Sunday, January 25, 2026

vlt: new JS package manager by the creator of npm

 A new package manager by the creator of npm - vlt (volt) : r/node

vlt /vōlt/

Develop, Run, Distribute, Discover, and Secure your JavaScript Packages



Next-Gen JavaScript Package Management with Ruy Adorno and Darcy Clarke - Software Engineering Daily

Darcy Clarke and Ruy Adorno are veterans of this ecosystem. Both spent years maintaining the npm CLI and helping guide the Node.js project, where they saw firsthand the technical debt and design tradeoffs that define modern JavaScript tooling. Now they’re building vlt, a new package manager and registry that rethinks performance, security, and developer experience from the ground up.


AI summary:

In this episode of Software Engineering Daily, Darcy Clarke and Ruy Adorno discuss the launch of vlt, a new package manager and registry designed to address long-standing limitations in the JavaScript ecosystem.

Here are the key takeaways from their conversation:

1. The Need for a "Server-Side Reboot"

  • Legacy Bottlenecks: Most innovation in package management (Yarn, pnpm) has been client-side. The underlying registry APIs haven't changed in over 15 years.

  • Centralized Intelligence: vlt introduces the Vlt Serverless Registry (VSR), which allows for server-side resolution of dependency graphs. This reduces redundant compute on local machines and enables a "global cache."

2. Safety by Default

  • Install Scripts: Unlike traditional managers, vlt does not run arbitrary install scripts by default.

  • Malware Detection: Through partnerships with security providers like Socket, vlt integrates real-time scanning. Users can query their dependency tree for specific vulnerabilities or malware using built-in selectors.

3. A Powerful New Query Language

  • CSS-Inspired Syntax: vlt introduces a declarative query language to navigate and manage dependency graphs.

  • The host Selector: This allows developers to query and apply configurations across all projects on a machine simultaneously, rather than being limited to a single repository or monorepo.

  • Granular Control: Using selectors, developers can filter packages by metadata, such as finding all dependencies that have file system access or identifying outdated polyfills.

4. Modernizing the Developer Experience

  • Self-Hosting: vlt provides a lightweight, self-hostable registry proxy, offering an alternative to tools like Verdaccio.

  • Better Documentation: The team has prioritized documenting the npm registry APIs, which they claim have historically been poorly documented or closed-source.

  • Visual Tooling: vlt includes a browser-based UI for visualizing dependency graphs and supports Mermaid output for easy documentation in tools like Notion or GitHub.

5. The Future of Node.js and Corepack

  • Deprecation of Corepack: Ruy (Vice Chair of the Node.js TSC) confirmed that Corepack is being deprecated in Node.js to simplify the runtime's relationship with various package managers.

  • Compatibility: Despite being a new tool, vlt maintains a high level of interoperability with the existing npm ecosystem to ensure a smooth transition for developers.


Posted by at No comments:
Subscribe to: Comments (Atom)