git-pkgs 0.6.1 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da979135545dc93ed1b362560e7a5f9659097512603a522e6665bc2268b46466
-  data.tar.gz: 7b1a2838c823ec205761288f9126f0015597e890e7ba768c3e071ecdd14efb4b
+  metadata.gz: 0f9ff177f3dd7cbb4f5591a0c0f2b936d5fb98629329294dae9f57380a69709e
+  data.tar.gz: e8760e948aea3b7252176fc6a0b4bb0d74432ad05e4fa20693468b9440b126bd
 SHA512:
-  metadata.gz: 801260e17dabe686670fbcc10a5c0e760ef5f39df0273029c1f3ab9ef2502f0f7ea78d6a3cfc633fb547f6df604d2d895411c5921c345365d6ea85dd12578403
-  data.tar.gz: 138cdd14d12798c7d1d2ea6c7c7cd920805c008f10ce4057c8f3c9ebf6db7b7191720d88cb228e53786e50b7c077c17c9014c73be037a1582592965ef46889f3
+  metadata.gz: a670a1b046b7d0953aefe8bd57a6a03fa69624eb3bdb4e8867a647521a88c936e559973b6470989cca45714e79de19c0f6d2a2c85fa7340c3b677e07923cb97a
+  data.tar.gz: dcbb08683dfe053e70801ae36fe74f3d1f33ce0a6f74a7df3b6cb1a6d5df70d5a7c5db9ca9c7fc8efb6ee94463fbc96a68ef7e09f20808fd6b41b1c2d2e6b873

data/.gitattributes

@@ -0,0 +1,28 @@
+# git-pkgs textconv for lockfiles
+Brewfile.lock.json diff=pkgs
+Cargo.lock diff=pkgs
+Cartfile.resolved diff=pkgs
+Gemfile.lock diff=pkgs
+Gopkg.lock diff=pkgs
+Package.resolved diff=pkgs
+Pipfile.lock diff=pkgs
+Podfile.lock diff=pkgs
+Project.lock.json diff=pkgs
+bun.lock diff=pkgs
+composer.lock diff=pkgs
+gems.locked diff=pkgs
+glide.lock diff=pkgs
+go.mod diff=pkgs
+mix.lock diff=pkgs
+npm-shrinkwrap.json diff=pkgs
+package-lock.json diff=pkgs
+packages.lock.json diff=pkgs
+paket.lock diff=pkgs
+pnpm-lock.yaml diff=pkgs
+poetry.lock diff=pkgs
+project.assets.json diff=pkgs
+pubspec.lock diff=pkgs
+pylock.toml diff=pkgs
+shard.lock diff=pkgs
+uv.lock diff=pkgs
+yarn.lock diff=pkgs

data/.ruby-version

@@ -0,0 +1 @@
+4.0.0

data/CHANGELOG.md

@@ -1,5 +1,28 @@
 ## [Unreleased]
 
+## [0.7.0] - 2026-01-09
+
+- `git pkgs vulns` subcommand for vulnerability scanning via OSV API
+- `git pkgs vulns scan` to scan dependencies for known vulnerabilities
+- `git pkgs vulns show` to display details for a specific vulnerability
+- `git pkgs vulns sync` to prefetch vulnerability data for all packages
+- `git pkgs vulns exposure` to analyze vulnerability exposure over time
+- `git pkgs vulns praise` to show resolved vulnerabilities with attribution
+- SARIF output format for CI integration (`--format=sarif`)
+- Docker container support for running git-pkgs without local Ruby installation
+- `list` command now shows locked versions and manifest kind
+- `--stateless` flag for `list`, `show`, and `diff` commands (auto-enabled when no database exists)
+- Update ecosystems-bibliothecary to ~> 15.2
+- Fix `-f` flag conflict in `diff` command (was defined for both `--from` and `--format`)
+
+## [0.6.2] - 2026-01-06
+
+- `--format=json` support for `diff`, `tree`, `stale`, and `why` commands
+- Ignore go.sum (checksums only), treat go.mod as lockfile
+- Update ecosystems-bibliothecary to ~> 15.1
+- `--manifest` filter for `list` command to filter by manifest path
+- Stateless parsing API for forge integration (`Git::Pkgs.parse_file`, `parse_files`, `diff_file`)
+
 ## [0.6.1] - 2026-01-05
 
 - Fix `stats` command crash on most changed dependencies query

data/Dockerfile

@@ -0,0 +1,18 @@
+FROM ruby:4.0-alpine
+
+RUN apk add --no-cache \
+    build-base \
+    git \
+    libgit2-dev \
+    cmake
+
+RUN gem install git-pkgs
+
+# The git repository (the mounted directory) has different ownership that the root user of the container.
+# Due to an update in git, a different user cannot perform git operations on the mounted directory.
+# This command allows the any user to perform git operations on the mounted directory.
+RUN git config --system --add safe.directory /mnt
+
+WORKDIR /mnt
+
+ENTRYPOINT ["git", "pkgs"]

data/Formula/git-pkgs.rb

@@ -0,0 +1,28 @@
+class GitPkgs < Formula
+  desc "Track package dependencies across git history"
+  homepage "https://github.com/andrew/git-pkgs"
+  url "https://github.com/andrew/git-pkgs/archive/refs/tags/v0.6.2.tar.gz"
+  sha256 "ccd7a8a5b9cb21c52cc488923ed1318387a9fefa4baff2057bd96b27591577aa"
+  license "AGPL-3.0"
+
+  depends_on "cmake" => :build
+  depends_on "pkg-config" => :build
+  depends_on "libgit2"
+  depends_on "ruby"
+
+  def install
+    ENV["GEM_HOME"] = libexec
+
+    system "git", "init"
+    system "git", "add", "."
+
+    system "gem", "build", "git-pkgs.gemspec"
+    system "gem", "install", "--no-document", "git-pkgs-#{version}.gem"
+    bin.install libexec/"bin/git-pkgs"
+    bin.env_script_all_files(libexec/"bin", GEM_HOME: ENV.fetch("GEM_HOME", nil))
+  end
+
+  test do
+    system bin/"git-pkgs", "--version"
+  end
+end

data/README.md

@@ -2,18 +2,36 @@
 
 A git subcommand for tracking package dependencies across git history. Analyzes your repository to show when dependencies were added, modified, or removed, who made those changes, and why.
 
+[Installation](#installation) · [Quick start](#quick-start) · [Commands](#commands) · [Configuration](#configuration) · [Ruby API](#ruby-api) · [Contributing](#contributing)
+
 ## Why this exists
 
 Your lockfile shows what dependencies you have, but it doesn't show how you got here, and `git log Gemfile.lock` is useless noise. git-pkgs indexes your dependency history into a queryable database so you can ask questions like: when did we add this? who added it? what changed between these two releases? has anyone touched this in the last year?
 
+For best results, commit your lockfiles. Manifests show version ranges but lockfiles show what actually got installed, including transitive dependencies.
+
 It works across many ecosystems (Gemfile, package.json, Dockerfile, GitHub Actions workflows) giving you one unified history instead of separate tools per ecosystem. Everything runs locally and offline with no external services or network calls, and the database lives in your `.git` directory where you can use it in CI to catch dependency changes in pull requests.
 
 ## Installation
 
+```bash
+brew tap andrew/git-pkgs https://github.com/andrew/git-pkgs
+brew install git-pkgs
+```
+
+Or with RubyGems:
+
 ```bash
 gem install git-pkgs
 ```
 
+Or using Docker:
+
+```bash
+docker build -t git-pkgs .
+docker run -it --rm -v $(pwd):/mnt git-pkgs <subcommand>
+```
+
 ## Quick start
 
 ```bash
@@ -95,6 +113,8 @@ Snapshot Coverage
 git pkgs list
 git pkgs list --commit=abc123
 git pkgs list --ecosystem=rubygems
+git pkgs list --manifest=Gemfile
+git pkgs list --stateless           # parse manifests directly, no database needed
 ```
 
 Example output:
@@ -239,11 +259,24 @@ git pkgs outdated               # alias for stale
 
 Shows dependencies sorted by how long since they were last changed in your repo. Useful for finding packages that may have been forgotten or need review.
 
+### Vulnerability scanning
+
+```bash
+git pkgs vulns                  # scan current dependencies for known CVEs
+git pkgs vulns -s high          # only critical and high severity
+git pkgs vulns blame            # who introduced each vulnerability
+git pkgs vulns praise           # who fixed vulnerabilities
+git pkgs vulns exposure --all-time --summary  # remediation metrics
+```
+
+Uses the [OSV database](https://osv.dev) to check your dependencies against known security advisories. Because git-pkgs tracks the full history, it can show who introduced and fixed each vulnerability. See [docs/vulns.md](docs/vulns.md) for full documentation.
+
 ### Diff between commits
 
 ```bash
 git pkgs diff --from=abc123 --to=def456
 git pkgs diff --from=HEAD~10
+git pkgs diff main..feature --stateless  # no database needed
 ```
 
 This shows added, removed, and modified packages with version info.
@@ -254,6 +287,7 @@ This shows added, removed, and modified packages with version info.
 git pkgs show              # show dependency changes in HEAD
 git pkgs show abc123       # specific commit
 git pkgs show HEAD~5       # relative ref
+git pkgs show --stateless  # no database needed
 ```
 
 Like `git show` but for dependencies. Shows what was added, modified, or removed in a single commit.
@@ -324,7 +358,7 @@ Useful for understanding the [database structure](docs/schema.md) or generating
 
 ### CI usage
 
-You can run git-pkgs in CI to show dependency changes in pull requests:
+You can run git-pkgs in CI to show dependency changes in pull requests. Use `--stateless` to skip database initialization for faster runs:
 
 ```yaml
 # .github/workflows/deps.yml
@@ -343,8 +377,7 @@ jobs:
         with:
           ruby-version: '3.3'
       - run: gem install git-pkgs
-      - run: git pkgs init
-      - run: git pkgs diff --from=origin/${{ github.base_ref }} --to=HEAD
+      - run: git pkgs diff --from=origin/${{ github.base_ref }} --to=HEAD --stateless
 ```
 
 ### Diff driver
@@ -416,7 +449,7 @@ git config --add pkgs.ignoredFiles test/fixtures/package.json
 
 ## Performance
 
-Benchmarked on an M1 MacBook Pro analyzing [octobox](https://github.com/octobox/octobox) (5191 commits, 8 years of history): init takes about 18 seconds at roughly 300 commits/sec, producing an 8.3 MB database. About half the commits (2531) had dependency changes.
+Benchmarked on an M1 MacBook Pro analyzing [octobox](https://github.com/octobox/octobox) (5193 commits, 8 years of history): init takes about 5 seconds at roughly 1000 commits/sec, producing a 4.8 MB database. About half the commits (2439) had dependency changes.
 
 Optimizations:
 - Bulk inserts with transaction batching (500 commits per transaction)
@@ -429,10 +462,41 @@ Optimizations:
 
 git-pkgs uses [ecosystems-bibliothecary](https://github.com/ecosyste-ms/bibliothecary) for parsing, supporting:
 
-Actions, BentoML, Bower, Cargo, Carthage, Clojars, CocoaPods, Cog, Conda, CPAN, CRAN, Docker, Dub, DVC, Elm, Go, Hackage, Haxelib, Hex, Homebrew, Julia, Maven, Meteor, MLflow, npm, NuGet, Ollama, Packagist, Pub, PyPI, RubyGems, Shards, SwiftPM, Vcpkg
+Actions, BentoML, Bower, Cargo, Carthage, Clojars, CocoaPods, Cog, Conan, Conda, CPAN, CRAN, Deno, Docker, Dub, DVC, Elm, Go, Hackage, Haxelib, Hex, Homebrew, Julia, LuaRocks, Maven, Meteor, MLflow, Nimble, Nix, npm, NuGet, Ollama, Packagist, Pub, PyPI, RubyGems, Shards, SwiftPM, Vcpkg
 
 SBOM formats (CycloneDX, SPDX) are not supported as they duplicate information from the actual lockfiles.
 
+## Ruby API
+
+For embedding in other tools (like forges), git-pkgs provides a stateless parsing API that doesn't require initializing a database:
+
+```ruby
+require "git/pkgs"
+
+# Parse a single manifest file
+result = Git::Pkgs.parse_file("Gemfile", content)
+# => { platform: "rubygems", kind: "manifest", dependencies: [...] }
+
+# Parse multiple files at once
+results = Git::Pkgs.parse_files({
+  "Gemfile" => gemfile_content,
+  "package.json" => package_json_content
+})
+
+# Diff two versions of a manifest
+diff = Git::Pkgs.diff_file("Gemfile", old_content, new_content)
+# => { path: "Gemfile", platform: "rubygems", added: [...], modified: [...], removed: [...] }
+```
+
+The diff_file method returns modified dependencies with a `previous_requirement` field showing the old version.
+
+For database queries, connect to an existing database and use the Sequel models directly:
+
+```ruby
+Git::Pkgs::Database.connect(repo_git_dir)
+Git::Pkgs::Models::DependencyChange.where(name: "rails").all
+```
+
 ## Contributing
 
 Bug reports, feature requests, and pull requests are welcome. If you're unsure about a change, open an issue first to discuss it.

data/lib/git/pkgs/analyzer.rb

@@ -12,10 +12,10 @@ module Git
       QUICK_MANIFEST_PATTERNS = %w[
         Gemfile Gemfile.lock gems.rb gems.locked *.gemspec
         package.json package-lock.json yarn.lock npm-shrinkwrap.json pnpm-lock.yaml bun.lock npm-ls.json
-        setup.py req*.txt req*.pip requirements/*.txt requirements/*.pip requirements.frozen
-        Pipfile Pipfile.lock pyproject.toml poetry.lock uv.lock pylock.toml
+        setup.py req*.txt req*.pip requirements/*.txt requirements/*.pip requirements*.in requirements.frozen
+        Pipfile Pipfile.lock pyproject.toml poetry.lock uv.lock pylock.toml pdm.lock
         pip-resolved-dependencies.txt pip-dependency-graph.json
-        pom.xml ivy.xml build.gradle build.gradle.kts gradle-dependencies-q.txt
+        pom.xml ivy.xml build.gradle build.gradle.kts gradle-dependencies-q.txt gradle.lockfile verification-metadata.xml
         maven-resolved-dependencies.txt sbt-update-full.txt maven-dependency-tree.txt maven-dependency-tree.dot
         Cargo.toml Cargo.lock
         go.mod go.sum glide.yaml glide.lock Godeps Godeps/Godeps.json
@@ -23,22 +23,32 @@ module Git
         composer.json composer.lock
         Podfile Podfile.lock *.podspec *.podspec.json
         packages.config packages.lock.json Project.json Project.lock.json
-        *.nuspec paket.lock *.csproj project.assets.json
+        *.nuspec paket.lock *.csproj project.assets.json *.deps.json
         bower.json bentofile.yaml
-        META.json META.yml
+        META.json META.yml cpanfile cpanfile.snapshot Makefile.PL Build.PL
         environment.yml environment.yaml
-        cog.yaml versions.json MLmodel DESCRIPTION
+        cog.yaml versions.json MLmodel DESCRIPTION renv.lock
         pubspec.yaml pubspec.lock
         dub.json dub.sdl
-        REQUIRE
+        REQUIRE Project.toml Manifest.toml
         shard.yml shard.lock
         elm-package.json elm_dependencies.json elm-stuff/exact-dependencies.json
         haxelib.json
         action.yml action.yaml .github/workflows/*.yml .github/workflows/*.yaml
         Dockerfile docker-compose*.yml docker-compose*.yaml
-        dvc.yaml vcpkg.json
+        dvc.yaml vcpkg.json _generated-vcpkg-list.json
         Brewfile Brewfile.lock.json
         Modelfile
+        deno.json deno.jsonc deno.lock
+        conanfile.py conanfile.txt conan.lock
+        *.rockspec
+        *.nimble
+        *.cabal *cabal.config stack.yaml.lock cabal.project.freeze
+        Cartfile Cartfile.private Cartfile.resolved
+        project.clj
+        Package.swift Package.resolved
+        mix.exs mix.lock gleam.toml manifest.toml rebar.lock
+        flake.nix flake.lock nix/sources.json npins/sources.json
       ].freeze
 
       QUICK_MANIFEST_REGEX = Regexp.union(
@@ -58,6 +68,10 @@ module Git
         Config.configure_bibliothecary
       end
 
+      def generate_purl(ecosystem, name)
+        Ecosystems.generate_purl(ecosystem, name)
+      end
+
       # Quick check if any paths might be manifests (fast regex check)
       def might_have_manifests?(paths)
         paths.any? { |p| p.match?(QUICK_MANIFEST_REGEX) }
@@ -124,6 +138,7 @@ module Git
               ecosystem: result[:platform],
               kind: result[:kind],
               name: dep[:name],
+              purl: generate_purl(result[:platform], dep[:name]),
               change_type: "added",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -133,6 +148,7 @@ module Git
             new_snapshot[key] = {
               ecosystem: result[:platform],
               kind: result[:kind],
+              purl: generate_purl(result[:platform], dep[:name]),
               requirement: dep[:requirement],
               dependency_type: dep[:type]
             }
@@ -160,6 +176,7 @@ module Git
               ecosystem: after_result[:platform],
               kind: after_result[:kind],
               name: name,
+              purl: generate_purl(after_result[:platform], name),
               change_type: "added",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -169,6 +186,7 @@ module Git
             new_snapshot[key] = {
               ecosystem: after_result[:platform],
               kind: after_result[:kind],
+              purl: generate_purl(after_result[:platform], name),
               requirement: dep[:requirement],
               dependency_type: dep[:type]
             }
@@ -181,6 +199,7 @@ module Git
               ecosystem: before_result[:platform],
               kind: before_result[:kind],
               name: name,
+              purl: generate_purl(before_result[:platform], name),
               change_type: "removed",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -200,6 +219,7 @@ module Git
                 ecosystem: after_result[:platform],
                 kind: after_result[:kind],
                 name: name,
+                purl: generate_purl(after_result[:platform], name),
                 change_type: "modified",
                 requirement: after_dep[:requirement],
                 previous_requirement: before_dep[:requirement],
@@ -210,6 +230,7 @@ module Git
               new_snapshot[key] = {
                 ecosystem: after_result[:platform],
                 kind: after_result[:kind],
+                purl: generate_purl(after_result[:platform], name),
                 requirement: after_dep[:requirement],
                 dependency_type: after_dep[:type]
               }
@@ -228,6 +249,7 @@ module Git
               ecosystem: result[:platform],
               kind: result[:kind],
               name: dep[:name],
+              purl: generate_purl(result[:platform], dep[:name]),
               change_type: "removed",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -288,6 +310,116 @@ module Git
         @blob_cache[cache_key] = { result: result, hits: 0 }
         result
       end
+
+      # Parse all manifest files at a given commit (stateless)
+      def dependencies_at_commit(rugged_commit)
+        deps = []
+        manifest_paths = find_manifest_paths_in_tree(rugged_commit.tree)
+
+        manifest_paths.each do |path|
+          result = parse_manifest_at_commit(rugged_commit, path)
+          next unless result && result[:dependencies]
+
+          result[:dependencies].each do |dep|
+            deps << {
+              manifest_path: path,
+              manifest_kind: result[:kind],
+              name: dep[:name],
+              ecosystem: result[:platform],
+              kind: result[:kind],
+              purl: generate_purl(result[:platform], dep[:name]),
+              requirement: dep[:requirement],
+              dependency_type: dep[:type]
+            }
+          end
+        end
+
+        deps
+      end
+
+      # Compute changes between two commits (stateless)
+      def diff_commits(from_commit, to_commit)
+        from_deps = dependencies_at_commit(from_commit).group_by { |d| [d[:manifest_path], d[:name]] }
+        to_deps = dependencies_at_commit(to_commit).group_by { |d| [d[:manifest_path], d[:name]] }
+
+        added = []
+        modified = []
+        removed = []
+
+        # Find added and modified
+        to_deps.each do |key, to_list|
+          to_dep = to_list.first
+          if from_deps[key]
+            from_dep = from_deps[key].first
+            if from_dep[:requirement] != to_dep[:requirement]
+              modified << to_dep.merge(previous_requirement: from_dep[:requirement])
+            end
+          else
+            added << to_dep
+          end
+        end
+
+        # Find removed
+        from_deps.each do |key, from_list|
+          removed << from_list.first unless to_deps[key]
+        end
+
+        { added: added, modified: modified, removed: removed }
+      end
+
+      def find_manifest_paths_in_tree(tree, prefix = "")
+        paths = []
+
+        tree.each do |entry|
+          full_path = prefix.empty? ? entry[:name] : "#{prefix}/#{entry[:name]}"
+
+          if entry[:type] == :tree
+            subtree = repository.lookup(entry[:oid])
+            paths.concat(find_manifest_paths_in_tree(subtree, full_path))
+          elsif entry[:type] == :blob && full_path.match?(QUICK_MANIFEST_REGEX)
+            paths << full_path
+          end
+        end
+
+        identify_manifests_cached(paths)
+      end
+
+      def lookup(oid)
+        repository.lookup(oid)
+      end
+
+      # Pair manifest dependencies with their corresponding lockfile versions.
+      # Groups by directory + ecosystem + name, preferring lockfile over manifest.
+      # Can be called as instance method or class method.
+      def pair_manifests_with_lockfiles(deps)
+        self.class.pair_manifests_with_lockfiles(deps)
+      end
+
+      def self.pair_manifests_with_lockfiles(deps)
+        # Group by (directory, ecosystem, name)
+        groups = {}
+        deps.each do |dep|
+          dir = File.dirname(dep[:manifest_path])
+          dir = "" if dir == "."
+          key = [dir, dep[:ecosystem], dep[:name]]
+          groups[key] ||= []
+          groups[key] << dep
+        end
+
+        # For each group, pick the best entry (lockfile preferred)
+        groups.values.map do |group_deps|
+          lockfile_dep = group_deps.find { |d| d[:manifest_kind] == "lockfile" }
+          manifest_dep = group_deps.find { |d| d[:manifest_kind] == "manifest" }
+
+          # Prefer lockfile version, fall back to manifest
+          lockfile_dep || manifest_dep || group_deps.first
+        end.compact
+      end
+
+      # Filter to only lockfile dependencies
+      def self.lockfile_dependencies(deps)
+        deps.select { |d| d[:manifest_kind] == "lockfile" }
+      end
     end
   end
 end

data/lib/git/pkgs/cli.rb

@@ -34,6 +34,9 @@ module Git
         "Analysis" => {
           "stats" => "Show dependency statistics",
           "stale" => "Show dependencies that haven't been updated"
+        },
+        "Security" => {
+          "vulns" => "Scan for known vulnerabilities"
         }
       }.freeze
 
@@ -99,13 +102,20 @@ module Git
         command = ALIASES.fetch(command, command)
         # Convert kebab-case or snake_case to PascalCase
         class_name = command.split(/[-_]/).map(&:capitalize).join
-        command_class = Commands.const_get(class_name)
+
+        # Try with Command suffix first (e.g., VulnsCommand), then bare name
+        command_class = begin
+          Commands.const_get("#{class_name}Command")
+        rescue NameError
+          begin
+            Commands.const_get(class_name)
+          rescue NameError
+            $stderr.puts "Command '#{command}' not yet implemented"
+            exit 1
+          end
+        end
+
         command_class.new(@args).run
-      rescue NameError => e
-        # Only catch NameError for missing command class, not NoMethodError
-        raise unless e.is_a?(NameError) && !e.is_a?(NoMethodError)
-        $stderr.puts "Command '#{command}' not yet implemented"
-        exit 1
       end
 
       def print_help

data/lib/git/pkgs/commands/blame.rb

@@ -113,24 +113,6 @@ module Git
           end
         end
 
-        def best_author(commit)
-          authors = [commit.author_name] + parse_coauthors(commit.message)
-
-          # Prefer human authors over bots
-          human = authors.find { |a| !bot_author?(a) }
-          human || authors.first
-        end
-
-        def parse_coauthors(message)
-          return [] unless message
-
-          message.scan(/^Co-authored-by:([^<]+)<[^>]+>/i).flatten.map(&:strip)
-        end
-
-        def bot_author?(name)
-          name =~ /\[bot\]$|^dependabot|^renovate|^github-actions/i
-        end
-
         def parse_options
           options = {}