Zigbook
Chapter 24Zig Package Manager Deep

Zig Package Manager & (Deep)

Overview

Chapter 22 introduced the build system’s API for creating artifacts and configuring builds; Chapter 23 demonstrated workspace organization with libraries and executables.This chapter completes the build system foundation by examining dependency management—how Zig projects declare, fetch, verify, cache, and integrate external packages through the build.zig.zon manifest and the package manager built into the Zig toolchain. Build.zig

Unlike traditional package managers that operate as separate tools with their own metadata formats and resolution algorithms, Zig’s package manager is an integral part of the build system itself, leveraging the same deterministic caching infrastructure used for compilation artifacts (see Cache.zig). The build.zig.zon file—a Zig Object Notation (ZON) document—serves as the single source of truth for package metadata, dependency declarations, and inclusion rules, while build.zig orchestrates how those dependencies integrate into your project’s module graph. 20 By the end of this chapter, you will understand the full lifecycle of a dependency: from declaration in build.zig.zon, through cryptographic verification and caching, to module registration and import in your Zig source code. You will also learn patterns for reproducible builds, lazy dependency loading, and local development workflows that balance convenience with security.

Learning Goals

  • Understand the structure and semantics of build.zig.zon manifest files (see build.zig.zon template).
  • Declare dependencies using URL-based fetching and path-based local references.
  • Explain the role of cryptographic hashes in dependency verification and content-addressing.
  • Navigate the dependency resolution pipeline from fetch to cache to availability.
  • Integrate fetched dependencies into build.zig using b.dependency() and b.lazyDependency().
  • Differentiate between eager and lazy dependency loading strategies.
  • Understand reproducibility guarantees: lockfiles, hash verification, and deterministic manifests.
  • Work with the global package cache and understand offline build workflows.
  • Use zig fetch commands for dependency management.

The Schema

The build.zig.zon file is a Zig-native data format—essentially a single anonymous struct literal—that describes package metadata. It is parsed by the Zig compiler at build time, providing strong typing and familiar syntax while remaining human-readable and simple to author. Unlike JSON or TOML, ZON benefits from Zig’s compile-time evaluation, allowing structured data to be validated and transformed during the build process.

Minimal Manifest

Every build.zig.zon file must declare at least the package name, version, and minimum supported Zig version:

Zig
.{
    .name = "myproject",
    .version = "0.1.0",
    .minimum_zig_version = "0.15.2",
    .fingerprint = 0x1234567890abcdef,
    .paths = .{
        "build.zig",
        "build.zig.zon",
        "src",
        "LICENSE",
    },
}

The .paths field specifies which files and directories are included when this package is fetched by another project. This inclusion list directly affects the computed package hash—only listed files contribute to the hash, ensuring deterministic content addressing.

The .paths field acts as both an inclusion filter and a documentation aid. Always list build.zig, build.zig.zon, and your source directories. Exclude generated files, test artifacts, and editor-specific files that should not be part of the package’s canonical content.

Package Identity and Versioning

The .name and .version fields together establish package identity. As of Zig 0.15.2, the package manager does not yet perform automatic version resolution or deduplication, but these fields prepare for future enhancements and help human maintainers understand package relationships.

The .minimum_zig_version field communicates compatibility expectations. When a package declares a minimum version, the build system will refuse to proceed if the current Zig toolchain is older, preventing obscure compilation failures due to missing features or changed semantics.

The .fingerprint field (omitted in the minimal example but shown in the template) is a unique identifier generated once when the package is created and never changed thereafter. This fingerprint enables unambiguous detection of package forks and updates, protecting against hostile forks that attempt to impersonate upstream projects.

Changing the .fingerprint has security and trust implications. It signals that this package is a distinct entity from its origin, which may break trust chains and confuse dependency resolution in future Zig versions.

Declaring Dependencies

Dependencies are declared in the .dependencies struct. Each dependency must provide either a .url and .hash pair (for remote packages) or a .path (for local packages):

Zig
.{
    .name = "consumer",
    .version = "0.2.0",
    .minimum_zig_version = "0.15.2",
    .dependencies = .{
        // Path-based dependency (local development)
        .mylib = .{
            .path = "../mylib",
        },
        // URL-based dependency would look like:
        // .known_folders = .{
        //     .url = "https://github.com/ziglibs/known-folders/archive/refs/tags/v1.1.0.tar.gz",
        //     .hash = "1220c1aa96c9cf0a7df5848c9d50e0e1f1e8b6ac8e7f5e4c0f4c5e6f7a8b9c0d",
        // },
    },
    .paths = .{
        "build.zig",
        "build.zig.zon",
        "src",
    },
}

URL-based dependencies are fetched from the network, verified against the provided hash, and cached globally. Path-based dependencies reference a directory relative to the build root, useful during local development or when vendoring dependencies.

The hash uses the multihash format, where the prefix 1220 indicates SHA-256. This content-addressed approach ensures that packages are identified by their contents rather than their URLs, making the package manager resilient to URL changes and mirror availability.

The .hash field is the source of truth—packages do not come from a URL; they come from a hash. The URL is merely one possible mirror for obtaining content that matches the hash. This design separates package identity (content) from package location (URL).

Lazy vs Eager Dependencies

By default, all declared dependencies are eager: they are fetched and verified before the build script runs. For optional dependencies that are only needed under certain conditions (e.g., debugging tools, benchmarking utilities, or platform-specific extensions), you can mark them as lazy with .lazy = true:

Zig
.{
    .name = "app",
    .version = "1.0.0",
    .minimum_zig_version = "0.15.2",
    .dependencies = .{
        // Eager dependency: always fetched
        .core = .{
            .path = "../core",
        },
        // Lazy dependency: only fetched when actually used
        .benchmark_utils = .{
            .path = "../benchmark_utils",
            .lazy = true,
        },
        .debug_visualizer = .{
            .path = "../debug_visualizer",
            .lazy = true,
        },
    },
    .paths = .{
        "build.zig",
        "build.zig.zon",
        "src",
    },
}

Lazy dependencies are not fetched until build.zig explicitly requests them via b.lazyDependency(). If the build script never calls lazyDependency() for a given package, that package remains unfetched, saving download time and disk space.

This two-phase approach allows the build script to declare optional dependencies without forcing all users to download them. When a lazy dependency is requested but not yet available, the build runner will fetch it, then re-run the build script—a transparent process that balances flexibility with determinism.

Dependency Resolution Pipeline

Understanding how Zig transforms a .dependencies declaration into a usable module illuminates the package manager’s design and helps debug fetch failures or integration issues.

1. Parse and Validate

When you run zig build, the compiler first parses build.zig.zon as a ZON literal (see build_runner.zig). This parse step validates syntax and ensures all required fields are present. The compiler checks:

  • Each dependency has either .url+.hash or .path (but not both)
  • Hash strings use valid multihash encoding
  • The .minimum_zig_version is not newer than the running toolchain

2. Fetch and Verify

For each eager dependency with a .url, the build runner:

  1. Computes a unique cache key from the hash

  2. Checks if the package exists in the global cache (~/.cache/zig/p/<hash>/ on Unix-like systems)

  3. If not cached, downloads the URL contents

  4. Extracts the archive if needed (supports .tar.gz, .tar.xz, .zip)

  5. Applies the .paths filter from the dependency’s own build.zig.zon

  6. Computes the hash of the filtered content

  7. Verifies it matches the declared .hash field

  8. Stores the verified content in the global cache

If hash verification fails, the build aborts with a clear error message indicating hash mismatch. This prevents supply-chain attacks where a compromised mirror serves different content.

Path-based dependencies skip the fetch step—they are always available relative to the build root.

3. Cache Lookup and Reuse

Once a package is cached, subsequent builds reuse the cached version without re-downloading or re-verifying. The global cache is shared across all Zig projects on the system, so fetching a popular dependency once benefits all projects.

The cache directory structure is content-addressed: each package’s hash directly maps to a cache subdirectory. This makes cache management transparent and predictable—you can inspect cached packages or clear the cache without risk of corrupting build state.

4. Dependency Graph Construction

After all eager dependencies are available, the build runner constructs a dependency graph. Each package’s build.zig is loaded as a Zig module, and the build() function is called to register artifacts and steps.

Lazy dependencies are not loaded at this stage. Instead, the build runner marks them as "potentially needed" and proceeds. If build.zig calls b.lazyDependency() for a lazy package that hasn’t been fetched yet, the build runner records the request, completes the current build pass, fetches the lazy dependencies, and re-runs the build script.

This deferred-fetch mechanism allows build scripts to conditionally load dependencies based on user options or target characteristics without forcing all users to download every optional package.

Internally, Zig records dependencies on ZON manifests and other dependees inside the InternPool, so that changes to build.zig.zon or embedded files can invalidate only the analysis units that depend on them:

graph TB subgraph "InternPool - Dependency Storage" SRCHASHDEPS["src_hash_deps<br/>Map: TrackedInst.Index → DepEntry.Index"] NAVVALDEPS["nav_val_deps<br/>Map: Nav.Index → DepEntry.Index"] NAVTYDEPS["nav_ty_deps<br/>Map: Nav.Index → DepEntry.Index"] INTERNEDDEPS["interned_deps<br/>Map: Index → DepEntry.Index"] ZONFILEDEPS["zon_file_deps<br/>Map: FileIndex → DepEntry.Index"] EMBEDFILEDEPS["embed_file_deps<br/>Map: EmbedFile.Index → DepEntry.Index"] NSDEPS["namespace_deps<br/>Map: TrackedInst.Index → DepEntry.Index"] NSNAMEDEPS["namespace_name_deps<br/>Map: NamespaceNameKey → DepEntry.Index"] FIRSTDEP["first_dependency<br/>Map: AnalUnit → DepEntry.Index"] DEPENTRIES["dep_entries<br/>ArrayListUnmanaged<DepEntry>"] FREEDEP["free_dep_entries<br/>ArrayListUnmanaged<DepEntry.Index>"] end subgraph "DepEntry Structure" DEPENTRY["DepEntry<br/>{depender: AnalUnit,<br/>next_dependee: DepEntry.Index.Optional,<br/>next_depender: DepEntry.Index.Optional}"] end SRCHASHDEPS --> DEPENTRIES NAVVALDEPS --> DEPENTRIES NAVTYDEPS --> DEPENTRIES INTERNEDDEPS --> DEPENTRIES ZONFILEDEPS --> DEPENTRIES EMBEDFILEDEPS --> DEPENTRIES NSDEPS --> DEPENTRIES NSNAMEDEPS --> DEPENTRIES FIRSTDEP --> DEPENTRIES DEPENTRIES --> DEPENTRY FREEDEP -.->|"reuses indices from"| DEPENTRIES

ZON files participate in the same incremental compilation graph as source hashes and embedded files: updating build.zig.zon updates the corresponding zon_file_deps entries, which in turn mark dependent analysis units and build steps as outdated.

More broadly, ZON manifests are just one of several dependee categories that the compiler tracks; at a high level these groups look like this:

graph LR subgraph "Source-Level Dependencies" SRCHASH["Source Hash<br/>TrackedInst.Index<br/>src_hash_deps"] ZONFILE["ZON File<br/>FileIndex<br/>zon_file_deps"] EMBEDFILE["Embedded File<br/>EmbedFile.Index<br/>embed_file_deps"] end subgraph "Nav Dependencies" NAVVAL["Nav Value<br/>Nav.Index<br/>nav_val_deps"] NAVTY["Nav Type<br/>Nav.Index<br/>nav_ty_deps"] end subgraph "Type/Value Dependencies" INTERNED["Interned Value<br/>Index<br/>interned_deps<br/>runtime funcs, container types"] end subgraph "Namespace Dependencies" NSFULL["Full Namespace<br/>TrackedInst.Index<br/>namespace_deps"] NSNAME["Namespace Name<br/>NamespaceNameKey<br/>namespace_name_deps"] end subgraph "Memoized State" MEMO["Memoized Fields<br/>panic_messages, etc."] end

The package manager sits on top of this infrastructure: .dependencies entries in build.zig.zon ultimately translate into ZON-file dependees and cached content that participate in the same dependency system.

Conceptual Example: Resolution Pipeline

The following example demonstrates the logical flow of dependency resolution:

Zig
// Conceptual example showing the dependency resolution pipeline
const std = @import("std");

const DependencyState = enum {
    declared, // Listed in build.zig.zon
    downloading, // URL being fetched
    verifying, // Hash being checked
    cached, // Stored in global cache
    available, // Ready for use
};

const Dependency = struct {
    name: []const u8,
    url: ?[]const u8,
    path: ?[]const u8,
    hash: ?[]const u8,
    lazy: bool,
    state: DependencyState,
};

pub fn main() !void {
    std.debug.print("--- Zig Package Manager Resolution Pipeline ---\n\n", .{});

    // Stage 1: Parse build.zig.zon
    std.debug.print("1. Parse build.zig.zon dependencies\n", .{});
    var deps = [_]Dependency{
        .{
            .name = "core",
            .path = "../core",
            .url = null,
            .hash = null,
            .lazy = false,
            .state = .declared,
        },
        .{
            .name = "utils",
            .url = "https://example.com/utils.tar.gz",
            .path = null,
            .hash = "1220abcd...",
            .lazy = false,
            .state = .declared,
        },
        .{
            .name = "optional_viz",
            .url = "https://example.com/viz.tar.gz",
            .path = null,
            .hash = "1220ef01...",
            .lazy = true,
            .state = .declared,
        },
    };

    // Stage 2: Resolve eager dependencies
    std.debug.print("\n2. Resolve eager dependencies\n", .{});
    for (&deps) |*dep| {
        if (!dep.lazy) {
            std.debug.print("   - {s}: ", .{dep.name});
            if (dep.path) |p| {
                std.debug.print("local path '{s}' → available\n", .{p});
                dep.state = .available;
            } else if (dep.url) |_| {
                std.debug.print("fetching → verifying → cached → available\n", .{});
                dep.state = .available;
            }
        }
    }

    // Stage 3: Lazy dependencies deferred
    std.debug.print("\n3. Lazy dependencies (deferred until used)\n", .{});
    for (deps) |dep| {
        if (dep.lazy) {
            std.debug.print("   - {s}: waiting for lazyDependency() call\n", .{dep.name});
        }
    }

    // Stage 4: Build script execution triggers lazy fetch
    std.debug.print("\n4. Build script requests lazy dependency\n", .{});
    std.debug.print("   - optional_viz requested → fetching now\n", .{});

    // Stage 5: Cache lookup
    std.debug.print("\n5. Cache locations\n", .{});
    std.debug.print("   - Global: ~/.cache/zig/p/<hash>/\n", .{});
    std.debug.print("   - Project: .zig-cache/\n", .{});

    std.debug.print("\n=== Resolution Complete ===\n", .{});
}
Run
Shell
$ zig run 07_resolution_pipeline_demo.zig
Output
Shell
=== Zig Package Manager Resolution Pipeline ===

1. Parse build.zig.zon dependencies

2. Resolve eager dependencies
   - core: local path '../core' → available
   - utils: fetching → verifying → cached → available

3. Lazy dependencies (deferred until used)
   - optional_viz: waiting for lazyDependency() call

4. Build script requests lazy dependency
   - optional_viz requested → fetching now

5. Cache locations
   - Global: ~/.cache/zig/p/<hash>/
   - Project: .zig-cache/

=== Resolution Complete ===

This conceptual model matches the actual implementation in the build runner and standard library.

Integrating Dependencies in

Declaring a dependency in build.zig.zon makes it available for fetching; integrating it into your build requires calling b.dependency() or b.lazyDependency() in build.zig to obtain a *std.Build.Dependency handle, then extracting modules or artifacts from that dependency.

Using

For eager dependencies, use b.dependency(name, args) where name matches a key in .dependencies and args is a struct containing build options to pass down to the dependency’s build script:

Zig
const std = @import("std");

pub fn build(b: *std.Build) void {
    const target = b.standardTargetOptions(.{});
    const optimize = b.standardOptimizeOption(.{});

    // Fetch the dependency defined in build.zig.zon
    const mylib_dep = b.dependency("mylib", .{
        .target = target,
        .optimize = optimize,
    });

    // Get the module from the dependency
    const mylib_module = mylib_dep.module("mylib");

    const exe = b.addExecutable(.{
        .name = "app",
        .root_module = b.createModule(.{
            .root_source_file = b.path("src/main.zig"),
            .target = target,
            .optimize = optimize,
        }),
    });

    // Import the dependency module
    exe.root_module.addImport("mylib", mylib_module);

    b.installArtifact(exe);

    const run_cmd = b.addRunArtifact(exe);
    run_cmd.step.dependOn(b.getInstallStep());
    if (b.args) |args| {
        run_cmd.addArgs(args);
    }

    const run_step = b.step("run", "Run the app");
    run_step.dependOn(&run_cmd.step);
}

The b.dependency() call returns a *Dependency, which provides methods to access the dependency’s artifacts (.artifact()), modules (.module()), lazy paths (.path()), and named write-files (.namedWriteFiles()).

The args parameter forwards build options to the dependency, allowing you to configure the dependency’s target, optimization level, or custom features. This ensures the dependency is built with compatible settings.

Always pass .target and .optimize to dependencies unless you have a specific reason not to. Mismatched target settings can cause link errors or subtle ABI incompatibilities.

Using

For lazy dependencies, use b.lazyDependency(name, args) instead. This function returns ?*Dependencynull if the dependency has not yet been fetched:

Zig
const std = @import("std");

pub fn build(b: *std.Build) void {
    const target = b.standardTargetOptions(.{});
    const optimize = b.standardOptimizeOption(.{});

    // Core dependency is always loaded
    const core_dep = b.dependency("core", .{
        .target = target,
        .optimize = optimize,
    });

    const exe = b.addExecutable(.{
        .name = "app",
        .root_module = b.createModule(.{
            .root_source_file = b.path("src/main.zig"),
            .target = target,
            .optimize = optimize,
        }),
    });

    exe.root_module.addImport("core", core_dep.module("core"));
    b.installArtifact(exe);

    // Conditionally use lazy dependencies based on build options
    const enable_benchmarks = b.option(bool, "benchmarks", "Enable benchmark mode") orelse false;
    const enable_debug_viz = b.option(bool, "debug-viz", "Enable debug visualizations") orelse false;

    if (enable_benchmarks) {
        // lazyDependency returns null if not yet fetched
        if (b.lazyDependency("benchmark_utils", .{
            .target = target,
            .optimize = optimize,
        })) |bench_dep| {
            exe.root_module.addImport("benchmark", bench_dep.module("benchmark"));
        }
    }

    if (enable_debug_viz) {
        if (b.lazyDependency("debug_visualizer", .{
            .target = target,
            .optimize = optimize,
        })) |viz_dep| {
            exe.root_module.addImport("visualizer", viz_dep.module("visualizer"));
        }
    }

    const run_cmd = b.addRunArtifact(exe);
    run_cmd.step.dependOn(b.getInstallStep());

    const run_step = b.step("run", "Run the app");
    run_step.dependOn(&run_cmd.step);
}

When lazyDependency() returns null, the build runner records the request and re-runs the build script after fetching the missing dependency. On the second pass, lazyDependency() will succeed, and the build proceeds normally.

This pattern allows build scripts to conditionally include optional features without forcing all users to fetch those dependencies:

Shell
$ zig build                          # Core functionality only
$ zig build -Dbenchmarks=true        # Fetches benchmark_utils if needed
$ zig build -Ddebug-viz=true         # Fetches debug_visualizer if needed

Mixing b.dependency() and b.lazyDependency() for the same package is an error. If a dependency is marked .lazy = true in build.zig.zon, you must use b.lazyDependency(). If it’s eager (default), you must use b.dependency(). The build system enforces this to prevent inconsistent fetch behavior.

Hash Verification and Multihash Format

Cryptographic hashes are central to Zig’s package manager, ensuring that fetched content matches expectations and protecting against tampering or corruption.

Multihash Format

Zig uses the multihash format to encode hash digests. A multihash string consists of:

  1. A prefix indicating the hash algorithm (e.g., 1220 for SHA-256)

  2. The hex-encoded hash digest

For SHA-256, the prefix 1220 breaks down as:

  • 12 (hex) = SHA-256 algorithm identifier
  • 20 (hex) = 32 bytes = SHA-256 digest length

The following example demonstrates conceptual hash computation (the actual implementation lives in the build runner and cache system):

Zig
// This example demonstrates how hash verification works conceptually.
// In practice, Zig handles this automatically during `zig fetch`.

const std = @import("std");

pub fn main() !void {
    // Simulate fetching a package
    const package_contents = "This is the package source code.";

    // Compute the hash
    var hasher = std.crypto.hash.sha2.Sha256.init(.{});
    hasher.update(package_contents);
    var digest: [32]u8 = undefined;
    hasher.final(&digest); // Format as hex for display
    std.debug.print("Package hash: {x}\n", .{digest});
    std.debug.print("Expected hash in build.zig.zon: 1220{x}\n", .{digest});
    std.debug.print("\nNote: The '1220' prefix indicates SHA-256 in multihash format.\n", .{});
}
Run
Shell
$ zig run 06_hash_verification_example.zig
Output
Shell
Package hash: 69b2de89d968f316b3679f2e68ecacb50fd3064e0e0ee7922df4e1ced43744d2
Expected hash in build.zig.zon: 122069b2de89d968f316b3679f2e68ecacb50fd3064e0e0ee7922df4e1ced43744d2

Note: The `1220` prefix indicates SHA-256 in multihash format.

The compiler uses a similar "hash → compare → reuse" pattern for incremental compilation when deciding whether to reuse cached IR for a declaration:

graph TB Process["Process declaration"] --> UpdateHasher["src_hasher.update()"] UpdateHasher --> HashBytes["Hash relevant source bytes"] HashBytes --> HashDeps["Hash dependencies"] HashDeps --> FinalHash["Produce source hash"] FinalHash --> CompareOld["Compare with cached hash"] CompareOld -->|Different| Recompile["Invalidate and recompile"] CompareOld -->|Same| UseCached["Use cached ZIR/AIR"]

This is conceptually the same as package hashing: for both source and dependencies, Zig computes a content hash, compares it with a cached value, and either reuses cached artifacts or recomputes them.

In practice, you rarely need to compute hashes manually. The zig fetch command automates this:

Shell
$ zig fetch https://example.com/package.tar.gz

Zig downloads the package, computes the hash, and prints the complete multihash string you can copy into build.zig.zon.

The multihash format is forward-compatible with future hash algorithms. If Zig adopts SHA-3 or BLAKE3, new prefix codes will identify those algorithms without breaking existing manifests.

Reproducibility and Deterministic Builds

Reproducibility—the ability to recreate identical build outputs given the same inputs—is a cornerstone of reliable software distribution. Zig’s package manager contributes to reproducibility through content addressing, hash verification, and explicit versioning.

Content Addressing

Because packages are identified by hash rather than URL, the package manager is inherently resilient to URL changes, mirror failures, and upstream relocations. As long as some mirror provides content matching the hash, the package is usable.

This content-addressed design also prevents certain classes of supply-chain attacks: an attacker who compromises a single mirror cannot inject malicious code unless they also break the hash function (SHA-256), which is computationally infeasible.

The same content-addressing principle appears elsewhere in Zig’s implementation: the InternPool stores each distinct type or value exactly once and identifies it by an index, with dependency tracking built on top of these content-derived keys rather than on file paths or textual names.

Lockfile Semantics and Transitive Dependencies

As of Zig 0.15.2, the package manager does not generate a separate lockfile—build.zig.zon itself serves as the lockfile. Each dependency’s hash locks its content, and transitive dependencies are locked by the direct dependency’s hash (since the direct dependency’s build.zig.zon specifies its own dependencies).

This approach simplifies the mental model: there is one source of truth (build.zig.zon), and the hash chain ensures transitivity without additional metadata files.

Future Zig versions may introduce explicit lockfiles for advanced use cases (e.g., tracking resolved URLs or deduplicating transitive dependencies), but the core content-addressing principle will remain. v0.15.2

Offline Builds and Cache Portability

Once all dependencies are cached, you can build offline indefinitely. The global cache persists across projects, so fetching a dependency once benefits all future projects that use it.

To prepare for offline builds:

  1. Run zig build --fetch to fetch all declared dependencies without building

  2. Verify the cache is populated: ls ~/.cache/zig/p/

  3. Disconnect from the network and run zig build normally

If you need to transfer a project with its dependencies to an air-gapped environment, you can:

  1. Fetch all dependencies on a networked machine

  2. Archive the ~/.cache/zig/p/ directory

  3. Extract the archive on the air-gapped machine to the same cache location

  4. Run zig build normally

Path-based dependencies (.path = "…​") do not require network access and work immediately offline.

Using for Dependency Management

The zig fetch command provides a CLI for managing dependencies without editing build.zig.zon manually.

Fetching and Saving Dependencies

To add a new dependency:

Shell
$ zig fetch --save https://github.com/example/package/archive/v1.0.0.tar.gz

This command:

  1. Downloads the URL

  2. Computes the hash

  3. Adds an entry to .dependencies in build.zig.zon

  4. Saves the package name and hash

You can then reference the dependency by name in build.zig.

Fetching Without Saving

To fetch a URL and print its hash without modifying build.zig.zon:

Shell
$ zig fetch https://example.com/package.tar.gz

This is useful for verifying package integrity or preparing vendored dependencies.

Recursive Fetch

To fetch all dependencies transitively (including dependencies of dependencies):

Shell
$ zig build --fetch

This populates the cache with everything needed for a complete build, ensuring offline builds will succeed.

Exercises

  1. Minimal Package: Create a new Zig library with zig init-lib, examine the generated build.zig.zon, and explain the purpose of each top-level field. 21

  2. Path-Based Dependency: Set up two sibling directories (mylib/ and myapp/). Make myapp depend on mylib using .path, implement a simple function in mylib, call it from myapp, and build successfully.

  3. Hash Verification Failure: Intentionally corrupt a dependency’s hash in build.zig.zon (change one character) and run zig build. Observe and interpret the error message.

  4. Lazy Dependency Workflow: Create a project with a lazy dependency for a benchmarking module. Verify that zig build (without options) does not fetch the dependency, but zig build -Dbenchmarks=true does.

  5. Cache Inspection: Run zig build --fetch on a project with remote dependencies, then explore the global cache directory (~/.cache/zig/p/ on Unix). Identify the package directories by their hash prefixes.

  6. Offline Build Test: Fetch all dependencies for a project, disconnect from the network (or block DNS resolution), and confirm zig build succeeds. Reconnect and add a new dependency to verify fetch works again.

Notes & Caveats

  • URL Stability: While content addressing makes the package manager resilient to URL changes, always prefer stable release URLs (tagged releases, not main branch archives) to minimize maintenance burden.
  • Path Dependencies in Distributed Packages: If your package uses .path dependencies, those paths must exist relative to the package root when fetched by consumers. Prefer URL-based dependencies for distributed packages to avoid path resolution issues.
  • Transitive Dependency Deduplication: Zig 0.15.2 does not deduplicate transitive dependencies with different hash strings, even if they refer to the same content. Future versions may implement smarter deduplication.
  • Security and Trust: Hash verification protects against transport corruption and most tampering, but does not validate package provenance. Trust the source of the hash (e.g., a project’s official repository or release page), not just any mirror.
  • Build Option Forwarding: When calling b.dependency(), carefully choose which build options to forward. Forwarding too many can cause build failures if the dependency doesn’t recognize an option; forwarding too few can result in mismatched configurations.

Caveats, Alternatives, and Edge Cases

  • Lazy Dependency Refetch: If you delete a lazy dependency from the cache and re-run zig build without the option that triggers it, the dependency remains unfetched. Only when the build script calls lazyDependency() again will the fetch occur.
  • Hash Mismatches After Upstream Changes: If an upstream package changes its content without changing its version tag, and you re-fetch the URL, you’ll encounter a hash mismatch. Always delete the old .hash in build.zig.zon when updating a URL to signal that you expect new content.
  • Vendoring Dependencies: For projects with strict supply-chain requirements, consider vendoring dependencies by committing them to your repository (using .path references) instead of relying on URL-based fetches. This trades repository size for control.
  • Mirror Configuration: Zig 0.15.2 does not yet support mirror lists or fallback URLs per dependency. If your primary URL becomes unavailable, you must manually update build.zig.zon to a new URL (the hash remains the same, ensuring content integrity).
  • Fingerprint Collisions: The .fingerprint field is a 64-bit value chosen randomly. Collisions are statistically unlikely but not impossible. Future Zig versions may detect and handle fingerprint conflicts during dependency resolution.

Summary

This chapter explored the full lifecycle of Zig package management:

  • schema: Package metadata, dependency declarations, inclusion rules, and fingerprint identity.
  • Dependency types: URL-based vs path-based; eager vs lazy loading strategies.
  • Resolution pipeline: Parse → fetch → verify → cache → construct dependency graph.
  • Integration in : Using b.dependency() and b.lazyDependency() to access modules and artifacts.
  • Hash verification: Multihash format, SHA-256 content addressing, supply-chain protection.
  • Reproducibility: Content addressing, lockfile semantics, offline builds, cache portability.
  • commands: Adding, fetching, and verifying dependencies from the CLI.

You now have a complete mental model of Zig’s build system: artifact creation, workspace organization, and dependency management (this chapter). The next chapter will extend this foundation by diving deeper into module resolution mechanics and discovery patterns.

Understanding the package manager’s design—content addressing, lazy loading, cryptographic verification—empowers you to build reproducible, secure, and maintainable Zig projects, whether working solo or integrating third-party libraries into production systems.

Help make this chapter better.

Found a typo, rough edge, or missing explanation? Open an issue or propose a small improvement on GitHub.

Open issueView repository