feat: add package download button

[Adebesin-Cell]

🔗 Linked issue

resolves #1528

🧭 Context

There was previously no way to directly download a package tarball or fetch all dependencies from the package detail page.

This PR introduces a Download button to make that happen.

📚 Description

This change adds a new Download button to the package detail page. The button includes a dropdown menu with two options:

• Download the package .tgz tarball directly.
• Generate and download a .sh script to fetch all dependencies.

Screenshot

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
npmx.dev	Ready	Preview, Comment	Feb 23, 2026 10:37am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Ignored	Preview	Feb 23, 2026 10:37am
npmx-lunaria	Ignored		Feb 23, 2026 10:37am

[github-actions]

Lunaria Status Overview

🌕 This pull request will trigger status changes.

Learn more

By default, every PR changing files present in the Lunaria configuration's files property will be considered and trigger status changes accordingly.

You can change this by adding one of the keywords present in the ignoreKeywords property in your Lunaria configuration file in the PR's title (ignoring all files) or by including a tracker directive in the merged commit's description.

Tracked Files

File	Note
lunaria/files/en-GB.json	Localization changed, will be marked as complete.
lunaria/files/en-US.json	Source changed, localizations will be marked as outdated.

Warnings reference

Icon	Description
🔄️	The source for this localization has been updated since the creation of this pull request, make sure all changes in the source have been applied.

[codecov]

❌ 1 Tests Failed:

Tests completed	Failed	Passed	Skipped
1716	1	1715	6

View the top 1 failed test(s) by shortest run time

test/unit/a11y-component-coverage.spec.ts > a11y component test coverage > should have accessibility tests for all components (or be explicitly skipped)

Stack Traces | 0.0127s run time

AssertionError: Missing a11y tests for 1 component(s):
  - Package/DownloadButton.vue

To fix: Add tests in test/nuxt/a11y.spec.ts or add to SKIPPED_COMPONENTS in test/unit/a11y-component-coverage.spec.ts with justification.: expected 1 to equal +0

- Expected
+ Received

- 0
+ 1

 ❯ test/unit/a11y-component-coverage.spec.ts:166:12
 ❯ node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab_@types+node_310e5dad6395fccdf5f424a1dccab9b9/node_modules/@voidzero-dev/vite-plus-test/dist/@vitest/runner/index.js:145:14
 ❯ node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab_@types+node_310e5dad6395fccdf5f424a1dccab9b9/node_modules/@voidzero-dev/vite-plus-test/dist/@vitest/runner/index.js:915:28
 ❯ node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab_@types+node_310e5dad6395fccdf5f424a1dccab9b9/node_modules/@voidzero-dev/vite-plus-test/dist/@vitest/runner/index.js:1243:24
 ❯ runWithTimeout node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab_@types+node_310e5dad6395fccdf5f424a1dccab9b9/node_modules/@voidzero-dev/vite-plus-test/dist/@vitest/runner/index.js:1209:12
 ❯ node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab_@types+node_310e5dad6395fccdf5f424a1dccab9b9/node_modules/@voidzero-dev/vite-plus-test/dist/@vitest/runner/index.js:1653:42
 ❯ Traces.$ node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab_@types+node_310e5dad6395fccdf5f424a1dccab9b9/node_modules/@.../dist/chunks/traces.CCmnQaNT.js:142:29
 ❯ trace node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab_@types+node_310e5dad6395fccdf5f424a1dccab9b9/node_modules/@.../dist/chunks/test.B8ej_ZHS.js:239:23
 ❯ runTest node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab_@types+node_310e5dad6395fccdf5f424a1dccab9b9/node_modules/@voidzero-dev/vite-plus-test/dist/@vitest/runner/index.js:1653:17

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b3419bd and 07261cb.

📒 Files selected for processing (1)

• test/unit/server/utils/dependency-analysis.spec.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• test/unit/server/utils/dependency-analysis.spec.ts

---

📝 Walkthrough

Walkthrough

Adds a subtle variant to the Button component and adjusts its border/size class logic. Introduces a new Package DownloadButton Vue component that provides a teleport-ed dropdown menu to download package tarballs or a dependencies script with keyboard and focus handling. Integrates the download button into the package detail page. Extracts install-size types to shared/types, adds tarballUrl to resolved/dependency structures and tests, and adds i18n entries and schema for download-related labels.

Possibly related PRs

• refactor: separate npm composables #827 — Reorganises npm-related composables and utils; likely touches the same import paths and type exports affected by moving install-size types.

Suggested labels

front, a11y

Suggested reviewers

• danielroe
• graphieros

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description clearly relates to the changeset, explaining the addition of a Download button to the package detail page with dropdown options for tarball and dependencies script downloads.
Linked Issues check	✅ Passed	The PR successfully implements the requirements from issue #1528 by adding a download button allowing users to directly download packages and optionally their dependencies through UI controls on the package detail page.
Out of Scope Changes check	✅ Passed	All changes are within scope: new DownloadButton component, Button variant extension to support 'subtle', shared types for install size, dependency resolver tarball URL tracking, and i18n translations—all directly supporting the download feature.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

app/pages/package/[[org]]/[name].vue (1)

1144-1154: Consider showing the download button without waiting for install-size.
Right now the button only appears once install-size resolves; if the fetch is slow or fails, users lose direct tarball download. Consider rendering on displayVersion and disabling the dependencies action until installSize arrives.

Possible tweak

-            <PackageDownloadButton
-              v-if="displayVersion && installSize"
+            <PackageDownloadButton
+              v-if="displayVersion"
               :package-name="pkg.name"
               :version="displayVersion"
-              :install-size="installSize"
+              :install-size="installSize ?? undefined"
               size="small"
             />

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Avoid per-button focus-visible utilities for the subtle variant.
Buttons already get focus-visible styling globally; adding inline focus-visible classes here diverges from the shared pattern. Consider dropping the inline focus-visible utility (or moving the styling to the global rule).

Suggested change

-      'bg-bg-subtle text-fg-muted hover:enabled:(text-fg border-border-hover) focus-visible:enabled:(text-fg border-border-hover) active:enabled:scale-95':
+      'bg-bg-subtle text-fg-muted hover:enabled:(text-fg border-border-hover) active:enabled:scale-95':
         variant === 'subtle',

Based on learnings: focus-visible styling for buttons and selects is applied globally via main.css (button:focus-visible, select:focus-visible { outline: 2px solid var(--accent); outline-offset: 2px; border-radius: 4px; }); therefore individual buttons should not use inline focus-visible utility classes.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

link.download is ignored for cross-origin URLs — tarball downloads will behave unreliably across browsers.

The HTML download attribute doesn't work with cross-origin URLs due to browser security restrictions implemented in Chrome 65 and other modern browsers; it is ignored for cross-origin URLs to prevent security issues. Since registry.npmjs.org is cross-origin from npmx.dev, browsers will ignore the download for cross-origin resources; as a result, no download is triggered and the resource is simply treated as another navigation destination.

The custom filename set at line 111 will never be applied. Whether the file downloads at all depends entirely on whether the npm registry sends Content-Disposition: attachment, which is outside this code's control.

The reliable fix is a Nuxt server route that proxies the tarball and sets the Content-Disposition: attachment; filename=... header itself, or fetching it as a Blob first:

🔧 Blob-based workaround (client-side, loads entire file into memory)

-function downloadPackage() {
-  const tarballUrl = props.version.dist.tarball
-  if (!tarballUrl) return
-
-  const link = document.createElement('a')
-  link.href = tarballUrl
-  link.download = `${props.packageName}-${props.version.version}.tgz`
-  document.body.appendChild(link)
-  link.click()
-  document.body.removeChild(link)
-}
+async function downloadPackage() {
+  const tarballUrl = props.version.dist.tarball
+  if (!tarballUrl) return
+
+  const response = await fetch(tarballUrl)
+  const blob = await response.blob()
+  const blobUrl = URL.createObjectURL(blob)
+  const link = document.createElement('a')
+  link.href = blobUrl
+  link.download = `${props.packageName.replace(/\//g, '__')}-${props.version.version}.tgz`
+  document.body.appendChild(link)
+  link.click()
+  document.body.removeChild(link)
+  URL.revokeObjectURL(blobUrl)
+}

Note the blob-based fix also applies the / → __ replacement for scoped packages (e.g. @types/react), keeping the filename consistent with downloadDependenciesScript at lines 132 and 139, which already does this. The current line 111 is missing that replacement.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Remove the unnecessary as any cast — dist.tarball is already typed on SlimPackumentVersion.

downloadPackage() on line 106 accesses props.version.dist.tarball directly without any cast, proving the field is properly typed on SlimPackumentVersion. The as any here silently bypasses TypeScript for no reason. As per the coding guidelines, strictly type-safe code is required.

🔧 Proposed fix

-  const rootTarball = (props.version.dist as any).tarball
+  const rootTarball = props.version.dist.tarball

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const rootTarball = (props.version.dist as any).tarball
	const rootTarball = props.version.dist.tarball

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Replace dep: any with DependencySize; add a guard for empty tarballUrl; quote URLs in the curl commands.

Three related issues in this block:

1. dep: any (line 137) — installSize.dependencies is typed as DependencySize[], so dep is already statically typed. Annotating it as any defeats type checking on dep.tarballUrl, dep.name, and dep.version. As per the coding guidelines, strictly type-safe code is required.

2. Missing tarballUrl guard (line 139) — DependencySize.tarballUrl is a string (not optional), but an empty string is valid at the type level. If dep.tarballUrl is "", the generated curl command becomes curl -L -o … which silently fails.

3. Unquoted URL in curl (lines 132, 139) — interpolating an unquoted URL into a shell command is fragile. Quoting removes any ambiguity.

🔧 Proposed fix

-  props.installSize.dependencies.forEach((dep: any) => {
-    lines.push(`# ${dep.name}@${dep.version}`)
-    lines.push(`curl -L ${dep.tarballUrl} -o ${dep.name.replace(/\//g, '__')}-${dep.version}.tgz`)
-  })
+  props.installSize.dependencies.forEach((dep) => {
+    if (!dep.tarballUrl) return
+    lines.push(`# ${dep.name}@${dep.version}`)
+    lines.push(`curl -L "${dep.tarballUrl}" -o ${dep.name.replace(/\//g, '__')}-${dep.version}.tgz`)
+  })

Apply the same quoting fix to the root package curl command (line 132):

-    lines.push(
-      `curl -L ${rootTarball} -o ${props.packageName.replace(/\//g, '__')}-${props.version.version}.tgz`,
-    )
+    lines.push(
+      `curl -L "${rootTarball}" -o ${props.packageName.replace(/\//g, '__')}-${props.version.version}.tgz`,
+    )

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Add dependencies
	props.installSize.dependencies.forEach((dep: any) => {
	lines.push(`# ${dep.name}@${dep.version}`)
	lines.push(`curl -L ${dep.tarballUrl} -o ${dep.name.replace(/\//g, '__')}-${dep.version}.tgz`)
	})
	// Add dependencies
	props.installSize.dependencies.forEach((dep) => {
	if (!dep.tarballUrl) return
	lines.push(`# ${dep.name}@${dep.version}`)
	lines.push(`curl -L "${dep.tarballUrl}" -o ${dep.name.replace(/\//g, '__')}-${dep.version}.tgz`)
	})