Bug Description
When using nvm install with a configured node mirror (nvm node_mirror <url>), two related issues cause installation failures:
1. Stale mirror blocks valid installs
When the mirror's latest/SHASUMS256.txt is stale (cached behind the real Node.js distribution), checkVersionExceedsLatest() incorrectly blocks installation of versions that exist in the mirror's index.json but are newer than the stale latest/. Users receive a misleading error:
Node.js v22.16.0 is not yet released or is not available for download yet.
2. Full semver installs unnecessarily check latest/SHASUMS256.txt
When a user specifies a full semver version (e.g., nvm install 22.16.0), the install flow still calls checkVersionExceedsLatest(), which fetches latest/SHASUMS256.txt. For full semver versions, this check is unnecessary because index.json (already consulted via node.IsVersionAvailable()) is the authoritative source.
3. Silent stale latest
When running nvm install latest behind a stale mirror, getLatest() silently returns the stale version from latest/SHASUMS256.txt without any warning that the mirror may be out of date.
Steps to Reproduce
- Configure a mirror:
nvm node_mirror https://my-mirror.example.com/dist/
- Ensure the mirror's
latest/SHASUMS256.txt is behind the official distribution (e.g., reports v22.14.0 while v22.16.0 is available)
- Run
nvm install 22.16.0
- Observe: installation is blocked with "not yet released" error
Expected Behavior
- Full semver installs (
nvm install 22.16.0) should skip the latest/SHASUMS256.txt check and validate against index.json directly
- When a mirror is stale and blocks a valid version, a warning should be shown instead of a hard block
nvm install latest behind a stale mirror should warn that the mirror's latest version differs from index.json
Environment
- nvm-windows (latest)
- Any mirror configuration where
latest/ folder is cached/stale
Bug Description
When using
nvm installwith a configured node mirror (nvm node_mirror <url>), two related issues cause installation failures:1. Stale mirror blocks valid installs
When the mirror's
latest/SHASUMS256.txtis stale (cached behind the real Node.js distribution),checkVersionExceedsLatest()incorrectly blocks installation of versions that exist in the mirror'sindex.jsonbut are newer than the stalelatest/. Users receive a misleading error:2. Full semver installs unnecessarily check latest/SHASUMS256.txt
When a user specifies a full semver version (e.g.,
nvm install 22.16.0), the install flow still callscheckVersionExceedsLatest(), which fetcheslatest/SHASUMS256.txt. For full semver versions, this check is unnecessary becauseindex.json(already consulted vianode.IsVersionAvailable()) is the authoritative source.3. Silent stale latest
When running
nvm install latestbehind a stale mirror,getLatest()silently returns the stale version fromlatest/SHASUMS256.txtwithout any warning that the mirror may be out of date.Steps to Reproduce
nvm node_mirror https://my-mirror.example.com/dist/latest/SHASUMS256.txtis behind the official distribution (e.g., reports v22.14.0 while v22.16.0 is available)nvm install 22.16.0Expected Behavior
nvm install 22.16.0) should skip thelatest/SHASUMS256.txtcheck and validate againstindex.jsondirectlynvm install latestbehind a stale mirror should warn that the mirror's latest version differs fromindex.jsonEnvironment
latest/folder is cached/stale