chore(deps): update dependency nvm-sh/nvm to v0.40.5

[renovate]

This PR contains the following updates:

Package	Update	Change
nvm-sh/nvm	patch	v0.40.4 → v0.40.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

nvm-sh/nvm (nvm-sh/nvm)

v0.40.5

Compare Source

Security fix

Note this release addresses CVE-2026-10796.

New Stuff

• nvm install --offline: install from cache without network access

Bug Fixes

• nvm_download_artifact: reject version strings with disallowed characters
• nvm_get_checksum: pass the tarball name to awk as data, not program text
• nvm_download: avoid eval so mirror-supplied version strings can't inject commands
• nvm_download: send a well-formed Authorization header on the wget path
• avoid an unbound variable
• Add local for sanitized_header (#​3837)
• fix same owner for root when install from binary (#​3834)
• nvm_normalize_lts: only reject uppercase for LTS names, not regular aliases
• install.sh: check mkdir return codes
• install.sh: fix POSIX compliance, printf format strings, and profile detection
• nvm which: show alias name in infinite loop error message
• nvm uninstall: fix alias cleanup glob expansion
• nvm debug: use default empty values for potentially unset variables
• nvm_iojs_version_has_solaris_binary: fix comparison to detect non-iojs versions
• nvm_download_artifact: fix error propagation from subshells
• nvm_install_binary: return failure when binary download fails with -b
• nvm_get_arch: only apply musl suffix on x64 Alpine
• nvm_get_arch: add command prefix to uname call
• nvm_resolve_local_alias: avoid using variable as printf format string
• nvm_get_mirror: fix awk URL validation to actually reject invalid URLs
• nvm_ls_remote_combined: propagate iojs remote listing failures
• nvm install: fix nvm err typo to nvm_err for -s/-b conflict
• nvm alias: fix colors not showing by default

Refactors

• nvm_rc_version: use fd 3 instead of exported env var for multiple return

Docs

• fix --offline help line alignment
• Clean up wording in docs and shell comments (#​3806)
• fix CONTRIBUTING grammar (#​3804)
• do not use tilde expansion in ENV of Dockerfile (#​3821)
• [readme] use tilde expansion instead of "$HOME" for consistency (#​3799)
• [readme] use "$HOME" instead of hardcoded "/home/user"
• [readme] Revise Node.js version usage examples (#​3802)

Misc

• [meta] Update .gitmodules with relative submodule path (#​3839)
• [meta] Submodule nvmrc update protocol from git to https (#​3839)
• [meta] Align and enhance AGENTS.md instructions (#​3774)

Tests

• install_nvm_from_git: stop git background gc/maintenance racing with cleanup
• install_nvm_from_git: fix malformed test command (missing space before ])
• reduce CI flakiness from transient Docker registry failures
• remove double-substitution in assert_ok and assert_not_ok (#​3826)
• fix 4 test failures
• add try/try_err helpers; convert tests to use them
• [actions] add workflow to update nodejs.org nvm version
• [actions] set per-job permissions in the nvm install workflow
• [actions] allow DockerHub's CloudFront CDN so image pulls aren't blocked
• [actions] upgrade vampire/setup-wsl (#​3775)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign dillon-zheng for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment