System-wide Queries
Published on

Query Across Projects with the host selector

Authors

We're excited to introduce a powerful addition to vlt's Dependency Selector Syntax (DSS): the :host selector! This powerful new feature allows you to query and manage dependencies across multiple projects seamlessly, breaking down the traditional barriers between individual project boundaries.

What is :host?

The :host(<context>) selector is a pseudo-selector that switches your current graph context to load dependencies from different project sources, inspired by the CSS host pseudo-class function. Think of it as a way to "teleport" your queries across your entire development ecosystem - whether that's all your configured projects or a specific project folder.

This opens up exciting possibilities for:

  • Cross-project security auditing: Find vulnerabilities across your entire project portfolio
  • Dependency management at scale: Manage package.json files across multiple projects with a single command
  • Portfolio analysis: Get insights into your technology stack across all projects
  • Centralized maintenance: Perform bulk operations on your project ecosystem

Getting Started: Two Context Types

The local Context

The most powerful context is local, which loads graphs from all projects configured in your vlt dashboard:

vlt query ':host(local) :malware'

This command scans every project in your configured dashboard for potential malware packages - giving you a bird's eye view of security across your entire development portfolio.

Specific Project Contexts

You can also target specific projects using file paths:

vlt query ':host("file:~/projects/my-app") :outdated'

This switches the context to load the dependency graph from ~/projects/my-app, allowing you to query that specific project's dependencies.

Real-World Examples

Let's explore some powerful use cases that demonstrate the flexibility of :host:

Security Auditing Across Projects

# Find all malware across configured projects
vlt query ':host(local) :malware'

# Check for specific CVEs in a project
vlt query ':host("file:~/production-app") :cve(CVE-2023-1234)'

# Find abandoned packages across your portfolio
vlt query ':host(local) :abandoned'

Bulk Version Management

Package authors can also benefit from combining :host with vlt's version management:

# Bump patch version for a specific project
vlt version patch --scope=':host("file:~/tmp/test-vite")'

# Find all projects using a specific outdated package
vlt query ':host(local) [name=lodash]:outdated'

Portfolio Insights

Get comprehensive insights across your entire development ecosystem:

# Get name and version of all direct dependencies across all projects
vlt pkg pick name version --scope=':host(local) > :root > *'

# Find all scoped projects in your portfolio
vlt query ':host(local) [name^=@myscope]'

# List all private packages across projects
vlt query ':host(local) :private'

Advanced Querying

Combine :host with other powerful DSS selectors:

# Find all workspace packages across all projects
vlt query ':host(local) :workspace'

# Find packages with install scripts across your portfolio
vlt query ':host(local) :scripts'

How It Works Under the Hood

When you use :host, vlt dynamically loads dependency graphs from the specified sources. Here's what happens:

  1. Context Resolution: The selector parses the context parameter (local or file path)
  2. Graph Loading: vlt loads the actual dependency graphs from the specified sources
  3. Context Switching: The current query context switches to use the loaded graphs
  4. Query Execution: Your selector continues executing against the new context

For the local context, vlt:

  • Reads all projects from your configured dashboard paths
  • Loads dependency graphs from each vlt-installed project
  • Creates a virtual root that aggregates all projects
  • Initializes Socket's security data for comprehensive analysis

For file-based contexts, vlt loads the graph from the specific project directory, allowing you to query that project's dependencies as if you were running the command from within that project.

Configuration and Setup

The :host selector works with your existing vlt dashboard configuration. Projects are discovered from your configured dashboard-root paths in your user level config.

This is how you set up the dashboard-root location to (as an example) a folder named ~/projects in your system for the current user:

$ vlt config set dashboard-root=~/projects --config=user

No additional setup is required - once your projects are configured in the dashboard, they're automatically available via :host(local).

It's also possible to set up the dashboard-root from the browser-based UI client, by default the UI will guide you to set it up the first time you visit it, to start the power vlt UI client, run:

$ vlt serve

Best Practices

As you start using :host, here are some recommendations:

  1. Start with local context: Use :host(local) to get familiar with cross-project querying
  2. Combine with specific selectors: Pair with security selectors (:malware, :cve, etc.) for comprehensive auditing
  3. Use file contexts for targeted operations: Switch to specific projects when you need focused operations
  4. Leverage for maintenance workflows: Create scripts that use :host for regular maintenance tasks

What's Next?

The :host selector is just the beginning of vlt's multi-project capabilities. We're working on several exciting enhancements:

๐ŸŒ Remote Context Support

Keep an eye on this space as we introduce Remote Context Support, which will allow users to jump out of locally installed projects and query from remote registries:

# Query dependencies from remote repositories (future)
vlt query ':host(npm) #react'

๐Ÿ”ฎ More magic keys

We'll be adding more special keys to target package information across your system such as: exec to target all packages downloaded when running a vlt exec command.

# Query from exec-installed dependencies (future)
vlt query ':host(exec) #eslint'

๐Ÿ“Š Enhanced UI Integration

We're expanding the browser-based UI to provide better visualization and project management capacities, making it even easier to understand and operate in your projects.

Try It Today!

The :host selector is available now in the latest version of vlt. Whether you're managing a handful of projects or an entire organization's dependency portfolio, this feature gives you unprecedented visibility and control.

Ready to start querying across your projects? Set up your dashboard paths and try your first cross-project security scan:

vlt query ':host(local) :malware'

Have feedback or questions about :host? Join our Discord community - we'd love to hear how you're using this feature and what other multi-project capabilities you'd like to see!

Want to dive deeper into vlt's DSS query capabilities? Check out our complete Dependency Selector Syntax documentation for all available selectors and combinators.

Discuss on:BlueskyยทX (Formerly Twitter)

Join the waitlist

Curious to learn more about vlt? Join our waitlist and get early access.

Sign up