Podcast Summary: Next-Gen JavaScript Package Management with Ruy Adorno and Darcy Clark
Podcast: Software Engineering Daily
Host: Josh Goldberg
Guests: Darcy Clark & Ruy Adorno (Vault / vlt)
Date: January 22, 2026
Episode Overview
This episode journeys into the evolving landscape of JavaScript package management. Host Josh Goldberg welcomes Darcy Clark and Ruy Adorno, veterans of the NPM ecosystem and now founders of Vault (vlt). They dissect the current pains of JavaScript infrastructure (performance, security, dependency management) and discuss how Vault is rethinking package managers and registries from the ground up. Features like declarative querying, next-gen security, self-hosted registries, and real-time insights are highlighted as the future of this vital tooling.
1. Backgrounds & Perspectives
Introduction to Guests
- Darcy Clark:
  - 20+ years developing in JS.
  - Joined NPM in 2019, experienced the GitHub/Microsoft acquisition, witnessed scaling and trade-offs in package management.
  - Loves building for community and open source.
  - “We got to support the world’s largest package registry. I really enjoyed the space and care deeply about community and open source.” (02:21)
- Ruy Adorno:
  - Also 20+ years in software.
  - Joined Darcy’s team at NPM in 2019, lived through major transitions.
  - Currently Vice Chair of the Node.js TSC, with an international background (Brazilian/Canadian).
  - “These days, I’m a member of the technical steering committee in the Node JS project...” (03:44)
2. The State of Package Management
The Relationship Between Runtimes and Package Managers
- Node and NPM: Invented tight runtime-package manager coupling.
  - “Node really... trailblazed the path in the early aughts... of the relationship between NPM and Node having distributed... a package manager with the runtime for so long.” (05:11)
- Modern Trends: Tools like Bun and Deno blur the lines between runtimes and package managers.
- Key Value: Package managers provide developer consistency, security, and timely updates; the alternative was “hot-linking” or manual bundling, which led to stale/unsafe code. (06:03)
Corepack & Package Manager Management
- Corepack was designed as a “package manager manager” to manage which tool your project uses.
- Node is deprecating built-in Corepack support after internal debates; users are being given time to migrate. (07:56)
  - “The whole discussion... lingered for a while within the Node project… Eventually... the project itself wants to move past the corepack story.” — Ruy (07:56)
- Corepack allowed explicit selection/stateful management of tools, but also risked ecosystem “regulatory capture.” (10:03)
  - “It’s a bit of a regulatory capture move to say, hey, let’s sort of lock in your tooling ecosystem…” (12:58)
3. Why Vault? A New Approach to Package Management
Traditional Landscape
- All major newer clients (Yarn, pnpm, Deno, Bun) changed only the client; they still rely on the NPM registry APIs designed 15+ years ago. (14:02)
- No innovation on the registry/server side, only local client optimizations.
Vault & VSR: What’s Different
- Server-Side Innovation:
  - Vault introduces the VSR (Vault Serverless Registry): a lightweight registry/proxy enabling private/self-hosted registries, real-time indexing, and centralized knowledge of dependency graphs.
  - “We think there’s a huge opportunity… to unlock the server side aspect… create net new endpoints… [and] invest in the registry side.” — Darcy (14:02)
- Delivers: Global caches, less redundant computation, true performance and security improvements, and developer-friendly orchestration.
- Compatibility: The Vault client works with the legacy NPM registry as well as with the new VSR.
4. Performance, Lockfiles & Dependency Resolution
Real-World Speed
- Fast Installs: A local VSR proxy means lower network overhead; vlt’s engine aims for best-in-class speed.
  - “We actually are the fastest package manager that isn’t named Bun and we think that we can get there.” — Darcy (21:05)
- Efficient Graph Resolution:
  - Ruy developed a new lockfile format and graph resolver to optimize performance and ensure deterministic installs.
What is a Lockfile?
- “It is there to help you lock a given install... you just want to reproduce a given install, they can just be installing from that source... it also serves other purposes like speeding up install because you already have a fully realized graph...” — Ruy (22:07)
Dependency Hell & Version Resolution
- Nuanced discussion of how even semver range parsing isn’t formally specified—every package manager handles version ranges and dependency graphs idiosyncratically.
- “Every time we say semver, we’re... stealing a term that actually doesn’t have any basis for the ranges.” — Darcy (24:29)
- JS’s approach: Allow multiple versions (nested dependencies), but deduplication and optimization are hard problems.
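The lockfile discussion above (reproducing a given install) and the semver-range discussion are easiest to see side by side in code. The following is an added example written for this summary; it is not code from the episode or from the vlt project. It uses a constructed in-memory registry and a constructed lockfile fragment shaped like the "packages" map of an npm lockfileVersion 3 file (an assumption about layout), and it implements one common reading of caret ranges (^1.2.0 meaning >=1.2.0 <2.0.0, with the usual 0.x special cases), which, as Darcy notes, no formal specification actually guarantees.

```javascript
// Added example for this summary, not code from the episode or from the vlt project.
// It models why a lockfile makes installs reproducible: resolving a range against a
// registry picks the newest match and drifts as new versions are published, while the
// lockfile records one exact version. Caret semantics follow the common reading
// ">=X.Y.Z <(X+1).0.0"; no formal spec pins that down.

// Constructed in-memory registry: package name -> published versions, oldest first.
const registry = {
  "left-pad": ["1.1.0", "1.2.0", "1.3.0"],
};

// Parse "MAJOR.MINOR.PATCH"; prerelease tags are deliberately out of scope here.
function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Caret check: ^1.2.0 => >=1.2.0 <2.0.0; ^0.2.3 => >=0.2.3 <0.3.0; ^0.0.3 => exactly 0.0.3.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error("this example only handles caret ranges");
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (base.major > 0) return v.major === base.major;
  if (base.minor > 0) return v.major === 0 && v.minor === base.minor;
  return v.major === 0 && v.minor === 0 && v.patch === base.patch;
}

// Range resolution: the highest published version that satisfies the range.
function resolveFromRange(reg, name, range) {
  const matches = (reg[name] || []).filter((v) => satisfiesCaret(range, v));
  if (matches.length === 0) return null;
  return matches.sort(compareVersions)[matches.length - 1];
}

// Constructed lockfile fragment: the range is ignored and the recorded version is used.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/left-pad": {
      version: "1.2.0",
      resolved: "https://registry.example/left-pad/-/left-pad-1.2.0.tgz",
    },
  },
};

function resolveFromLockfile(lock, name) {
  const entry = lock.packages[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// Simulate a publish that happens after the lockfile was committed.
function publish(reg, name, version) {
  reg[name] = [...(reg[name] || []), version];
}

// Works on a copy of the registry so repeated calls stay deterministic.
function demo() {
  const reg = { "left-pad": [...registry["left-pad"]] };
  const rangeBefore = resolveFromRange(reg, "left-pad", "^1.2.0"); // newest match today
  publish(reg, "left-pad", "1.4.0");
  const rangeAfter = resolveFromRange(reg, "left-pad", "^1.2.0"); // drifts after a publish
  const locked = resolveFromLockfile(lockfile, "left-pad"); // stays pinned
  return { rangeBefore, rangeAfter, locked };
}

console.log(demo());
```

The same drift is what turns a "works on my machine" install into a different dependency graph on CI a week later; the lockfile is the artifact that removes the registry's current state from the equation, which is also why Ruy describes it as a fully realized graph that makes installs faster.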
5. Next-Generation Features in Vault
Safety and Security by Default
- vlt does not run install scripts by default—a security milestone.
  - “Being safe by default has become standard... by default, if you run vlt install, we’re not going to run any install scripts and we’re going to print a nice message...” — Darcy (29:26)
- Provides nuanced allow-lists if you want to opt into running them, powered by their custom query language.
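To make the "safe by default, opt in per package" idea concrete, here is an added example written for this summary (not vlt's code and not its allow-list syntax): it reads a lockfile, lists the dependencies that declare install scripts, and checks each against an explicit allow-list keyed by name and version. It assumes npm's lockfileVersion 3 layout, where a "packages" entry carries "hasInstallScript": true when the package has preinstall/install/postinstall scripts; the lockfile contents and the allow-list decision are constructed.

```javascript
// Added example for this summary, not vlt's code: audit which dependencies in a lockfile
// declare install scripts and decide, against an explicit allow-list, which may run.
// Assumes npm's lockfileVersion 3 layout ("hasInstallScript": true on the entry).
// The lockfile contents and the allow-list decision below are constructed.

const lockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/native-addon": { version: "2.1.0", hasInstallScript: true },
    "node_modules/plain-lib": { version: "4.0.2" },
    "node_modules/plain-lib/node_modules/telemetry-helper": { version: "0.3.1", hasInstallScript: true },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b": the text after the final
// "node_modules/" is the package name, scope included.
function packageNameFromPath(path) {
  const parts = path.split("node_modules/");
  return parts[parts.length - 1];
}

// Every dependency that would execute a lifecycle script during install.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages)
    .filter(([path, entry]) => path !== "" && entry.hasInstallScript === true)
    .map(([path, entry]) => ({ name: packageNameFromPath(path), version: entry.version, path }));
}

// Allow-list keys pin name AND version, so a version bump forces a fresh review.
const allowList = new Set(["native-addon@2.1.0"]);

// Split install-script packages into those the allow-list permits and those it blocks.
function classifyInstallScripts(lock, allowed) {
  const allowedRun = [];
  const blocked = [];
  for (const pkg of packagesWithInstallScripts(lock)) {
    const key = `${pkg.name}@${pkg.version}`;
    (allowed.has(key) ? allowedRun : blocked).push(key);
  }
  return { allowedRun, blocked };
}

// Human-readable report in the spirit of the "nice message" the episode describes.
function report(lock, allowed) {
  const { allowedRun, blocked } = classifyInstallScripts(lock, allowed);
  return [
    ...allowedRun.map((k) => `run   ${k} (on allow-list)`),
    ...blocked.map((k) => `skip  ${k} (install script blocked; review before allow-listing)`),
  ];
}

console.log(report(lockfile, allowList).join("\n"));
```

Pinning the allow-list to name plus version is the detail that matters: a transitive package that never had an install script can gain one in a patch release, and a name-only allow-list would let that new script run unreviewed.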
Declarative Query Language
- Inspired by CSS selectors; enables expressive dependency selection for audits, config management, publishing, and more.
- “It’s kind of like pnpm... filtering syntax on steroids...” (36:36)
- System-wide selectors: scope queries across multiple projects—e.g., update configs or metadata in all packages you own in one command. (34:33, 37:03)
Memorable Example
- “Let’s say you configure all [your packages] using Vault Client... you want to update all your packages... you could use a command like vlt pkg and go ahead and set your social media handler...” — Ruy (37:03)
Security: Real-Time Malware Scanning
- Integration with security partners (like Socket) for ongoing scan results; provides selectors like :malware to identify risky packages system-wide.
  - “It does seem super scary to run that query and maybe get results. Unfortunately, it’s very possible... But this selector is mutable, updating all the time.” — Darcy (39:08)
- Offers selectors for provenance, access, and vulnerability types (e.g., packages that access FS, HTTP, or match CVEs).
Registry & Devtools: Interoperability & Visualization
- Fully documented APIs for both Vault’s registry and NPM’s, with interactive browser-based UI and documentation (using Scalar UI).
- “We have the best NPM docs that exist out there... You can actually play with the APIs in real time...” — Darcy (47:58)
- CLI and browser UI for graph exploration; supports output formats like Mermaid for visualizing dependency trees.
6. Quality-of-Life and Innovation
- Most commands accept a --scope flag (query selector support) to batch or target operations across the tree, monorepo, etc.
- Output options: tree structures, enriched JSON, and visual outputs (Mermaid).
- Intuitive, familiar syntax and “small details” tailored for productivity.
  - “I'm a big terminal user, but sometimes I just want the product to take my hand, guide me to that experience.” — Ruy (50:29)
- Commitment to NPM interop, thorough documentation, and community support.
7. What’s Next for Vault?
- Ongoing work to pre-crawl the ecosystem and resolve dependency graphs before the user does—faster, safer, and more insightful than current approaches.
- Future releases will provide security and performance guarantees previously only “theoretical in a lot of other tools.”
- Watch for continued innovation both in the client and as a platform for other dev tools authors. (52:42)
8. Memorable Moments & Quotes
- On the ambiguities of semver: “There’s no actual specification... for ranges... every package manager interprets that spec [differently].” — Darcy (24:29)
- “Dependency hell really sounds like it puts the hell in dependency hell.” — Josh (28:01)
- “Destruction is a form of creation.” — Josh, paraphrasing Donnie Darko (57:26)
- On not running install scripts: “...being safe by default has become standard... I’m very happy about that...” — Darcy (29:26)
- On security selectors: “You want to be able to find it [malware] if it did happen... we think it is still super powerful for you.” — Darcy (39:08)
- On the value of Brazilian Jiu-Jitsu for developers: “Just getting us out of the desk or chair every single day long... getting in shape...” — Ruy (53:52)
- On Kurt Cobain’s journal: “It was nice to see, you know, just how creative but also how much unfortunately is very pained... let it rest, let’s all burn our copies.” — Darcy (55:02)
9. References & Resources
- Vault: vlt.sh
- Vault documentation
- GitHub: vltpkg
- Twitter/X: @vltpkg
- Bluesky: @vlt.sh
- Ruy Adorno Bluesky
- Darcy Clark X/Twitter: @darcy
- [TypeScript ESLint, Josh Goldberg, etc.]
10. Timestamps of Key Topics
- 02:21 – Darcy’s journey in JavaScript and package management
- 05:11 – History: Node, package managers, and the origins of coupling
- 07:56 – Ruy on Corepack, Node’s approach, and recent deprecation vote
- 10:03-12:58 – Corepack’s purpose and downsides (Darcy)
- 14:02-17:16 – The birth and architecture of Vault & VSR
- 19:50 – Performance: registry proxy and local caching
- 21:05 – Benchmarks and vlt’s lockfile innovations
- 22:07 – Explanation of lockfiles (Ruy)
- 24:17–28:10 – Dependency resolution difficulties and “dependency hell”
- 29:26–32:52 – Security by default, query language, and host selectors
- 37:03 – Practical use cases: cross-project bulk edits with selectors
- 39:08–43:53 – Security, malware detection, and selector-driven heuristics
- 47:58–50:29 – Documentation, registry interop, and CLI/UX niceties
- 52:42 – Roadmap and upcoming large-scale graph crawling
- 53:52 – The importance of Brazilian Jiu-Jitsu for developers
- 55:02 – Reflections on Kurt Cobain’s journal and creative influences
- 57:40–58:45 – Where to find Darcy, Ruy, and Vault on the web
Conclusion
This episode provides a nuanced, enthusiastic, and insightful look at the next generation of JavaScript package management. Darcy and Ruy blend deep historical understanding with forward-thinking technical design, aiming for a safer, faster, and more developer-friendly ecosystem. Vault, with its server-backed registry, expressive query language, and emphasis on security and transparency, represents a meaningful leap forward in how JavaScript communities might build and share code in the years ahead.
