Zero is distributed as:
- an npm package,
@gitlawb/zero - release archives on GitHub Releases
- source builds with Go 1.25+
The npm package and install scripts download a platform-specific release archive. They require a published GitHub Release for the requested version.
npm install -g @gitlawb/zero
zeroThe package supports Linux, macOS, and Windows on x64 and arm64. It installs the
zero command and downloads the matching release binary during postinstall.
Requirements:
- Node.js 18+
- network access to npm and GitHub Releases
Bun is "default-secure" and does not run lifecycle scripts of installed
dependencies (only the installing project's own scripts), so the postinstall
that fetches the Zero binary is silently skipped. The first run then fails with
No native binary found next to the npm wrapper.
The simplest fix is to trust the package after installing, which runs the blocked postinstall. This works for project and global installs:
# project install
bun add @gitlawb/zero
bun pm trust @gitlawb/zero
# global install
bun add -g @gitlawb/zero
bun pm -g trust @gitlawb/zerobun pm untrusted (or bun pm -g untrusted) lists the blocked postinstalls if
you want to inspect before trusting.
Alternatively, allow the postinstall to run at install time by adding the
package to your project's trustedDependencies before installing:
{
"trustedDependencies": ["@gitlawb/zero"]
}bun add @gitlawb/zeroOn Bun versions that do not have bun pm trust, run the installer manually
after installing:
node node_modules/@gitlawb/zero/scripts/postinstall.mjsReference: https://bun.sh/docs/pm/lifecycle
Install the latest release:
curl -fsSL https://raw.githubusercontent.com/Gitlawb/zero/main/scripts/install.sh | bashFrom a checkout:
scripts/install.shInstall a specific version:
ZERO_VERSION=0.1.0 scripts/install.sh
scripts/install.sh --version 0.1.0Install somewhere else:
ZERO_INSTALL_DIR="$HOME/bin" scripts/install.sh
scripts/install.sh --install-dir "$HOME/bin"Defaults:
- Repository:
Gitlawb/zero - Version: latest GitHub release
- Install path:
~/.local/bin/zero
Requirements: Bash, curl or wget, tar, and shasum or sha256sum.
Install the latest release:
irm https://raw.githubusercontent.com/Gitlawb/zero/main/scripts/install.ps1 | iexFrom a checkout:
powershell -ExecutionPolicy Bypass -File scripts/install.ps1Install a specific version:
powershell -ExecutionPolicy Bypass -File scripts/install.ps1 -Version 0.1.0Install somewhere else:
powershell -ExecutionPolicy Bypass -File scripts/install.ps1 -InstallDir "$env:USERPROFILE\bin"Defaults:
- Repository:
Gitlawb/zero - Version: latest GitHub release
- Install path:
%LOCALAPPDATA%\zero\bin\zero.exe
git clone https://github.com/Gitlawb/zero.git
cd zero
go run ./cmd/zeroBuild a local binary:
go build -o zero ./cmd/zeroSource builds require Go 1.25+.
Release archives include the platform sandbox helpers. If you build directly from source, build the helpers you need:
Linux:
go build -o zero ./cmd/zero
go build -o zero-linux-sandbox ./cmd/zero-linux-sandbox
go build -o zero-seccomp ./cmd/zero-seccompPut zero and zero-linux-sandbox in the same directory on PATH, for example
~/.local/bin. zero-seccomp is kept as a compatibility wrapper; the sandbox
helper applies the Unix-socket filter itself when that sandbox option is enabled.
Linux native sandboxing also requires Bubblewrap to be installed.
macOS uses the system sandbox and does not need an extra helper binary.
Windows source builds can use the main zero.exe as the command runner and setup
helper through Zero's built-in self-dispatch path. If you want a release-style
layout anyway, build the standalone helper executables next to zero.exe:
go build -o zero.exe ./cmd/zero
go build -o zero-windows-command-runner.exe ./cmd/zero-windows-command-runner
go build -o zero-windows-sandbox-setup.exe ./cmd/zero-windows-sandbox-setupRelease archives are named:
zero-v<version>-linux-<arch>.tar.gzzero-v<version>-macos-<arch>.tar.gzzero-v<version>-windows-<arch>.zip
Supported targets:
linux-x64linux-arm64macos-x64macos-arm64windows-x64windows-arm64
Each archive must have a matching .sha256 file. The install scripts download
both files, verify the checksum, and then copy the binary into the install
directory.
Check for a newer release:
zero update --checkThen reinstall with npm or rerun the install script for the version you want.