asdf VS nvm

asdf or compatible .tool-versions file

In this article, we will use a version manager called asdf‑vm, or simply asdf.

This, but here are some things I've learned to do:

* Use a .local directory under my home directory instead of ~/bin. That's a great prefix when installing from source or tarball at the user level, keeps the top-level of the home directory from getting cluttered with /share /lib /include /etc /lib etc. etc.

* Reach for the package manager first when installing new software, unless there is a good reason not to. It makes keeping things up-to-date easy, and since I use Arch, which uses a rolling release, you pretty much get the latest stuff.

* If I can't get what I want from the package manager, I'll look at what is available using asdf-vm (https://asdf-vm.com/), and failing that, build from source or install from tarball.

* I don't use snap or the like.

I gave up on Windows over 20 years ago, and I can't say enough how liberating it has been. One of the nicest things is that there is a distro for almost every need (see https://distrowatch.com/). I use Arch; but your use case may point to a beginner-friendly distro, such as Mint, Ubuntu, etc., or a repeatable install type of distro, such as NixOS or Guix, or many others.

# Download asdf git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.15.0 # Add the following to ~/.zshrc . "$HOME/.asdf/asdf.sh" # Optional: Completions are configured by either a ZSH Framework asdf plugin # or by adding the following to your .zshrc: fpath=(${ASDF_DIR}/completions $fpath) autoload -Uz compinit && compinit

asdf is a popular version manager that uses a technique called "shimming" to switch between different versions of tools like Python, Node.js, and Ruby. It creates temporary paths to specific versions, modifying the environment to ensure that the correct version of a tool is used in different projects. However, this method can introduce performance overhead due to how these shims work.

I'm glad to see that I'm not the only person worried about this. It's a pretty glaring bit of attack surface if you ask me. I chuckled when I saw you used nvm as an example in your readme. I've pestered nvm about this sort of thing in the past (https://github.com/nvm-sh/nvm/issues/3349).

I'm a little uncertain about your threat model though. If you've got an SSL-tampering adversary that can serve you a malicious script when you expected the original, don't you think they'd also be sophisticated enough to instead cause the authentic script to subsequently download a malicious payload?

I know that nobody wants to deal with the headaches associated with keeping track of cryptographic hashes for everything you receive over a network (nix is, among other things, a tool for doing this). But I'm afraid it's the only way to actually solve this problem:

1. get remote inputs, check against hashes that were committed to source control

2. make a sandbox that doesn't have internet access

3. do the compute in that sandbox (to ensure it doesn't phone home for a payload which you haven't verified the hash of)

Remember the day you've installed nvm for node and npm?

NVM GitHub Repository

nvm (Node Version Manager): The most popular choice, especially on Linux and macOS. It installs Node.js within your user directory, completely avoiding the need for sudo when installing global packages. It makes switching between different Node.js versions effortless. (GitHub - nvm-sh/nvm). I have used this for years.I used pnpm, you can use npm

Let’s get it running locally first. You should have Node installed (you may also use nvm or docker).

Make sure you have node installed. If not, I recommend installing via nvm(Node Version Manager)

I was welcomed with an error that it couldn’t find npx command, which makes sense - I’m using NVM to manage node.