A git subcommand that indexes your dependency changes into a queryable database.
Find out who added a package, when, and why.
Your lockfile shows what dependencies you have, but not how you got here. Running git log Gemfile.lock produces noise that no one reads. git-pkgs walks through your git history and builds a SQLite database so you can ask: when did we add this? who added it? what changed between releases? has anyone touched this in the last year?
git pkgs init # analyze history (one-time)
git pkgs list # show current dependencies
git pkgs stats # see overview
git pkgs blame # who added each dependency
git pkgs history # all dependency changes over time
git pkgs history rails # track a specific package
git pkgs why rails # why was this added?
git pkgs diff # HEAD vs working tree
git pkgs diff --from=HEAD~10 # what changed recently?
git pkgs diff main..feature # compare branches
git pkgs vulns # scan for known vulnerabilities (CVE and GHSA advisories)
git pkgs vulns blame # who introduced each vulnerability
git pkgs outdated # find packages with newer versions
git pkgs update # update all dependencies
git pkgs add lodash # add a package

The database lives in .git/pkgs.sqlite3 and stays current through git hooks. Core commands work entirely offline with no network access.
Static scanners tell you what’s vulnerable. git-pkgs tells you who introduced it, when, and how long it took to fix.
git pkgs vulns # scan current dependencies
git pkgs vulns blame # who introduced each vulnerability
git pkgs vulns praise --summary # who fixes vulnerabilities fastest
git pkgs vulns history lodash # timeline for a specific package

Sample output (the advisory identifiers are placeholders):

$ git pkgs vulns blame
CRITICAL CVE-2024-1234 lodash 4.17.15 abc1234 2024-03-15 Alice "Add utility helpers"
HIGH GHSA-xxxx express 4.18.0 def5678 2024-02-01 Bob "Bump express"

Enforce license policies in CI. Flag copyleft licenses or use an explicit allow list.
git pkgs licenses # show license for each dependency
git pkgs licenses --permissive # flag copyleft licenses
git pkgs licenses --allow=MIT,Apache-2.0,BSD-3-Clause

Exits with code 1 if any dependency fails the policy check, so a violation fails the CI job without any extra wrapping.
Check registries for newer versions. Because this queries package registries, it needs network access, unlike the core commands. The --at flag shows what was outdated at any point in history.
git pkgs outdated # packages with updates available
git pkgs outdated --major # only major version updates
git pkgs outdated --at v2.0.0 # what was outdated when we released v2.0?
git pkgs outdated --at 2024-01-01 # what was outdated on this date?

Binary search through commits that changed dependencies. If you have 1000 commits between good and bad but only 15 changed dependencies, you search 15 instead of 1000: about four checkouts instead of ten, and every commit you test is one where a dependency actually changed.
git pkgs bisect start
git pkgs bisect bad HEAD
git pkgs bisect good v1.0.0
git pkgs bisect run npm test # automated bisect with a script

Export a Software Bill of Materials in CycloneDX or SPDX format.
git pkgs sbom # CycloneDX JSON
git pkgs sbom --type spdx # SPDX JSON
git pkgs sbom -f xml # XML instead of JSON

See who added each dependency, when it was last updated, and the commit message explaining why.
Parses lockfiles from npm, RubyGems, Go, Cargo, pip, Composer, Maven, CocoaPods, NuGet, and more.
Not just what’s vulnerable, but who introduced it, when, and how long it took to fix.
Enforce license policies in CI. Flag copyleft or use an allow list.
See what was outdated at any point in history. Useful for audits and post-mortems.
Binary search through commits that changed dependencies. Find when a problem was introduced.
Generate CycloneDX or SPDX for compliance workflows and vulnerability tracking.
Stateless mode works without a database. Output JSON or SARIF for GitHub code scanning.
Reusable modules for manifest parsing, registry APIs, version ranges, and SPDX licenses.
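A worked illustration of two ideas from the sections above, the history walk behind git pkgs history and git pkgs blame, and the narrowed search behind git pkgs bisect, as an added shell example. It is not git-pkgs's own code and uses neither its database nor its parsers: it builds a throwaway repository with constructed commits (fixed author names and dates, so it is reproducible and needs no network), reads a minimal Gemfile.lock with a sed pattern, and the make_demo_repo, write_lock, parse_lock, dep_history and dep_bisect functions are this example's own names. It needs only sh and git.

```shell
#!/usr/bin/env sh
# Added example (not git-pkgs code): the ideas behind `git pkgs history`/`blame`
# and `git pkgs bisect`, done with plain git on a constructed throwaway repo.
#  1. walk only commits that touched the lockfile, diff the parsed package set
#     against the parent, and record who added/changed/removed what, and when;
#  2. binary-search those commits only, not every commit between good and bad.
# The lockfile parser below handles a minimal Gemfile.lock; real parsers do more.
set -eu

# Fixed identities and dates so the demo history is reproducible offline.
export GIT_AUTHOR_NAME=alice GIT_AUTHOR_EMAIL=alice@example.com
export GIT_COMMITTER_NAME=alice GIT_COMMITTER_EMAIL=alice@example.com
export GIT_AUTHOR_DATE='2024-03-15T12:00:00+0000' GIT_COMMITTER_DATE='2024-03-15T12:00:00+0000'

# "name version" for each "    name (version)" line of a Gemfile.lock on stdin.
parse_lock() { sed -n 's/^    \([^ ]*\) (\([^)]*\))$/\1 \2/p'; }

# Write a constructed Gemfile.lock into $1: rack at version $2 plus $3 filler gems.
write_lock() {
  { printf 'GEM\n  specs:\n    rack (%s)\n' "$2"
    j=1; while [ "$j" -le "$3" ]; do printf '    gem%d (1.0.0)\n' "$j"; j=$((j + 1)); done
  } > "$1/Gemfile.lock"
}

# Constructed history: tag v1.0.0, then 20 commits of which only 5 touch the
# lockfile. The third lockfile commit (by bob) bumps rack 2.2.3 -> 3.0.0.
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  write_lock "$repo" 2.2.3 0
  git -C "$repo" add Gemfile.lock && git -C "$repo" commit -q -m "initial lockfile"
  git -C "$repo" tag v1.0.0
  i=1; dep=0; rack=2.2.3
  while [ "$i" -le 20 ]; do
    if [ $((i % 4)) -eq 0 ]; then
      dep=$((dep + 1))
      if [ "$dep" -eq 3 ]; then rack=3.0.0; fi
      if [ $((dep % 2)) -eq 1 ]; then GIT_AUTHOR_NAME=bob; else GIT_AUTHOR_NAME=alice; fi
      write_lock "$repo" "$rack" "$dep"
      git -C "$repo" add Gemfile.lock && git -C "$repo" commit -q -m "dep $dep: bump lockfile"
    else
      GIT_AUTHOR_NAME=alice
      echo "change $i" >> "$repo/app.rb"
      git -C "$repo" add app.rb && git -C "$repo" commit -q -m "code change $i"
    fi
    i=$((i + 1))
  done
  echo "$repo"
}

# One line per package change in every lockfile-touching commit of $1, oldest first:
#   <short sha> <author> <date> added|changed|removed <package> <version(s)>
dep_history() {
  git -C "$1" rev-list --reverse HEAD -- Gemfile.lock | while read -r rev; do
    meta=$(git -C "$1" log -1 --format='%h %an %ad' --date=short "$rev")
    old=""   # package set at the parent; empty for the root commit
    if git -C "$1" rev-parse -q --verify "$rev^" >/dev/null 2>&1; then
      old=$(git -C "$1" show "$rev^:Gemfile.lock" 2>/dev/null | parse_lock || true)
    fi
    git -C "$1" show "$rev:Gemfile.lock" | parse_lock | awk -v old="$old" -v meta="$meta" '
      BEGIN { n = split(old, l, "\n"); for (k = 1; k <= n; k++) { split(l[k], f, " "); if (f[1] != "") was[f[1]] = f[2] } }
      NF == 2 { seen[$1] = 1
                if (!($1 in was)) print meta, "added", $1, $2
                else if (was[$1] != $2) print meta, "changed", $1, was[$1] "->" $2 }
      END { for (p in was) if (!(p in seen)) print meta, "removed", p, was[p] }'
  done
}

# Binary search over only the lockfile-touching commits in $2..$3, running the
# shell command $4 inside each checkout (exit 0 = good, like `git bisect run`).
# Prints: <first bad commit subject>|<candidates>|<commits in range>|<steps>
dep_bisect() {
  repo=$1; good=$2; bad=$3; check=$4
  candidates=$(git -C "$repo" rev-list --reverse "$good..$bad" -- Gemfile.lock)
  n=$(printf '%s\n' "$candidates" | grep -c . || true)
  total=$(git -C "$repo" rev-list --count "$good..$bad")
  start=$(git -C "$repo" symbolic-ref -q --short HEAD || git -C "$repo" rev-parse HEAD)
  lo=1; hi=$n; steps=0; first_bad=""
  while [ "$lo" -le "$hi" ]; do
    mid=$(( (lo + hi) / 2 ))
    rev=$(printf '%s\n' "$candidates" | sed -n "${mid}p")
    git -C "$repo" checkout -q "$rev"
    steps=$((steps + 1))
    if (cd "$repo" && sh -c "$check") >/dev/null 2>&1; then
      lo=$((mid + 1))                    # still good here: the break is later
    else
      first_bad=$rev; hi=$((mid - 1))    # bad here: remember it, look earlier
    fi
  done
  git -C "$repo" checkout -q "$start"
  subject=none
  if [ -n "$first_bad" ]; then subject=$(git -C "$repo" log -1 --format=%s "$first_bad"); fi
  printf '%s|%s|%s|%s\n' "$subject" "$n" "$total" "$steps"
}

# Demo run: history of the constructed repo, then bisect rack 2 -> 3 with a grep as the "test".
repo=$(make_demo_repo)
dep_history "$repo"
dep_bisect "$repo" v1.0.0 HEAD "grep -q 'rack (2[.]' Gemfile.lock"
rm -rf "$repo"
```

dep_history prints one line per package change with the short sha, author and date, which is the raw material a blame view is built from. dep_bisect reports the first bad lockfile commit and the counts: in the constructed repo it examines 5 candidate commits out of 20 and finds the rack bump in 3 checkouts. Substitute your test suite for the grep in the check command, exactly as git pkgs bisect run npm test would.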