Merge branch 'master' into master

amejia1 · web-flow · commit 1a14b76cfeb2 · 2026-01-23T17:23:40.000-05:00
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -2,6 +2,13 @@
 
 Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report.
 
+## Escalation
+
+If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`.
+
+If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.
+
+
 ## OpenSSF CII Best Practices
 
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/684/badge)](https://bestpractices.coreinfrastructure.org/projects/684)
diff --git a/.github/workflows/latest-npm.yml b/.github/workflows/latest-npm.yml
@@ -63,7 +63,7 @@ jobs:
             iojs.org:443
             nodejs.org:443
             registry.npmjs.org:443
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: ljharb/actions/node/install@main
         name: 'install node'
         with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -16,7 +16,7 @@ jobs:
             raw.githubusercontent.com:443
             nodejs.org:443
             registry.npmjs.org:443
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: ljharb/actions/node/install@main
         name: 'nvm install ${{ matrix.node-version }} && npm install'
         with:
@@ -35,7 +35,7 @@ jobs:
             pkg-containers.githubusercontent.com:443
             nodejs.org:443
             registry.npmjs.org:443
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: ljharb/actions/node/install@main
         name: 'nvm install ${{ matrix.node-version }} && npm install'
         with:
@@ -52,7 +52,7 @@ jobs:
             raw.githubusercontent.com:443
             nodejs.org:443
             registry.npmjs.org:443
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: ljharb/actions/node/install@main
         name: 'nvm install ${{ matrix.node-version }} && npm install'
         with:
@@ -67,6 +67,6 @@ jobs:
           allowed-endpoints:
             github.com:443
             raw.githubusercontent.com:443
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: check tests filenames
         run: ./rename_test.sh --check
diff --git a/.github/workflows/nvm-install-test.yml b/.github/workflows/nvm-install-test.yml
@@ -16,7 +16,7 @@ jobs:
     outputs:
       matrix: ${{ steps.matrix.outputs.matrix }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - id: matrix
@@ -55,7 +55,7 @@ jobs:
           - 2 shlvls
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: resolve HEAD to sha
         run: |
           if [ '${{ matrix.ref }}' = 'HEAD' ]; then
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6
       - uses: ljharb/rebase@master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,10 +19,10 @@ jobs:
             raw.githubusercontent.com:443
             release-assets.githubusercontent.com:443
             registry.npmjs.org:443
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-tags: true
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: "14"
       - run: npm install
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
@@ -35,7 +35,7 @@ jobs:
             github.com:443
             pkg-containers.githubusercontent.com:443
             formulae.brew.sh:443
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Set up Homebrew
         uses: Homebrew/actions/setup-homebrew@master
       - name: Install latest shellcheck
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -52,7 +52,7 @@ jobs:
             iojs.org:443
             azure.archive.ubuntu.com:80
             packages.microsoft.com:443
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - run: sudo apt-get update; sudo apt-get install ${{ matrix.shell }}
         if: matrix.shell == 'zsh' || matrix.shell == 'ksh'
         # zsh (https://github.com/actions/runner-images/issues/264) and ksh are not in the ubuntu image
diff --git a/.github/workflows/toc.yml b/.github/workflows/toc.yml
@@ -21,15 +21,15 @@ jobs:
           github.com:443
           registry.npmjs.org:443
           api.github.com:443
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         # https://github.com/actions/checkout/issues/217#issue-599945005
         # pulls all commits (needed for lerna / semantic release to correctly version)
         fetch-depth: "0"
 
     # pulls all tags (needed for lerna / semantic release to correctly version)
     - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@v6
       with:
         node-version: 'lts/*'
     - run: npm install
diff --git a/.github/workflows/windows-npm.yml b/.github/workflows/windows-npm.yml
@@ -125,23 +125,55 @@ jobs:
             npm-node-version: '21'
           - wsl-distrib: Ubuntu-18.04
             npm-node-version: '18'
+          # node v24+ doesn't work on WSL1 (exec format error)
+          - wsl-distrib: Debian
+            npm-node-version: '--lts'
+          - wsl-distrib: Ubuntu-20.04
+            npm-node-version: '--lts'
         method:
           - ''
           - 'script'
     steps:
-      - uses: Vampire/setup-wsl@v3
+      # For Ubuntu: install with packages directly
+      - if: matrix.wsl-distrib != 'Debian'
+        uses: Vampire/setup-wsl@v3
         with:
           distribution: ${{ matrix.wsl-distrib }}
           additional-packages: bash git curl ca-certificates wget
 
-      # see https://github.com/Vampire/setup-wsl/issues/76#issuecomment-3258201135
-      - shell: 'wsl-bash {0}'
-        run: 'sed -i s/ftp.debian.org/archive.debian.org/ /etc/apt/sources.list'
-      - uses: Vampire/setup-wsl@v3
+      # For Debian: install without packages first (apt-get update fails due to stale sources.list)
+      # see https://github.com/Vampire/setup-wsl/issues/76
+      - if: matrix.wsl-distrib == 'Debian'
+        uses: Vampire/setup-wsl@v3
         with:
           distribution: ${{ matrix.wsl-distrib }}
-          additional-packages: bash git curl ca-certificates wget
-          update: 'true'
+      - if: matrix.wsl-distrib == 'Debian'
+        shell: 'wsl-bash {0}'
+        run: 'sed -i s/ftp.debian.org/archive.debian.org/ /etc/apt/sources.list'
+      - if: matrix.wsl-distrib == 'Debian'
+        name: 'Install packages with retries'
+        shell: 'wsl-bash {0}'
+        run: |
+          retry() {
+            local n=0
+            local max=3
+            local delay=5
+            while true; do
+              "$@" && break || {
+                n=$((n+1))
+                if [ $n -lt $max ]; then
+                  echo "Command failed. Attempt $n/$max. Retrying in $delay seconds..."
+                  sleep $delay
+                else
+                  echo "Command failed after $max attempts."
+                  return 1
+                fi
+              }
+            done
+          }
+          retry apt-get update
+          retry apt-get upgrade --yes
+          retry apt-get install --yes bash git curl ca-certificates wget
 
       - name: Retrieve nvm on WSL
         run: |
@@ -187,15 +219,6 @@ jobs:
           distribution: ${{ matrix.wsl-distrib }}
           additional-packages: bash git curl ca-certificates wget
 
-      # see https://github.com/Vampire/setup-wsl/issues/76#issuecomment-3258201135
-      - shell: 'wsl-bash {0}'
-        run: 'sed -i s/ftp.debian.org/archive.debian.org/ /etc/apt/sources.list'
-      - uses: Vampire/setup-wsl@v3
-        with:
-          distribution: ${{ matrix.wsl-distrib }}
-          additional-packages: bash git curl ca-certificates wget
-          update: 'true'
-
       - name: Retrieve nvm on WSL
         run: |
           if [ -z "${{ matrix.method }}" ]; then
diff --git a/README.md b/README.md
@@ -443,7 +443,7 @@ Node has a [schedule](https://github.com/nodejs/Release#release-schedule) for lo
 
 Any time your local copy of `nvm` connects to https://nodejs.org, it will re-create the appropriate local aliases for all available LTS lines. These aliases (stored under `$NVM_DIR/alias/lts`), are managed by `nvm`, and you should not modify, remove, or create these files - expect your changes to be undone, and expect meddling with these files to cause bugs that will likely not be supported.
 
-To get the latest LTS version of node and migrate your existing installed packages, use
+To get the latest LTS version of node and migrate your existing installed packages, use:
 
 ```sh
 nvm install --reinstall-packages-from=current 'lts/*'
@@ -496,7 +496,10 @@ stevemao/left-pad
 
 ### io.js
 
-If you want to install [io.js](https://github.com/iojs/io.js/):
+> [!WARNING]
+> io.js was a [fork of Node.js](https://en.wikipedia.org/wiki/Node.js#History), created in 2014 and merged back in 2015. io.js shipped v1, v2, and v3 release lines; post-merge, node.js began releasing with v4.
+
+If you want to install io.js:
 
 ```sh
 nvm install iojs
@@ -1040,7 +1043,7 @@ To change the user directory and/or account name follow the instructions [here](
 [Urchin]: https://git.sdf.org/tlevine/urchin
 [Fish]: https://fishshell.com
 
-**Homebrew makes zsh directories unsecure**
+**Homebrew makes zsh directories insecure**
 
 ```shell
 zsh compinit: insecure directories, run compaudit for list.
diff --git a/install.sh b/install.sh
@@ -428,7 +428,10 @@ nvm_do_install() {
   COMPLETION_STR='[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"  # This loads nvm bash_completion\n'
   BASH_OR_ZSH=false
 
-  if [ -z "${NVM_PROFILE-}" ] ; then
+  if [ "${PROFILE-}" = '/dev/null' ] ; then
+    # the user has specifically requested NOT to have nvm touch their profile
+    echo
+  elif [ -z "${NVM_PROFILE-}" ] ; then
     local TRIED_PROFILE
     if [ -n "${PROFILE}" ]; then
       TRIED_PROFILE="${NVM_PROFILE} (as defined in \$PROFILE), "
diff --git a/nvm-exec b/nvm-exec
@@ -9,9 +9,12 @@ unset NVM_CD_FLAGS
 
 if [ -n "$NODE_VERSION" ]; then
   nvm use "$NODE_VERSION" > /dev/null || exit 127
-elif ! nvm use >/dev/null 2>&1; then
-  echo "No NODE_VERSION provided; no .nvmrc file found" >&2
-  exit 127
+else
+  nvm_rc_version > /dev/null && nvm_ensure_version_installed "$NVM_RC_VERSION";
+  if ! nvm use >/dev/null 2>&1; then
+    echo "No NODE_VERSION provided; no .nvmrc file found" >&2
+    exit 127
+  fi
 fi
 
 exec "$@"
diff --git a/nvm.sh b/nvm.sh
@@ -781,6 +781,15 @@ nvm_remote_version() {
   else
     VERSION="$(NVM_LTS="${NVM_LTS-}" nvm_remote_versions "${PATTERN}" | command tail -1)"
   fi
+
+  if [ -n "${PATTERN}" ] && [ "_${VERSION}" != "_N/A" ] && ! nvm_validate_implicit_alias "${PATTERN}" 2>/dev/null; then
+    local VERSION_NUM
+    VERSION_NUM="$(nvm_echo "${VERSION}" | command awk '{print $1}')"
+    if ! nvm_echo "${VERSION_NUM}" | nvm_grep -q "${PATTERN}"; then
+      VERSION='N/A'
+    fi
+  fi
+
   if [ -n "${NVM_VERSION_ONLY-}" ]; then
     command awk 'BEGIN {
       n = split(ARGV[1], a);
@@ -1294,7 +1303,7 @@ nvm_alias() {
     return 2
   fi
 
-  command awk 'NF' "${NVM_ALIAS_PATH}"
+  command sed 's/#.*//; s/[[:space:]]*$//' "${NVM_ALIAS_PATH}" | command awk 'NF'
 }
 
 nvm_ls_current() {
@@ -1529,7 +1538,7 @@ nvm_ls() {
       PATTERN='v'
       SEARCH_PATTERN='.*'
     else
-      SEARCH_PATTERN="$(nvm_echo "${PATTERN}" | command sed 's#\.#\\\.#g;')"
+      SEARCH_PATTERN="$(nvm_echo "${PATTERN}" | command sed 's#\.#\\\.#g; s|#|\\#|g')"
     fi
     if [ -n "${NVM_DIRS_TO_SEARCH1}${NVM_DIRS_TO_SEARCH2}${NVM_DIRS_TO_SEARCH3}" ]; then
       VERSIONS="$(command find "${NVM_DIRS_TO_SEARCH1}"/* "${NVM_DIRS_TO_SEARCH2}"/* "${NVM_DIRS_TO_SEARCH3}"/* -name . -o -type d -prune -o -path "${PATTERN}*" \
diff --git a/test/fast/Running 'nvm-exec' should display required node version b/test/fast/Running 'nvm-exec' should display required node version
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -x
+\. ../../nvm.sh
+
+die () { echo "$@" ; rm .nvmrc ; exit 1; }
+
+NVM_TEST_VERSION=v0.42
+
+# Write it to nvmrc
+echo "$NVM_TEST_VERSION" > .nvmrc
+
+OUTPUT="$(../../nvm-exec 2>&1)";
+EXPECTED="N/A: version \"${NVM_TEST_VERSION}\" is not yet installed.
+
+You need to run \`nvm install ${NVM_TEST_VERSION}\` to install and use it.
+No NODE_VERSION provided; no .nvmrc file found";
+
+# Skip install, we want to test the error message
+[ "${EXPECTED}" = "${OUTPUT}" ] || die "expected >${EXPECTED}<, got >${OUTPUT}<"
diff --git a/test/fast/Set Colors/nvm_print_versions calls nvm_get_colors b/test/fast/Set Colors/nvm_print_versions calls nvm_get_colors
@@ -2,7 +2,7 @@
 
 \. ../../../nvm.sh
 
-set -e
+#set -e #nvm use system returns 127 and No system set message
 
 die () {
   # echo "$@" ;
@@ -24,7 +24,7 @@ fi
 # default system color
 nvm use system
 OUTPUT=$(nvm_print_versions system)
-FORMAT="\033[0;32m-> %12s\033[0m"
+FORMAT="\033[0;33m%15s\033[0m"
 VERSION='system'
 EXPECTED_OUTPUT=$(command printf -- "${FORMAT}\\n" "${VERSION}")
 
@@ -34,7 +34,7 @@ nvm_ls_current() { echo "current";}
 
 # default current color
 OUTPUT=$(nvm_print_versions current)
-FORMAT="\033[0;32m-> %12s\033[0m"
+FORMAT="\033[0;32m->%13s\033[0m"
 VERSION="current"
 EXPECTED_OUTPUT=$(command printf -- "${FORMAT}\\n" "${VERSION}")
 
@@ -43,7 +43,7 @@ EXPECTED_OUTPUT=$(command printf -- "${FORMAT}\\n" "${VERSION}")
 # custom current color
 nvm set-colors YCMGR
 OUTPUT=$(nvm_print_versions current)
-FORMAT="\033[1;35m-> %12s\033[0m"
+FORMAT="\033[1;35m->%13s\033[0m"
 VERSION="current"
 EXPECTED_OUTPUT=$(command printf -- "${FORMAT}\\n" "${VERSION}")
 
diff --git a/test/fast/Unit tests/nvm_alias handles comments b/test/fast/Unit tests/nvm_alias handles comments
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+die () { echo "$@" ; cleanup ; exit 1; }
+
+cleanup () {
+  rm -rf ../../../alias/test-comment
+  rm -rf ../../../alias/test-inline-comment
+  rm -rf ../../../alias/test-comment-first
+}
+
+\. ../../../nvm.sh
+
+# Test: alias file with comment on separate line
+echo "v0.10
+# this is a comment" > ../../../alias/test-comment
+OUTPUT="$(nvm_alias test-comment)"
+EXPECTED_OUTPUT="v0.10"
+[ "_$OUTPUT" = "_$EXPECTED_OUTPUT" ] || die "'nvm_alias test-comment' should ignore comment line; expected '$EXPECTED_OUTPUT', got '$OUTPUT'"
+
+# Test: alias file with inline comment
+echo "v0.11 # inline comment" > ../../../alias/test-inline-comment
+OUTPUT="$(nvm_alias test-inline-comment)"
+EXPECTED_OUTPUT="v0.11"
+[ "_$OUTPUT" = "_$EXPECTED_OUTPUT" ] || die "'nvm_alias test-inline-comment' should strip inline comment; expected '$EXPECTED_OUTPUT', got '$OUTPUT'"
+
+# Test: alias file with comment as first line
+echo "# comment first
+v0.12" > ../../../alias/test-comment-first
+OUTPUT="$(nvm_alias test-comment-first)"
+EXPECTED_OUTPUT="v0.12"
+[ "_$OUTPUT" = "_$EXPECTED_OUTPUT" ] || die "'nvm_alias test-comment-first' should skip comment-only first line; expected '$EXPECTED_OUTPUT', got '$OUTPUT'"
+
+cleanup
diff --git a/test/fast/Unit tests/nvm_is_version_installed b/test/fast/Unit tests/nvm_is_version_installed
diff --git a/test/fast/Unit tests/nvm_ls handles hash in pattern b/test/fast/Unit tests/nvm_ls handles hash in pattern
diff --git a/test/fast/Unit tests/nvm_remote_version b/test/fast/Unit tests/nvm_remote_version
diff --git a/test/install_script/nvm_install_profile_skip b/test/install_script/nvm_install_profile_skip
