Package Insights Selectors Powered by Socket
By Ruy Adorno (Bluesky: @ruyadorno.com)
Today, we're introducing a powerful new set of security-focused Dependency Selector Syntax (DSS) selectors in the vlt client, available now via the `vlt query` subcommand and integrated directly into our GUI experience.
These new selectors are all about giving developers deep, actionable insights into the risks that may be lurking in their dependency trees — using real-time metadata sourced from our friends at Socket.
We're incredibly excited about this release. Not only because of the new selector capabilities it unlocks, but because this marks the beginning of something much bigger: a security-aware package manager, where metadata-rich graphs can be queried, filtered, and eventually governed by policies — right from your terminal or from our browser-based GUI.
In the clip accompanying this post you can see how combining several Insights Selectors narrows the results down to a single package.
Note: If you have been paying attention to our browser-based user interface, you will notice that it has come a long way since our last post on the Fresh New GUI Features.
🔍 Why are we introducing security-focused Selectors?
Every package in your graph carries risk, some more than others: unmaintained dependencies, suspicious install scripts, ambiguous licenses, known malware. These risks aren't always easy to detect at a glance.
By integrating Socket's in-depth security signals directly into the vlt graph, you can now ask precise questions about your dependencies — and get answers in seconds.
Want to know which packages are unmaintained, use eval(), access the file system, or ship native binaries? Now you can:

```sh
$ vlt query :unmaintained
$ vlt query :eval
$ vlt query :fs
$ vlt query :native
```
Or maybe you're interested in more specific threat patterns. Selectors that take an argument contain parentheses, which the shell would otherwise try to interpret, so quote them when typing them into a terminal:

```sh
$ vlt query ':cve(CVE-2023-1234)'
$ vlt query ':license(copyleft)'
$ vlt query ':malware(critical)'
```
Every one of these selectors adds new visibility into the packages you depend on — helping you make better decisions and reduce supply chain risk.
🧠 Dependency Graphs Now Enhanced By Socket
These selectors are made possible by a metadata enrichment layer powered by Socket, whose industry-leading package analysis helps surface risky behaviors, CVEs, license issues, and more. They extend the existing query language grammar, so security conditions can be combined freely with the structural selectors vlt already supports.
Let's look at an advanced query example. It is a comma-separated list of three selectors, each evaluated on its own, and the result is the union of their matches:
- Any package with a postinstall script that also reaches out for network access
- Unmaintained transitive dependencies of react
- Direct dependencies of the root project with a version lower than 1.0.0

```
*:attr("scripts", [postinstall]):network, #react *:unmaintained, :root > *:v(<1)
```

Reading it left to right: `*:attr("scripts", [postinstall])` matches packages whose `scripts` object has a `postinstall` key, and `:network` narrows that to the ones Socket flags for network access; `#react *` selects every transitive dependency of react; `:root > *` selects only the direct dependencies of the root project, and `:v(<1)` filters those by version range. When running this from a shell, wrap the whole selector in single quotes so that `*`, `>`, `<`, the parentheses and the double quotes reach vlt untouched.
We've built this to feel like a native extension of vlt — and while the underlying metadata could be fetched by others, we've integrated it deeply into our graph model, enabling richer queries today and more powerful features tomorrow.
We're treating this as a foundational layer. Expect to see more sources, more signals, and more selectors as we expand this capability.
⚠️ Heads Up: These Selectors Make Network Calls
Because these selectors rely on external metadata, the first time you use them, vlt will make a network request to hydrate the graph. This may slightly delay query results — but only while security metadata is being fetched and cached.
We've optimized this to feel snappy, but wanted to be transparent that these selectors aren't “free” from a performance perspective.
🛡️ What's Next: Policies
We're building towards a future where developers and teams can not only query for insights, but also enforce policies directly within the package graph.
Imagine a world where:
- You get a warning when you install a package that matches :network or :unmaintained
- Your CI fails builds if a dependency matches :malware(high) or :license(restricted)
- Your team can define custom rules to avoid risky patterns at the edge
This is the future of vlt. Queryable, introspectable, policy-enforceable dependency graphs — with deep security metadata embedded at the core.
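To make both the composition of selectors and the policy idea concrete, here is an added example written for this page; it is not code from vlt or Socket. It implements a small evaluator for a subset of the selector grammar (`*` and `#name`, descendant and child combinators, comma-separated lists, the `:attr`, `:v`, `:root`, `:cve`, `:license` and `:malware` pseudo-selectors, and boolean flags such as `:unmaintained` and `:network`) over a constructed dependency graph whose `insights` fields stand in for Socket metadata, runs the three-part query from the advanced example above, and then reuses `query` as the kind of policy gate sketched in this section. The graph, the package names other than react, the flag values and the `enforcePolicy` helper are all assumptions made for illustration; vlt's real grammar, Socket's real data model and the policy feature itself are not represented here.

```javascript
// Added example, not vlt's or Socket's code: a subset evaluator for the Dependency Selector
// Syntax shown in the post, run over a constructed graph, plus a policy gate on top of it.
// Every `insights` value is made up (Socket-style shape only); every name except react is fictional.
const GRAPH = {
  root: 'demo-app@1.0.0',
  nodes: {
    'demo-app@1.0.0': { name: 'demo-app', version: '1.0.0', deps: ['react@18.2.0', 'demo-pad@0.3.0', 'demo-native@2.1.0'], insights: {} },
    'react@18.2.0': { name: 'react', version: '18.2.0', deps: ['demo-envify@1.4.0'], insights: { license: 'permissive' } },
    'demo-envify@1.4.0': { name: 'demo-envify', version: '1.4.0', deps: [], insights: { unmaintained: true, license: 'permissive' } },
    'demo-pad@0.3.0': { name: 'demo-pad', version: '0.3.0', deps: [], insights: { unmaintained: true, license: 'permissive' } },
    'demo-native@2.1.0': { name: 'demo-native', version: '2.1.0', deps: ['demo-fetch@0.9.1'], scripts: { postinstall: 'node build.js' }, insights: { network: true, native: true, license: 'permissive' } },
    'demo-fetch@0.9.1': { name: 'demo-fetch', version: '0.9.1', deps: [], scripts: { postinstall: 'node setup.js' }, insights: { network: true, cves: ['CVE-2023-1234'], malware: 'high', license: 'copyleft' } },
  },
};
// Split at depth-0 separators (outside (), [] and quotes); ',' and '>' are returned as tokens of their own.
function tokenize(src, seps) {
  const out = []; let cur = '', depth = 0, quote = null;
  const flush = () => { if (cur.trim()) out.push(cur.trim()); cur = ''; };
  for (const ch of src) {
    if (!quote && depth === 0 && seps.includes(ch)) { flush(); if (ch.trim()) out.push(ch); continue; }
    if (quote) { if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '(' || ch === '[') depth++;
    else if (ch === ')' || ch === ']') depth--;
    cur += ch;
  }
  flush(); return out;
}
// Grammar subset: list = complex (',' complex)*; complex = compound ((ws | '>') compound)*;
// compound = ('*' | '#name')? (':name' | ':name(args)')*. Each step records the combinator before it.
function parseSelectorList(src) {
  return tokenize(src, ',').filter(t => t !== ',').map(part => {
    const steps = []; let comb = null;                 // null: first step, ' ': descendant, '>': child
    for (const tok of tokenize(part, ' \t>')) {
      if (tok === '>') comb = '>'; else { steps.push({ comb, compound: parseCompound(tok) }); comb = ' '; }
    }
    return steps;
  });
}
function parseCompound(src) {
  const c = { name: null, pseudos: [] }; let rest = src[0] === '*' ? src.slice(1) : src;
  if (rest[0] === '#') { c.name = rest.slice(1).split(':')[0]; rest = rest.slice(c.name.length + 1); }
  const ms = [...rest.matchAll(/:([\w-]+)(?:\(((?:[^()"']|"[^"]*"|'[^']*')*)\))?/g)];
  if (ms.map(m => m[0]).join('') !== rest) throw new Error(`cannot parse compound selector "${src}"`);
  c.pseudos = ms.map(m => ({ name: m[1], arg: m[2] === undefined ? null : m[2].trim() }));
  return c;
}
const FLAGS = ['unmaintained', 'network', 'eval', 'fs', 'native', 'shell', 'deprecated']; // boolean insight flags
function matchesPseudo(graph, id, node, { name, arg }) {
  switch (name) {
    case 'root':    return id === graph.root;
    case 'cve':     return (node.insights.cves || []).includes(arg);
    case 'license': return node.insights.license === arg;   // assumed: one license category per package
    case 'malware': return node.insights.malware === arg;   // assumed: exact level match
    case 'v':       return satisfies(node.version, arg);
    case 'attr':    return matchesAttr(node, arg);
    default: if (FLAGS.includes(name)) return node.insights[name] === true; throw new Error(`:${name} not supported here`);
  }
}
// :attr("scripts", [postinstall]) or :attr("scripts", [postinstall="node build.js"]): [key] / [key=value] test.
function matchesAttr(node, arg) {
  const [path, attr] = tokenize(arg, ',').filter(t => t !== ',');
  const m = /^\[([\w.-]+)(?:=("?)([^"\]]*)\2)?\]$/.exec(attr || '');
  if (!m) throw new Error(`bad :attr argument "${arg}"`);
  const obj = node[path.replace(/^["']|["']$/g, '')];
  return obj != null && typeof obj === 'object' && m[1] in obj && (m[3] === undefined || String(obj[m[1]]) === m[3]);
}
// Comparators <, <=, >, >=, = on dotted numeric versions; full semver ranges are out of scope here.
function satisfies(version, range) {
  const m = /^(<=|>=|<|>|=)?\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(range);
  if (!m) throw new Error(`unsupported version range "${range}"`);
  const have = version.split('-')[0].split('.').map(Number);
  const cmp = [m[2], m[3] || 0, m[4] || 0].reduce((c, w, i) => c || Math.sign((have[i] || 0) - w), 0);
  return { '<': cmp < 0, '<=': cmp <= 0, '>': cmp > 0, '>=': cmp >= 0, '=': cmp === 0 }[m[1] || '='];
}
function descendants(graph, ids) {   // transitive dependency closure of a set of ids; `seen` also stops cycles
  const seen = new Set(); const visit = id => graph.nodes[id].deps.forEach(d => seen.has(d) || (seen.add(d), visit(d)));
  ids.forEach(visit); return seen;
}
// Each complex selector narrows a candidate set step by step; the comma-separated results are unioned.
function query(graph, selector) {
  return [...new Set(parseSelectorList(selector).flatMap(steps => {
    let set = null;
    for (const { comb, compound } of steps) {
      const pool = set === null ? Object.keys(graph.nodes) : comb === '>' ? set.flatMap(id => graph.nodes[id].deps) : descendants(graph, set);
      set = [...pool].filter(id => (compound.name === null || graph.nodes[id].name === compound.name) &&
        compound.pseudos.every(p => matchesPseudo(graph, id, graph.nodes[id], p)));
    }
    return set || [];
  }))].sort();
}
// Policy gate in the spirit of "What's Next": each rule is a selector and any match is a violation.
function enforcePolicy(graph, rules) {
  const violations = rules.map(rule => ({ rule, matches: query(graph, rule) })).filter(v => v.matches.length);
  return { ok: violations.length === 0, violations };   // a CI wrapper would fail the build when !ok
}
const EXAMPLE_QUERY = '*:attr("scripts", [postinstall]):network, #react *:unmaintained, :root > *:v(<1)';
console.log(query(GRAPH, EXAMPLE_QUERY), enforcePolicy(GRAPH, [':malware(high)', ':license(copyleft)']));
```

Run it with `node`; the first value printed is the sorted set of matches for the composite query, the second is the policy verdict. Two things are worth noticing: a comma-separated selector list is a union, so a policy made of several rules reports each rule's matches separately instead of collapsing them, and `:v()` here understands only a single comparator, whereas vlt's selector accepts a full semver range.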
📘 Full List of Insights Selectors
Here's the full set of selectors we're launching today. All of them are available in both vlt query and the vlt GUI client:
`:abandoned`, `:confused`, `:cve`, `:cwe`, `:debug`, `:deprecated`, `:dynamic`, `:entropic`, `:env`, `:eval`, `:fs`, `:license`, `:malware`, `:minified`, `:native`, `:network`, `:obfuscated`, `:scanned`, `:score`, `:scripts`, `:sev`, `:severity`, `:shell`, `:shrinkwrap`, `:squat`, `:suspicious`, `:tracker`, `:trivial`, `:undesirable`, `:unknown`, `:unmaintained`, `:unpopular`, `:unstable`
👉 Read the documentation on how to use the Insights Selectors
💬 Feedback? Ideas? Let's Build This Together.
This is just the beginning. We believe that transparency, insight, and control are essential to modern package management — and we're thrilled to work with the community to shape what comes next.
Got ideas for new selectors? Want to plug in your own metadata source? Interested in writing or enforcing policies?
Reach out — or hop into our Discord. We'd love to hear from you.