Skip to content

nvm install behind mirror: stale SHASUMS256.txt blocks valid installs and no warning for stale latest/ #1336

@abaschen

Description

@abaschen

Bug Description

When using nvm install with a configured node mirror (nvm node_mirror <url>), two related issues cause installation failures:

1. Stale mirror blocks valid installs

When the mirror's latest/SHASUMS256.txt is stale (cached behind the real Node.js distribution), checkVersionExceedsLatest() incorrectly blocks installation of versions that exist in the mirror's index.json but are newer than the stale latest/. Users receive a misleading error:

Node.js v22.16.0 is not yet released or is not available for download yet.

2. Full semver installs unnecessarily check latest/SHASUMS256.txt

When a user specifies a full semver version (e.g., nvm install 22.16.0), the install flow still calls checkVersionExceedsLatest(), which fetches latest/SHASUMS256.txt. For full semver versions, this check is unnecessary because index.json (already consulted via node.IsVersionAvailable()) is the authoritative source.

3. Silent stale latest

When running nvm install latest behind a stale mirror, getLatest() silently returns the stale version from latest/SHASUMS256.txt without any warning that the mirror may be out of date.

Steps to Reproduce

  1. Configure a mirror: nvm node_mirror https://my-mirror.example.com/dist/
  2. Ensure the mirror's latest/SHASUMS256.txt is behind the official distribution (e.g., reports v22.14.0 while v22.16.0 is available)
  3. Run nvm install 22.16.0
  4. Observe: installation is blocked with "not yet released" error

Expected Behavior

  • Full semver installs (nvm install 22.16.0) should skip the latest/SHASUMS256.txt check and validate against index.json directly
  • When a mirror is stale and blocks a valid version, a warning should be shown instead of a hard block
  • nvm install latest behind a stale mirror should warn that the mirror's latest version differs from index.json

Environment

  • nvm-windows (latest)
  • Any mirror configuration where latest/ folder is cached/stale

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions