> ## Documentation Index
> Fetch the complete documentation index at: https://docs.meow.style/llms.txt
> Use this file to discover all available pages before exploring further.

# Managing dependencies

> install, add, and remove — backed by a verified, content-addressed, copy-on-write package store.

meow is a full npm-compatible package manager. It resolves from the public npm
registry, verifies every tarball, writes a strict lockfile, and materializes
`node_modules` — fast on warm caches and safe on cold ones.

## The core commands

<CodeGroup>
  ```bash Install from manifest theme={null}
  meow install          # resolve package.json deps, write lockfile, materialize
  meow i                # alias
  ```

  ```bash Add theme={null}
  meow add zod                 # add to dependencies (latest), then install
  meow add -D vitest           # add to devDependencies
  meow add "p-limit@^5"        # add with a version range
  meow add react react-dom     # add several at once
  ```

  ```bash Remove theme={null}
  meow remove zod       # drop from package.json, then re-install
  meow rm zod           # aliases: rm, del, delete, uninstall
  ```
</CodeGroup>

`add` and `remove` edit the relevant section of your `package.json` and then run a
normal install, so your manifest and lockfile never drift apart.

## What a resolve looks like

```text theme={null}
╭─ meow install ──────────────────────────────╮
│ 🐾 128 packages ready · 1.8s                  │
│ materialized  128 packages · 342 edges       │
│ disk          copy-on-write                  │
│ lockfile      meow.lock.jsonl                │
╰──────────────────────────────────────────────╯
```

On a fully warm cache the materialize cost is essentially zero — the panel shows
`copy-on-write` instead of bytes written, and `node_modules/` may be skipped
entirely if it's already up to date.

## Fast by engineering, not by cheating

meow is fast because of *how* it does the work, not because it skips steps:

<CardGroup cols={2}>
  <Card title="Integrity is never skipped" icon="shield-check">
    Every package is verified against its **SHA-512** Subresource-Integrity hash —
    the same integrity npm publishes. meow constructs tarball URLs mathematically
    from name + version (it doesn't trust registry-supplied URLs), preventing cache
    poisoning.
  </Card>

  <Card title="CPU work leaves the network thread" icon="bolt">
    SHA-512 verification and tarball decompression run on background OS threads, so
    downloads never stall waiting on a hash. The network stays saturated.
  </Card>

  <Card title="Bounded concurrency" icon="gauge">
    Up to 40 concurrent tarball downloads and a high metadata fan-out, with
    exponential-backoff retries on transient registry failures (`429`, `5xx`).
  </Card>

  <Card title="EMFILE shield" icon="folder-open">
    Filesystem writes pass through an internal semaphore, so heavily parallel
    installs never crash the OS with "too many open files."
  </Card>
</CardGroup>

## Content-addressed cache

Packages download **once** into a global, content-addressed store at
`~/.meow/cache/<algo>/<hash>`. Every project on your machine shares it, so a
dependency used by ten projects occupies disk a single time.

* **Self-verifying.** A cache read recomputes the blob's hash and refuses to return
  bytes that don't match — corrupt or tampered content is an error, never served.
* **Self-healing.** A corrupt blob is repaired by re-writing the known-good bytes.
* **Crash-safe.** Stores are atomic (write to a temp file, then rename), so an
  interrupted install never leaves a half-written blob.

## Registry metadata caching

Package metadata is cached under `~/.meow/cache/metadata` with a freshness window
(default **5 minutes**, matching the registry's own `Cache-Control`). Within the
window, resolves are served from disk; past it, meow revalidates so a freshly
published version isn't invisible. If the network is down, meow falls back to any
cached copy rather than failing the install.

```bash theme={null}
MEOW_METADATA_MAX_AGE_SECS=0   meow install   # always revalidate
MEOW_METADATA_MAX_AGE_SECS=86400 meow install  # stay effectively offline for a day
```

## Version specifiers

meow uses **npm semantics**, not Cargo's:

| You write          | Means                       |
| ------------------ | --------------------------- |
| `1.2.3`            | **exactly** `1.2.3`         |
| `1.2`              | `>=1.2.0 <1.3.0`            |
| `1`                | `>=1.0.0 <2.0.0`            |
| `^1.2.3`           | `>=1.2.3 <2.0.0`            |
| `~1.2.3`           | `>=1.2.3 <1.3.0`            |
| `1.2.x`, `*`       | wildcard ranges             |
| `^4 \|\| ^5`       | disjunction                 |
| `1.2.3 - 2.3.4`    | hyphen range                |
| `latest`           | a dist-tag                  |
| `npm:other-pkg@^1` | an alias to another package |

`overrides` in your `package.json` force a specific resolution for a transitive
dependency, and are respected during resolve.

## Where things land

```bash theme={null}
meow add lodash-es           # → dependencies, then install
meow add -D typescript       # → devDependencies
meow install --clean         # remove node_modules first, then rebuild
meow install --vendor        # copy packages into vendor/ instead of node_modules/
meow install --compat-lockfile  # also write a package-lock.json marker
```

<CardGroup cols={2}>
  <Card title="The lockfile" icon="lock" href="/package-manager/lockfile">
    Inside meow\.lock.jsonl and why it survives merges.
  </Card>

  <Card title="node_modules & materialization" icon="folder-tree" href="/package-manager/node-modules">
    Copy-on-write, hardlinks, edge links, and vendoring.
  </Card>
</CardGroup>
