A git subcommand that indexes your dependency changes into a queryable database.
Find out who added a package, when, and why.
Your lockfile shows what dependencies you have, but not how you got here. Running git log Gemfile.lock produces noise that no one reads. git-pkgs walks through your git history and builds a SQLite database so you can ask: when did we add this? who added it? what changed between releases? has anyone touched this in the last year?
git pkgs init # index your history (one-time)
git pkgs blame # who added each dependency
git pkgs history rails # when was this package changed?
git pkgs why express # why was this added?
git pkgs diff main..feature # what changed between branches?

The database lives in .git/pkgs.sqlite3 and stays current through git hooks. Core commands work entirely offline with no network access.
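The idea behind such an index, as an added illustration (not git-pkgs code and not its database schema): diff the resolved gems in each Gemfile.lock snapshot against the previous commit, record the changes in SQLite, then query who introduced a package. The table layout, function names and the four-commit sample history are assumptions constructed for this example.

```python
import re
import sqlite3

# Constructed sample history, oldest first: (sha, author, date, message, Gemfile.lock text).
LOCK = "GEM\n  remote: https://rubygems.org/\n  specs:\n{specs}\nPLATFORMS\n  ruby\n"
HISTORY = [
    ("a1", "alice", "2023-01-10", "Initial app", LOCK.format(specs="    rack (2.2.6)")),
    ("b2", "bob", "2023-03-02", "Add nokogiri for feed parsing",
     LOCK.format(specs="    nokogiri (1.14.0)\n    rack (2.2.6)")),
    ("c3", "carol", "2023-06-20", "Bump nokogiri",
     LOCK.format(specs="    nokogiri (1.15.2)\n    rack (2.2.6)")),
    ("d4", "alice", "2024-02-01", "Drop rack", LOCK.format(specs="    nokogiri (1.15.2)")),
]

# Resolved gems sit at exactly four spaces; their own dependencies are indented further.
SPEC = re.compile(r"^ {4}(\S+) \(([^)]+)\)$")

def parse_specs(text):
    """Return {name: version} for the resolved gems in a Gemfile.lock."""
    return {m.group(1): m.group(2) for line in text.splitlines() if (m := SPEC.match(line))}

def build_index(history):
    """Diff each snapshot against its parent and record every change in SQLite."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE changes (sha, author, date, message, package, kind, old, new)")
    prev = {}
    for sha, author, date, message, text in history:
        cur = parse_specs(text)
        for name in sorted(prev.keys() | cur.keys()):
            old, new = prev.get(name), cur.get(name)
            if old == new:
                continue  # unchanged packages produce no row
            kind = "added" if old is None else "removed" if new is None else "modified"
            db.execute("INSERT INTO changes VALUES (?,?,?,?,?,?,?,?)",
                       (sha, author, date, message, name, kind, old, new))
        prev = cur
    return db

def who_added(db, package):
    """Earliest commit that introduced the package: (author, date, message)."""
    return db.execute("SELECT author, date, message FROM changes WHERE package = ? "
                      "AND kind = 'added' ORDER BY rowid LIMIT 1", (package,)).fetchone()

def package_history(db, package):
    """Every recorded change to one package, oldest first."""
    return db.execute("SELECT date, author, kind, old, new FROM changes "
                      "WHERE package = ? ORDER BY rowid", (package,)).fetchall()
```
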
See who added each dependency, when it was last updated, and the commit message explaining why.
Respects your git config for colors, pager, and environment. Shell completions included.
Parses lockfiles from npm, RubyGems, Go, Cargo, pip, Composer, Maven, and 30+ other package managers.
Check dependencies against OSV for known CVEs. See who introduced each vulnerability and when it was fixed.
Compare dependencies between commits, branches, or tags without parsing lockfile noise.
Run stateless commands in CI without initializing a database. Output JSON or SARIF for GitHub code scanning.