Update dependency nvm-sh/nvm to v0.40.5

[renovate]

This PR contains the following updates:

Package	Update	Change
nvm-sh/nvm	patch	v0.40.1 → v0.40.5

---

Release Notes

nvm-sh/nvm (nvm-sh/nvm)

v0.40.5

Compare Source

Security fix

Note this release addresses CVE-2026-10796.

New Stuff

• nvm install --offline: install from cache without network access

Bug Fixes

• nvm_download_artifact: reject version strings with disallowed characters
• nvm_get_checksum: pass the tarball name to awk as data, not program text
• nvm_download: avoid eval so mirror-supplied version strings can't inject commands
• nvm_download: send a well-formed Authorization header on the wget path
• avoid an unbound variable
• Add local for sanitized_header (#​3837)
• fix same owner for root when install from binary (#​3834)
• nvm_normalize_lts: only reject uppercase for LTS names, not regular aliases
• install.sh: check mkdir return codes
• install.sh: fix POSIX compliance, printf format strings, and profile detection
• nvm which: show alias name in infinite loop error message
• nvm uninstall: fix alias cleanup glob expansion
• nvm debug: use default empty values for potentially unset variables
• nvm_iojs_version_has_solaris_binary: fix comparison to detect non-iojs versions
• nvm_download_artifact: fix error propagation from subshells
• nvm_install_binary: return failure when binary download fails with -b
• nvm_get_arch: only apply musl suffix on x64 Alpine
• nvm_get_arch: add command prefix to uname call
• nvm_resolve_local_alias: avoid using variable as printf format string
• nvm_get_mirror: fix awk URL validation to actually reject invalid URLs
• nvm_ls_remote_combined: propagate iojs remote listing failures
• nvm install: fix nvm err typo to nvm_err for -s/-b conflict
• nvm alias: fix colors not showing by default

Refactors

• nvm_rc_version: use fd 3 instead of exported env var for multiple return

Docs

• fix --offline help line alignment
• Clean up wording in docs and shell comments (#​3806)
• fix CONTRIBUTING grammar (#​3804)
• do not use tilde expansion in ENV of Dockerfile (#​3821)
• [readme] use tilde expansion instead of "$HOME" for consistency (#​3799)
• [readme] use "$HOME" instead of hardcoded "/home/user"
• [readme] Revise Node.js version usage examples (#​3802)

Misc

• [meta] Update .gitmodules with relative submodule path (#​3839)
• [meta] Submodule nvmrc update protocol from git to https (#​3839)
• [meta] Align and enhance AGENTS.md instructions (#​3774)

Tests

• install_nvm_from_git: stop git background gc/maintenance racing with cleanup
• install_nvm_from_git: fix malformed test command (missing space before ])
• reduce CI flakiness from transient Docker registry failures
• remove double-substitution in assert_ok and assert_not_ok (#​3826)
• fix 4 test failures
• add try/try_err helpers; convert tests to use them
• [actions] add workflow to update nodejs.org nvm version
• [actions] set per-job permissions in the nvm install workflow
• [actions] allow DockerHub's CloudFront CDN so image pulls aren't blocked
• [actions] upgrade vampire/setup-wsl (#​3775)

v0.40.4

Compare Source

Bug Fixes

• sanitize NVM_AUTH_HEADER in wget path
• nvm_has_colors: also check if stdout is a terminal
• nvm_strip_path: avoid gawk-specific RT variable for mawk compatibility
• nvm_get_default_packages: use portable awk patterns
• nvm_install_source: explicitly set SHELL=/bin/sh for make
• install.sh: do not log when user has requested no profile modifications (#​2131)
• nvm exec: Do a version check on nvm-exec (#​3308)
• Reject bare LTS codenames in nvm install (#​3718)
• prevent sed errors when pattern contains #
• install.sh: Force remote name of cloned repo to be 'origin' (#​3654)
• sh lacks -O; thanks shellcheck
• show system Node.js version in nvm ls (#​1287)

Docs

• [readme] add missing colon (#​3516)
• [readme] add background on io.js (#​3641)
• [readme] fix typo (#​3687)
• [readme] update installation by docker to v0.40.3 (#​3590)

Tests

• [actions] add permissions to GHA workflow
• Improve uninstall error message for missing versions (#​3768)
• [Tests] add retry logic (#​2232)
• [Tests] add a timeout
• [actions] add a finisher to lint
• [actions] migrate Travis CI tests to GitHub Actions
• [Tests] mock node in nvm_die_on_prefix test
• [Tests] clean up .nvmrc after nvm-exec test
• [Tests] set $_ before sourcing nvm.sh in fast tests
• [actions] update outdated GitHub Actions versions (#​3762)
• [actions] fix WSL tests: properly handle Debian apt sources issue
• [actions] fix workflow permissions; add codeQL
• [actions] temporary fix for WSL issue
• [actions] add new github asset domain to harden-runner
• [actions] Fix Cygwin workflow HOME variable and add debug output (#​3611)

Misc

• Migrate GitHub Copilot instructions to AGENTS.md and CLAUDE.md (#​3655)
• [security] add security escalation policy (#​3658)
• [meta] Add comprehensive .github/copilot-instructions.md for better AI code assistance (#​3609)
• [meta] update security policy; add IRP
• [Dev Deps] update markdown-link-check, semver

v0.40.3

Compare Source

Fixes

• nvm_install_latest_npm: fix node version detection (#​3564)

v0.40.2

Compare Source

New Stuff

• install.sh: add $ZDOTDIR to zsh search (#​3458)

Fixes

• reinstall-packages: do not reinstall corepack (#​3544)
• avoid bash-specific syntax (#​3499)
• install-latest-npm: npm v11 is out
• nvm_install_latest_npm: avoid unbound variable (#​3447)
• give a more helpful message when lts alias is mistakenly used (#​3441)
• nvm ls, nvm alias, nvm install: error when an LTS name is invalid
• nvm_normalize_lts: error when an LTS name is not lowercase (#​3417)

Documentation

• [readme] update link
• [readme] fix --no-use example (#​3479)
• [readme] update copyright notice (#​3507)
• [readme] note zsh-nvm's AUTO_USE option (#​2670)
• [readme] add note about reloading zshrc after editing (#​3052)
• [readme] Update shell profile file install notes (#​2241)
• [readme] add docker tips (#​2318)
• [readme] remove avn from readme (#​3469)
• [readme] fnm -> nvm.fish (#​2541)

Refactors

• prefer case over if/else chains
• combine sed -e invocations/arguments

Tests

• nvm exec/nvm run: add --silent tests (#​1259)
• [actions] release test needs git tags
• migrate installation_iojs test suite to GitHub Actions (#​3476)
• Migrate slow test suite from Travis CI (#​3470)
• temporarily skip this failing travis test to unblock progress
• [actions] TOC: use latest LTS node
• install.sh: clean up nvm_detect_profile tests
• nvm_detect_profile: refactor (#​3467)
• run urchin tests on pull requests (#​3466)
• update mocks
• ensure that unit tests use only mocked LTS names
• [actions] use node/install instead of node/run

Meta

• disable blank issues
• update issue template
• add DCO (#​3456)
• Rename .github/ISSUE_TEMPLATE.md to .github/ISSUE_TEMPLATE/ISSUE_TEMPLATE.md (#​3454)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.