meow is a full npm-compatible package manager. It resolves from the public npm registry, verifies every tarball, writes a strict lockfile, and materializes node_modules — fast on warm caches and safe on cold ones.

The core commands

meow install          # resolve package.json deps, write lockfile, materialize
meow i                # alias
The add and remove commands edit the relevant section of your package.json and then run a normal install, so your manifest and lockfile never drift apart.

What a resolve looks like

╭─ meow install ──────────────────────────────╮
│ 🐾 128 packages ready · 1.8s                  │
│ materialized  128 packages · 342 edges       │
│ disk          copy-on-write                  │
│ lockfile      meow.lock.jsonl                │
╰──────────────────────────────────────────────╯
On a fully warm cache the materialize cost is essentially zero — the panel shows copy-on-write instead of bytes written, and node_modules/ may be skipped entirely if it’s already up to date.

Fast by engineering, not by cheating

meow is fast because of how it does the work, not because it skips steps:

Integrity is never skipped

Every package is verified against its SHA-512 Subresource-Integrity hash, the same integrity value npm publishes. meow derives tarball URLs deterministically from name + version (it doesn’t trust registry-supplied URLs), preventing cache poisoning.
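
Both checks can be reproduced outside meow when auditing registry metadata. The code below is an added example, not meow's own code: it assumes the public npm registry's conventional tarball layout and the registry's dist.tarball / dist.integrity metadata fields, and the function names, patterns and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

REGISTRY = "https://registry.npmjs.org"  # assumption: public npm registry
# Conservative npm-style name / exact-version patterns (assumed, not meow's own).
NAME_RE = re.compile(r"^(?:(@[a-z0-9~-][a-z0-9._~-]*)/)?([a-z0-9~-][a-z0-9._~-]*)$")
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")

def derive_tarball_url(name: str, version: str, registry: str = REGISTRY) -> str:
    """Derive <registry>/<name>/-/<basename>-<version>.tgz from name + version."""
    m = NAME_RE.match(name)
    if not m or not VERSION_RE.match(version):
        raise ValueError(f"refusing to build URL from {name!r}@{version!r}")
    return f"{registry}/{name}/-/{m.group(2)}-{version}.tgz"

def verify_sri(data: bytes, integrity: str) -> bool:
    """True only if a sha512 entry in the SRI string matches the bytes."""
    expected = []
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo == "sha512":
            expected.append(base64.b64decode(b64.split("?")[0], validate=True))
    if not expected:
        raise ValueError("no sha512 entry; weaker digests are not accepted")
    actual = hashlib.sha512(data).digest()
    return any(hmac.compare_digest(actual, e) for e in expected)

def audit_dist(name: str, version: str, dist: dict, tarball: bytes) -> list:
    """Compare a registry 'dist' record with the derived URL and the real bytes."""
    findings = []
    if dist.get("tarball") != derive_tarball_url(name, version):
        findings.append("tarball-url-mismatch")
    if not verify_sri(tarball, dist.get("integrity", "")):
        findings.append("integrity-mismatch")
    return findings

# Constructed sample data, not a real package tarball or registry record.
SAMPLE = b"constructed tarball bytes"
SAMPLE_SRI = "sha512-" + base64.b64encode(hashlib.sha512(SAMPLE).digest()).decode()
GOOD = {"tarball": derive_tarball_url("lodash-es", "4.17.21"), "integrity": SAMPLE_SRI}
BAD = {"tarball": "https://mirror.example/lodash-es.tgz", "integrity": SAMPLE_SRI}

if __name__ == "__main__":
    print(audit_dist("lodash-es", "4.17.21", GOOD, SAMPLE))
    print(audit_dist("lodash-es", "4.17.21", BAD, SAMPLE + b"!"))
```

A record with no sha512 entry raises ValueError instead of falling back to a weaker digest, and names that do not match the pattern (for example one starting with "../") are rejected before any URL is built.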

CPU work leaves the network thread

SHA-512 verification and tarball decompression run on background OS threads, so downloads never stall waiting on a hash. The network stays saturated.

Bounded concurrency

Up to 40 concurrent tarball downloads and a high metadata fan-out, with exponential-backoff retries on transient registry failures (429, 5xx).

EMFILE shield

Filesystem writes pass through an internal semaphore, so heavily parallel installs never crash the OS with “too many open files.”

Content-addressed cache

Packages download once into a global, content-addressed store at ~/.meow/cache/<algo>/<hash>. Every project on your machine shares it, so a dependency used by ten projects occupies disk a single time.
  • Self-verifying. A cache read recomputes the blob’s hash and refuses to return bytes that don’t match — corrupt or tampered content is an error, never served.
  • Self-healing. A corrupt blob is repaired by re-writing the known-good bytes.
  • Crash-safe. Stores are atomic (write to a temp file, then rename), so an interrupted install never leaves a half-written blob.

Registry metadata caching

Package metadata is cached under ~/.meow/cache/metadata with a freshness window (default 5 minutes, matching the registry’s own Cache-Control). Within the window, resolves are served from disk; past it, meow revalidates so a freshly published version isn’t invisible. If the network is down, meow falls back to any cached copy rather than failing the install.
MEOW_METADATA_MAX_AGE_SECS=0   meow install   # always revalidate
MEOW_METADATA_MAX_AGE_SECS=86400 meow install  # stay effectively offline for a day

Version specifiers

meow uses npm semantics, not Cargo’s:
You write          Means
1.2.3              exactly 1.2.3
1.2                >=1.2.0 <1.3.0
1                  >=1.0.0 <2.0.0
^1.2.3             >=1.2.3 <2.0.0
~1.2.3             >=1.2.3 <1.3.0
1.2.x, *           wildcard ranges
^4 || ^5           disjunction
1.2.3 - 2.3.4      hyphen range
latest             a dist-tag
npm:other-pkg@^1   an alias to another package

The overrides field in your package.json forces a specific resolution for a transitive dependency and is respected during resolve.

Where things land

meow add lodash-es           # → dependencies, then install
meow add -D typescript       # → devDependencies
meow install --clean         # remove node_modules first, then rebuild
meow install --vendor        # copy packages into vendor/ instead of node_modules/
meow install --compat-lockfile  # also write a package-lock.json marker

The lockfile

Inside meow.lock.jsonl and why it survives merges.

node_modules & materialization

Copy-on-write, hardlinks, edge links, and vendoring.