Go Modules

git-pkgs is built from a set of Go libraries that handle different aspects of dependency management. Each library is independently usable if you’re building your own tooling.

• archives reads and browses archive files in memory
• attestation parses SLSA Provenance v1 identity fields from sigstore bundles
• changelog parses changelog files into structured entries
• cooldown filters package versions by publish age
• enrichment combines registry and ecosyste.ms lookups behind a single interface
• forge fetches repository metadata and drives issues/PRs/CI across git forges
• gitignore matches paths against gitignore rules
• managers wraps package manager CLIs behind a common interface for install, add, update, and remove
• manifests parses lockfiles and manifest files to extract dependency information
• markup renders README markup formats to HTML
• platforms translates platform identifiers across package ecosystems
• pom resolves effective Maven POMs without a JVM
• purl handles Package URL parsing and generation
• registries fetches package metadata from registry APIs
• resolve parses package manager CLI output into dependency trees with PURLs
• reuse extracts SPDX license info from REUSE-compliant projects
• sbom reads and writes CycloneDX and SPDX documents
• sigstore verifies sigstore bundles against the TUF trust root
• spdx normalizes and validates license expressions
• vers parses version ranges across different ecosystem syntaxes
• vulns queries vulnerability databases (OSV, NVD, GitHub Advisories) with PURL-based lookups