Beyond disabling postinstalls: how npm install will change in npm 12

vlt /vōlt/

  • PricingDocs (opens in new window)Benchmarks (opens in new window)
Sign UpLog In

Private packages,
Public simplicity

An npm-compatible registry for development, automated tests, and CI—private packages and granular access with minimal setup, right next to your editor and your pipelines.

GitHub

~ Registry

$vlx@vltpkg/vsr

~VSR ready onhttp://localhost:1337

$npmconfig set registryhttp://localhost:1337

$npmpublish

+@acme/ui@1.2.0

$

Private, secure, and controlled by you

Built for local dev, shared sandboxes, test fixtures, and CI.

Secure
Store and manage dependencies for dev and CI workflows without exposing internal packages to the public registry.
Controlled
Decide who can publish, read, or update packages—useful for team sandboxes, CI bots, and licensed or proprietary artifacts.
Local
Run beside your laptop or in CI: private packages, scoped installs, and reproducible pipelines with a small footprint.
Reliable
Fewer surprises in pipelines when installs are not pinned to a flaky or changing public mirror for every run.
Stable
Pin versions across dev machines, test jobs, and CI so everyone resolves the same tarballs before code ships.
Fast & Efficient
Caches and proximity matter most in tight dev/CI loops—faster installs when your registry sits next to your runners instead of across the internet.

Granular access tokens

Precise control over who can interact with what, and how.

subscriber tokensRead Only
Read-only tokens offer secure, controlled, and revokable access to proprietary packages, enabling businesses to manage third-party access while protecting intellectual property.
  • Read and Download packages they've been granted access to
  • Rotate and Remove associated tokens & profile information for their accounts
maintainer tokensRead & Write
Create read-only and read & write maintainer tokens to provide comprehensive and flexible access control for managing packages within an organization, allowing for collaborative and secure package management.
  • Permission to publish, update, and delete packages
  • Controlled access based on specific team roles or environments

How VSR compares

The baseline both VSR and Verdaccio support today.

Features
Granular Access
Proxy Upstream Registries
Unscoped Package Names
npm Package Publishing
npm Package Installation
Search
VSR
✓
✓
✓
✓
✓
✓

Fair Source: Functional Source License (FSL)

VSR is released under the Functional Source License (FSL) - a Fair Source license. You get source access and broad use rights while the license protects sustainable product development; under FSL, each version typically becomes permissive open source (Apache 2.0 or MIT) after two years. Our managed registry, mirror, and related hosted services are primarily closed source and sold separately - see our open source page for the libraries and tools we publish under permissive licenses.

Run a private registry
in seconds.

GitHub
Open Source
  • Package Manager
  • Serverless Registry
  • Policies
  • Reproduce
  • Packages & Ecosystem
Platform
  • Packages
  • Projects
Resources
  • Blog
  • Press
  • Brand Kit
  • Benchmarks
  • Documentation
Company
  • About
  • Careers
  • Status
  • Contact
© 2026 vlt technology inc, All rights reserved
  • Terms
  • Privacy
  • Security
All Systems Operational