LPM-cli

lpm download

Download and extract a package tarball — no install side-effects.

lpm download <package[@version]> [--version <V>] [--output <DIR>] [--allow-unverified]

Fetches a package tarball and extracts it into a directory you choose. No lockfile, no node_modules, no script execution, no package.json mutation. Just the bytes.

Useful for inspecting a package's contents before you trust it, archiving a snapshot for offline reference, generating a fixture, or reading the source of a package you don't want to install.

Routing matches lpm install:

  • @lpm.dev/* fetches from lpm.dev.
  • @scope/pkg follows the current project's .npmrc @scope:registry=... mapping when one exists.
  • Unscoped names (react, zod, lodash.merge) use the current project's default .npmrc registry, or npmjs.org when no override is present.

If you specifically mean an lpm.dev package, prefer the fully scoped @lpm.dev/owner.pkg form: an unscoped name is routed to the project's default registry (npmjs.org unless .npmrc overrides it), where the same name can resolve to an unrelated package.
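The routing rules above, as an added example that is not part of LPM-cli: a small Python model of the .npmrc lookup. It handles only the two keys the page names (registry= and @scope:registry=) and ignores the rest of npm's ini syntax (per-registry auth lines, ${VAR} expansion). Two things are assumptions of this example, not statements from the page: the lpm.dev base URL is taken from the tarball_url shown in the --json envelope further down, and a scoped name whose scope has no .npmrc mapping falls back to the default registry.

```python
# Added example (not LPM-cli code). Assumptions: the lpm.dev base URL is taken from the
# --json tarball_url on this page; an unmapped @scope falls back to the default registry.
LPM_DEV_REGISTRY = "https://lpm.dev/api/registry"
NPMJS_REGISTRY = "https://registry.npmjs.org"


def parse_npmrc(text):
    """Pick registry= and @scope:registry= out of .npmrc text.

    Simplified: '#' / ';' comments are dropped, every other key is ignored,
    and no ${VAR} expansion is done."""
    cfg = {"registry": None, "scopes": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "registry":
            cfg["registry"] = value.rstrip("/")
        elif key.startswith("@") and key.endswith(":registry"):
            cfg["scopes"][key[: -len(":registry")]] = value.rstrip("/")
    return cfg


def split_spec(spec):
    """'@scope/pkg@1.2.3' -> ('@scope/pkg', '1.2.3'); a scope's leading '@' is not a separator."""
    at = spec.rfind("@")
    if at > 0:
        return spec[:at], spec[at + 1:]
    return spec, None


def route(spec, cfg):
    """Return (registry_url, package_name, version_or_None) for a download request."""
    name, version = split_spec(spec)
    if name.startswith("@lpm.dev/"):          # fully scoped lpm.dev names always go to lpm.dev
        return LPM_DEV_REGISTRY, name, version
    if name.startswith("@"):                  # other scopes follow @scope:registry= when present
        scope = name.split("/", 1)[0]
        if scope in cfg["scopes"]:
            return cfg["scopes"][scope], name, version
    return cfg["registry"] or NPMJS_REGISTRY, name, version


if __name__ == "__main__":
    # Constructed .npmrc: a company default registry plus one scoped override.
    sample = "registry=https://npm.example.internal/\n@my-co:registry=https://npm.my-co.example/ ; scoped\n"
    cfg = parse_npmrc(sample)
    for spec in ("react", "react@0.14.3", "@my-co/internal", "@lpm.dev/owner.pkg@2.1.0", "@other/pkg"):
        print(spec, "->", route(spec, cfg))
```

The rfind-based split is what makes @my-co/internal and @lpm.dev/owner.pkg@2.1.0 both parse correctly; splitting on the first "@" would mangle every scoped name.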

Examples

lpm download react                                   # npmjs.org (or project .npmrc default registry)
lpm download react@0.14.3                            # npm-style inline version
lpm download @my-co/internal                         # project .npmrc scoped registry
lpm download @lpm.dev/owner.pkg                      # force lpm.dev
lpm download @lpm.dev/owner.pkg --version 2.1.0      # a specific version
lpm download react --version next                    # dist-tag or semver range
lpm download @lpm.dev/owner.pkg --json               # structured output (URL, integrity, paths)

How it works

  1. Fetches the package metadata from the routed registry to find the tarball URL and SRI integrity hash for the requested (or latest) version.
  2. Downloads the tarball.
  3. Verifies the downloaded bytes against that SRI hash when the registry ships one; a mismatch aborts the run before anything is extracted. If the registry does not ship integrity, lpm download refuses to extract by default; re-run with --allow-unverified only when you intentionally accept an unverified tarball.
  4. Extracts into the output directory.

The output directory defaults to the current working directory. The tarball's top-level package/ is unwrapped during extraction (equivalent to tar x --strip-components=1), so you get the package contents directly.
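Steps 3 and 4 above, as an added Python example that is not LPM-cli's own code. It builds a tiny npm-style tarball in memory (a constructed fixture), checks it against an SRI string the way a registry-supplied integrity value would be checked, refuses when the hash is absent unless the waiver is given, and then unwraps the leading package/ component. It also goes one step beyond the page: because the tarball is untrusted until verified, extraction rejects entries that would land outside the output directory (../ names, absolute names, links), which a plain tar x --strip-components=1 would not. The IntegrityError name, the demo() driver and the hostile traversal entry are this example's own.

```python
# Added example (not LPM-cli code): integrity gate + package/-stripping extraction
# of steps 3 and 4, exercised against a constructed in-memory tarball.
import base64
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}   # SRI algorithms accepted, weakest first

class IntegrityError(Exception):
    """Raised wherever the real command would abort before extracting (name is this example's)."""

def sri_for(data, algo="sha512"):
    """SRI string ('sha512-<base64 digest>') for a byte string."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

def verify_sri(data, integrity):
    """Check data against an SRI string (several space-separated entries allowed; strongest wins)."""
    candidates = []
    for entry in integrity.split():
        algo, _, b64 = entry.partition("-")
        if algo in STRENGTH:
            candidates.append((STRENGTH[algo], algo, b64.split("?", 1)[0]))  # drop ?options
    if not candidates:
        raise IntegrityError(f"no supported algorithm in SRI {integrity!r}")
    _, algo, expected_b64 = max(candidates)
    actual = hashlib.new(algo, data).digest()
    if not hmac.compare_digest(base64.b64decode(expected_b64), actual):
        raise IntegrityError(f"integrity mismatch: expected {algo}-{expected_b64}, got {sri_for(data, algo)}")
    return True

def download_extract(tarball, integrity, output_dir, allow_unverified=False):
    """Gate on the registry's SRI (refuse when absent unless waived), then extract with the
    first path component stripped, keeping every write inside output_dir. Returns envelope fields."""
    if integrity is None:
        if not allow_unverified:
            raise IntegrityError("registry shipped no integrity; pass allow_unverified to accept")
        verified = False
    else:
        verify_sri(tarball, integrity)       # aborts before anything touches disk
        verified = True
    out_root = os.path.realpath(output_dir)
    files_extracted = 0
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        for member in tf.getmembers():
            parts = member.name.split("/")
            if len(parts) < 2:               # the bare top-level entry itself
                continue
            dest = os.path.realpath(os.path.join(out_root, "/".join(parts[1:])))  # --strip-components=1
            # A hostile tarball can carry ../, absolute names or links; none may escape out_root.
            if os.path.commonpath([out_root, dest]) != out_root:
                raise IntegrityError(f"refusing entry outside output dir: {member.name}")
            if member.issym() or member.islnk():
                raise IntegrityError(f"refusing link entry: {member.name}")
            if member.isdir():
                os.makedirs(dest, exist_ok=True)
            elif member.isfile():
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tf.extractfile(member) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
                files_extracted += 1
    return {"integrity": integrity, "integrity_verified": verified, "size_bytes": len(tarball),
            "output_dir": out_root, "files_extracted": files_extracted}

def build_tarball(entries):
    """Constructed fixture: gzipped tar holding {member name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo():
    """Run the outcomes a practitioner cares about in a scratch dir; returns them by name."""
    good = build_tarball({"package/package.json": b'{"name":"demo","version":"1.0.0"}',
                          "package/lib/index.js": b"module.exports = 1;\n"})
    hostile = build_tarball({"package/../escape.txt": b"owned\n"})   # constructed traversal entry
    wrong = "sha512-" + base64.b64encode(b"\x00" * 64).decode()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["verified"] = download_extract(good, sri_for(good), os.path.join(tmp, "ok"))
        for name, tb, sri in (("mismatch", good, wrong), ("missing", good, None),
                              ("traversal", hostile, sri_for(hostile))):
            try:
                download_extract(tb, sri, os.path.join(tmp, name))
                results[name] = "extracted"
            except IntegrityError:
                results[name] = "refused"
        results["waived"] = download_extract(good, None, os.path.join(tmp, "waived"), allow_unverified=True)
        results["escaped"] = os.path.exists(os.path.join(tmp, "escape.txt"))
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note the ordering: the hash is checked over the whole tarball before any entry is written, so a mismatch never leaves a half-extracted directory behind, and the integrity_verified field is false only on the waived path, matching the envelope semantics described under --json.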

What lpm download does NOT do

  • Install dependencies — none of the package's dependencies are fetched
  • Touch package.json or any lockfile
  • Run lifecycle scripts (preinstall, postinstall, etc.)
  • Place the result in node_modules/
  • Update the global content-addressable store

For a real install, use lpm install. For source delivery into your project, use lpm add.

Flags

Flag                  Effect
--version <V>         Version spec to download: exact version, dist-tag (latest, next), or semver range.
                      Defaults to latest. Alternative to inline package@version; do not pass both.
--output <DIR>, -o    Output directory (default: current working directory). The output_dir field in
                      --json mode is canonicalized to an absolute path regardless of how the flag was
                      passed.
--allow-unverified    Waive the default integrity gate when the registry returns no SRI hash. Intended
                      for legacy sources that genuinely do not ship integrity; you take on verification
                      yourself.

Plus the global flags.

--json envelope

{
  "success": true,
  "package": "@lpm.dev/owner.pkg",
  "version": "2.1.0",
  "tarball_url": "https://lpm.dev/api/registry/@lpm.dev/owner.pkg/-/owner.pkg-2.1.0.tgz",
  "integrity": "sha512-...",
  "integrity_verified": true,
  "size_bytes": 87654,
  "output_dir": "/abs/path/to/output",
  "files_extracted": 42,
  "elapsed_secs": 0.412
}

Fields:

Field                Meaning
tarball_url          Resolved tarball URL the bytes came from. Useful for mirroring or audit logs.
integrity            SRI string the registry advertised for this version (e.g. sha512-…), or null if
                     the registry didn't ship one. A null value only reaches a success envelope when
                     you explicitly passed --allow-unverified.
integrity_verified   true when the SRI was present and verified; false only on the explicit
                     --allow-unverified path, where extraction proceeds without a registry-provided
                     hash. A verification failure still aborts the run.
output_dir           Absolute path where files were extracted (canonicalized).
files_extracted      Count of files written from the tarball, after the package/ prefix is stripped.

See also

  • lpm install — full install, with node_modules and lockfile
  • lpm add — source delivery into your project
  • lpm info — package metadata without downloading
  • lpm resolve — print the resolved dep tree without downloading