1.1.8 - Corepack

[coreybutler]

NVM for Windows v1.1.8 Notes

Truth be told, I did not want to release this version right now. I am working on the successor project rt. v1.1.7 was supposed to be the last version before the rt release. However, notable changes in the Node ecosystem warrant a new version now.

Node Corepack

In September 2021, Node.js v16.9.0 introduced corepack. This experimental new feature allows transparent use of npm, pnpm, or yarn. To support this feature, NVM4W must download and process a different distribution file than it has used previously.

As a result, NVM for Windows 1.1.8 is being released to support corepack.

How to Upgrade

All files can be found on the release page.

If you do not have NVM for Windows installed
Use the instructions in the README.

If you already have an older version of NVM for Windows installed
Download nvm-update.zip and extract it. You will find a file called nvm-update.exe. Double click to run it. This will prompt for the version you wish to upgrade to (pre-populated w/ 1.1.8).

nvm-update.exe can also be run from the command line using the /S flag to suppress the prompt. To do this, run nvm-update.exe 1.1.8 /S.

What's New

Several long-requested features/fixes have been merged since v1.1.7. I did not get to test all of them as extensively as I wanted to, but I believe they are stable. These features include:

1. corepack support (see above)
2. Support for spaces in filepaths #355.
3. nvm install latest - installs the latest patch version of Node (instead of latest minor).
4. nvm install lts - installs the latest LTS patch version (new).
5. nvm use latest, nvm use lts, and nvm use newest (new) now supported.
6. Elevated permissions applied only when necessary #511.
7. nvm current (new) displays the active version.

Numerous edge case fixes have been applied as well.

What didn't make it in?

1. Aliases - these were originally scheduled for 1.1.8, but I never got to work on them.

WARNING

------- UPDATE NOTICE -------
Thanks to a kind sponsor, an extended validation code signing certificate is was acquired. Version 1.1.9 is code signed and should be used instead of v1.1.8.  

Version 1.1.8 is not code signed. Code-signed applications are trusted by Windows and will install easily. Users are prompted with a screen like this one:

Non-code-signed applications can usually be installed, but they will throw a warning like this:

Why?

I paid for the last code signing certificates out of pocket, but they've expired. Sponsorships, to date, haven't even come close to covering the cost of a new code signing certificate (let alone the last one).

Who will this affect?

This won't affect most users, but enterprise users and those distributing NVM4W in corporate environments may run into problems.

If your organization is impacted by this, I will accept sponsorship money to expedite the delivery of a code-signed version. The required EV certificate is about $1000. Please direct message me on Twitter @goldglovecb if you'd like to help cover this cost.

---

This discussion was created from the release 1.1.8 - Corepack.

[ceciliabarudi]

Hey, a heads-up/question. I get this after downloading the nvm-update.zip , is it normal? (sorry if this isn't the adequate place for this comment)

[loriswit]

I'm getting the same alert. My only antivirus is the default Windows Defender, running on Windows 10 21H1.

[coreybutler]

I cannot recreate the issue in Windows Defender, but the Microsoft support suggests that the !ml identifier in the virus definition relies on machine learning... in other words, Windows Defender is incorrectly guessing there is an issue.

[ceciliabarudi]

Yes, I got the warning with Windows Defender as well. Thank you for the explanation, I've given it a ⬆️ so people who stumble with this see it first. I will try installing again today.

[zipzit]

Hmm. Not only did I get an immediate virus warning, but my Windows OS blocked the download. False positive or not, the nvm-update.zip version simply wouldn’t download.

[coreybutler]

I have added a note in the wiki with basic help for Windows Defender users.

[kccarter76]

our endpoint security actually quarantined the nvm.exe file. you really need to scan for virus. the maintenance release before this one passes the scan

[coreybutler]

There is no virus, and I do run a quick check... but there are over 100 antivirus vendors. Furthermore, this happens for new unsigned apps. If someone wants to donate the $1000+ for the required code signing certificate, then I'd be happy to make a signed release.

[kccarter76]

[coreybutler]

Folks - yes, the antivirus tools may mark unrecognized executables as a virus. This happened with the initial 1.1.7 release as well.

Notice how most of the threats are labeled with "ML" or "!ml" - that stands for machine learning with most antivirus providers. In other words, the antivirus suites are guessing... these are not signature threats. A signature threat is one which has been confirmed (i.e. the signature of the executable has been explicitly identified as containing a virus).

The antivirus suites often use ML patterns on "untrusted" executables. An untrusted executable is one which is not code-signed. Apps signed with basic code signing certificates are trusted by Windows after enough people install the app. Apps signed with an extended validation certificate are immediately trusted by Windows. This version of NVM4W is not code-signed at all, because my last certificate expired in 2020. The extended validation certificates cost around $1000, which is more than the lifetime earnings of this project. So, unless someone wants to cover that cost, I have no plans to code sign this release (as noted in the release notes).

The best way to help is to register a "false threat" with your antivirus provider. I cannot test all the different antivirus software. Most antivirus software will let you make an exception for apps, so I recommend doing that if you run into quarantines/deletions.

[kccarter76]

does anyone know what has happened to all the node releases, trying to install 14.15.5 but the release tag is no longer available on github.

[kccarter76]

after undoing the quarantine and installing the updated software the above issue with not find the node to download is resolved.

[davidgeary]

Can anyone confirm the checksum for nvm-update.zip? The accompanying text file states that it should be 8c5739317a14230aa1f8ca8070d98a36 but I get the following results using 7-Zip's CRC-SHA utility:

Name: nvm-update.zip
Size: 3420632 bytes (3340 KiB)
CRC32: FBC0BCF6
CRC64: 078BFD3D4C73E774
SHA256: 749AF837AD391858D39FA5FD0DFCF40D7F347CA2D233C70ED8871A6EBA081283
SHA1: BBC90F60EEE0D87AD580B622C210F68541447B1C
BLAKE2sp: 231AB60EACFEE0F3B1FFE378B092EC5D5B1889785B39C530AE1EDC9AC4E0E032

Or has it been calculated using some other algorithm perhaps?

[coreybutler]

The checksums use the MD5 hash as generated by certutil. See https://github.com/coreybutler/nvm-windows/blob/master/build.bat#L59

[davidgeary]

@coreybutler Ah, of course - duh! So used to MD5 being considered obsolete in crypto that I completely forgot about it for checksums. Thanks for the quick response.

[ConPac]

Maybe not the place to tell this, but please consider using in build.bat a non-obsolete hash algorithm supported by certutil, like SHA256, and include its identifier in the checksum filename, like nvm-update.zip.SHA256-checksum.txt.
And many thanks for your nice work.

[sandbrock-byui]

The Linux Foundation has announced a project for producing free code-signing certificates. It is still in beta, but will be available in the near future. https://www.sigstore.dev/

[coreybutler]

The bigger challenge at this point is whether the CA is trusted by the operating system. Microsoft SmartScreen maintains a strict trust list, which usually requires a partnership with Microsoft. Microsoft was the one company I didn't see in the Sigstore list. As of right now, it looks like this service will help confirm libraries are trustworthy (similar to checksums), but it doesn't mean apps signed with these certs will be trusted by operating systems just yet. It would be great if it evolved to this point though. I'll be keeping an eye on this effort, but it looks like an EV certificate is still required for immediate trust with Microsoft (for now).

[ghost]

This has been exactly our challenge with Microsoft. Costs thousands of dollars so that we can be shipped a physical USB key we have to use when code signing. Ridiculous.

[coreybutler]

I will make a more formal announcement later, but someone stepped up to sponsor the code signing certificate. I am currently going through the validation process with the certificate authority. I've done what I can to expedite, but it may still be a couple of weeks before the certificate is issued/arrives. When it does, I will release code signed v1.1.8 executables.

[ghost]

That's great news! Thanks for your hard work. If we developed more consistently on Windows I would definitely be reaching out.

[coreybutler]

@jchambliss keep an eye on things towards the end of the year. The new rt project (NVM4W successor) is cross-platform and cross-runtime.

[longsoft-dev]

I've got a work-around. Just download and install the previous release - 1.1.7. Then download the 1.1.8 zip version. Unzip and copy the nvm.exe to <nvm 1.1.7 home dir> and overwrite the old one ;-)

[coreybutler]

This is exactly what the updater does, except it copies over all of the files you need, not just nvm.exe.