Ara is a package manager built for an era where supply chain attacks are routine. It scans every dependency for malicious patterns before anything is unpacked, resolves versions deterministically using Minimum Version Selection, and stores packages by SHA-256 hash so installs are always reproducible. Drop it into any existing npm project — no migration required.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ara-home/ara/llms.txt
Use this file to discover all available pages before exploring further.
Introduction
Learn what makes Ara different from npm, Yarn, and pnpm.
Installation
Install the Ara binary on Linux, macOS, or Windows.
Quickstart
Install your first project’s dependencies in under two minutes.
CLI Reference
Every command, flag, and default value documented.
Why Ara?
Built-in Security Analysis
Scans 17+ suspicious patterns — eval, child_process, prototype pollution, credential access — before any package touches your project.
Deterministic Resolution
Minimum Version Selection (MVS) guarantees identical dependency graphs across every machine and CI run.
Content-Addressed Store
Packages stored by SHA-256 hash. Identical packages are never duplicated. Rollbacks are trivial.
Sandboxed Execution
Run build and test scripts inside Linux seccomp-BPF profiles: Hermetic, Restricted, or Open.
Get started in minutes
Install your project dependencies
Run
ara install from any directory that contains a package.json. Ara reads it natively.Review security findings
Ara scans every package before unpacking it. If a package contains suspicious code, Ara shows you exactly what it found and asks for your decision.
Explore the docs
Manifest Format
How package.json and ara.toml work together.
Workspaces
Monorepo support with the workspace: protocol.
Migrate from npm
Zero-migration path for existing npm projects.