# Package manager (`cplus-pm`) `cplus-pm` is a standalone tool for managing the packages in a project's `vendor/` directory. It resolves and fetches dependencies so you do not have to vendor them by hand. It is **independent of the compiler** — `cplus-pm` manages packages, `cpc` builds them — so the two version and ship separately. ## Commands ```bash cplus-pm install # resolve + fetch everything in the manifest cplus-pm install # add a dependency and fetch it cplus-pm remove # drop a dependency cplus-pm update # re-resolve to the latest allowed versions ``` `install` writes the resolved packages into `vendor/` and records exact versions in a lockfile, so a later checkout reproduces the same set. ## How resolution works - **Git-tag versioning.** Package versions are git tags, so a dependency is a repository plus a version constraint. - **pubgrub resolution.** The resolver uses the pubgrub algorithm to pick a version set that satisfies every constraint, or to report a clear conflict when none exists. - **SHA-256 content addressing.** Each fetched package is identified by the hash of its contents, so what you build is exactly what was resolved. - **Shared cache.** Downloaded packages live in a machine-wide cache and are hard-linked or copied into each project's `vendor/`, so the same version is fetched once. - **Lockfile.** The resolved graph is pinned to a lockfile for reproducible installs across machines and CI. ## Relationship to the manifest Dependencies are still declared in `Cplus.toml` (see [Modules & packages](/docs/modules-and-packages)); `cplus-pm` is what reads those declarations, resolves them, and populates `vendor/`. The compiler then resolves imports from `vendor/` exactly as described in the [packages overview](/docs/packages). You can still vendor packages by hand — `cplus-pm` automates the same layout.