Beyond disabling postinstalls: how npm install will change in npm 12

vlt /vōlt/

  • PricingDocs (opens in new window)Benchmarks (opens in new window)
Sign UpLog In

Dependency policies,
enforced in CI

A GitHub Action that gates your CI pipeline with powerful dependency queries. Check for malware, enforce license compliance, track outdated packages, and more—all with CSS-like selectors.

GitHub Marketplace
Source

.github/workflows/deps.yml

name: Dependency Audit
on: [push, pull_request]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: vltpkg/setup-vlt@v1
      - run: vlt install

      - uses: vltpkg/policies@v1
        with:
          queries: |
            :malware --expect-results=0
            *:license(copyleft) --expect-results=0
            :outdated --view=json

One action, many policies

Express security, licensing,
and quality as simple queries.

Block Malware
Fail the build if any dependency is flagged as malware.

$vltquery:malware--expect-results=0

Enforce Licenses
Ensure no copyleft-licensed packages enter your project.

$vltquery*:license(copyleft)--expect-results=0

Catch Vulnerabilities
Block packages with known security vulnerabilities.

$vltquery:vulnerable--expect-results=0

Track Outdated
Surface outdated dependencies in every pull request.

$vltquery:outdated--view=json

Limit Dependencies
Cap direct dependency count to keep your project lean.

$vltquery:root > *--expect-results=<=25

Audit Workspaces
Monitor workspace package structure across your monorepo.

$vltquery:workspace--view=count

Built for real workflows

Not a scanner—a flexible policy engine that fits how your team ships.

Security Gates
Block malware, vulnerable, and deprecated packages before they reach your main branch. Fail CI when threats are detected.
License Compliance
Enforce license policies automatically. Block copyleft, AGPL, or any license category that conflicts with your requirements.
Dependency Health
Track outdated packages, enforce dependency limits, and monitor the overall health of your dependency tree in every PR.
CSS-Like Selectors
Query your dependency graph with powerful, familiar CSS-inspired syntax. Filter by name, version, license, scripts, and more.
Multi-Query Support
Run multiple checks in a single action — security, licensing, and quality gates all at once with independent pass/fail criteria.
GitHub Native
Beautiful summary tables in your PR checks, detailed output in job summaries, and structured JSON outputs for downstream automation.

How it works

From a single workflow step to a fully gated pipeline.

  1. 1

    Add the Action

    Drop vltpkg/policies into any GitHub Actions workflow. Works alongside your existing CI pipeline.

  2. 2

    Define Your Policies

    Write queries using CSS-like selectors to express your security, licensing, and quality requirements.

  3. 3

    Gate Every PR

    Every pull request is automatically checked. Violations fail the build with clear, actionable output.

  4. 4

    Ship With Confidence

    Merge knowing that your dependency policies are enforced — no manual review of transitive dependencies required.

Clear results in every PR

Failed checks tell you exactly what went wrong. Passing checks let you merge.

Dependency Audit

✓:malware— 0 results (expected 0)

✓:vulnerable— 0 results (expected 0)

✓*:license(copyleft)— 0 results (expected 0)

✓:deprecated— 0 results (expected 0)

✗:root > *— 28 results (expected <=25)

Failed:1 of 5 queries did not meet expectations

$

Start enforcing
dependency policies today

Get StartedSelector Docs
Open Source
  • Package Manager
  • Serverless Registry
  • Policies
  • Reproduce
  • Packages & Ecosystem
Platform
  • Packages
  • Projects
Resources
  • Blog
  • Press
  • Brand Kit
  • Benchmarks
  • Documentation
Company
  • About
  • Careers
  • Status
  • Contact
© 2026 vlt technology inc, All rights reserved
  • Terms
  • Privacy
  • Security
All Systems Operational