nvm-sh / nvm

Node Version Manager - POSIX-compliant bash script to manage multiple active node.js versions


Feature Request: User-provided hash

MatrixManAtYrService opened this issue · comments

I see that nvm checks nodejs versions against a copy of SHASUMS256.txt which it downloads from the same mirror that it downloads nodejs.

This verification is not without value as-is, but I've got my tin-foil-hat on and it doesn't quite scratch the itch. I'd like to hard-code a hash so that my automation will break if there's a MITM between myself and the mirror (otherwise the MITM can just tamper with SHASUMS256.txt to make the verification pass and hide whatever skulduggery they've amended node with).

I'm imagining something like:

nvm install 16.19.1 --sha256 ca63da538e02de15b7e974f7a17ce4732cc0d63023942301d30044c472ed9ddd

Please consider it. Thank you.
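The following is an added example, not nvm's code and not an implementation of the proposed `--sha256` flag. It contrasts the two checks the issue talks about: verifying a download against the mirror's SHASUMS256.txt, and verifying it against a digest the operator pinned out of band. The file names (`node.tar.xz`, `SHASUMS256.txt`) and file contents are constructed for the demo; the pinned digest is simply the SHA-256 of those constructed contents.

```shell
#!/bin/sh
# Added example (not part of nvm): pin a SHA-256 for an artefact instead of
# trusting the SHASUMS256.txt served by the same mirror as the artefact.

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  else
    echo "no SHA-256 tool found" >&2
    return 2
  fi
}

# Check FILE against an operator-supplied digest (what the requested flag would do).
# Returns 0 on match, 1 on mismatch, 2 if no digest tool is available.
verify_pinned() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  actual=$(sha256_of "$file") || return 2
  [ "$actual" = "$expected" ] && return 0
  echo "pinned hash mismatch for $file (expected $expected, got $actual)" >&2
  return 1
}

# Check FILE against a SHASUMS256.txt fetched from the mirror (the current nvm
# behaviour). Lines have the form "<hex>  <filename>".
verify_from_shasums() {
  file="$1"
  shasums="$2"
  name=$(basename "$file")
  listed=$(awk -v n="$name" '$2 == n {print $1; exit}' "$shasums")
  [ -n "$listed" ] || { echo "$name not listed in $shasums" >&2; return 1; }
  verify_pinned "$file" "$listed"
}

# Constructed scenario: an artefact and its mirror-served checksum list are
# rewritten together (what a MITM on the mirror path could do). The
# SHASUMS-based check keeps passing; the pinned digest catches the change.
# Returns 0 when the scenario plays out exactly that way.
demo() {
  dir=$(mktemp -d) || return 2
  # Stand-in for a node tarball; contents are constructed for the demo.
  printf 'hello\n' > "$dir/node.tar.xz"
  # Digest the operator recorded out of band (SHA-256 of the constructed contents).
  pinned=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  printf '%s  node.tar.xz\n' "$pinned" > "$dir/SHASUMS256.txt"

  # Untampered download: both checks pass.
  verify_pinned "$dir/node.tar.xz" "$pinned" || return 1
  verify_from_shasums "$dir/node.tar.xz" "$dir/SHASUMS256.txt" || return 1

  # Artefact altered and the mirror's checksum list regenerated to match.
  printf 'tampered\n' >> "$dir/node.tar.xz"
  printf '%s  node.tar.xz\n' "$(sha256_of "$dir/node.tar.xz")" > "$dir/SHASUMS256.txt"

  # Mirror-based check still passes; pinned check must now fail.
  verify_from_shasums "$dir/node.tar.xz" "$dir/SHASUMS256.txt" 2>/dev/null || return 1
  if verify_pinned "$dir/node.tar.xz" "$pinned" 2>/dev/null; then return 1; fi

  rm -rf "$dir"
  return 0
}
```

`demo` returns 0 only when the mirror-based check is fooled and the pinned check is not, which is the property the request is after; in practice the pinned digest would come from a source other than the mirror (a release announcement, a signed manifest, or a previous trusted install), and `verify_pinned` is the step that would run after the download regardless of what SHASUMS256.txt says.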

Where are you getting the hash from in the first place if you can't trust nodejs.org?