The vlt query syntax enables usage of CSS-selector-like strings to filter and select packages in your dependency graph.
$ vlt query ':root > [name^=@vltpkg]'Many of the common elements of the CSS language are available, notably:
*Universal selector — matches all selected items.&Nesting selector — allows for nesting selectors.{}Curly braces — when querying, can be used to nest selectors.
Quick Reference
| Category | Examples | Description |
|---|---|---|
| Attribute Selectors | [name=foo], [version^=2] | Match by package.json metadata |
| Combinators | >, , ~ | Traverse the dependency graph |
| ID Selectors | #foo | Shortcut for [name=foo] |
| Pseudo-class Selectors | :has(), :outdated(), :semver() | Functional selectors with arguments |
| Pseudo-state Selectors | :root, :workspace, :dev | State-based selectors |
| Security Insights | :malware, :cve(), :license() | Security data from Socket |
Selector Categories
Attribute Selectors Match packages by package.json fields like name, version, or any custom property.
Combinators Traverse the dependency graph with child, descendant, and sibling combinators.
ID Selectors Quick shorthand to select packages by name.
Pseudo-class Selectors Functional selectors like :has(), :outdated(), :semver(), :type(), and more.
Pseudo-state Selectors State-based selectors like :root, :workspace, :dev, :prod, :private.
Security Insights Socket-powered security selectors for malware, CVEs, obfuscation, and more.
Examples
Find all outdated direct dependencies:
$ vlt query ':root > :outdated'Find all packages that depend on a vulnerable package:
$ vlt query ':has(> :cve(*))'Find all dev-only dependencies that use eval:
$ vlt query ':dev:eval'Combine multiple selectors:
$ vlt query ':workspace > :type(git), :root > :outdated(major)'