node_modules — fast on warm caches and safe on cold ones.
The core commands
add and remove edit the relevant section of your package.json and then run a
normal install, so your manifest and lockfile never drift apart.
What a resolve looks like
copy-on-write instead of bytes written, and node_modules/ may be skipped
entirely if it’s already up to date.
Fast by engineering, not by cheating
meow is fast because of how it does the work, not because it skips steps:
Integrity is never skipped
Every package is verified against its SHA-512 Subresource-Integrity hash —
the same integrity npm publishes. meow constructs tarball URLs mathematically
from name + version (it doesn’t trust registry-supplied URLs), preventing cache
poisoning.
CPU work leaves the network thread
SHA-512 verification and tarball decompression run on background OS threads, so
downloads never stall waiting on a hash. The network stays saturated.
Bounded concurrency
Up to 40 concurrent tarball downloads and a high metadata fan-out, with
exponential-backoff retries on transient registry failures (429, 5xx).
EMFILE shield
Filesystem writes pass through an internal semaphore, so heavily parallel
installs never crash the OS with “too many open files.”
Content-addressed cache
Packages download once into a global, content-addressed store at
~/.meow/cache/<algo>/<hash>. Every project on your machine shares it, so a
dependency used by ten projects occupies disk a single time.
- Self-verifying. A cache read recomputes the blob’s hash and refuses to return bytes that don’t match — corrupt or tampered content is an error, never served.
- Self-healing. A corrupt blob is repaired by re-writing the known-good bytes.
- Crash-safe. Stores are atomic (write to a temp file, then rename), so an interrupted install never leaves a half-written blob.
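The checks described under "Integrity is never skipped" and in the cache properties above, as an added sketch that is not meow's own code: a store that verifies the SHA-512 integrity string before writing, writes atomically, and recomputes the hash on every read. The registry URL layout, the hex blob names and the names `Store`, `tarball_url`, `sri_to_hex` and `IntegrityError` are assumptions made for the illustration.

```python
import base64
import hashlib
import os
import tempfile
from pathlib import Path

REGISTRY = "https://registry.npmjs.org"  # assumption: public npm registry

class IntegrityError(Exception):
    """Bytes do not match the digest they are supposed to have."""

def tarball_url(name: str, version: str) -> str:
    # Name + version only, never a metadata URL. Assumed: <name>/-/<base>-<ver>.tgz
    return f"{REGISTRY}/{name}/-/{name.split('/')[-1]}-{version}.tgz"

def sri_to_hex(sri: str) -> str:
    algo, _, b64 = sri.partition("-")
    if algo != "sha512":
        raise IntegrityError(f"unsupported algorithm: {algo!r}")
    return base64.b64decode(b64, validate=True).hex()

class Store:
    def __init__(self, root):
        self.dir = Path(root) / "sha512"  # <root>/<algo>/<hash>; hex is assumed
        self.dir.mkdir(parents=True, exist_ok=True)

    def put(self, data: bytes, sri: str) -> str:
        digest = sri_to_hex(sri)
        if hashlib.sha512(data).hexdigest() != digest:
            raise IntegrityError("download does not match published integrity")
        fd, tmp = tempfile.mkstemp(dir=self.dir)  # same dir, so rename is atomic
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.dir / digest)
        return digest

    def get(self, digest: str) -> bytes:
        data = (self.dir / digest).read_bytes()
        if hashlib.sha512(data).hexdigest() != digest:  # recomputed on every read
            raise IntegrityError("cached blob is corrupt or tampered")
        return data

if __name__ == "__main__":  # constructed sample bytes, not a real package
    blob = b"constructed tarball bytes"
    sri = "sha512-" + base64.b64encode(hashlib.sha512(blob).digest()).decode()
    store = Store(tempfile.mkdtemp())
    print(tarball_url("@scope/pkg", "1.2.3"), store.get(store.put(blob, sri)) == blob)
```

Because the blob's file name is its own digest, a modified file in the store can only produce an error on read, never different bytes under the same name.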
Registry metadata caching
Package metadata is cached under ~/.meow/cache/metadata with a freshness window
(default 5 minutes, matching the registry’s own Cache-Control). Within the
window, resolves are served from disk; past it, meow revalidates so a freshly
published version isn’t invisible. If the network is down, meow falls back to any
cached copy rather than failing the install.
Version specifiers
meow uses npm semantics, not Cargo’s:

| You write | Means |
|---|---|
| 1.2.3 | exactly 1.2.3 |
| 1.2 | >=1.2.0 <1.3.0 |
| 1 | >=1.0.0 <2.0.0 |
| ^1.2.3 | >=1.2.3 <2.0.0 |
| ~1.2.3 | >=1.2.3 <1.3.0 |
| 1.2.x, * | wildcard ranges |
| ^4 \|\| ^5 | disjunction |
| 1.2.3 - 2.3.4 | hyphen range |
| latest | a dist-tag |
| npm:other-pkg@^1 | an alias to another package |

overrides in your package.json force a specific resolution for a transitive
dependency, and are respected during resolve.
Where things land
The lockfile
Inside meow.lock.jsonl and why it survives merges.
node_modules & materialization
Copy-on-write, hardlinks, edge links, and vendoring.