We take the security of nvm very seriously. If you believe you’ve found a security vulnerability, please inform us responsibly through coordinated disclosure.
Do not report security vulnerabilities through public GitHub issues, discussions, or social media.
Instead, please use one of these secure channels:
- GitHub Security Advisories: Use the Report a vulnerability button in the Security tab of the nvm-sh/nvm repository.
- Email: Follow the posted Security Policy.
Required Information:
- Brief description of the vulnerability type
- Affected version(s) and components
- Steps to reproduce the issue
- Impact assessment (what an attacker could achieve)
Helpful Additional Details:
- Full paths of affected scripts or files
- Specific commit or branch where the issue exists
- Required configuration to reproduce
- Proof-of-concept code (if available)
- Suggested mitigation or fix
Timeline Commitments:
- Initial acknowledgment: Within 24 hours
- Detailed response: Within 3 business days
- Status updates: Every 7 days until resolved
- Resolution target: 90 days for most issues
What We’ll Do:
- Acknowledge your report and assign a tracking ID
- Assess the vulnerability and determine severity
- Develop and test a fix
- Coordinate disclosure timeline with you
- Release a security update and publish an advisory and CVE
- Credit you in our security advisory (if desired)
- Coordinated disclosure: We’ll work with you on timing
- Typical timeline: 90 days from report to public disclosure
- Early disclosure: If actively exploited
- Delayed disclosure: For complex issues
In Scope:
- nvm project (all supported versions)
- Installation and update scripts (install.sh, nvm.sh)
- Official documentation and CI/CD integrations
- Dependencies with direct security implications
Out of Scope:
- Third-party forks or mirrors
- Platform-specific installs outside core scripts
- Social engineering or physical attacks
- Theoretical vulnerabilities without practical exploitation
Our Commitments:
- Regular vulnerability scanning via GitHub Actions
- Automated security checks in CI/CD pipelines
- Secure scripting practices and mandatory code review
- Prompt patch releases for critical issues
User Responsibilities:
- Keep nvm updated
- Verify script downloads via PGP signatures
- Follow secure configuration guidelines for shell environments
We will NOT:
- Initiate legal action
- Contact law enforcement
- Suspend or terminate your access
You must:
- Only test against your own installations
- Not access, modify, or delete user data
- Not degrade service availability
- Not publicly disclose before coordinated disclosure
- Act in good faith
- Advisory Credits: Credit in GitHub Security Advisories (unless anonymous)
Stay Informed:
- Subscribe to GitHub releases for nvm
- Enable GitHub Security Advisory notifications
Update Process:
- Patch releases (e.g., v0.40.3 → v0.40.4)
- Out-of-band releases for critical issues
- Advisories via GitHub Security Advisories
- Security reports: Security tab of nvm-sh/nvm
- General inquiries: GitHub Discussions or Issues