Overview

A tour of the GasPackᵐ ecosystem — the CLI, the Exchange, the IDE extension, and how the pieces fit together.

The ecosystem

GasPackᵐ is four things that work together to make Google Apps Script feel like a modern language ecosystem.

CLI

gpm

A Node.js command-line tool you install once on your machine. It scaffolds projects, resolves dependencies, builds packages into Apps Script-compatible bundles, and publishes to the Exchange.

Registry

GasPackᵐ Exchange

The public registry at gaspackm.org. Where packages live, where you search and discover them, and where security scores and provenance attestations are surfaced.

IDE

Chrome extension

Adds GasPackᵐ to the Apps Script editor itself. Install packages, browse versions, and view security scores without leaving the editor — no terminal required.

Scanner

Continuous scanning

Every publish runs through static analysis powered by Semgrep. Each package on the Exchange carries a security score with the findings laid out. Trust is verifiable, not asserted.

How the pieces fit

Two flows. They share infrastructure but they're driven by different people.

Publishing a package

1

Scaffold and write

Author runs gpm create on their machine. The CLI sets up a package with modules, types, and a gpm.json manifest declaring scope, version, and dependencies.

2

Publish

gpm publish verifies the publisher's domain, runs the Scanner against the artifact, and uploads it to the Exchange. Publishes from CI carry a provenance attestation tying the artifact to the source commit.

3

Listed and scored

The package appears on the Exchange with its security score, scopes it requests, and the list of modules it exposes.

Using a package

1

Discover

Browse the Exchange, or — if you're already inside the Apps Script editor — search through the Chrome extension. Review the security score and the scopes the package needs.

2

Install

Run gpm install <package> in your project, or click Install in the Chrome extension. The CLI resolves versions and pulls module code into your project.

3

Import and ship

Modules are exposed as global namespaces inside your Apps Script project — call them directly. gpm build produces the artifact you push to Apps Script with clasp or your existing deploy flow.

Install the CLI

Everything starts with the CLI. Install it once from npm and you have what you need to use packages or publish your own.

$ npm install -g @gaspackm/gpm

Requires Node.js 18 or later.

Where to go next

From here, the docs split by what you're doing.

  • Core Concepts — read first. Packages, modules, namespaces, versioning, and module-level dependencies. The mental model the rest of the docs assumes.
  • Using Packages — the guide for adding GasPackᵐ to a Google Apps Script project. Initialize, install, build, deploy.
  • Creating Packages — for publishers. Module authoring, scopes, dependencies, and the publish flow.
  • CLI Reference — every command, every flag.
  • Chrome Extension — install packages without leaving the Apps Script editor.