Modern apps are a patchwork of npm, nvm, Turborepo, ngrok, mkcert, dotenv-vault, and shadcn-cli. LPM-cli brings install, task cache, runtime, env, HTTPS, tunnels, and source delivery into one Rust binary.
Cold installs land in 880ms — npm takes 6.8 seconds. Warm installs in 23ms. Content-addressable store, clonefile on macOS, zero-parse mmap'd lockfile.
Every package checked end-to-end on install — DSSE attestations, Rekor inclusion proofs, SCTs, and the full X.509 chain. Includes attestations served by npmjs, not just lpm.dev.
Lifecycle scripts are blocked by default and, when they do run, execute inside Seatbelt (macOS), Landlock + seccomp (Linux), or AppContainer (Windows).
Per-project secrets in your OS keychain, end-to-end encrypted sync across teammates, platform pushes that never route plaintext through our servers.
One command brings up your whole stack: pinned Node, fresh deps, loaded env, HTTPS, claimable public tunnels with webhook capture, multi-service ready-checks.
OIDC trusted publishers replace long-lived API tokens. Auto-OIDC token exchange in GitHub Actions and GitLab CI; provenance signed on every release.
shadcn-style: extracts package source into your repo from any registry — npm, lpm.dev, private. Files land in your repo; you own and edit them.
OSV vulns, behavioral flags (eval, child_process, network), and CSS-like selectors as CI gates across every installed package.
lpm fmt in 13ms vs npx biome at 264ms — 20× faster. Lint, fmt, test, runner all native and lazy-downloaded.
One root CA trusted once. Every project gets browser-accepted HTTPS, public tunnels with webhook replay, multi-service ready-checks.
Interactive HTML graph, Mermaid output, terminal tree — built offline from your lockfile. --why <pkg> traces any path.
Filter DSL (web..., [origin/main]), workspace:* protocol, catalogs for shared versions, lpm deploy to ship one member.