Fast, secure, all-in-one. Written in Rust.
npm install -g @lpm-registry/cliOther install methods
brew tap lpm-dev/lpm && brew install lpm # Homebrew
curl -fsSL https://lpm.dev/install.sh | sh # Standalone
cargo install --git https://github.com/lpm-dev/rust-client lpm-cli # Source# Package management
lpm install # Install deps (aliases: i)
lpm add <package> # Source delivery (any registry: lpm.dev, npm, .npmrc-private)
lpm remove <package> # Remove added package (aliases: rm)
lpm uninstall <packages> # Remove from deps (aliases: un, unlink)
lpm publish # Publish to lpm.dev (aliases: p)
lpm upgrade # Upgrade deps to latest
lpm outdated # Check for newer versions
lpm audit # Security + quality audit (OSV.dev)
lpm search <query> # Search packages
lpm info <package> # Package details
lpm quality <package> # Quality report
lpm migrate # Migrate from npm/yarn/pnpm/bun
# Scripts & execution
lpm run <scripts...> # Run scripts (parallel: -p, cached, watch)
lpm dev # Zero-config dev server + HTTPS + tunnel
lpm exec <file> # Run JS/TS files directly
lpm dlx <package> # Run without installing
lpm test # Auto-detect test runner
lpm bench # Auto-detect benchmark runner
# Built-in tools (lazy-downloaded)
lpm lint # Oxlint
lpm fmt # Biome
lpm check # TypeScript (tsc --noEmit)
lpm plugin list # Show installed tools
lpm plugin update # Update tools
# Runtime & environment
lpm use node@22 # Install + pin Node.js version
lpm vault # Secrets manager (Keychain-backed)
# Dev infrastructure
lpm tunnel <port> # Expose localhost to the internet
lpm tunnel claim <domain> # Claim a stable domain
lpm tunnel inspect # View captured webhooks
lpm tunnel replay <n> # Replay a webhook
lpm cert status # Local HTTPS certificate info
lpm cert trust # Install CA to trust store
lpm graph # Dependency tree (--dot, --mermaid, --html)
lpm ports # Dev service port management
# Project health
lpm doctor # 11-check health report (--fix to auto-repair)
lpm store verify # Verify package store integrity
lpm store gc # Clean unused packages
# Auth & config
lpm login # Authenticate (aliases: l)
lpm logout # Clear token (aliases: lo)
lpm whoami # Current user
lpm setup # Generate .npmrc for CI/CD
lpm init # Create a new package
lpm config # CLI configuration
lpm skills install # Install AI agent skills
lpm swift-registry # Configure SPM integration
lpm mcp setup # Configure MCP server for AI editorslpm add <pkg> is a source delivery command — distinct from lpm install. It downloads a tarball, copies the source files into your project (NOT node_modules), rewrites imports, and (if the package opts in) drives an interactive config + dependency install.
It works for any package on any registry the rust client can reach:
lpm add @lpm.dev/owner.name— lpm.dev-hosted (the only form that resolves to lpm.dev).lpm add @lpm-registry/ex-source— public npm scoped.lpm add react/lpm add lodash.merge— bare npm names. Dotted bare names (lodash.merge,lodash.debounce) are real npm packages, not lpm.dev shorthand.lpm add @private/internal-pkg— private/corp registry declared in.npmrc(@private:registry=...+_authToken=...).
Two paths inside the command, decided after extraction:
- Rich path (
lpm.config.jsonpresent at the tarball root) — schema prompts, conditional file filtering, conditional dependency installation, importAlias-aware rewrite. - Simple path (
lpm.config.jsonabsent) — "download manager": prompt for target dir (or pass--path), copy source files verbatim, rewrite imports, NO automatic dep install. The user-facing summary lists external/bare imports the user needs to add to theirpackage.json.
--yes / --json / non-TTY without --path errors explicitly: there's no human in the loop to confirm where 3rd-party source landed, so refusing is safer than heuristic-defaulting components/. Pass --path <dir> to opt in.
One command. Zero config. Everything auto-detected.
$ lpm dev
● Node 22.12.0 (from .nvmrc)
● Deps up to date (2ms)
● Env .env loaded
● HTTPS certificate valid
● Tunnel https://acme-api.lpm.llc
[db] ✔ ready (0.8s)
[web] ✔ ready (1.2s)
[api] ✔ ready (3.4s)
⌘ Opening https://localhost:3000Auto-installs deps if stale. Copies .env.example if no .env. Starts multi-service orchestrator from lpm.json. Opens browser after readiness checks. Tunnel domain from config. HTTPS with local CA.
| npm | pnpm | bun | lpm | |
|---|---|---|---|---|
| Cold install, equal footing ¹ | 7,912ms | 1,546ms | 1,005ms | 962ms |
| Cold install, full wipe loop ² | 8,538ms | 2,376ms | 1,469ms | 1,867ms |
| Warm install ³ | 1,324ms | 1,099ms | 478ms | 732ms |
| Up-to-date install ³ | 522ms | 175ms | 11ms | 5ms |
| Script overhead ⁴ | 66ms | 103ms | 6ms | 10ms |
lpm lint vs npx oxlint ⁴ |
257ms | — | — | 77ms (3.3×) |
lpm fmt vs npx biome ⁴ |
271ms | — | — | 14ms (19×) |
¹ Equal-footing cold install —
bench/fixture-large— 21 direct deps, 266 transitive packages. Apple M4 Pro, macOS 15.4.RUNS=11median, 2026-04-29 (post-Phase-60.1 default-flip —lpm installreaches greedy-fusion without env vars). Tool-specific cache + lockfile wipes happen OUTSIDE the timed region so the comparison measures install work only, not asymmetricrm -rfcost across tools (LPM wipes two paths, bun wipes one, npm/pnpm wipe their own equivalents). lpm and bun are measured in a 2-arm round-robin (alternating order per outer iter) so both arms see the same warm/cold network mix across the run — without that, the arm that runs second per iter gets a ~200-300ms CDN-warmth advantage that biases the comparison. npm and pnpm run sequentially (their multi-second installs make any 200ms warmth bias negligible). Reproduce:./bench/scripts/run-readme.sh 11.² Full wipe loop — same fixture as ¹, but cache wipes are INSIDE the timer. Representative of a CI cold-clone loop where setup and install are billed together. LPM's wipe covers two paths (
~/.lpm/cache+~/.lpm/store), bun's covers one, npm/pnpm wipe their own; this column includes the asymmetricrm -rfterm. The equal-footing row (¹) is the install-work-only comparison.³ Warm / Up-to-date —
bench/project— 17 direct deps / 51 packages. Warm install: lockfile + global cache present,node_moduleswiped before each timed iteration. Up-to-date install: lockfile + cache +node_modulesall present; the PM detects "nothing to do" and exits — Phase 45's mtime fast-path (lpm installwithout--allow-new) takes the top-of-mainshortcut. Same hardware and date as ¹.⁴ Tool-overhead benches —
bench/project. Script overhead, lint, and fmt measure runner / built-in-tool execution time, not install pipeline cost — the dependency tree size is irrelevant. Same hardware and date as ¹.lpm lint/lpm fmtuse lazy-downloaded binaries (oxlint, biome) — nonpxresolution overhead per invocation.Script-policy footing.
lpm installruns inscript-policy=denyby default — lifecycle scripts (preinstall/postinstall/ etc.) do not execute during install (Phase 46 two-phase model; scripts run vialpm rebuildorlpm install --auto-build).npm/pnpm/bunrun scripts during install by default. To measure like-for-like cold install on a fixture with install scripts, comparelpm install↔bun install --ignore-scripts(both skip) ORlpm install --yolo --auto-build↔bun install(both run). Onbench/fixture-largethe measured intra-tool deny→allow delta is ~50-67 ms median in either direction (Phase 57 measurement-sprint, n=10).Reproduce locally.
cargo build --release -p lpm-cli, then./bench/scripts/run-readme.sh 11for rows ¹ and ². For warm / up-to-date / script-overhead / lint / fmt, use./bench/run.sh warm-installetc.
Plus: dev tunnels, HTTPS certs, secrets vault, task caching, AI agent skills, Swift packages, dependency graph visualization — built in, not bolted on.
Dual-licensed under MIT OR Apache-2.0.
See LICENSE-MIT and LICENSE-APACHE.