volta
volta copied to clipboard
volta-cli
Volta: JS Toolchains as Code. ⚡
Bumps [attohttpc](https://github.com/sbstp/attohttpc) from 0.28.2 to 0.30.1. Release notes Sourced from attohttpc's releases. v0.30.1 What's Changed fix: remove deprecated rustls feature flag by @metent in sbstp/attohttpc#194 Full Changelog: https://github.com/sbstp/attohttpc/compare/v0.30.0...v0.30.1 v0.30.0 What's...
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot] avatar"){kind=avatar}
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.24 to 4.5.51. Release notes Sourced from clap's releases. v4.5.51 [4.5.51] - 2025-10-29 Fixes (help) Correctly calculate padding for short flags that take a value (help) Don't...
## Problem The install script does not verify release integrity (#2075), leaving users vulnerable to: - Compromised or corrupted downloads - Man-in-the-middle attacks - Tampered release files ## Solution Implemented...
The [install script](https://github.com/volta-cli/volta/blob/main/dev/unix/volta-install.sh) calls `download_release_from_repo` then `install_from_file`, but it extracts the release without verifying integrity or authenticity. An attacker who can replace a release artifact (or a compromised intermediary/CA) could...
Volta should be able to upgrade the locally downloaded toolkit with one click
Generally speaking, only tools that matter to the current process should be injected to the PATH. For example, running `node ...` should only add `.volta/tools/image/node/22.13.1/bin` to the PATH, not `.volta/tools/image/yarn/1.22.19/bin`....
I'm on volta 2.0.2 on macOS 15.7.1 With this `package.json`: ```json { "name": "my-website", "scripts": { "start": "node --version" }, "volta": { "node": "24.9.0" } } ``` pnpm run start...
running `npm install -g @vue/[email protected]` fails with the following message: ``` ❯ export VOLTA_LOGLEVEL=debug ❯ npm install -g @vue/[email protected] [verbose] Found default configuration at '/home/manuel/.volta/tools/user/platform.json' [verbose] Acquiring lock on Volta...
I'm implementing a version manager for Yarn, and Volta gets in the way: every call to `node` corrupts the PATH by shadowing the existing `yarn` binary. In theory Volta should...
