FAQ resource for What does the vg why command do?.
Answer
`vg why <package>` traces a dependency through your git history: who added it, every version change since, and who made each one. If your latest `vg scan --vulns` found open vulnerabilities for that package, `vg why` lists them with the commit that introduced the affected version and how long you have been exposed.