Skip to main content

vg why — Who Introduced a Dependency

Trace any dependency through git history: who added it, every version since, and any open vulnerabilities it carries — across npm, Python, Go, Rust, Ruby, PHP, Dart, Elixir, and .NET projects.

Vibgrate Docs

Vibgrate Help

Usage

vg why <package>

What It Does

vg why reads your lockfile's history and reconstructs a dependency's timeline: the commit that first added it, every version change since, and who made each one. When your most recent vg scan --vulns found open vulnerabilities for the package, they are listed with their introduction attribution and how long you have been exposed.

Example

vg why lodash

The run shows when lodash was added, each version bump with its commit and author, and any open advisories alongside the commit that introduced the affected version.

Supported Ecosystems

vg why works wherever a resolved lockfile is committed: npm / pnpm / yarn, pip / poetry / pipenv, cargo, composer, bundler, go, pub, hex, NuGet, and Maven/Gradle. For Maven/Gradle it reads a resolved gradle.lockfile, or a pom.xml's pinned direct-dependency versions (BOM/dependencyManagement-managed versions aren't resolved). Attribution needs git history, so run it inside a git repository.

JSON Output

vg why express --json

Returns the version history and any open advisories as structured JSON for automation.

How It Relates to Scanning

vg why reads vulnerability data from the artifact written by vg scan --vulns. Run a scan first to see open advisories alongside the introduction history; without one, vg why still shows the full version and authorship timeline.

Related Commands