Protocols
Dependency protocols supported by snpm
snpm supports the same dependency protocols as npm and pnpm, plus first-class workspace: and catalog: resolution.
npm:
The default protocol for registry packages. Either explicit or implicit:
{
"dependencies": {
"react": "npm:^18.2.0",
"lodash": "^4.17.21"
}
}npm:<name>@<range> also works to alias a package under a different name (e.g. "react-19": "npm:react@^19.0.0").
jsr:
Packages from the JSR registry. snpm maps these onto the npm-compatible JSR distribution endpoint.
{
"dependencies": {
"@std/json": "jsr:@std/json^1.0.0"
}
}file:
Local-filesystem dependencies. Useful for unpublished libraries or fixtures.
{
"dependencies": {
"my-lib": "file:../my-lib",
"fixture": "file:./test/fixtures/pkg"
}
}- Paths can be relative (to
package.json) or absolute. - The target directory must contain a valid
package.json. - Directory-backed
file:deps stay in the project-local virtual store — they are not shared across projects.
git:
Dependencies fetched directly from a Git repository.
{
"dependencies": {
"my-lib": "git+https://github.com/my-org/my-lib.git",
"pinned": "git+ssh://git@github.com:my-org/another.git#v1.0.0",
"branch": "git+https://github.com/my-org/lib.git#main"
}
}Supported URL schemes: git+https://, git+ssh://, git://. Use #<ref> to pin a commit hash, tag, or branch.
workspace:
Reference another package inside the same workspace.
{
"dependencies": {
"@acme/utils": "workspace:*",
"@acme/ui": "workspace:^"
}
}| Specifier | Behavior |
|---|---|
workspace:* | Any version of the local package |
workspace:^ | Caret range of the local package's current version |
workspace:~ | Tilde range of the local package's current version |
workspace:1.2.3 | Specific local version |
On publish, workspace: specifiers are rewritten to concrete semver ranges, so consumers outside the workspace see the resolved version.
See Workspaces for more.
catalog:
Resolve via the workspace catalog.
{
"dependencies": {
"react": "catalog:",
"vite": "catalog:build"
}
}| Specifier | Behavior |
|---|---|
catalog: | Use the default catalog from snpm-workspace.yaml / snpm-catalog.yaml |
catalog:<name> | Use the named catalog (catalogs.<name>) |
See Catalog for the full reference.
Auth and protocol routing
Registry packages route through the configured default registry, or a scoped registry when one is set:
registry=https://registry.npmjs.org/
@myorg:registry=https://npm.myorg.com/
//npm.myorg.com/:_authToken=${NPM_TOKEN}Tarball URLs that come from a registry response are only authorized against the registry that announced them. Cross-host tarballs fall back to anonymous fetches, so a malicious registry cannot trick snpm into leaking your credentials to a third-party host.