vlt Launches Real-Time Dependency Analysis Powered by Socket

vlt adds real-time security selectors powered by Socket, enabling developers to query and analyze package risks directly in their dependency graph.

Sarah Gooding

April 17, 2025

vlt, a fast, modern JavaScript package manager and registry, has launched a new feature that brings real-time security analysis to the dependency graph, powered by Socket.

Known for its high-performance CLI, serverless registry, and tools like reproduce (which verifies package integrity from source), vlt is continuing to push the boundaries of security-aware package management. This latest update introduces a powerful set of Dependency Selector Syntax (DSS) selectors that let developers query their dependency graph for specific risk patterns — with metadata sourced directly from Socket.

Real-Time Security Queries in the CLI and GUI

The new security selectors allow vlt users to instantly spot risks like unmaintained packages, dangerous patterns (eval, filesystem access), known malware, or problematic licenses — all from a single query:

vlt query :malware
vlt query :license(restricted)
vlt query :eval

The selectors support advanced, composable queries, enabling nuanced searches like 'all postinstall packages that access the network' or 'unmaintained transitive dependencies of react'.

This is made possible by a deep integration with Socket’s metadata engine, which continuously analyzes packages for risk indicators across the JavaScript ecosystem. Socket provides the enriched metadata, and vlt builds it into its graph model, enabling complex, security-aware analysis across the entire dependency tree.

The selectors work in both the terminal and vlt’s GUI, giving developers rich insight into their dependencies at a glance and laying the groundwork for future policy enforcement features like blocking builds based on risk.

Supporting a More Secure Ecosystem

We’re thrilled to support vlt’s vision for a queryable, introspectable, and eventually policy-driven package manager. vlt's new Socket integration brings security insights earlier into the development workflow, and makes risk analysis feel natural and fast. We’re excited to see what the community builds on top of this foundation.
