clippity
v0.1.6
Published
a playful JavaScript package manager — no preinstall scripts, no auto code execution
Maintainers
Readme
clippity
Fast, secure, and playful JavaScript dependency management.
Fast: clippity caches every package it downloads to ~/.clippity/cache/, so re-installs skip the network entirely. Downloads run 6 at a time concurrently for maximum throughput.
Secure: clippity never runs lifecycle scripts (preinstall, install, postinstall, prepare) without asking you first. Every tarball is verified against the registry's SHA-512 checksum before extraction.
Reliable: Lockfile-locked deterministic installs — clippity.lock.json guarantees the same dependency tree on every machine. Works offline for anything already cached.
Features
- Offline mode — packages cached on first install are available without internet
- No auto-execution — lifecycle scripts prompt for permission (
y/N/a) - Concurrent downloads — pool of 6 workers, max 4 concurrent extracts
- Integrity verification — SHA-512 checksums on every tarball
- Deterministic installs — lockfile ensures identical trees everywhere
- Orphan cleanup — removing a package also removes its unused transitive dependencies
- PATH-aware scripts —
node_modules/.binis on PATH when running lifecycle scripts - Audit support — check installed packages against the npm security advisory database
- Playful CLI — animated spinner with random quips per phase
Install
npm install -g clippity
npm linkRequires Node.js >= 18.
Usage
clippity <command> [options]
Commands:
init Create a package.json interactively
install Install all dependencies (prompts for scripts)
add Add a dependency
remove Remove a dependency (cleans up orphan sub-deps)
list List installed packages
outdated Show outdated packages
info Show package info from registry
doctor Check project for common issues
why Explain why a package is installed
link Symlink a local package for development
audit Check installed packages for known vulnerabilities
run Run a script from package.json
cache Manage the on-disk on-disk package cacheclippity by itself runs install.
Aliases
| Command | Aliases |
|---|---|
| install | i |
| remove | uninstall, rm, un |
| list | ls |
| info | view, show |
Security
When a package has lifecycle scripts, clippity shows what it wants to run and asks for permission:
⚠ [email protected] has lifecycle scripts:
postinstall → node install.js
? Run these scripts? (y/N/a)- y — run once
- n — skip (default)
- a — always allow for this session
Checksums are verified against the registry before any file is extracted. The audit command checks all installed packages against the npm security advisory database.
How it works
clippity resolves dependencies against the npm registry, downloads and caches tarballs, verifies integrity, extracts packages into node_modules/, and optionally runs lifecycle scripts with explicit user approval. The lockfile (clippity.lock.json) records every installed package with its resolved version and exact dependency tree for reproducible installs.
Contributing
Syntax check all files with node --check before submitting. PRs welcome.
License
MIT
