rush install

rush install [flags]

Reads package.json, resolves the full dependency tree against the registry (or rush.lock if present), downloads and extracts every package, links binaries into node_modules/.bin/, and runs trusted lifecycle scripts.

If a rush.lock exists, Rush installs the exact pinned versions — no resolution step needed.

Flags

Dependency selection

Flag	Short	Default	Description
`--production` / `--no-production`	`-P`	include	Include/exclude `dependencies`
`--dev` / `--no-dev`	`-D`	include	Include/exclude `devDependencies`
`--optional` / `--no-optional`		include	Include/exclude `optionalDependencies`

Lockfile

Flag	Default	Description
`--frozen-lockfile`	`false`	Fail if `rush.lock` is missing or out of date
`--lockfile-only`	`false`	Resolve and write `rush.lock` but do not download or extract
`--no-lockfile`	`false`	Do not read or write `rush.lock`

Cache & store

Flag	Default	Description
`--force`	`false`	Re-download all packages, bypassing the local store
`--no-cache`	`false`	Disable metadata cache and shared-store reuse

Platform

Flag	Default	Description
`--os <os>`	detected	Override OS for platform matching (`darwin`, `linux`, `win32`, …)
`--cpu <cpu>`	detected	Override CPU for platform matching (`arm64`, `x64`, …)

Lifecycle scripts

Flag	Default	Description
`--ignore-scripts`	`false`	Skip all lifecycle scripts and blocked-script reporting

Output

Flag	Default	Description
`--dry-run`	`false`	Resolve and print packages without downloading or extracting
`--no-bin-links`	`false`	Skip creating symlinks in `node_modules/.bin`
`--verbose`	`false`	Print detailed progress

Examples

Install everything (development included):

rush install

Production-only install (for deployment):

rush install --production

Strict CI install — fails if the lockfile would change:

rush install --frozen-lockfile

Re-download every package from scratch:

rush install --force

Just resolve and write the lockfile, no extraction:

rush install --lockfile-only

Dry run — see what would be installed:

rush install --dry-run

How it works

Read package.json (and rush.lock if present)
Resolve — greedy single-pass BFS, picking the newest satisfying version for each dependency
Check store — packages already extracted and verified with an integrity sentinel are skipped
Download — missing tarballs fetched from the registry (or a local tarball cache)
Verify — SHA-512 integrity check against the registry manifest
Extract — tarball unpacked into node_modules/.rush/<name>@<version>/
Link bins — direct-dependency executables symlinked into node_modules/.bin/
Scripts — lifecycle hooks run in order: preinstall → install → postinstall (trusted packages only)
Write rush.lock

Lifecycle scripts and trust

Packages that declare install hooks (preinstall, install, postinstall) are blocked by default. After each install, Rush reports which packages were blocked. To allow a package’s scripts to run, add it to trustedDependencies in package.json:

{
  "trustedDependencies": ["esbuild", "sharp"]
}

Or use the rush trust add command:

rush trust add esbuild

Use --ignore-scripts to skip both trusted script execution and blocked-script reporting for the current install.

The lockfile

rush.lock is a JSON file committed alongside package.json. It records the exact resolved version, integrity hash, tarball URL, and bin entries for every package in the tree. On subsequent installs, Rush skips resolution entirely and goes straight to download/extract using the lockfile data.

{
  "lockfileVersion": 1,
  "packages": {
    "express": {
      "version": "4.18.2",
      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      "integrity": "sha512-...",
      "dependencies": { ... }
    }
  }
}