nvm 0.40.5
nvm 0.40.5 has been released — the Node Version Manager project ships a security-focused update addressing a newly disclosed vulnerability along with several reliability improvements and a new offline installation feature.
Security Fix: CVE-2026-10796
This release patches CVE-2026-10796, a vulnerability affecting the download and checksum verification pipeline. Users running any previous version of nvm are strongly advised to upgrade immediately. The vulnerability could potentially allow a malicious mirror to inject arbitrary commands during the download phase. Details are available in the official CVE advisory.
What's New
- Offline installation — The new
nvm install --offlineflag allows installation of Node.js versions from the local cache without any network access. This is a boon for air-gapped environments, CI runners with restricted egress, and developers working on unreliable connections.
Bug Fixes
Several bugs have been squashed in this release:
- Security hardening:
nvm_downloadnow avoidsevalentirely, preventing mirror-supplied version strings from injecting commands. Thenvm_get_checksumfunction passes the tarball name to awk as data rather than program text. Thenvm_download_artifactfunction rejects version strings with disallowed characters. - POSIX compliance:
install.shnow checksmkdirreturn codes and fixes printf format strings and profile detection for better cross-shell compatibility. - Better error handling: Error propagation from subshells in
nvm_download_artifactand failure detection innvm_install_binarywith the-bflag have both been improved. - Architecture detection: The musl suffix is now only applied on x64 Alpine, preventing incorrect binary selection on other platforms.
- Alias cleanup:
nvm uninstallnow properly handles glob expansion during alias cleanup, andnvm_resolve_local_aliasavoids using a variable as a printf format string. - Infinite loop fix:
nvm whichnow shows the alias name in infinite loop error messages for easier debugging.
How to Upgrade
Existing nvm users can upgrade by running the install script again:
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.5/install.sh | bash
Or by sourcing the latest version directly. After upgrading, verify with nvm --version which should return v0.40.5.