Software Engineering Daily

Next-Gen JavaScript Package Management with Ruy Adorno and Darcy Clarke

57 min episode · 2 min read

AI-Generated Summary

Key Takeaways

  • Server-side innovation gap: JavaScript package managers have innovated only on the client side for fifteen years while relying on unchanged NPM registry APIs. Vlt introduces server-side optimization by pre-resolving dependency graphs centrally rather than having every machine redundantly compute the same resolutions, reducing wasted compute across millions of developer installations worldwide.
  • Query selector syntax: Vlt implements a CSS-inspired query language for package selection, enabling cross-project operations such as updating social media links across 1000+ packages under given conditions. Users can write selectors like `host:malware` or `not FS` to find malicious packages or exclude packages requiring filesystem access, replacing bespoke filtering syntax with familiar patterns.
  • Safe-by-default execution: Vlt blocks arbitrary install scripts by default, requiring explicit allowlists expressed as query selectors before post-install code can run. This prevents supply chain attacks while letting developers opt in to trusted packages that need native binary compilation. PNPM and Bun have adopted similar approaches, marking an industry shift away from automatic script execution.
  • Real-time security metadata: Vlt integrates Socket and other security vendors to enrich dependency graphs with malware flags, CVE types, filesystem access, and network permissions. Developers can gate installations on scan status, filter specific CWE types such as regex denial-of-service, or audit all configured projects system-wide for newly flagged malware using mutable selectors.
  • Self-hosted registry proxy: VSR runs locally as a lightweight NPM-compatible proxy with private package support, offering round-trip performance benefits and comprehensive API documentation. Vlt provides interactive Scalar-based docs at the `/docs` endpoint, filling the documentation gap left by NPM's undocumented registry APIs and enabling dev tool authors to build compatible tooling.
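To make the safe-by-default install-script policy concrete, here is an added example (not vlt's code, and not from the episode) that audits a dependency tree's install-time lifecycle scripts against an explicit allowlist: anything not listed is blocked. The manifests and package names are constructed for the example; `loadManifests` is a hypothetical helper for reading a real `node_modules` directory into the same shape.

```javascript
// Lifecycle hooks a package manager runs automatically during an install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed sample (hypothetical package names): name -> package.json contents.
const SAMPLE_MANIFESTS = {
  "left-padder": { name: "left-padder", version: "1.2.0", scripts: { test: "node test.js" } },
  "native-hasher": { name: "native-hasher", version: "3.0.1", scripts: { install: "node-gyp rebuild" } },
  "color-utils": { name: "color-utils", version: "0.4.2", scripts: { postinstall: "node setup.js" } },
  "tiny-cli": { name: "tiny-cli", version: "2.1.0" },
};

// List every install-time script declared across the manifests.
function collectInstallScripts(manifests) {
  const found = [];
  for (const pkg of Object.values(manifests)) {
    const scripts = pkg.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === "string") {
        found.push({ name: pkg.name, version: pkg.version, hook, command: scripts[hook] });
      }
    }
  }
  return found;
}

// Split install scripts into allowed and blocked. Allowlist entries are exact
// package names ("native-hasher") or name@version pins ("native-hasher@3.0.1");
// anything not listed is blocked, which is the safe default.
function auditInstallScripts(manifests, allowlist) {
  const allowed = new Set(allowlist);
  const report = { allowed: [], blocked: [] };
  for (const script of collectInstallScripts(manifests)) {
    const ok = allowed.has(script.name) || allowed.has(`${script.name}@${script.version}`);
    (ok ? report.allowed : report.blocked).push(script);
  }
  return report;
}

// Hypothetical helper for a real project: read node_modules/<name>/package.json
// (including @scope/<name>) into the same shape, then audit the result.
function loadManifests(nodeModulesDir) {
  const fs = require("node:fs"), path = require("node:path");
  const manifests = {};
  const dirs = fs.readdirSync(nodeModulesDir).flatMap((d) =>
    d.startsWith("@") ? fs.readdirSync(path.join(nodeModulesDir, d)).map((s) => `${d}/${s}`) : [d]);
  for (const dir of dirs) {
    const file = path.join(nodeModulesDir, dir, "package.json");
    if (fs.existsSync(file)) manifests[dir] = JSON.parse(fs.readFileSync(file, "utf8"));
  }
  return manifests;
}
```

Pinning the allowlist entry to a version means a later release of a trusted package that adds or changes its install script is blocked again until someone reviews it.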

What It Covers

Darcy Clarke and Ruy Adorno, former NPM CLI maintainers, explain their new package manager Vlt and VSR registry. They address JavaScript dependency resolution challenges, server-side performance optimization through centralized graph resolution, CSS-inspired query selectors for package management, and integrated security scanning with real-time malware detection across projects.


Notable Moment

The hosts revealed that the SemVer specification defines only version numbers, not version ranges. Every package manager interprets range syntax differently, with no standard to follow, creating ecosystem-wide inconsistency. This fundamental ambiguity in how "1.1 or higher" gets parsed explains why different package managers produce conflicting dependency resolutions for identical package specifications.
