Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: User-provided hash #3349

Open
MatrixManAtYrService opened this issue May 10, 2024 · 1 comment
Open

Feature Request: User-provided hash #3349

MatrixManAtYrService opened this issue May 10, 2024 · 1 comment
Labels
feature requests I want a new feature in nvm!

Comments

@MatrixManAtYrService
Copy link

MatrixManAtYrService commented May 10, 2024
edited

I see that nvm checks nodejs versions against a copy of SHASUMS256.txt which it downloads from the same mirror that it downloads nodejs.

This verification is not without value as-is, but I've got my tin-foil-hat on and it doesn't quite scratch the itch. I'd like to hard-code a hash so that my automation will break if there's a MITM between myself in the mirror (otherwise the MITM can just tamper with SHASUMS256.txt to make the verification pass and hide whatever skulduggery they've amended node with).

I'm imagining something like:

nvm install 16.19.1 --sha256 ca63da538e02de15b7e974f7a17ce4732cc0d63023942301d30044c472ed9ddd

Please consider it. Thank you.
@ljharb
Copy link
Member

ljharb commented May 10, 2024

Where are you getting the hash from in the first place if you can't trust nodejs.org?

@ljharb ljharb added the feature requests I want a new feature in nvm! label May 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature requests I want a new feature in nvm!
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ljharb @MatrixManAtYrService