Skip to main content

nvm 0.40.5

Release Date: June 4, 2026

nvm 0.40.5 has been released — the Node Version Manager project ships a security-focused update addressing a newly disclosed vulnerability along with several reliability improvements and a new offline installation feature.

Security Fix: CVE-2026-10796

This release patches CVE-2026-10796, a vulnerability affecting the download and checksum verification pipeline. Users running any previous version of nvm are strongly advised to upgrade immediately. The vulnerability could potentially allow a malicious mirror to inject arbitrary commands during the download phase. Details are available in the official CVE advisory.

What's New

  • Offline installation — The new nvm install --offline flag allows installation of Node.js versions from the local cache without any network access. This is a boon for air-gapped environments, CI runners with restricted egress, and developers working on unreliable connections.

Bug Fixes

Several bugs have been squashed in this release:

  • Security hardening: nvm_download now avoids eval entirely, preventing mirror-supplied version strings from injecting commands. The nvm_get_checksum function passes the tarball name to awk as data rather than program text. The nvm_download_artifact function rejects version strings with disallowed characters.
  • POSIX compliance: install.sh now checks mkdir return codes and fixes printf format strings and profile detection for better cross-shell compatibility.
  • Better error handling: Error propagation from subshells in nvm_download_artifact and failure detection in nvm_install_binary with the -b flag have both been improved.
  • Architecture detection: The musl suffix is now only applied on x64 Alpine, preventing incorrect binary selection on other platforms.
  • Alias cleanup: nvm uninstall now properly handles glob expansion during alias cleanup, and nvm_resolve_local_alias avoids using a variable as a printf format string.
  • Infinite loop fix: nvm which now shows the alias name in infinite loop error messages for easier debugging.

How to Upgrade

Existing nvm users can upgrade by running the install script again:

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.5/install.sh | bash

Or by sourcing the latest version directly. After upgrading, verify with nvm --version which should return v0.40.5.

What is New?

By continuing to use the site, you agree to the use of cookies.