Next-Gen JavaScript Package Management with Ruy Adorno and Darcy Clarke

17 snips

Jan 22, 2026

Darcy Clarke and Ruy Adorno, veterans in the JavaScript world, discuss their innovative project, Vault, aimed at rethinking package management. With their extensive experience in npm and Node.js, they explore the limitations of current tools and share insights on performance bottlenecks, dependency conflicts, and security concerns. Their discussions include new features like a CSS-inspired query language, self-hosted registries, and real-time security scanning, promising to reshape how developers handle JavaScript package management in the future.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

INSIGHT

Lockfiles Are Dual-Purpose

Lockfiles both reproduce installs and speed up installs by providing a realized dependency graph for machines to follow.
Ruy Adorno notes lockfiles also serve humans auditing dependency evolution.

INSIGHT

Why Dependency Resolution Is Hard

Dependency ranges lack a single spec; semver only defines versions, not ranges, so managers implement different grammars.
That leads to divergent resolution strategies and the classic 'diamond dependency' challenges.

ADVICE

Prefer Safe-By-Default Tools

Use package managers that are 'safe by default' and avoid running install scripts unless explicitly allowed.
Volt defaults to not running install scripts and offers query-based allowlists for trusted packages.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Package management sits at the foundation of modern software development, quietly powering nearly every software project in the world. Tools like npm and Yarn have long been the core of the JavaScript ecosystem, enabling developers to install, update, and share code with ease. But as projects grow larger and the ecosystem more complex, this older infrastructure is beginning to show its limits with performance bottlenecks, dependency conflicts, and growing concerns around supply chain security.

Darcy Clarke and Ruy Adorno are veterans of this ecosystem. Both spent years maintaining the npm CLI and helping guide the Node.js project, where they saw firsthand the technical debt and design tradeoffs that define modern JavaScript tooling. Now they’re building vlt, a new package manager and registry that rethinks performance, security, and developer experience from the ground up.

In this episode, Darcy and Ruy join Josh Goldberg to discuss how vlt works, why they believe package management needs a server-side reboot, what lessons they’ve drawn from npm’s evolution, and how features like declarative querying, self-hosted registries, and real-time security scanning could reshape how developers build and share JavaScript in the years ahead.

Josh Goldberg is an independent full time open source developer in the TypeScript ecosystem. He works on projects that help developers write better TypeScript more easily, most notably on typescript-eslint: the tooling that enables ESLint and Prettier to run on TypeScript code. Josh regularly contributes to open source projects in the ecosystem such as ESLint and TypeScript. Josh is a Microsoft MVP for developer technologies and the author of the acclaimed Learning TypeScript (O’Reilly), a cherished resource for any developer seeking to learn TypeScript without any prior experience outside of JavaScript. Josh regularly presents talks and workshops at bootcamps, conferences, and meetups to share knowledge on TypeScript, static analysis, open source, and general frontend and web development.

Please click here to see the transcript of this episode.

Sponsorship inquiries: sponsor@softwareengineeringdaily.com

The post Next-Gen JavaScript Package Management with Ruy Adorno and Darcy Clarke appeared first on Software Engineering Daily.