What are the key takeaways from this Software Engineering Daily episode?

Key insights include: **Server-side innovation gap:** JavaScript package managers have only innovated client-side for fifteen years while using unchanged NPM registry APIs. Vlt introduces server-side optimization by pre-resolving dependency graphs centrally rather than having every machine redundantly compute the same resolutions, reducing wasted compute cycles across millions of developer installations worldwide.; **Query selector syntax:** Vlt implements CSS-inspired query language for package selection, enabling cross-project operations like updating social media links across 1000+ packages with conditions. Users can write selectors like host colon malware or not FS to find malicious packages or exclude packages requiring filesystem access, replacing bespoke filtering syntax with familiar patterns.; **Safe-by-default execution:** Vlt blocks arbitrary install scripts by default, requiring explicit allowlists via query selectors to run post-install code. This prevents supply chain attacks while letting developers opt into trusted packages needing native binary compilation. PNPM and Bun adopted similar approaches, marking industry shift away from automatic script execution.

What did Ruy Adorno discuss on Software Engineering Daily?

Darcy Clarke and Ruy Adorno, former NPM CLI maintainers, explain their new package manager Vlt and VSR registry. They address JavaScript dependency resolution challenges, server-side performance optimization through centralized graph resolution, CSS-inspired query selectors for package management, and integrated security scanning with real-time malware detection across projects. Key topics include: **Server-side innovation gap:** JavaScript package managers have only innovated client-side for fifteen years while using unchanged NPM registry APIs. Vlt introduces server-side optimization by pre-resolving dependency graphs centrally rather than having every machine redundantly compute the same resolutions, reducing wasted compute cycles across millions of developer installations worldwide.; **Query selector syntax:** Vlt implements CSS-inspired query language for package selection, enabling cross-project operations like updating social media links across 1000+ packages with conditions. Users can write selectors like host colon malware or not FS to find malicious packages or exclude packages requiring filesystem access, replacing bespoke filtering syntax with familiar patterns..

How long is this episode of Software Engineering Daily?

This episode is 57 minutes long. SignalCast provides an AI-generated summary so you can get the key insights in about 3 minutes.

Software Engineering Daily

Next-Gen JavaScript Package Management with Ruy Adorno and Darcy Clarke

January 22, 2026

57 min episode · 2 min read

Ruy Adorno

Episode

57 min

Read time

2 min

Topics

Leadership, Marketing, Software Development

AI-Generated Summary

Published Jan 22, 2026

Key Takeaways

✓Server-side innovation gap: JavaScript package managers have only innovated client-side for fifteen years while using unchanged NPM registry APIs. Vlt introduces server-side optimization by pre-resolving dependency graphs centrally rather than having every machine redundantly compute the same resolutions, reducing wasted compute cycles across millions of developer installations worldwide.
✓Query selector syntax: Vlt implements CSS-inspired query language for package selection, enabling cross-project operations like updating social media links across 1000+ packages with conditions. Users can write selectors like host colon malware or not FS to find malicious packages or exclude packages requiring filesystem access, replacing bespoke filtering syntax with familiar patterns.
✓Safe-by-default execution: Vlt blocks arbitrary install scripts by default, requiring explicit allowlists via query selectors to run post-install code. This prevents supply chain attacks while letting developers opt into trusted packages needing native binary compilation. PNPM and Bun adopted similar approaches, marking industry shift away from automatic script execution.
✓Real-time security metadata: Vlt integrates Socket and other security vendors to enrich dependency graphs with malware flags, CVE types, filesystem access, and network permissions. Developers can gate installations on scan status, filter specific CWE types like regex denial-of-service, or audit all configured projects system-wide for newly-flagged malware using mutable selectors.
✓Self-hosted registry proxy: VSR runs locally as lightweight NPM-compatible proxy with private package support, offering round-trip performance benefits and comprehensive API documentation. Vlt provides interactive Scalar-based docs at slash docs endpoint, filling documentation gap left by NPM's undocumented registry APIs, enabling dev tools authors to build compatible tooling.

What It Covers

Darcy Clarke and Ruy Adorno, former NPM CLI maintainers, explain their new package manager Vlt and VSR registry. They address JavaScript dependency resolution challenges, server-side performance optimization through centralized graph resolution, CSS-inspired query selectors for package management, and integrated security scanning with real-time malware detection across projects.

Key Questions Answered

•Server-side innovation gap: JavaScript package managers have only innovated client-side for fifteen years while using unchanged NPM registry APIs. Vlt introduces server-side optimization by pre-resolving dependency graphs centrally rather than having every machine redundantly compute the same resolutions, reducing wasted compute cycles across millions of developer installations worldwide.
•Query selector syntax: Vlt implements CSS-inspired query language for package selection, enabling cross-project operations like updating social media links across 1000+ packages with conditions. Users can write selectors like host colon malware or not FS to find malicious packages or exclude packages requiring filesystem access, replacing bespoke filtering syntax with familiar patterns.
•Safe-by-default execution: Vlt blocks arbitrary install scripts by default, requiring explicit allowlists via query selectors to run post-install code. This prevents supply chain attacks while letting developers opt into trusted packages needing native binary compilation. PNPM and Bun adopted similar approaches, marking industry shift away from automatic script execution.
•Real-time security metadata: Vlt integrates Socket and other security vendors to enrich dependency graphs with malware flags, CVE types, filesystem access, and network permissions. Developers can gate installations on scan status, filter specific CWE types like regex denial-of-service, or audit all configured projects system-wide for newly-flagged malware using mutable selectors.
•Self-hosted registry proxy: VSR runs locally as lightweight NPM-compatible proxy with private package support, offering round-trip performance benefits and comprehensive API documentation. Vlt provides interactive Scalar-based docs at slash docs endpoint, filling documentation gap left by NPM's undocumented registry APIs, enabling dev tools authors to build compatible tooling.

Notable Moment

The hosts revealed that SemVer specification only defines version numbers, not version ranges. Every package manager interprets range syntax differently without standardization, creating ecosystem-wide inconsistency. This fundamental ambiguity in how 1.1 or higher gets parsed explains why different package managers produce conflicting dependency resolutions for identical package specifications.

Know someone who'd find this useful?