Usage
vg why <package>
What It Does
vg why reads your lockfile's history and reconstructs a dependency's timeline: the commit that first added it, every version change since, and who made each one. When your most recent vg scan --vulns found open vulnerabilities for the package, they are listed with their introduction attribution and how long you have been exposed.
Example
vg why lodash
The run shows when lodash was added, each version bump with its commit and author, and any open advisories alongside the commit that introduced the affected version.
Supported Ecosystems
vg why works wherever a resolved lockfile is committed: npm / pnpm / yarn, pip / poetry / pipenv, cargo, composer, bundler, go, pub, hex, NuGet, and Maven/Gradle. For Maven/Gradle it reads a resolved gradle.lockfile, or a pom.xml's pinned direct-dependency versions (BOM/dependencyManagement-managed versions aren't resolved). Attribution needs git history, so run it inside a git repository.
JSON Output
vg why express --json
Returns the version history and any open advisories as structured JSON for automation.
How It Relates to Scanning
vg why reads vulnerability data from the artifact written by vg scan --vulns. Run a scan first to see open advisories alongside the introduction history; without one, vg why still shows the full version and authorship timeline.