Merge f28584cecf into 1aab8b2d5a

due the use of --min or NVM_MIN, which would show only the versions
higher than the specified min version, and/or the available minor/patch
updates for the installed versions.

.github/INCIDENT_RESPONSE_PLAN.md

@@ -0,0 +1,117 @@
+# Incident Response Process for **nvm**
+
+## Reporting a Vulnerability
+
+We take the security of **nvm** very seriously. If you believe you’ve found a security vulnerability, please inform us responsibly through coordinated disclosure.
+
+### How to Report
+
+> **Do not** report security vulnerabilities through public GitHub issues, discussions, or social media.
+
+Instead, please use one of these secure channels:
+
+1. **GitHub Security Advisories**
+    Use the **Report a vulnerability** button in the Security tab of the [nvm-sh/nvm repository](https://github.com/nvm-sh/nvm).
+
+2. **Email**
+    Follow the posted [Security Policy](https://github.com/nvm-sh/nvm/security/policy).
+
+### What to Include
+
+**Required Information:**
+- Brief description of the vulnerability type
+- Affected version(s) and components
+- Steps to reproduce the issue
+- Impact assessment (what an attacker could achieve)
+
+**Helpful Additional Details:**
+- Full paths of affected scripts or files
+- Specific commit or branch where the issue exists
+- Required configuration to reproduce
+- Proof-of-concept code (if available)
+- Suggested mitigation or fix
+
+## Our Response Process
+
+**Timeline Commitments:**
+- **Initial acknowledgment**: Within 24 hours
+- **Detailed response**: Within 3 business days
+- **Status updates**: Every 7 days until resolved
+- **Resolution target**: 90 days for most issues
+
+**What We’ll Do:**
+1. Acknowledge your report and assign a tracking ID
+2. Assess the vulnerability and determine severity
+3. Develop and test a fix
+4. Coordinate disclosure timeline with you
+5. Release a security update and publish an advisory and CVE
+6. Credit you in our security advisory (if desired)
+
+## Disclosure Policy
+
+- **Coordinated disclosure**: We’ll work with you on timing
+- **Typical timeline**: 90 days from report to public disclosure
+- **Early disclosure**: If actively exploited
+- **Delayed disclosure**: For complex issues
+
+## Scope
+
+**In Scope:**
+- **nvm** project (all supported versions)
+- Installation and update scripts (`install.sh`, `nvm.sh`)
+- Official documentation and CI/CD integrations
+- Dependencies with direct security implications
+
+**Out of Scope:**
+- Third-party forks or mirrors
+- Platform-specific installs outside core scripts
+- Social engineering or physical attacks
+- Theoretical vulnerabilities without practical exploitation
+
+## Security Measures
+
+**Our Commitments:**
+- Regular vulnerability scanning via GitHub Actions
+- Automated security checks in CI/CD pipelines
+- Secure scripting practices and mandatory code review
+- Prompt patch releases for critical issues
+
+**User Responsibilities:**
+- Keep **nvm** updated
+- Verify script downloads via PGP signatures
+- Follow secure configuration guidelines for shell environments
+
+## Legal Safe Harbor
+
+**We will NOT:**
+- Initiate legal action
+- Contact law enforcement
+- Suspend or terminate your access
+
+**You must:**
+- Only test against your own installations
+- Not access, modify, or delete user data
+- Not degrade service availability
+- Not publicly disclose before coordinated disclosure
+- Act in good faith
+
+## Recognition
+
+- **Advisory Credits**: Credit in GitHub Security Advisories (unless anonymous)
+
+## Security Updates
+
+**Stay Informed:**
+- Subscribe to GitHub releases for **nvm**
+- Enable GitHub Security Advisory notifications
+
+**Update Process:**
+- Patch releases (e.g., v0.40.3 → v0.40.4)
+- Out-of-band releases for critical issues
+- Advisories via GitHub Security Advisories
+
+## Contact Information
+
+- **Security reports**: Security tab of [nvm-sh/nvm](https://github.com/nvm-sh/nvm/security)
+- **General inquiries**: GitHub Discussions or Issues
+

.github/SECURITY.md

@@ -1,6 +1,6 @@
 # Security
 
-Please email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.
+Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report.
 
 ## OpenSSF CII Best Practices
 
@@ -12,16 +12,17 @@ There are three “tiers”: passing, silver, and gold.
 We meet 100% of the “passing” criteria.
 
 ### Silver
-We meet 95% of the “silver” criteria. The gaps are as follows:
-  - we do not have a DCO or a CLA process for contributions.
-  - because we only have one maintainer, the project has no way to continue if that maintainer stops being active.
-  - we do not currently document “what the user can and cannot expect in terms of security” for our project. This is planned to be completed in 2023.
+We meet 100% of the “silver” criteria.
 
 ### Gold
-We meet 65% of the “gold” criteria. The gaps are as follows:
-  - we do not yet have the “silver” badge; see all the gaps above.
+We meet 78% of the “gold” criteria. The gaps are as follows:
+  - because we only have one maintainer, the project has no way to continue if that maintainer stops being active.
   - We do not include a copyright or license statement in each source file. Efforts are underway to change this archaic practice into a suggestion instead of a hard requirement.
 
 ## Threat Model
 
-See [THREAT_MODEL.md](./THREAT_MODEL.md).
+See [THREAT_MODEL.md](.github/THREAT_MODEL.md).
+
+## Incident Response Plan
+
+Please see our [Incident Response Plan](.github/INCIDENT_RESPONSE_PLAN.md).

nvm.sh

@@ -1883,68 +1883,84 @@ nvm_print_versions() {
   fi
 
   command awk \
-    -v remote_versions="$(printf '%s' "${1-}" | tr '\n' '|')" \
+    -v remote_versions="$(printf '%s' "${1-}" | tr '\n' '|')" -v min="${NVM_MIN:-v0}" \
     -v installed_versions="$(nvm_ls | tr '\n' '|')" -v current="$NVM_CURRENT" \
     -v installed_color="$INSTALLED_COLOR" -v system_color="$SYSTEM_COLOR" \
     -v current_color="$CURRENT_COLOR" -v default_color="$DEFAULT_COLOR" \
     -v old_lts_color="$DEFAULT_COLOR" -v has_colors="$NVM_HAS_COLORS" '
-function alen(arr, i, len) { len=0; for(i in arr) len++; return len; }
-BEGIN {
-  fmt_installed = has_colors ? (installed_color ? "\033[" installed_color "%15s\033[0m" : "%15s") : "%15s *";
-  fmt_system = has_colors ? (system_color ? "\033[" system_color "%15s\033[0m" : "%15s") : "%15s *";
-  fmt_current = has_colors ? (current_color ? "\033[" current_color "->%13s\033[0m" : "%15s") : "->%13s *";
+  function alen(arr, i, len) { len=0; for(i in arr) len++; return len; }
+  function v2a(v, a) { sub(/^(iojs-)?v/, "", v); split(v, a, "."); }
+  function v2m(v, a) { sub(/^(iojs-)?v/, "", v); split(v, a, "."); return a[1]; }
+  function vcmp(v1,v2,a1,a2,i,d) { v2a(v1,a1); v2a(v2,a2); for(i=1;i<4;i++) { d = a1[i] - a2[i]; if(d!=0) return d; } return 0; }
+  BEGIN {
+    fmt_installed = has_colors ? (installed_color ? "\033[" installed_color "%15s\033[0m" : "%15s") : "%15s *";
+    fmt_system = has_colors ? (system_color ? "\033[" system_color "%15s\033[0m" : "%15s") : "%15s *";
+    fmt_current = has_colors ? (current_color ? "\033[" current_color "->%13s\033[0m" : "%15s") : "->%13s *";
 
-  latest_lts_color = current_color;
-  sub(/0;/, "1;", latest_lts_color);
+    latest_lts_color = current_color;
+    sub(/0;/, "1;", latest_lts_color);
 
-  fmt_latest_lts = has_colors && latest_lts_color ? ("\033[" latest_lts_color " (Latest LTS: %s)\033[0m") : " (Latest LTS: %s)";
-  fmt_old_lts = has_colors && old_lts_color ? ("\033[" old_lts_color " (LTS: %s)\033[0m") : " (LTS: %s)";
+    fmt_latest_lts = has_colors && latest_lts_color ? ("\033[" latest_lts_color " (Latest LTS: %s)\033[0m") : " (Latest LTS: %s)";
+    fmt_old_lts = has_colors && old_lts_color ? ("\033[" old_lts_color " (LTS: %s)\033[0m") : " (LTS: %s)";
 
-  split(remote_versions, lines, "|");
-  split(installed_versions, installed, "|");
-  rows = alen(lines);
-
-  for (n = 1; n <= rows; n++) {
-    split(lines[n], fields, "[[:blank:]]+");
-    cols = alen(fields);
-    version = fields[1];
-    is_installed = 0;
-
-    for (i in installed) {
-      if (version == installed[i]) {
-        is_installed = 1;
-        break;
+    split(remote_versions, lines, "|");
+    split(installed_versions, installed, "|");
+    rows = alen(lines);
+    filter_on = (vcmp("v0.0.0", min) != 0);
+    current_major = -1;
+    for (m = n = 1; n <= rows; n++) {
+      split(lines[n], fields, "[[:blank:]]+");
+      cols = alen(fields);
+      version = fields[1];
+      is_installed = 0;
+      for (i in installed) {
+        if (version == installed[i]) {
+          is_installed = 1;
+          break;
+        }
       }
+
+      if (filter_on != 0) {
+        if (is_installed) {
+          current_major = v2m(version);
+        } else if (vcmp(version, min) >= 0) {
+          filter_on = 0;
+        } else if (v2m(version) != current_major) {
+          continue;
+        }
+      }
+
+      fmt_version = "%15s";
+      if (version == current) {
+        fmt_version = fmt_current;
+      } else if (version == "system") {
+        fmt_version = fmt_system;
+      } else if (is_installed) {
+        fmt_version = fmt_installed;
+      }
+
+      padding = (is_installed && !has_colors) ? "" : "  ";
+      if (cols == 1) {
+        formatted = sprintf(fmt_version, version);
+      } else if (cols == 2) {
+        formatted = sprintf((fmt_version padding fmt_old_lts), version, fields[2]);
+      } else if (cols == 3 && fields[3] == "*") {
+        formatted = sprintf((fmt_version padding fmt_latest_lts), version, fields[2]);
+      }
+
+      output[m++] = formatted;
     }
 
-    fmt_version = "%15s";
-    if (version == current) {
-      fmt_version = fmt_current;
-    } else if (version == "system") {
-      fmt_version = fmt_system;
-    } else if (is_installed) {
-      fmt_version = fmt_installed;
+    for (n = 1; n < m; n++) {
+      print output[n]
     }
 
-    padding = (!has_colors && is_installed) ? "" : "  ";
-
-    if (cols == 1) {
-      formatted = sprintf(fmt_version, version);
-    } else if (cols == 2) {
-      formatted = sprintf((fmt_version padding fmt_old_lts), version, fields[2]);
-    } else if (cols == 3 && fields[3] == "*") {
-      formatted = sprintf((fmt_version padding fmt_latest_lts), version, fields[2]);
+    if (rows > --m) {
+      printf("[INFO] showing %d (of %d) versions.\n", m, rows) > "/dev/stderr"
     }
 
-    output[n] = formatted;
-  }
-
-  for (n = 1; n <= rows; n++) {
-    print output[n]
-  }
-
-  exit
-}'
+    exit
+  }'
 }
 
 nvm_validate_implicit_alias() {
@@ -3106,6 +3122,7 @@ nvm() {
         nvm_echo '  nvm ls-remote [<version>]                   List remote versions available for install, matching a given <version> if provided'
         nvm_echo '    --lts                                     When listing, only show LTS (long-term support) versions'
         nvm_echo '    --lts=<LTS name>                          When listing, only show versions for a specific LTS line'
+        nvm_echo '    --min=<version>                           When listing, only show versions greater than or equal to <version>, including minor/patch updates for installed versions'
         nvm_echo '    --no-colors                               Suppress colored output'
         nvm_echo '  nvm version <version>                       Resolve the given description to a single local version'
         nvm_echo '  nvm version-remote <version>                Resolve the given description to a single remote version'
@@ -4124,6 +4141,10 @@ nvm() {
       local NVM_LTS
       local PATTERN
       local NVM_NO_COLORS
+      local NVM_MIN_ENV
+      NVM_MIN_ENV="${NVM_MIN-}"
+      local NVM_MIN
+      NVM_MIN="${NVM_MIN_ENV-}"
 
       while [ $# -gt 0 ]; do
         case "${1-}" in
@@ -4134,6 +4155,9 @@ nvm() {
           --lts=*)
             NVM_LTS="${1##--lts=}"
           ;;
+          --min=*)
+            NVM_MIN="${1##--min=}"
+          ;;
           --no-colors) NVM_NO_COLORS="${1}" ;;
           --*)
             nvm_err "Unsupported option \"${1}\"."

test/fast/Unit tests/nvm_print_versions

@@ -0,0 +1,146 @@
+#!/bin/sh
+
+# shellcheck disable=SC2317
+
+die () { echo "$@" ; cleanup ; exit 1; }
+
+cleanup() {
+  unset -f nvm_remote_versions nvm_ls nvm_ls_current
+  if [ -n "$TEMP_NVM_MIN" ]; then
+    export NVM_MIN="$TEMP_NVM_MIN"
+    unset TEMP_NVM_MIN
+  fi
+}
+
+\. ../../../nvm.sh
+
+
+if [ -n "$NVM_MIN" ]; then
+  TEMP_NVM_MIN="$NVM_MIN"
+  unset NVM_MIN
+fi
+
+# mock currently installed versions
+nvm_ls() {
+  echo "v16.20.2
+v18.20.3
+system"
+}
+
+# mock currently active version
+nvm_ls_current() {
+  echo "v18.20.3"
+}
+
+nvm_remote_versions() {
+  echo "v16.0.0
+v16.20.2 Gallium
+v16.20.3 Gallium *
+v17.0.0
+v17.9.1
+v18.0.0
+v18.1.0
+v18.20.2 Hydrogen
+v18.20.3 Hydrogen *
+v19.0.0
+v19.9.0
+v20.0.0
+v20.8.1
+v20.9.0 Iron *
+v21.0.0
+v21.1.0"
+}
+
+
+# nvm_print_versions should print all versions from nvm_remote_versions
+OUTPUT="$(NVM_NO_COLORS='--no-colors' nvm_print_versions "$(nvm_remote_versions)" | sed -r 's/^[ \t]+//')"
+EXPECTED_OUTPUT="v16.0.0
+v16.20.2 * (LTS: Gallium)
+v16.20.3   (Latest LTS: Gallium)
+v17.0.0
+v17.9.1
+v18.0.0
+v18.1.0
+v18.20.2   (LTS: Hydrogen)
+->     v18.20.3 * (Latest LTS: Hydrogen)
+v19.0.0
+v19.9.0
+v20.0.0
+v20.8.1
+v20.9.0   (Latest LTS: Iron)
+v21.0.0
+v21.1.0"
+
+[ "_$OUTPUT" = "_$EXPECTED_OUTPUT" ] || die "(1) nvm_print_versions did not output all expected versions; got $OUTPUT"
+
+
+# versions lower than 18 should be filtered out, but v16.20.2 should be kept since it's installed
+OUTPUT="$(NVM_NO_COLORS='--no-colors' NVM_MIN=v18 nvm_print_versions "$(nvm_remote_versions)" | sed -r 's/^[ \t]+//')"
+EXPECTED_OUTPUT="v16.20.2 * (LTS: Gallium)
+v16.20.3   (Latest LTS: Gallium)
+v18.0.0
+v18.1.0
+v18.20.2   (LTS: Hydrogen)
+->     v18.20.3 * (Latest LTS: Hydrogen)
+v19.0.0
+v19.9.0
+v20.0.0
+v20.8.1
+v20.9.0   (Latest LTS: Iron)
+v21.0.0
+v21.1.0"
+
+[ "_$OUTPUT" = "_$EXPECTED_OUTPUT" ] || die "(2) NVM_MIN=18 nvm_print_versions did not output all expected versions; got $OUTPUT"
+
+
+# versions lower than 19 should be filtered out
+OUTPUT="$(NVM_NO_COLORS='--no-colors' NVM_MIN=19 nvm_print_versions "$(nvm_remote_versions)" | sed -r 's/^[ \t]+//')"
+EXPECTED_OUTPUT="v16.20.2 * (LTS: Gallium)
+v16.20.3   (Latest LTS: Gallium)
+->     v18.20.3 * (Latest LTS: Hydrogen)
+v19.0.0
+v19.9.0
+v20.0.0
+v20.8.1
+v20.9.0   (Latest LTS: Iron)
+v21.0.0
+v21.1.0"
+
+[ "_$OUTPUT" = "_$EXPECTED_OUTPUT" ] || die "(3) NVM_MIN=19 nvm_print_versions did not output all expected versions; got $OUTPUT"
+
+
+# versions lower than 20.1 should be filtered out, so v20.0.0 is out
+OUTPUT="$(NVM_NO_COLORS='--no-colors' NVM_MIN=v20.1 nvm_print_versions "$(nvm_remote_versions)" | sed -r 's/^[ \t]+//')"
+EXPECTED_OUTPUT="v16.20.2 * (LTS: Gallium)
+v16.20.3   (Latest LTS: Gallium)
+->     v18.20.3 * (Latest LTS: Hydrogen)
+v20.8.1
+v20.9.0   (Latest LTS: Iron)
+v21.0.0
+v21.1.0"
+
+[ "_$OUTPUT" = "_$EXPECTED_OUTPUT" ] || die "(4) NVM_MIN=20.1 nvm_print_versions did not output all expected versions; got $OUTPUT"
+
+
+# assume v18.20.3 is NOT installed, so now it should be filtered out
+nvm_ls() {
+  echo "v16.20.2
+system"
+}
+
+nvm_ls_current() {
+  echo "v16.20.2"
+}
+
+OUTPUT="$(NVM_NO_COLORS='--no-colors' NVM_MIN=20.1 nvm_print_versions "$(nvm_remote_versions)" | sed -r 's/^[ \t]+//')"
+EXPECTED_OUTPUT="->     v16.20.2 * (LTS: Gallium)
+v16.20.3   (Latest LTS: Gallium)
+v20.8.1
+v20.9.0   (Latest LTS: Iron)
+v21.0.0
+v21.1.0"
+
+[ "_$OUTPUT" = "_$EXPECTED_OUTPUT" ] || die "(5) NVM_MIN=20.1 nvm_print_versions did not output all expected versions; got $OUTPUT"
+
+
+cleanup