Skip to content

lpm-dev/rust-client

Repository files navigation

LPM logo

LPM

What is LPM?

LPM is a fast, secure package manager and developer platform for modern JavaScript and TypeScript projects. It ships as a single Rust binary called lpm, works with the npm ecosystem, and adds secure-by-default installs, built-in developer tooling, hosted registry features, and an npm package firewall.

lpm install
lpm add lpm-source-package
lpm run dev

LPM has three connected parts:

  • LPM CLI - an npm-compatible package manager and dev toolkit written in Rust. It installs from npm, lpm.dev, JSR, and private registries; blocks dependency lifecycle scripts by default; and includes a task runner, dev server, test/bench runner, linter, formatter, Node version pinning, local HTTPS, tunnels, secrets, and project health checks.
  • LPM.dev Registry - the hosted registry and platform behind the @lpm.dev/* scope. Use it for private packages, Pool distribution, Marketplace sales, Swift packages, package quality analysis, generated metadata, access control, and Pro/team platform features.
  • LPM Firewall - a hosted verdict service for public npm package versions. It can run in monitor mode or enforcement mode before LPM materializes package bytes, helping teams catch malicious packages, critical vulnerabilities, suspicious lifecycle behavior, and policy violations during install.

Install

LPM supports macOS, Linux glibc, Linux x64 musl (including Alpine), and Windows x64 through npm. Homebrew and the standalone installer support macOS and Linux; the standalone installer selects the matching glibc or musl binary automatically on Linux x64.

# npm
npm install -g @lpm-registry/cli --allow-scripts=@lpm-registry/cli

# Homebrew
brew tap lpm-dev/lpm && brew install lpm

# Standalone
curl -fsSL https://cli.lpm.dev/install | sh

The npm package is a dependency-free launcher for the native Rust binary. npm installs the matching platform package through optionalDependencies; the approved postinstall verifier checks the native binary and wires the global command where the platform allows it.

If your npm version or policy does not require explicit script approval, this also works:

npm install -g @lpm-registry/cli

Update LPM with:

lpm self-update

Quick Links

Benchmarks

Install benchmarks use the tracked VitePress docs fixture, a real-world workspace graph with 535 packages.

Benchmark npm pnpm bun lpm lpm + Firewall monitor
Cold install, equal footing ¹ 17,354ms 6,125ms 2,455ms 2,945ms 3,043ms
Warm install ¹ 3,819ms 3,301ms 451ms 387ms 324ms
Up-to-date install ¹ 282ms 522ms 77ms 14ms 14ms

Dev command benchmarks measure already-installed local scripts, local bins, and built-in tools.

Benchmark npm / npx / tsx pnpm bun / bunx lpm
Package script: no-op ² 74ms 161ms 15ms 10ms
Package script: empty Node ² 101ms 185ms 33ms 27ms
Local bin: esbuild --version ² 144ms 174ms 27ms 21ms
Run TSX app, warm cache ³ 112ms 19ms 41ms
lpm lint vs npx oxlint 273ms 3ms
lpm fmt vs npx biome 340ms 3ms
Benchmark methodology

¹ Install benchmarks — Generated by run-install-readiness.mjs with --samples 10 --fixtures vitepress --managers lpm,bun,pnpm,npm --modes cold,warm,up-to-date --lpm-firewall-modes off,report. Each run uses an isolated temporary project, HOME, package-manager cache, and LPM_HOME; samples are round-robin interleaved to reduce live-network bias. Dependency lifecycle scripts are disabled for all package managers. Raw artifact: readme-install-vitepress-20260710T140139.md.

Firewall monitor mode — The Firewall monitor column runs the same LPM install with LPM_NPM_FIREWALL=report. In the cold install row, LPM checked 535 package versions before materializing package bytes.

² Script and local-bin benchmarks — Generated by run-bin-benchmark.mjs with 10 measured iterations after 2 warmups. Dependency installation is setup-only and not timed; rows execute package scripts or already-installed local node_modules/.bin entries. Tool versions: lpm 0.67.0, npm 10.9.4, npx 10.9.4, pnpm 11.3.0, bun 1.3.14, bunx 1.3.14. Raw artifact: readme-run-bin-20260710T214708Z.md.

³ TSX benchmark — Generated by exec-runtime-benchmark.mjs against a generated 10-module TSX ESM app with 10 measured iterations after 2 warmups. The npm / npx / tsx column is tsx; the bun / bunx column is bun. Raw artifact: readme-exec-runtime-20260710T141510.md.

⁴ Built-in tool benchmarks — Generated with RUNS=10 LPM_BIN=target/release/lpm-rs BENCH_WORK_DIR=/tmp/lpm-readme-builtin-tools-work-20260711T205110Z ./bench/run.sh builtin-tools on bench/project. The npm / npx / tsx column is npx oxlint or npx @biomejs/biome. Raw artifact: readme-builtin-tools-20260711T205110Z.md.

License

Dual-licensed under MIT OR Apache-2.0.

See LICENSE-MIT and LICENSE-APACHE.

About

Fast Rust package manager — npm + lpm.dev + SE-0292 Swift compatible, sandboxed lifecycle scripts, security audits

Topics

Resources

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE
MIT
LICENSE-MIT

Stars

3 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors