Skip to main content
Commands

vg why

Trace a dependency through git history — who added it, every version since, and any open vulnerabilities it carries.

Overview

vg why <package> traces a dependency through your git history — who added it, every version since, and any open vulnerabilities it carries.


Usage

vg why <package>

What You See

vg why reads your lockfile's history and reconstructs the dependency's timeline: the commit that first added it and every version change since, each with its author and date. When your most recent vg scan --vulns found open vulnerabilities for the package, they appear with the commit that introduced the affected version and how long you have been exposed.


Supported Ecosystems

vg why works wherever a resolved lockfile is committed: npm / pnpm / yarn, pip / poetry / pipenv, cargo, composer, bundler, go, pub, hex, NuGet, and Maven/Gradle. For Maven/Gradle it reads a resolved gradle.lockfile, or a pom.xml's pinned direct-dependency versions (BOM/dependencyManagement-managed versions aren't resolved). Attribution needs git history, so run it inside a git repository.


JSON Output

vg why express --json

Returns the version history and open advisories as structured JSON.

Related

Example use cases

Expand any use case to watch a live replay of the real @vibgrate/cli running against one of our test repositories. Nothing executes in your browser — these are recordings of actual runs, with the scan time shown as of now.

vg why lodash

Related Documentation

Related Help Articles