npm_install
Add a dependency to the project. Writes package.json inside the stage dir. The new dependency resolves when you deploy your repo; the live in-IDE preview uses a pre-baked dependency set and does not install new packages.
When the agent uses it
Only when you explicitly ask for a library the scaffold does not ship — for example "install framer-motion and add a fade to the hero". The agent never installs libraries speculatively.
Safety
- Maximum 10 packages per call (Zod `.max(10)`); anything beyond is rejected before the file touches disk.
- Package names are validated against a regex allow-list (`@scope/name` shape) plus a small deny-list (npm, node, child_process, fs, cross-env, preinstall-always-fail).
- Bare names only — `react@18.3` style version suffixes are rejected. Everything is pinned to `latest`.
- The live in-IDE preview runs a pre-baked dependency set, so a newly added package resolves when you deploy your repo — not in the preview.
- You see the added dependencies in the next git commit, so a wrong addition is obvious before deploy.
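The checks listed above, as an added JavaScript example that is not the tool's own source. The name regex and the `validatePackages` / `addDependencies` helpers are assumptions; the page names the limit, the deny-list entries and the `latest` tag but does not show the actual pattern or schema.

```javascript
// Added example: hypothetical validator, not the tool's actual source.
const MAX_PACKAGES = 10; // from the page: Zod .max(10)
// Deny-list entries exactly as listed on the page.
const DENY = new Set(["npm", "node", "child_process", "fs",
  "cross-env", "preinstall-always-fail"]);
// Assumed pattern: optional "@scope/" followed by a lowercase npm-style name.
const NAME_RE = /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;

// Validates the whole batch and returns { ok, errors } without side effects.
function validatePackages(names) {
  if (!Array.isArray(names)) {
    return { ok: false, errors: ["expected an array of package names"] };
  }
  if (names.length > MAX_PACKAGES) {
    return { ok: false, errors: [`too many packages: ${names.length} > ${MAX_PACKAGES}`] };
  }
  const errors = [];
  for (const name of names) {
    if (typeof name !== "string") {
      errors.push(`${String(name)}: not a string`);
    } else if (name.indexOf("@", 1) !== -1) {
      // An "@" after position 0 is a version suffix (react@18.3, @scope/x@1).
      errors.push(`${name}: version suffixes are rejected`);
    } else if (!NAME_RE.test(name)) {
      // Catches paths, URLs, git specs, whitespace and shell metacharacters.
      errors.push(`${name}: does not match the allowed name shape`);
    } else if (DENY.has(name)) {
      errors.push(`${name}: on the deny-list`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Returns a new package.json object only if every name passes; on any
// failure the original object is returned untouched, so nothing is written.
function addDependencies(pkgJson, names) {
  const result = validatePackages(names);
  if (!result.ok) return { ...result, pkgJson };
  const dependencies = { ...(pkgJson.dependencies || {}) };
  for (const name of names) dependencies[name] = "latest";
  return { ok: true, errors: [], pkgJson: { ...pkgJson, dependencies } };
}

// Constructed sample input.
console.log(addDependencies({ name: "demo" }, ["framer-motion"]).pkgJson);
console.log(validatePackages(["react@18.3", "fs", "../evil"]).errors);
```

Validating the full batch before building the new object is what keeps a single bad name from producing a partially updated package.json.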