lpm global
Manage globally-installed CLI packages under ~/.lpm/global/.
lpm global <subcommand>CLI surface for the global package store at ~/.lpm/global/. Globally installed packages — lpm install -g <pkg> — get their bins shimmed into ~/.lpm/bin/ and tracked in a manifest LPM owns.
A package is committed as globally installed only after LPM has created at least one safe, executable bin shim for it. Packages with no usable bins, unsafe bin names, or incomplete install roots fail closed and are rolled back before they reach the global manifest.
The same install / uninstall surface is reachable via the regular commands with -g:
| Equivalent | |
|---|---|
lpm install -g eslint | lpm install --global eslint |
lpm uninstall -g eslint | lpm global remove eslint |
This page documents the lpm global subcommands directly. For installing a global package, prefer lpm install -g.
Examples
lpm global list # what's installed globally
lpm global list --outdated # which globals have updates available
lpm global list --verbose # add install date, size, root path
lpm global bin # print ~/.lpm/bin/ (add this to PATH)
lpm global path eslint # print eslint's install root
lpm global link # expose the current package's bins globally
lpm global link ../my-cli # expose a local checkout globally
lpm global unlink my-cli # remove a local global link
lpm global remove eslint # uninstall a global package
lpm global update # update every globally-installed package
lpm global update eslint # update one
lpm global update eslint@^9 # change the saved spec, then update
lpm global update --dry-run # show the upgrade plan, change nothingSubcommands
list
lpm global list [--outdated] [--verbose]Lists every globally-installed package with its active version and exposed bin commands.
| Flag | Effect |
|---|---|
--outdated | Resolve each install's saved spec against its registry; flag packages with newer matching versions. @lpm.dev/* globals use LPM batch metadata, while npm globals use the same npm metadata path as global install/update. |
--verbose | Add install date, on-disk size, and the absolute install root for each row |
With --outdated, the human table shows Package, Current, Wanted, Latest, and Bins. Wanted is the newest version that still satisfies the global install's saved spec; Latest is the registry's absolute latest version, so major-version jumps are visible even when the saved range would not select them. Local links are skipped because their source of truth is your checkout, not the registry.
If registry metadata is missing or the saved spec no longer resolves, lpm global list --outdated exits non-zero instead of reporting a clean result. In --json mode, inspect success, unresolved, and count_unresolved to distinguish "everything checked" from "some globals could not be compared."
bin
lpm global binPrints ~/.lpm/bin/ — the directory where global-install shims live. Add this to your PATH so installed CLIs resolve.
export PATH="$(lpm global bin):$PATH" # in your shell rcpath <package>
lpm global path eslintPrints the install root for one specific globally-installed package. Useful for tooling that needs to find the package's node_modules/, package.json, or files.
For local links, this prints the linked source checkout.
link [path]
lpm global link
lpm global link ../my-cliLinks a local package into the global manifest and exposes its bin commands through ~/.lpm/bin/. Omit path to link the current working directory.
The linked package must have name, version, and at least one valid bin entry in package.json; each bin target must exist inside the package directory. LPM refuses command-name collisions with existing global packages so a local checkout cannot silently take over a command you already installed.
unlink <package>
lpm global unlink my-cliRemoves a local global link, its shims, and its global manifest entry. Registry-backed global packages are removed with lpm global remove or lpm uninstall -g.
remove <package>
lpm global remove eslintUninstalls a globally-installed package. Drops the entry from the global manifest, removes the install root, and unshims any bins it owned. Equivalent to lpm uninstall -g eslint — both invocations route through the same uninstall pipeline.
update [package[@spec]] [--dry-run]
lpm global update # update every global
lpm global update eslint # update one, preserving its saved spec
lpm global update eslint@^9 # rewrite the saved spec, then update
lpm global update --dry-run # plan only, no workThree behaviors based on the argument:
| Argument | Behavior |
|---|---|
| (none) | Iterate every registry-backed global package. Re-resolve each one against its persisted saved_spec. Upgrade any that have a newer matching version. Local links are skipped. |
<pkg> | Same flow scoped to one registry-backed package. Local global links are not updated by this command; edit the linked checkout directly, or unlink and link it again after its metadata changes. |
<pkg>@<spec> | Rewrite the saved spec using the save policy decision logic, then upgrade. Same precedence as lpm install <pkg>@<spec> in a project context. |
| Flag | Effect |
|---|---|
--dry-run | Print the upgrade plan without changing any state |
If registry metadata is missing, the selected version is no longer present, or the saved spec cannot resolve, lpm global update exits non-zero instead of reporting a clean skip. In --json mode, success is false and the affected row appears as failed in results or plan_error in plans for --dry-run. Bulk updates remain best-effort: successful package rows may still be applied before the final non-zero exit.
Bin collisions
When two global installs declare a bin with the same name, the second install's shim takes ownership. To resolve a collision deliberately, use the install command's --replace-bin flag:
lpm install -g foo --replace-bin serveThe previous owner keeps its install but loses serve from PATH; the new shim points at foo's serve binary. See lpm install -g for the full collision surface (--replace-bin, --alias <ORIG=ALIAS>).
Security gates on -g
lpm install -g runs through the same install pipeline as project installs, with all four security gates applied to the synthesized global project:
| Flag | Behavior on -g |
|---|---|
--allow-new | Bypasses the minimum release age cooldown |
--min-release-age=<DUR> | Overrides the cooldown window (<N>h, <N>d, or seconds; 0 disables) |
--ignore-provenance-drift <PKG> | Waives the drift check for one package (repeatable) |
--ignore-provenance-drift-all | Waives the drift check for every resolved package |
--policy=deny|allow|triage | Script-policy for this invocation |
--yolo | Alias for --policy=allow |
--triage | Alias for --policy=triage |
--advisor=none|claude-cli|codex|ollama | Triage advisor override (only consulted under --policy=triage) |
--auto-build | Auto-runs lpm rebuild for trusted packages immediately after install. On -g under triage with mixed-trust trees, this is the only way to trigger the rebuild — package.json > lpm > scripts.autoBuild is not consulted. Also useful under deny with an established global trust set. |
--strict-sandbox / --paranoid / --no-sandbox | Sandbox mode for this invocation's lifecycle scripts |
Two -g-specific notes:
- No project-config tier. Globals use a synthesized package.json that doesn't carry
lpm > scriptPolicy,lpm > minimumReleaseAge, orlpm > scripts.autoBuild. The script-policy and cooldown precedence chains collapse to CLI flag >~/.lpm/config.toml> default. Triage on-grequires the explicit--auto-buildflag for mixed-trust trees — there's no per-project knob. - Reinstall to rerun blocked scripts. After
lpm approve-scripts --global, the trust file is updated but the install root isn't re-executed. Runlpm uninstall -g <pkg> && lpm install -g <pkg>for each affected top-level global to actually run the approved scripts.lpm rebuild --globalis a planned follow-up.
Approving scripts for globals
Globally-installed packages have their own blocked-set for lifecycle scripts. Manage it with:
lpm approve-scripts --global # review the global blocked set
lpm approve-scripts --global --group # group by top-level globally-installed packageApprovals write to ~/.lpm/global/trusted-dependencies.json (separate from any project's package.json). The success banner enumerates the top-level globals affected so you can run the matching lpm uninstall -g … && lpm install -g … for each.
See also
lpm install -g— install into the global root (with--replace-bin/--alias)lpm uninstall -g— equivalent tolpm global removelpm approve-scripts --global— script approval for globals- Save policy — determines what
update <pkg>@<spec>writes