Latest Threat ResearchGlassWorm Loader Hits Open VSX via Developer Account Compromise.Details
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

@vltpkg/query

Package Overview
Dependencies
Maintainers
6
Versions
51
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@vltpkg/query

Query syntax parser that retrieves items from a graph

Source
npmnpm
Version
1.0.0-rc.13
Version published
Weekly downloads
318
-8.36%
Maintainers
6
Weekly downloads
 
Created
Source

query

@vltpkg/query

The vlt query syntax engine.

Usage · Examples

Usage

import { Query } from '@vltpkg/query'

const query = new Query({ nodes, specOptions, securityArchive })
const res = await query.search(':root > *')

Examples

Querying against an ideal/virtual graph

import { ideal } from '@vltpkg/graph'
import { Query } from '@vltpkg/query'
import { PackageJson } from '@vltpkg/package-json'
const signal = new AbortController().signal
const projectRoot = process.cwd()
const packageJson = new PackageJson()
const graph = await ideal.build({ projectRoot, packageJson })
const query = new Query({ graph })
const res = await query.search(':root > *', { signal })

Querying against a local node_modules folder

import { actual } from '@vltpkg/graph'
import { Query } from '@vltpkg/query'
import { PackageJson } from '@vltpkg/package-json'
import { PathScurry } from 'path-scurry'
const signal = new AbortController().signal
const projectRoot = process.cwd()
const scurry = new PathScurry(projectRoot)
const packageJson = new PackageJson()
const graph = await actual.load({ projectRoot, packageJson, scurry })
const query = new Query({ graph })
const res = await query.search(':root > *', { signal })

Querying against a lockfile

import { lockfile } from '@vltpkg/graph'
import { Query } from '@vltpkg/query'
const signal = new AbortController().signal
const projectRoot = process.cwd()
const graph = await lockfile.load({
  mainManifest: 'package.json',
  projectRoot,
})
const query = new Query({ graph })
const res = await query.search(':root > *', { signal })

FAQs

Package last updated on 19 Dec 2025

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

OpenClaw Skill Marketplace Emerges as Active Malware Vector

Security News

OpenClaw Skill Marketplace Emerges as Active Malware Vector

Security researchers report widespread abuse of OpenClaw skills to deliver info-stealing malware, exposing a new supply chain risk as agent ecosystems scale.

By Sarah Gooding  -  Feb 09, 2026
Malicious dYdX Packages Published to npm and PyPI After Maintainer Compromise

Research

/

Security News

Malicious dYdX Packages Published to npm and PyPI After Maintainer Compromise

Malicious dYdX client packages were published to npm and PyPI after a maintainer compromise, enabling wallet credential theft and remote code execution.

By Kush Pandya  -  Feb 06, 2026