git-pkgs tracks package dependencies across your repository's git history. It answers questions like "who added this dependency?", "when was it introduced?", and "how long were we exposed to this vulnerability?" It works with 35+ package managers.
Install it with:
brew tap git-pkgs/git-pkgs
brew install git-pkgs
Or download a binary from the releases page.
Or build from source:
go install github.com/git-pkgs/git-pkgs@latest

- archives - Reading and browsing archive files in memory
- changelog - Parsing changelog files into structured entries
- enrichment - Fetching package metadata from multiple sources
- forges - Fetching repository metadata from git forges
- gitignore - Matching paths against gitignore rules
- managers - Wrapping package manager CLIs behind a common interface
- manifests - Parsing package manager manifest and lockfiles
- platforms - Translating platform identifiers across package ecosystems
- purl - Package URL construction, parsing, and registry URL mapping
- registries - Fetching package metadata from registry APIs
- spdx - SPDX license expression parsing, normalization, and validation
- vers - Version range parsing and comparison per the VERS spec
- vulns - Fetching vulnerability data from multiple sources