Skip to content

Feature Request: User-provided hash #3349

Open
@MatrixManAtYrService

Description

@MatrixManAtYrService

I see that nvm checks nodejs versions against a copy of SHASUMS256.txt which it downloads from the same mirror that it downloads nodejs.

This verification is not without value as-is, but I've got my tin-foil-hat on and it doesn't quite scratch the itch. I'd like to hard-code a hash so that my automation will break if there's a MITM between myself in the mirror (otherwise the MITM can just tamper with SHASUMS256.txt to make the verification pass and hide whatever skulduggery they've amended node with).

I'm imagining something like:

nvm install 16.19.1 --sha256 ca63da538e02de15b7e974f7a17ce4732cc0d63023942301d30044c472ed9ddd

Please consider it. Thank you.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions