other local users, who use `nvm` in their user space.
For example, [_Privilege Escalation_](https://owasp.org/Top10/A01_2021-Broken_Access_Control/), [_Command Injection_](https://cwe.mitre.org/data/definitions/77.html), as well as many other parser-related attacks.
Possible Outcome: Attacks against environment variables could lead to unauthorized access to the user space, resulting in the loss of user private data and disruptions in service availability.
Recommendation: Adequate hardening of configuration file permissions should be in place for all relevant configuration files, as this provides protection against attackers able to manipulate variables and inject malicious code.
## Attack surface for malicious insider actors and third-party libraries
The following diagram summarizes the main possible threats against the `nvm` project from malicious insider actors and third-party libraries:
<imgsrc="./insider-threat-actor-and-libs.png"alt="Fig.: Possible attacks from insider threat actors and third-party libraries"/>
Fig.: Possible attacks from insider threat actors and third-party libraries
The identified threats against the `nvm` project are as follows:
### Threat ID 1: Insider threat actor
**Overview**: An insider threat actor, such as an `nvm` project contributor or employee with access to the code base, might abuse their role in the organization to modify the `nvm` application source code.
For example, intentionally adding malicious code snippets, clearing logs after being written and/or modifying specific sections of the documentation.
**Recommendation**: Secure coding practices, code reviews, automated code scanning and separation of duties (i.e. requiring at least two developers to approve any code change) are potentially useful security controls to identify and mitigate vulnerabilities that may be introduced by an insider threat actor.
### Threat ID 2: Third-party libraries
**Overview**: Please note that while `nvm` does not currently make use of any third-party libraries, this might become an attack vector if that changes in the future.
Third-party libraries may introduce potential risks related to maintaining security requirements by third-party vendors.
As a result, third-party libraries used by the `nvm` project, might contain vulnerabilities, such as [_Buffer Overflows_](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow), [_Format String Vulnerabilities_](https://owasp.org/www-community/attacks/Format_string_attack), as well as many other types of weaknesses that, in a worst-case scenario may lead to _Remote Code Execution_ (_RCE_).
Additionally, the maintainer of a third-party dependency might introduce a vulnerability on purpose, or be compromised by an attacker that subsequently introduces vulnerable code.
**Possible Outcome**: Code vulnerabilities may lead to unauthorized access to user data, loss of user private data, service disruptions and reputation damage.
**Recommendation**: Third-party libraries should be kept up-to-date, applying patches to address publicly known vulnerabilities in a timely fashion.
Monitoring and logging capabilities should also be in place to detect and respond to potential attacks.
SLSA compliance may also be considered for further supply chain security hardening.
`nvm`, as a member project of the OpenJS Foundation, uses [Contributor Covenant v2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) as their code of conduct. The full text is included [below](#contributor-covenant-code-of-conduct) in English, and translations are available from the Contributor Covenant organisation:
Refer to the sections on reporting and escalation in this document for the specific emails that can be used to report and escalate issues.
## Reporting
### Project Spaces
For reporting issues in spaces related to `nvm` please use the email `ljharb@gmail.com`. `nvm` handles CoC issues related to the spaces that it maintains. Projects maintainers commit to:
- maintain the confidentiality with regard to the reporter of an incident
- to participate in the path for escalation as outlined in the section on Escalation when required.
### Foundation Spaces
For reporting issues in spaces managed by the OpenJS Foundation, for example, repositories within the OpenJS organization, use the email `report@lists.openjsf.org`.
The Cross Project Council (CPC) is responsible for managing these reports and commits to:
- maintain the confidentiality with regard to the reporter of an incident
- to participate in the path for escalation as outlined in the section on Escalation when required.
## Escalation
The OpenJS Foundation maintains a Code of Conduct Panel (CoCP).
This is a foundation-wide team established to manage escalation when a reporter believes that a report to a member project or the CPC has not been properly handled.
In order to escalate to the CoCP send an email to `coc-escalation@lists.openjsf.org`.
For more information, refer to the full [Code of Conduct governance document](https://github.com/openjs-foundation/cross-project-council/blob/HEAD/CODE_OF_CONDUCT.md).
---
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our community include:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
* Focusing on what is best not just for us as individuals, but for the overall community
Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at [@ljharb](ljharb@gmail.com).
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the reporter of any incident.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series of actions.
**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within the community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.1, available at
:+1::tada: First off, thanks for taking the time to contribute to `nvm`! :tada::+1:
We love pull requests and issues, they're our favorite.
The following is a set of guidelines for contributing to `nvm` managed by [@LJHarb](https://github.com/ljharb), which is hosted on GitHub. These are mostly guidelines, not rules. Use your best judgment, and feel free to propose changes to this document in a pull request.
However, before submitting, please review the following:
- Please include tests. Changes with tests will be merged very quickly.
- Please manually confirm that your changes work in `bash`, `sh`/`dash`, `ksh`, and `zsh`. Fast tests do run in these shells, but it's nice to manually verify also.
- Please maintain consistent whitespace - 2-space indentation, trailing newlines in all files, etc.
- Any time you make a change to your PR, please rebase freshly on top of master. Nobody likes merge commits.
# How Can I Contribute?
Even if you don't have all of these items covered, please still feel free to submit a PR! Someone else may be inspired and volunteer to complete it for you.
There are lots of ways to get involved. Here are some suggestions of things we'd love some help with.
Thanks again!
## Resolving existing issues
You can consider helping out with issues already requiring attention - look for a "help wanted" label.
### How Do I Submit a (Good) Bug Report? :bug:
Explain the problem and include additional details to help maintainers reproduce the problem:
* **Use a clear and descriptive title** for the issue to identify the problem.
* **Describe the exact steps which reproduce the problem** in as many details as possible. For example, start by explaining which command exactly you used in the terminal. When listing steps, **don't just say what you did, but explain how you did it**. For example, if you moved the cursor to the end of a line, explain if you used the mouse, or a keyboard shortcut or a command, and if so which one?
* **Provide specific examples to demonstrate the steps**. Include links to files or Github projects, or copy/pasteable snippets, which you use in those examples. If you're providing snippets in the issue, use [Markdown code blocks](https://help.github.com/articles/markdown-basics/#multiple-lines).
* **Describe the behavior you observed after following the steps** and point out what exactly is the problem with that behavior.
* **Explain which behavior you expected to see instead and why.**
* **Provide as much context as possible** in order to help others verify and ultimately fix the issue. This includes giving us as much details as possible about your environment, so we can more easily confirm the problem.
## Documentation
We are happy to welcome contributions from anyone willing to improve documentation by adding missing information or making it more consistent and coherent.
# Dev Environment
Please refer to the [README](README.md) for complete instructions how to install, update, as well as troubleshoot `nvm` in your environment depending on your Operating System.
# Style Guide / Coding conventions
### Pull requests
#### Before creating a pull request
- Please include tests. Changes with tests will be merged very quickly.
- Please manually confirm that your changes work in `bash`, `sh`/`dash`, `ksh`, and `zsh`. Fast tests do run in these shells, but it's nice to manually verify also.
- Please maintain consistent whitespace - 2-space indentation, trailing newlines in all files, etc.
- Any time you make a change to your PR, please rebase freshly on top of the default branch. Nobody likes merge commits.
Even if you don't have all of these items covered, please still feel free to submit a PR/issue! Someone else may be inspired and volunteer to complete it for you.
#### How to create a pull request
Create a new branch
```
git checkout -b issue1234
```
Commit the changes to your branch, including a coherent commit message that follows our [standards](#commit-messages)
```
git commit -a
```
Before sending the pull request, make sure your code is running on the latest available code by rebasing onto the upstream source
```
git fetch upstream
git rebase upstream/main
```
Verify your changes
```
npm test
```
Push your changes
```
git push origin issue1234
```
Send the [pull request](https://docs.github.com/en/pull-requests), make requested changes, and get merged.
### Commit Messages
* Limit the first line of the commit message (message summary) to 72 characters or less.
* Use the present tense ("Add feature" not "Added feature") and imperative mood ("Move cursor to..." not "Moves cursor to...") when providing a description of what you did.
* If your PR addresses an issue, reference it in the body of the commit message.
* See the rest of the conventions [here](https://gist.github.com/ljharb/772b0334387a4bee89af24183114b3c7)
#### Commit message example
```
[Tag]: Short description of what you did
Longer description here if necessary
Fixes #1234
```
> **Note:** Add co-authors to your commit message for commits with multiple authors
```
Co-authored-by: Name Here <email@here>
```
# Code of Conduct
[Code of Conduct](https://github.com/nvm-sh/nvm/blob/HEAD/CODE_OF_CONDUCT.md)
# Where can I ask for help?
If you have any questions, please contact [@LJHarb](mailto:ljharb@gmail.com).
Maintainers are responsible for issue/PR triage, feature additions, maintenance, bugfixes, security fixes, releases, promoting existing contributors to maintainers, managing repo and CI configuration, etc.
## Contributors
Anyone who contributes code or content or time, via issues or pull requests or otherwise. Contributors do not have any additional permissions on the project.
@@ -15,7 +15,7 @@ ifeq ($(findstring /,$(URCHIN)),) # urchin path was NOT passed in.
UTIL_CHECK :=$(or $(shell PATH="$(PATH)" which $(UTILS) >/dev/null &&echo'ok'),$(error Did you forget to run `npm install` after cloning the repo? At least one of the required supporting utilities not found: $(UTILS)))
endif
# The files that need updating when incrementing the version number.
# Define all shells to test with. Can be overridden with `make SHELLS=... <target>`.
SHELLS:= sh bash dash zsh # ksh (#574)
# Generate 'test-<shell>' target names from specified shells.
@@ -41,9 +41,9 @@ list:
.PHONY:$(SHELL_TARGETS)
$(SHELL_TARGETS):
@shell='$@';shell=$${shell##*-}; which "$$shell" >/dev/null ||{printf'\033[0;31m%s\033[0m\n'"WARNING: Cannot test with shell '$$shell': not found." >&2;exit 0;}&&\
printf'\n\033[0;34m%s\033[0m\n'"Running tests in $$shell";\
[ -z "$$TRAVIS_BUILD_DIR"]&&for v in $$(set| awk -F'=''$$1 ~ "^NVM_" { print $$1 }');dounset$$v;done&&unset v;\
for suite in $(TEST_SUITE);do$(URCHIN) -f -s $$shell test/$$suite || exit;done
printf'\n\033[0;34m%s\033[0m\n'"Running tests in $$shell";\
[ -z "$$TRAVIS_BUILD_DIR"]&&for v in $$(set| awk -F'=''$$1 ~ "^NVM_" { print $$1 }');dounset$$v;done&&unset v;\
for suite in $(TEST_SUITE);do$(URCHIN) -f -s $$shell test/$$suite || exit;done
# All-tests target: invokes the specified test suites for ALL shells defined in $(SHELLS).
printf"=== Bumping version **$$old_ver** to **$$new_ver** before committing and tagging:\n=== TYPE 'proceed' TO PROCEED, anything else to abort: "&&read response &&["$$response"='proceed']||{echo'Aborted.' >&2;exit 2;};\
printf"=== Bumping version **$$old_ver** to **$$new_ver** before committing and tagging:\n=== TYPE 'proceed' TO PROCEED, anything else to abort: "&&read response &&["$$response"='proceed']||{echo'Aborted.' >&2;exit 2;};\
nvm is a version manager for Node.js, designed to be installed per-user, and invoked per-shell. nvm works on any POSIX-compliant shell (sh, dash, ksh, zsh, bash), in particular on these platforms: unix, macOS, and Windows WSL.
## Section 0: Guiding Principles
The `nvm` project is part of the [OpenJS Foundation][openjs foundation], which operates transparently, openly, collaboratively, and ethically. Project proposals, timelines, and status must not merely be open, but also easily visible to outsiders.
## Section 1: Scope
`nvm` is a node version manager, focused on making it easy to install and manage multiple Node.js versions. Any features related to managing the installation and removal of Node.js on any node-supported platform are potentially in scope.
## Section 2: Relationship with OpenJS Foundation CPC.
Technical leadership for the projects within the [OpenJS Foundation][openjs foundation] is delegated to the projects through their project charters by the [OpenJS Foundation Cross-Project Council](https://openjsf.org/about/governance/) (CPC). In the case of the `nvm` project, it is delegated to the [`nvm` Maintainers](README.md#maintainers) (the “Maintainers”). The OpenJS Foundation's business leadership is the Board of Directors (the “Board”).
This `nvm` Charter reflects a carefully constructed balanced role for the Maintainers and the CPC in the governance of the OpenJS Foundation. The charter amendment process is for the Maintainers to propose changes using simple majority of the full Maintainers, the proposed changes being subject to review and approval by the CPC. The CPC may additionally make amendments to the project charter at any time, though the CPC will not interfere with day-to-day discussions, votes or meetings of the Maintainers.
### 2.1 Other Formal Project Relationships
Section Intentionally Left Blank
## Section 3: `nvm`'s Maintainers Governing Body
`nvm` is governed by its [maintainers](README.md#maintainers).
## Section 4: Roles & Responsibilities
The roles and responsibilities of `nvm`'s Maintainers are described in [GOVERNANCE.md](./GOVERNANCE.md).
- *Contributors*: contribute code or other artifacts, but do not have the right to commit to the codebase. Contributors work with the project’s maintainers to have code committed to the code base. A Contributor may be promoted to a Maintainer by the Maintainers. Contributors should rarely be encumbered by the Maintainers and never by the CPC or OpenJS Foundation Board.
- *Maintainers*: Contributors with any kind of decision-making authority in the project.
# Node Version Manager [][3]
## Installation
First you'll need to make sure your system has a c++ compiler. For OSX, XCode will work, for Ubuntu, the build-essential and libssl-dev packages work.
Note: `nvm` does not support Windows (see [#284](https://github.com/creationix/nvm/issues/284)). Two alternatives exist, which are neither supported nor developed by us:
Note: `nvm` does not support [Fish] either (see [#303](https://github.com/creationix/nvm/issues/303)). An alternative exists, which is neither supported nor developed by us:
- [bass](https://github.com/edc/bass) allows to use utilities written for Bash in fish shell
### Install script
To install you could use the [install script][2] using cURL:
To activate nvm, you need to source it from your shell:
. ~/.nvm/nvm.sh
I always add this line to my `~/.bashrc`, `~/.profile`, or `~/.zshrc` file to have it automatically sourced upon login.
Often I also put in a line to use a specific version of node.
## Usage
You can create an `.nvmrc` file containing version number in the project root directory (or any parent directory).
`nvm use`, `nvm install`, `nvm exec`, `nvm run`, and `nvm which` will all respect an `.nvmrc` file when a version is not supplied.
To download, compile, and install the latest v0.10.x release of node, do this:
nvm install 0.10
And then in any new shell just use the installed version:
nvm use 0.10
Or you can just run it:
nvm run 0.10 --version
Or, you can run any arbitrary command in a subshell with the desired version of node:
nvm exec 0.10 node --version
You can also get the path to the executable to where it was installed:
nvm which 0.10
In place of a version pointer like "0.10", you can use the special default aliases "stable" and "unstable":
nvm install stable
nvm install unstable
nvm use stable
nvm run unstable --version
If you want to install a new version of Node.js and migrate npm packages from a previous version:
nvm install node --reinstall-packages-from=node
This will first use "nvm version node" to identify the current version you're migrating packages from. Then it resolves the new version to install from the remote server and installs it. Lastly, it runs "nvm reinstall-packages" to reinstall the npm packages from your prior version of Node to the new one.
You can also install and migrate npm packages from specific versions of Node like this:
`nvm use` will not, by default, create a "current" symlink. Set `$NVM_SYMLINK_CURRENT` to "true" to enable this behavior, which is sometimes useful for IDEs.
## License
nvm is released under the MIT license.
Copyright (C) 2010-2014 Tim Caswell
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
## Running tests
Tests are written in [Urchin]. Install Urchin (and other dependencies) like so:
npm install
There are slow tests and fast tests. The slow tests do things like install node
and check that the right versions are used. The fast tests fake this to test
things like aliases and uninstalling. From the root of the nvm git repository,
run the fast tests like this.
npm run test/fast
Run the slow tests like this.
npm run test/slow
Run all of the tests like this
npm test
Nota bene: Avoid running nvm while the tests are running.
## Bash completion
To activate, you need to source `bash_completion`:
Put the above sourcing line just below the sourcing line for NVM in your profile (`.bashrc`, `.bash_profile`).
### Usage
nvm
$ nvm [tab][tab]
alias deactivate install ls run unload
clear-cache exec list ls-remote unalias use
current help list-remote reinstall-packages uninstall version
nvm alias
$ nvm alias [tab][tab]
default
$ nvm alias my_alias [tab][tab]
v0.6.21 v0.8.26 v0.10.28
nvm use
$ nvm use [tab][tab]
my_alias default v0.6.21 v0.8.26 v0.10.28
nvm uninstall
$ nvm uninstall [tab][tab]
my_alias default v0.6.21 v0.8.26 v0.10.28
## Compatibility Issues
`nvm` will encounter some issues if you have some non-default settings set. (see [#606](/../../issues/606))
The following are known to cause issues:
Inside `~/.npmrc`
```
prefix='some/path'
```
Environment Variables:
```
$NPM_CONFIG_PREFIX
$PREFIX
```
## Problems
If you try to install a node version and the installation fails, be sure to delete the node downloads from src (~/.nvm/src/) or you might get an error when trying to reinstall them again or you might get an error like the following:
curl: (33) HTTP server doesn't seem to support byte ranges. Cannot resume.
Where's my 'sudo node'? Check out this link:
https://github.com/creationix/nvm/issues/43
On Arch Linux and other systems using python3 by default, before running *install* you need to
export PYTHON=python2
After the v0.8.6 release of node, nvm tries to install from binary packages. But in some systems, the official binary packages don't work due to incompatibility of shared libs. In such cases, use `-s` option to force install from source:
This is a list of the primary features planned for `nvm`:
- [x] Rewriting installation code paths to support installing `io.js` and `node``v4+` [from source](https://github.com/nvm-sh/nvm/issues/1188).
- This will include [reusing previously downloaded tarballs](https://github.com/nvm-sh/nvm/issues/1193) that match checksums, which is a nice performance and bandwidth bonus.
- [ ] Adding opt-in environment variable support to list, download, and install `node` [release candidates](https://github.com/nvm-sh/nvm/issues/779), and [nightly builds](https://github.com/nvm-sh/nvm/issues/1053).
- [ ] [`nvm update`](https://github.com/nvm-sh/nvm/issues/400): the ability to autoupdate `nvm` itself
- [ ] [v1.0.0](https://github.com/nvm-sh/nvm/milestone/1), including updating the [nvm on npm](https://github.com/nvm-sh/nvm/issues/304) to auto-install nvm properly
|| die ""nvm install --reinstall-packages-from" should fail when given an uninstalled version: expected '$EXPECTED_ERROR_MSG', got '$INSTALL_ERROR_MSG'"
[ "$(nvm install invalid.invalid 2>&1)" = "Version 'invalid.invalid' not found - try \`nvm ls-remote\` to browse available versions." ] || die "nvm installing an invalid version did not print a nice error message"
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.