Darcy Clarke
darcyclarke.me
@darcyclarke.me
@vlt.sh Founder & Chief End-User Officer

Prev: GitHub, npm & Themify Co-Founder
Agent skills are the new postinstall scripts... #changemymind
February 4, 2026 at 12:26 AM
What do people use to stay up to date with/monitor socials these days? My feed is 🔥 with AI tools & I feel like my meat brain & thumbs can't process the thousands of experiments/insights. Do I just spin up OpenClaw & make it monitor socials w/ daily recaps?
February 3, 2026 at 4:32 PM
Reposted by Darcy Clarke
Doing some analytics with #NPM and this is the distribution of how many downloads NPM packages typically get.
January 30, 2026 at 6:46 PM
The @vlt.sh benchmark suite has been updated to include the yarn v6 canaries (still a WIP & improving all the time): benchmarks.vlt.sh
January 30, 2026 at 6:45 PM
IYKYK
January 30, 2026 at 5:46 AM
Notably, we weren't sharing this widely as we are still pre-1.0.0 & have many optimizations to make ahead of that milestone which we think will make us much more competitive/comparable to `bun`. I'll be interested to see how yarn v6 stacks up here imminently...
January 30, 2026 at 5:46 AM
We (@vlt.sh) have put together a pretty extensive set of benchmarks; I'm in the midst of adding yarn v6.x right now: benchmarks.vlt.sh#/package-man...

Of course, all benchmarking is tough given the nuances of the feature-sets but we do a best effort to configure the instances to be competitive.
vlt benchmarks
benchmarks.vlt.sh
January 30, 2026 at 5:46 AM
Reposted by Darcy Clarke
I was recently on the Changelog podcast to talk about npm's security issues, what can be done, and why the npm registry is unique amongst programming language source code registries.
January 29, 2026 at 4:52 PM
In regards to "Trusted Publishing", I have a LONG blog post about this alongside work we've been doing to support human in-the-loop publishing.
January 30, 2026 at 5:03 AM
In regards to eliminating these altogether, it requires enumerating the usecases & creating safe alternatives (ex. I made an RFC for the primary usecase of distributing native bin dists called "Package Distributions" years ago which we intend to support).

github.com/npm/rfcs/pul...
RFC: Package Distributions by darcyclarke · Pull Request #519 · npm/rfcs
adds RFC for new distributions capabilities See rendered RFC
github.com
January 30, 2026 at 5:03 AM
In regards to a backwards compatible solution to postinstall scripts, check this out: blog.vlt.sh/blog/vlt-build
Introducing Phased Package Installations
When you run vlt install, packages are downloaded and extracted to node_modules, but no lifecycle scripts execute.
blog.vlt.sh
January 30, 2026 at 5:03 AM
Also, I'm sorry your `reproduce` issue got buried in my notifications. 100% it's NOT you. The minute I saw it I cut a new release w/ the fix. Jump into my DMs anytime you have feedback/need something & you're not seeing activity. Maintainers are what drives this ecosystem.
January 30, 2026 at 5:03 AM
Notably, I actually started @vlt.sh to solve a lot of what you've highlighted on this pod. For the record, yes, we ARE building registry software. It's unfortunately taken longer than we'd like because but it's coming.
January 30, 2026 at 5:03 AM
Love this! I think I could provide a lot of context/answers to the Qs y'all had (/cc @changelog.com). We should jump on a call so I can share a bit more & get you using some things early (DMs open).
January 30, 2026 at 5:03 AM
Reposted by Darcy Clarke
nvm.sh users: please upgrade to github.com/nvm-sh/nvm/r... if you're using `wget` on your system, to fix a medium vulnerability (github.com/nvm-sh/nvm/s...).
Release v0.40.4 · nvm-sh/nvm
Bug Fixes sanitize NVM_AUTH_HEADER in wget path nvm_has_colors: also check if stdout is a terminal nvm_strip_path: avoid gawk-specific RT variable for mawk compatibility nvm_get_default_packages: ...
github.com
January 29, 2026 at 11:07 PM
Annnnnd it's gone. "Fed Rescinds Software Supply Chain Mandates Making SBOMs Optional". A lot of SecOps folks made a killing off this box checking. Hopefully they banked the money somewhere other than South Park: socket.dev/blog/federal...
January 29, 2026 at 7:55 PM
You might notice a familiar "9 circles of dependency hell" slide there 😉 (talk is from 2024)
January 22, 2026 at 2:58 PM
You may also like my talk "Spec-tacular" which was partly a retort to Rich Hickey, part deep insight into the JS ecosystem's variance in resolution & a whole lot of semantics.

Slides: docs.google.com/presentation...

Video: gitnation.com/contents/spe...
docs.google.com
January 22, 2026 at 2:57 PM
Love this. Also, you should check our (@vlt.io's) Dependency Selector Syntax (DSS) which we believe is highly portable & could help standardize graph querying/traversal across package managers: docs.vlt.sh/cli/selectors
Dependency Selector Syntax
docs.vlt.sh
January 22, 2026 at 2:52 PM
Reposted by Darcy Clarke
Darcy Clarke and Ruy Adorno are longtime npm CLI maintainers and Node.js contributors. They join @joshuakgoldberg.com to discuss vlt, a new package manager and registry designed to improve performance, security, and developer experience.

@darcyclarke.me
@ruyadorno.com

bit.ly/3YNGniF
Next-Gen JavaScript Package Management with Ruy Adorno and Darcy Clarke - Software Engineering Daily
Package management sits at the foundation of modern software development, quietly powering nearly every software project in the world. Tools like npm and Yarn have long been the core of the JavaScript...
softwareengineeringdaily.com
January 22, 2026 at 10:34 AM
💙 20yrs since $(this) thing made you fall in love w/ the DOM & CSS selectors. Never forget the amazing work @johnresig.com & team did to make this happen & then ensure the awesomeness got standardized in Web APIs like querySelector() & querySelectorAll().

John, thanks for all the $ 😉
January 15, 2026 at 3:22 AM
Reposted by Darcy Clarke
@lukekarrys.com joins HalfStack Phoenix.

A practical story about building for kids, using NFC cards to control music, and turning everyday interactions into something playful and intuitive.

📅 January 30th, 2026 — Majestic Theater, Gilbert

🎟️ halfstackconf.com/phoenix

#HalfStackphoenix #TechEvents
January 9, 2026 at 6:11 PM
It would be like if TC39 had no one on it responsible for/maintaining a runtime/engine.
January 9, 2026 at 11:24 PM
Haven't looked at the lib/code (I'm on mobile rn) but what happens when you pass a file, http or git spec/ref? Does it error? A successful "purl" spec should have started with including anything that npa supported/understood.
January 9, 2026 at 11:15 PM
I guess if you changed what "name" represents but then you wouldn't have a "name" defined for that package (which seems broken).

Afaik, no one on that standards body maintains a package manager so they don't control what a "package" even is (ie. why it's hard to take it seriously in retrospect).
January 9, 2026 at 10:43 PM