Install a dependency tree into a node_modules/ directory — a pure-Rust “npm install”
(node_modules, from a package.json) and “npm ci” (from_lockfile, from a
package-lock.json). Each downloads, integrity-verifies, and extracts every package; the
lockfile path also creates node_modules/.bin/ shims. Both are skip-if-unchanged (a marker
beside node_modules/) and concurrency-safe via a cross-process lock.
The npm-format parsing lives in the crate::package_json module; this module is the action that
orchestrates the primitives (crate::registry, crate::download, crate::integrity,
crate::extract) over those parsed structures — and owns the path-safety step that turns a
package name or lockfile key into a contained install directory (crate::path_safety).
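The path-safety step described above, sketched as an added example (not this crate's own code): `valid_segment` and `contained_dir` are hypothetical names, the segment rule is a conservative assumption rather than npm's full naming rules, and only `node_modules/...` lockfile keys are handled.

```rust
use std::path::{Path, PathBuf};

// Conservative segment check (an assumption, stricter than npm's own rules):
// ASCII letters, digits, '-', '_', '.', never starting with '.', so "." and
// ".." cannot appear, and no separator, drive colon, or NUL gets through.
fn valid_segment(s: &str) -> bool {
    !s.is_empty()
        && !s.starts_with('.')
        && s.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.'))
}

// Hypothetical helper: map a lockfile key such as
// "node_modules/@scope/pkg/node_modules/dep" to a directory under `dest`.
fn contained_dir(dest: &Path, key: &str) -> Result<PathBuf, String> {
    let mut out = dest.to_path_buf();
    let mut parts = key.split('/');
    while let Some(marker) = parts.next() {
        // Every package (nested or not) must sit directly under a node_modules/.
        if marker != "node_modules" {
            return Err(format!("expected node_modules, found {:?}", marker));
        }
        let first = parts.next().ok_or("key ends without a package name")?;
        let (scope, name) = match first.strip_prefix('@') {
            Some(scope) => (Some(scope), parts.next().ok_or("scope without a name")?),
            None => (None, first),
        };
        if !scope.map_or(true, valid_segment) || !valid_segment(name) {
            return Err(format!("unsafe package name in key {:?}", key));
        }
        out.push("node_modules");
        if scope.is_some() {
            out.push(first); // "@scope", already validated above
        }
        out.push(name);
    }
    Ok(out)
}

fn main() {
    // Constructed keys: two well-formed, three attempts to leave `dest`.
    let dest = Path::new("/srv/app");
    for key in ["node_modules/left-pad", "node_modules/@scope/pkg/node_modules/dep",
                "node_modules/../../etc", "node_modules/@scope/../x", "/etc/cron.d"] {
        println!("{:<45} -> {:?}", key, contained_dir(dest, key));
    }
}
```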
Functions§
- from_lockfile - Install the exact dependency tree pinned by a package-lock.json into <dest>/node_modules/ — a pure-Rust, npm ci-faithful install.
- node_modules - Resolve package_json’s dependencies transitively, verify each tarball’s registry dist.integrity (sha512), and extract the flat tree into <dest>/node_modules/. Returns the resolved set (sorted by name). A package whose registry metadata advertises no sha512 is refused rather than installed unverified. Skips all work when the resolved set is unchanged.