Beyond disabling postinstalls: how npm install will change in npm 12

vlt /vōlt/

  • PricingDocs (opens in new window)Benchmarks (opens in new window)
Sign UpLog In

Is your package
truly reproducible?

Independently verify whether a published npm package can be faithfully rebuilt from its declared source. Unlike provenance systems that merely associate a package with a build environment, reproduce empirically tests whether the package actually corresponds to its source.

GitHub

50,099

Package names tracked in the community registry

6.3%

Reproducible version checks (full or partial)

Among 65,976 indexed versions in reprogistry precompute.

Aggregate counts from the community-run reprogistry project on GitHub. Figures are a static snapshot (January 2026), not live. Maintainers use our open-source reproduce library.

How it works

Instead of trusting metadata, reproduce rebuilds packages from their linked source and compares the result.

Read the blog post
  1. 1

    Fetch

    Fetches the package's source metadata from the npm registry — repository URL, commit hash, and directory.

  2. 2

    Clone

    Clones the source repository at the exact commit linked to the package.

  3. 3

    Build

    Runs the package's build steps in a clean environment using configurable strategies.

  4. 4

    Compare

    Compares the resulting artifact with the actual published npm package to verify integrity.

Trust that's earned, not assumed

Empirical verification, from the CLI or your pipeline.

Verify Package Integrity
Determines whether a package can be reproduced from its referenced repository metadata — including repository URL, type, directory, and gitHead.
Detect Manifest Confusion
Validates repository information against package.json. Mismatching metadata is flagged as potential manifest confusion.
Empirical Verification
Goes beyond provenance metadata by actually rebuilding the package and comparing artifacts. Trust is earned, not assumed.
CLI & Programmatic API
Use it from the command line with vlx or integrate it into your workflows programmatically. Persistent caching included.

Reproducibility vs. provenance

Provenance tells you where a package claims to come from. Reproducibility proves it.

Features
Verifies build output matches source
Works with existing packages
No maintainer opt-in required
Backwards compatible
Improves over time with new strategies
reproduce
✓
✓
✓
✓
✓

Get started in seconds

One command returns a structured verdict you can pipe anywhere.

~ reproduce

$vlxreproduceaxios--json

{
  "reproduced": false,
  "strategy": "npm:10.9.1",
  "package": { "name": "axios", "version": "1.7.9" },
  "source": { "location": "git+https://github.com/axios/axios.git" }
}

Verify before you trust

GitHub
Open Source
  • Package Manager
  • Serverless Registry
  • Policies
  • Reproduce
  • Packages & Ecosystem
Platform
  • Packages
  • Projects
Resources
  • Blog
  • Press
  • Brand Kit
  • Benchmarks
  • Documentation
Company
  • About
  • Careers
  • Status
  • Contact
© 2026 vlt technology inc, All rights reserved
  • Terms
  • Privacy
  • Security
All Systems Operational