I'm proud and excited to be supporting @darcy, @izs, and @ruyadorno as they build @vltpkg.
Their goal is a worthy one: massively improve the packaging ecosystem for developers everywhere.
🚀🚀🚀
Feross
@feross
Press & Community
Command Palette
Search for a command to run...
Podcasts, talks & video
Podcast interviews, conference talks, and video coverage about vlt and the JavaScript ecosystem.
News & Analysis
Articles, blog posts, and industry analysis covering vlt.
Announcing Bun and vlt Support in Socket
SocketNov 2025
Platform Integration
vlt is now available in builds via zero configuration
VercelAug 2025
Platform Integration
vlt Launches Real-Time Dependency Analysis Powered by Socket
SocketApr 2025
Integration
vlt Launches "reproduce": A New Tool Challenging the Limits of Provenance
SocketFeb 2025
Product Launch
Node v22.11.0 (LTS)、Nuxt 3.14、vlt Package Manager
JSer.infoNov 2024
News
Our Seed Investment in vlt: The Future of JavaScript Packages
AccelMar 2024
Investor Spotlight
Solving the Challenges of the JS Ecosystem
OpenJS Foundation
Foundation Blog
vlt: The Future of JavaScript Package Management
DEV Community
Deep Dive
vlt: A New Dawn for Package Management
Hashnode
Community Post
vlt: The Next-Gen Package Manager by npm Veterans
Medium
Analysis
npm Author Launches New JavaScript Package Manager
JavaScript in Plain English
News
JSR Open Governance Board
Deno Blog
Governance
A Paradigm Shift in JavaScript: Introducing vlt and VSR
Skynix
Analysis
Security Research
Coverage of manifest confusion and npm security research by Darcy Clarke and the broader security community.
Patch Release GitLab 17.1.2 (CVE-2024-6595)
GitLabJul 2024
CVE Patch
Manifest Confusion in npm Packages Identified by Novel Tool
SC WorldMar 2024
Brief
800 npm Registry Packages at Risk of Manifest Confusion
SecureBlinkMar 2024
News
Over 800 npm Packages Found with Discrepancies
The Hacker NewsMar 2024
Investigation
npm Manifest Confusion Six Months Later
JFrogJan 2024
Follow-Up
Manifest Confusion: A Major Bug in npm
InfoQJul 2023
Analysis
npm Manifest Confusion: What Is It and Should You Worry?
SonatypeJul 2023
Explainer
Manifest Confusion: Don't Believe What You See
CheckmarxJul 2023
Research
Node.js Users Beware: Manifest Confusion Attack
The Hacker NewsJul 2023
News
Addressing the npm Manifest Confusion Vulnerability
JFrogJul 2023
Security Advisory
Manifest Confusion
Lutra SecurityJul 2023
Advisory
npm's Manifest Confusion
FindSecJul 2023
Advisory
npm Manifest Confusion: A Malware Hiding Weakness
Dark ReadingJun 2023
Analysis
npm Ecosystem Vulnerable to Manifest Confusion Attack
CSO OnlineJun 2023
News
Manifest Confusion: A New Threat to npm Trust
Infosecurity MagazineJun 2023
News
Manifest Confusion
SocketJun 2023
Original Research
npm Ecosystem at Risk from Manifest Confusion Attacks
BleepingComputerJun 2023
News
JavaScript Registry npm Vulnerable to Manifest Confusion
The RegisterJun 2023
News
CVE-2024-6595
CVE
CVE Record
Newsletter Features
Featured in industry newsletters reaching thousands of JavaScript developers.
ECMAScript News (June 2025)
ECMAScript NewsJun 2025
Featured
ECMAScript News (March 2025)
ECMAScript NewsMar 2025
Featured
JavaScript Weekly #713
JavaScript WeeklyNov 2024
Featured
Node Weekly #557
Node WeeklyNov 2024
Featured
Bytes.dev #371
Bytes.devNov 2024
Featured
JavaScript Weekly #680
JavaScript WeeklyMar 2024
Featured
Community Sentiment
What developers are saying about vlt across social media.
beyond stoked on what @darcy / @vltpkg team is cooking for the future of JavaScript packages
🫶✨🥺
Marc Laventure
@MarcLaventure
📦 At #NodeConfEU, @vltpkg debuted their new #JavaScript package manager and serverless registry, innovating in a space where npm has stagnated. Today on the Socket blog: Find out what the team has been creating for the past 6 months. 📩
Socket
@SocketSecurity
Can't wait for vlt to fix all our problems!!!! 🔥🔥🔥❤️❤️🙏🏾🙏🏾
Amal Hussein
@nomadtechie
Congrats @darcy @izs @ruyadorno and @lukekarrys on this launch!
'vlt gui' is SUPER COOL. Will come with more positive feedback when I kick the tires of the registry.
sMyle (🦋 @myles.dev)
@MylesBorins
How do you feel about npm? Not the client (npm vs. pnpm vs. yarn etc.), but the full product—package hosting, upload/download, team permissions, etc.?
I just had a call with @darcy about @vltpkg and honestly, I'm super stoked about it because it's what I hoped npm would become.
Tejas Kumar
@tejask
The JS ecosystem isn't known for its safety/security but this one is pretty wild. 👇
npm doesn't validate/compare a package's tarball and manifest.
You basically can't trust any info on npm relying on manifest metadata. 😥
Kudos to @darcy for uncovering!
Stefan Judis
@stefanjudis
Will npm be used mainly to install vlt like IE was used to install Chrome 🤔🙈
Jabran Rafique
@jabranr
Holy crap! Vlt — the new JavaScript package manager — just announced Isaac Schlueter is on the team.
Isaac is the creator of npm.
So now we have the guy who made Node working on JSR, and the guy who made npm working on vlt.
exciting times
Wes Bos
@wesbos
A new wave of innovation and investments in JS is coming.
Have you checked out @vltpkg yet?
Link in thread for the full interview.
Modern Web
@moderndotweb
I ❤️ @vltpkg's query syntax. I've found it helpful with "vlt view" (there's something similar with "npm query"). It's the better "list" option of package managers and is a pathway to actually get accurate results 🎉
jddalton.bsky.social
@jdalton
Exciting news for JavaScript developers!
Isaac Schlueter, the creator of npm, has brought back the original npm team to launch vlt. This new company is all about making JavaScript package management better.
vlt is introducing a new package manager and a serverless registry.
Amit Mirgal
@amit_mirgal
🙇♂️ Thank you @vlt.sh @ruyadorno.com et al. for giving the community a cohesive toolkit for working with packages. I wish I had some of these when I was building Paka ❤️!
Jason Kuhrt
@kuhrt.me