Overview
vg why <package> traces a dependency through your git history — who added it, every version since, and any open vulnerabilities it carries.
Usage
vg why <package>
What You See
vg why reads your lockfile's history and reconstructs the dependency's timeline: the commit that first added it and every version change since, each with its author and date. When your most recent vg scan --vulns found open vulnerabilities for the package, they appear with the commit that introduced the affected version and how long you have been exposed.
Supported Ecosystems
vg why works wherever a resolved lockfile is committed: npm / pnpm / yarn, pip / poetry / pipenv, cargo, composer, bundler, go, pub, hex, NuGet, and Maven/Gradle. For Maven/Gradle it reads a resolved gradle.lockfile, or a pom.xml's pinned direct-dependency versions (BOM/dependencyManagement-managed versions aren't resolved). Attribution needs git history, so run it inside a git repository.
JSON Output
vg why express --json
Returns the version history and open advisories as structured JSON.
Related
- vg scan --vulns — detect the vulnerabilities
vg whyattributes - vg scan — the base drift scan