git-pkgs 0.6.2 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ec8cddb19542e0519e69be68a3f0b65424c940718ba3bd5304ed93f457078ec7
-  data.tar.gz: bce2b1006ad63c0f2269d9321948acfa9cde600e8f8e41b3e606768c8f8b6178
+  metadata.gz: 0f9ff177f3dd7cbb4f5591a0c0f2b936d5fb98629329294dae9f57380a69709e
+  data.tar.gz: e8760e948aea3b7252176fc6a0b4bb0d74432ad05e4fa20693468b9440b126bd
 SHA512:
-  metadata.gz: 1488be447b21af773fc7aa6309d8981bb78b45134a755f56bff38f0cac3c92d861f867fb62c70201c1eec9c1f4b40f042a6804f416f64c952bc008678c756831
-  data.tar.gz: 998ca9734325cef27dcd3e09a1c7e68acf212a6974f0bd61adb3257322d92881e1c1cb8995be3935b32253f02a94b15f3e531bc40bf4cd1111933b24cc863275
+  metadata.gz: a670a1b046b7d0953aefe8bd57a6a03fa69624eb3bdb4e8867a647521a88c936e559973b6470989cca45714e79de19c0f6d2a2c85fa7340c3b677e07923cb97a
+  data.tar.gz: dcbb08683dfe053e70801ae36fe74f3d1f33ce0a6f74a7df3b6cb1a6d5df70d5a7c5db9ca9c7fc8efb6ee94463fbc96a68ef7e09f20808fd6b41b1c2d2e6b873

data/.gitattributes

@@ -0,0 +1,28 @@
+# git-pkgs textconv for lockfiles
+Brewfile.lock.json diff=pkgs
+Cargo.lock diff=pkgs
+Cartfile.resolved diff=pkgs
+Gemfile.lock diff=pkgs
+Gopkg.lock diff=pkgs
+Package.resolved diff=pkgs
+Pipfile.lock diff=pkgs
+Podfile.lock diff=pkgs
+Project.lock.json diff=pkgs
+bun.lock diff=pkgs
+composer.lock diff=pkgs
+gems.locked diff=pkgs
+glide.lock diff=pkgs
+go.mod diff=pkgs
+mix.lock diff=pkgs
+npm-shrinkwrap.json diff=pkgs
+package-lock.json diff=pkgs
+packages.lock.json diff=pkgs
+paket.lock diff=pkgs
+pnpm-lock.yaml diff=pkgs
+poetry.lock diff=pkgs
+project.assets.json diff=pkgs
+pubspec.lock diff=pkgs
+pylock.toml diff=pkgs
+shard.lock diff=pkgs
+uv.lock diff=pkgs
+yarn.lock diff=pkgs

data/.ruby-version

@@ -0,0 +1 @@
+4.0.0

data/CHANGELOG.md

@@ -1,5 +1,20 @@
 ## [Unreleased]
 
+## [0.7.0] - 2026-01-09
+
+- `git pkgs vulns` subcommand for vulnerability scanning via OSV API
+- `git pkgs vulns scan` to scan dependencies for known vulnerabilities
+- `git pkgs vulns show` to display details for a specific vulnerability
+- `git pkgs vulns sync` to prefetch vulnerability data for all packages
+- `git pkgs vulns exposure` to analyze vulnerability exposure over time
+- `git pkgs vulns praise` to show resolved vulnerabilities with attribution
+- SARIF output format for CI integration (`--format=sarif`)
+- Docker container support for running git-pkgs without local Ruby installation
+- `list` command now shows locked versions and manifest kind
+- `--stateless` flag for `list`, `show`, and `diff` commands (auto-enabled when no database exists)
+- Update ecosystems-bibliothecary to ~> 15.2
+- Fix `-f` flag conflict in `diff` command (was defined for both `--from` and `--format`)
+
 ## [0.6.2] - 2026-01-06
 
 - `--format=json` support for `diff`, `tree`, `stale`, and `why` commands

data/Dockerfile

@@ -0,0 +1,18 @@
+FROM ruby:4.0-alpine
+
+RUN apk add --no-cache \
+    build-base \
+    git \
+    libgit2-dev \
+    cmake
+
+RUN gem install git-pkgs
+
+# The git repository (the mounted directory) has different ownership that the root user of the container.
+# Due to an update in git, a different user cannot perform git operations on the mounted directory.
+# This command allows the any user to perform git operations on the mounted directory.
+RUN git config --system --add safe.directory /mnt
+
+WORKDIR /mnt
+
+ENTRYPOINT ["git", "pkgs"]

data/Formula/git-pkgs.rb

@@ -0,0 +1,28 @@
+class GitPkgs < Formula
+  desc "Track package dependencies across git history"
+  homepage "https://github.com/andrew/git-pkgs"
+  url "https://github.com/andrew/git-pkgs/archive/refs/tags/v0.6.2.tar.gz"
+  sha256 "ccd7a8a5b9cb21c52cc488923ed1318387a9fefa4baff2057bd96b27591577aa"
+  license "AGPL-3.0"
+
+  depends_on "cmake" => :build
+  depends_on "pkg-config" => :build
+  depends_on "libgit2"
+  depends_on "ruby"
+
+  def install
+    ENV["GEM_HOME"] = libexec
+
+    system "git", "init"
+    system "git", "add", "."
+
+    system "gem", "build", "git-pkgs.gemspec"
+    system "gem", "install", "--no-document", "git-pkgs-#{version}.gem"
+    bin.install libexec/"bin/git-pkgs"
+    bin.env_script_all_files(libexec/"bin", GEM_HOME: ENV.fetch("GEM_HOME", nil))
+  end
+
+  test do
+    system bin/"git-pkgs", "--version"
+  end
+end

data/README.md

@@ -2,18 +2,36 @@
 
 A git subcommand for tracking package dependencies across git history. Analyzes your repository to show when dependencies were added, modified, or removed, who made those changes, and why.
 
+[Installation](#installation) · [Quick start](#quick-start) · [Commands](#commands) · [Configuration](#configuration) · [Ruby API](#ruby-api) · [Contributing](#contributing)
+
 ## Why this exists
 
 Your lockfile shows what dependencies you have, but it doesn't show how you got here, and `git log Gemfile.lock` is useless noise. git-pkgs indexes your dependency history into a queryable database so you can ask questions like: when did we add this? who added it? what changed between these two releases? has anyone touched this in the last year?
 
+For best results, commit your lockfiles. Manifests show version ranges but lockfiles show what actually got installed, including transitive dependencies.
+
 It works across many ecosystems (Gemfile, package.json, Dockerfile, GitHub Actions workflows) giving you one unified history instead of separate tools per ecosystem. Everything runs locally and offline with no external services or network calls, and the database lives in your `.git` directory where you can use it in CI to catch dependency changes in pull requests.
 
 ## Installation
 
+```bash
+brew tap andrew/git-pkgs https://github.com/andrew/git-pkgs
+brew install git-pkgs
+```
+
+Or with RubyGems:
+
 ```bash
 gem install git-pkgs
 ```
 
+Or using Docker:
+
+```bash
+docker build -t git-pkgs .
+docker run -it --rm -v $(pwd):/mnt git-pkgs <subcommand>
+```
+
 ## Quick start
 
 ```bash
@@ -96,6 +114,7 @@ git pkgs list
 git pkgs list --commit=abc123
 git pkgs list --ecosystem=rubygems
 git pkgs list --manifest=Gemfile
+git pkgs list --stateless           # parse manifests directly, no database needed
 ```
 
 Example output:
@@ -240,11 +259,24 @@ git pkgs outdated               # alias for stale
 
 Shows dependencies sorted by how long since they were last changed in your repo. Useful for finding packages that may have been forgotten or need review.
 
+### Vulnerability scanning
+
+```bash
+git pkgs vulns                  # scan current dependencies for known CVEs
+git pkgs vulns -s high          # only critical and high severity
+git pkgs vulns blame            # who introduced each vulnerability
+git pkgs vulns praise           # who fixed vulnerabilities
+git pkgs vulns exposure --all-time --summary  # remediation metrics
+```
+
+Uses the [OSV database](https://osv.dev) to check your dependencies against known security advisories. Because git-pkgs tracks the full history, it can show who introduced and fixed each vulnerability. See [docs/vulns.md](docs/vulns.md) for full documentation.
+
 ### Diff between commits
 
 ```bash
 git pkgs diff --from=abc123 --to=def456
 git pkgs diff --from=HEAD~10
+git pkgs diff main..feature --stateless  # no database needed
 ```
 
 This shows added, removed, and modified packages with version info.
@@ -255,6 +287,7 @@ This shows added, removed, and modified packages with version info.
 git pkgs show              # show dependency changes in HEAD
 git pkgs show abc123       # specific commit
 git pkgs show HEAD~5       # relative ref
+git pkgs show --stateless  # no database needed
 ```
 
 Like `git show` but for dependencies. Shows what was added, modified, or removed in a single commit.
@@ -325,7 +358,7 @@ Useful for understanding the [database structure](docs/schema.md) or generating
 
 ### CI usage
 
-You can run git-pkgs in CI to show dependency changes in pull requests:
+You can run git-pkgs in CI to show dependency changes in pull requests. Use `--stateless` to skip database initialization for faster runs:
 
 ```yaml
 # .github/workflows/deps.yml
@@ -344,8 +377,7 @@ jobs:
         with:
           ruby-version: '3.3'
       - run: gem install git-pkgs
-      - run: git pkgs init
-      - run: git pkgs diff --from=origin/${{ github.base_ref }} --to=HEAD
+      - run: git pkgs diff --from=origin/${{ github.base_ref }} --to=HEAD --stateless
 ```
 
 ### Diff driver
@@ -430,7 +462,7 @@ Optimizations:
 
 git-pkgs uses [ecosystems-bibliothecary](https://github.com/ecosyste-ms/bibliothecary) for parsing, supporting:
 
-Actions, BentoML, Bower, Cargo, Carthage, Clojars, CocoaPods, Cog, Conda, CPAN, CRAN, Docker, Dub, DVC, Elm, Go, Hackage, Haxelib, Hex, Homebrew, Julia, Maven, Meteor, MLflow, npm, NuGet, Ollama, Packagist, Pub, PyPI, RubyGems, Shards, SwiftPM, Vcpkg
+Actions, BentoML, Bower, Cargo, Carthage, Clojars, CocoaPods, Cog, Conan, Conda, CPAN, CRAN, Deno, Docker, Dub, DVC, Elm, Go, Hackage, Haxelib, Hex, Homebrew, Julia, LuaRocks, Maven, Meteor, MLflow, Nimble, Nix, npm, NuGet, Ollama, Packagist, Pub, PyPI, RubyGems, Shards, SwiftPM, Vcpkg
 
 SBOM formats (CycloneDX, SPDX) are not supported as they duplicate information from the actual lockfiles.
 

data/lib/git/pkgs/analyzer.rb

@@ -12,33 +12,43 @@ module Git
       QUICK_MANIFEST_PATTERNS = %w[
         Gemfile Gemfile.lock gems.rb gems.locked *.gemspec
         package.json package-lock.json yarn.lock npm-shrinkwrap.json pnpm-lock.yaml bun.lock npm-ls.json
-        setup.py req*.txt req*.pip requirements/*.txt requirements/*.pip requirements.frozen
-        Pipfile Pipfile.lock pyproject.toml poetry.lock uv.lock pylock.toml
+        setup.py req*.txt req*.pip requirements/*.txt requirements/*.pip requirements*.in requirements.frozen
+        Pipfile Pipfile.lock pyproject.toml poetry.lock uv.lock pylock.toml pdm.lock
         pip-resolved-dependencies.txt pip-dependency-graph.json
-        pom.xml ivy.xml build.gradle build.gradle.kts gradle-dependencies-q.txt
+        pom.xml ivy.xml build.gradle build.gradle.kts gradle-dependencies-q.txt gradle.lockfile verification-metadata.xml
         maven-resolved-dependencies.txt sbt-update-full.txt maven-dependency-tree.txt maven-dependency-tree.dot
         Cargo.toml Cargo.lock
-        go.mod glide.yaml glide.lock Godeps Godeps/Godeps.json
+        go.mod go.sum glide.yaml glide.lock Godeps Godeps/Godeps.json
         vendor/manifest vendor/vendor.json Gopkg.toml Gopkg.lock go-resolved-dependencies.json
         composer.json composer.lock
         Podfile Podfile.lock *.podspec *.podspec.json
         packages.config packages.lock.json Project.json Project.lock.json
-        *.nuspec paket.lock *.csproj project.assets.json
+        *.nuspec paket.lock *.csproj project.assets.json *.deps.json
         bower.json bentofile.yaml
-        META.json META.yml
+        META.json META.yml cpanfile cpanfile.snapshot Makefile.PL Build.PL
         environment.yml environment.yaml
-        cog.yaml versions.json MLmodel DESCRIPTION
+        cog.yaml versions.json MLmodel DESCRIPTION renv.lock
         pubspec.yaml pubspec.lock
         dub.json dub.sdl
-        REQUIRE
+        REQUIRE Project.toml Manifest.toml
         shard.yml shard.lock
         elm-package.json elm_dependencies.json elm-stuff/exact-dependencies.json
         haxelib.json
         action.yml action.yaml .github/workflows/*.yml .github/workflows/*.yaml
         Dockerfile docker-compose*.yml docker-compose*.yaml
-        dvc.yaml vcpkg.json
+        dvc.yaml vcpkg.json _generated-vcpkg-list.json
         Brewfile Brewfile.lock.json
         Modelfile
+        deno.json deno.jsonc deno.lock
+        conanfile.py conanfile.txt conan.lock
+        *.rockspec
+        *.nimble
+        *.cabal *cabal.config stack.yaml.lock cabal.project.freeze
+        Cartfile Cartfile.private Cartfile.resolved
+        project.clj
+        Package.swift Package.resolved
+        mix.exs mix.lock gleam.toml manifest.toml rebar.lock
+        flake.nix flake.lock nix/sources.json npins/sources.json
       ].freeze
 
       QUICK_MANIFEST_REGEX = Regexp.union(
@@ -58,6 +68,10 @@ module Git
         Config.configure_bibliothecary
       end
 
+      def generate_purl(ecosystem, name)
+        Ecosystems.generate_purl(ecosystem, name)
+      end
+
       # Quick check if any paths might be manifests (fast regex check)
       def might_have_manifests?(paths)
         paths.any? { |p| p.match?(QUICK_MANIFEST_REGEX) }
@@ -124,6 +138,7 @@ module Git
               ecosystem: result[:platform],
               kind: result[:kind],
               name: dep[:name],
+              purl: generate_purl(result[:platform], dep[:name]),
               change_type: "added",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -133,6 +148,7 @@ module Git
             new_snapshot[key] = {
               ecosystem: result[:platform],
               kind: result[:kind],
+              purl: generate_purl(result[:platform], dep[:name]),
               requirement: dep[:requirement],
               dependency_type: dep[:type]
             }
@@ -160,6 +176,7 @@ module Git
               ecosystem: after_result[:platform],
               kind: after_result[:kind],
               name: name,
+              purl: generate_purl(after_result[:platform], name),
               change_type: "added",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -169,6 +186,7 @@ module Git
             new_snapshot[key] = {
               ecosystem: after_result[:platform],
               kind: after_result[:kind],
+              purl: generate_purl(after_result[:platform], name),
               requirement: dep[:requirement],
               dependency_type: dep[:type]
             }
@@ -181,6 +199,7 @@ module Git
               ecosystem: before_result[:platform],
               kind: before_result[:kind],
               name: name,
+              purl: generate_purl(before_result[:platform], name),
               change_type: "removed",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -200,6 +219,7 @@ module Git
                 ecosystem: after_result[:platform],
                 kind: after_result[:kind],
                 name: name,
+                purl: generate_purl(after_result[:platform], name),
                 change_type: "modified",
                 requirement: after_dep[:requirement],
                 previous_requirement: before_dep[:requirement],
@@ -210,6 +230,7 @@ module Git
               new_snapshot[key] = {
                 ecosystem: after_result[:platform],
                 kind: after_result[:kind],
+                purl: generate_purl(after_result[:platform], name),
                 requirement: after_dep[:requirement],
                 dependency_type: after_dep[:type]
               }
@@ -228,6 +249,7 @@ module Git
               ecosystem: result[:platform],
               kind: result[:kind],
               name: dep[:name],
+              purl: generate_purl(result[:platform], dep[:name]),
               change_type: "removed",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -288,6 +310,116 @@ module Git
         @blob_cache[cache_key] = { result: result, hits: 0 }
         result
       end
+
+      # Parse all manifest files at a given commit (stateless)
+      def dependencies_at_commit(rugged_commit)
+        deps = []
+        manifest_paths = find_manifest_paths_in_tree(rugged_commit.tree)
+
+        manifest_paths.each do |path|
+          result = parse_manifest_at_commit(rugged_commit, path)
+          next unless result && result[:dependencies]
+
+          result[:dependencies].each do |dep|
+            deps << {
+              manifest_path: path,
+              manifest_kind: result[:kind],
+              name: dep[:name],
+              ecosystem: result[:platform],
+              kind: result[:kind],
+              purl: generate_purl(result[:platform], dep[:name]),
+              requirement: dep[:requirement],
+              dependency_type: dep[:type]
+            }
+          end
+        end
+
+        deps
+      end
+
+      # Compute changes between two commits (stateless)
+      def diff_commits(from_commit, to_commit)
+        from_deps = dependencies_at_commit(from_commit).group_by { |d| [d[:manifest_path], d[:name]] }
+        to_deps = dependencies_at_commit(to_commit).group_by { |d| [d[:manifest_path], d[:name]] }
+
+        added = []
+        modified = []
+        removed = []
+
+        # Find added and modified
+        to_deps.each do |key, to_list|
+          to_dep = to_list.first
+          if from_deps[key]
+            from_dep = from_deps[key].first
+            if from_dep[:requirement] != to_dep[:requirement]
+              modified << to_dep.merge(previous_requirement: from_dep[:requirement])
+            end
+          else
+            added << to_dep
+          end
+        end
+
+        # Find removed
+        from_deps.each do |key, from_list|
+          removed << from_list.first unless to_deps[key]
+        end
+
+        { added: added, modified: modified, removed: removed }
+      end
+
+      def find_manifest_paths_in_tree(tree, prefix = "")
+        paths = []
+
+        tree.each do |entry|
+          full_path = prefix.empty? ? entry[:name] : "#{prefix}/#{entry[:name]}"
+
+          if entry[:type] == :tree
+            subtree = repository.lookup(entry[:oid])
+            paths.concat(find_manifest_paths_in_tree(subtree, full_path))
+          elsif entry[:type] == :blob && full_path.match?(QUICK_MANIFEST_REGEX)
+            paths << full_path
+          end
+        end
+
+        identify_manifests_cached(paths)
+      end
+
+      def lookup(oid)
+        repository.lookup(oid)
+      end
+
+      # Pair manifest dependencies with their corresponding lockfile versions.
+      # Groups by directory + ecosystem + name, preferring lockfile over manifest.
+      # Can be called as instance method or class method.
+      def pair_manifests_with_lockfiles(deps)
+        self.class.pair_manifests_with_lockfiles(deps)
+      end
+
+      def self.pair_manifests_with_lockfiles(deps)
+        # Group by (directory, ecosystem, name)
+        groups = {}
+        deps.each do |dep|
+          dir = File.dirname(dep[:manifest_path])
+          dir = "" if dir == "."
+          key = [dir, dep[:ecosystem], dep[:name]]
+          groups[key] ||= []
+          groups[key] << dep
+        end
+
+        # For each group, pick the best entry (lockfile preferred)
+        groups.values.map do |group_deps|
+          lockfile_dep = group_deps.find { |d| d[:manifest_kind] == "lockfile" }
+          manifest_dep = group_deps.find { |d| d[:manifest_kind] == "manifest" }
+
+          # Prefer lockfile version, fall back to manifest
+          lockfile_dep || manifest_dep || group_deps.first
+        end.compact
+      end
+
+      # Filter to only lockfile dependencies
+      def self.lockfile_dependencies(deps)
+        deps.select { |d| d[:manifest_kind] == "lockfile" }
+      end
     end
   end
 end

data/lib/git/pkgs/cli.rb

@@ -34,6 +34,9 @@ module Git
         "Analysis" => {
           "stats" => "Show dependency statistics",
           "stale" => "Show dependencies that haven't been updated"
+        },
+        "Security" => {
+          "vulns" => "Scan for known vulnerabilities"
         }
       }.freeze
 
@@ -99,13 +102,20 @@ module Git
         command = ALIASES.fetch(command, command)
         # Convert kebab-case or snake_case to PascalCase
         class_name = command.split(/[-_]/).map(&:capitalize).join
-        command_class = Commands.const_get(class_name)
+
+        # Try with Command suffix first (e.g., VulnsCommand), then bare name
+        command_class = begin
+          Commands.const_get("#{class_name}Command")
+        rescue NameError
+          begin
+            Commands.const_get(class_name)
+          rescue NameError
+            $stderr.puts "Command '#{command}' not yet implemented"
+            exit 1
+          end
+        end
+
         command_class.new(@args).run
-      rescue NameError => e
-        # Only catch NameError for missing command class, not NoMethodError
-        raise unless e.is_a?(NameError) && !e.is_a?(NoMethodError)
-        $stderr.puts "Command '#{command}' not yet implemented"
-        exit 1
       end
 
       def print_help

data/lib/git/pkgs/commands/blame.rb

@@ -113,24 +113,6 @@ module Git
           end
         end
 
-        def best_author(commit)
-          authors = [commit.author_name] + parse_coauthors(commit.message)
-
-          # Prefer human authors over bots
-          human = authors.find { |a| !bot_author?(a) }
-          human || authors.first
-        end
-
-        def parse_coauthors(message)
-          return [] unless message
-
-          message.scan(/^Co-authored-by:([^<]+)<[^>]+>/i).flatten.map(&:strip)
-        end
-
-        def bot_author?(name)
-          name =~ /\[bot\]$|^dependabot|^renovate|^github-actions/i
-        end
-
         def parse_options
           options = {}
 

data/lib/git/pkgs/commands/diff.rb

@@ -13,9 +13,7 @@ module Git
 
         def run
           repo = Repository.new
-          require_database(repo)
-
-          Database.connect(repo.git_dir)
+          use_stateless = @options[:stateless] || !Database.exists?(repo.git_dir)
 
           from_ref, to_ref = parse_range_argument
           from_ref ||= @options[:from]
@@ -30,6 +28,46 @@ module Git
           error "Could not resolve '#{from_ref}'. Check that the ref exists." unless from_sha
           error "Could not resolve '#{to_ref}'. Check that the ref exists." unless to_sha
 
+          if use_stateless
+            run_stateless(repo, from_sha, to_sha)
+          else
+            run_with_database(repo, from_sha, to_sha)
+          end
+        end
+
+        def run_stateless(repo, from_sha, to_sha)
+          from_commit = repo.lookup(from_sha)
+          to_commit = repo.lookup(to_sha)
+
+          analyzer = Analyzer.new(repo)
+          diff = analyzer.diff_commits(from_commit, to_commit)
+
+          if @options[:ecosystem]
+            diff[:added] = diff[:added].select { |d| d[:ecosystem] == @options[:ecosystem] }
+            diff[:modified] = diff[:modified].select { |d| d[:ecosystem] == @options[:ecosystem] }
+            diff[:removed] = diff[:removed].select { |d| d[:ecosystem] == @options[:ecosystem] }
+          end
+
+          if diff[:added].empty? && diff[:modified].empty? && diff[:removed].empty?
+            if @options[:format] == "json"
+              require "json"
+              puts JSON.pretty_generate({ from: from_sha[0..7], to: to_sha[0..7], added: [], modified: [], removed: [] })
+            else
+              empty_result "No dependency changes between #{from_sha[0..7]} and #{to_sha[0..7]}"
+            end
+            return
+          end
+
+          if @options[:format] == "json"
+            output_json_stateless(from_sha, to_sha, diff)
+          else
+            paginate { output_text_stateless(from_sha, to_sha, diff) }
+          end
+        end
+
+        def run_with_database(repo, from_sha, to_sha)
+          Database.connect(repo.git_dir)
+
           from_commit = Models::Commit.find_or_create_from_repo(repo, from_sha)
           to_commit = Models::Commit.find_or_create_from_repo(repo, to_sha)
 
@@ -154,6 +192,81 @@ module Git
           puts JSON.pretty_generate(data)
         end
 
+        def output_text_stateless(from_sha, to_sha, diff)
+          puts "Dependency changes from #{from_sha[0..7]} to #{to_sha[0..7]}:"
+          puts
+
+          if diff[:added].any?
+            puts Color.green("Added:")
+            diff[:added].group_by { |d| d[:name] }.each do |name, pkg_changes|
+              latest = pkg_changes.last
+              puts Color.green("  + #{name} #{latest[:requirement]} (#{latest[:manifest_path]})")
+            end
+            puts
+          end
+
+          if diff[:modified].any?
+            puts Color.yellow("Modified:")
+            diff[:modified].group_by { |d| d[:name] }.each do |name, pkg_changes|
+              latest = pkg_changes.last
+              puts Color.yellow("  ~ #{name} #{latest[:previous_requirement]} -> #{latest[:requirement]}")
+            end
+            puts
+          end
+
+          if diff[:removed].any?
+            puts Color.red("Removed:")
+            diff[:removed].group_by { |d| d[:name] }.each do |name, pkg_changes|
+              latest = pkg_changes.last
+              puts Color.red("  - #{name} (was #{latest[:requirement]})")
+            end
+            puts
+          end
+
+          added_count = Color.green("+#{diff[:added].map { |d| d[:name] }.uniq.count}")
+          removed_count = Color.red("-#{diff[:removed].map { |d| d[:name] }.uniq.count}")
+          modified_count = Color.yellow("~#{diff[:modified].map { |d| d[:name] }.uniq.count}")
+          puts "Summary: #{added_count} #{removed_count} #{modified_count}"
+        end
+
+        def output_json_stateless(from_sha, to_sha, diff)
+          require "json"
+
+          format_change = lambda do |change|
+            {
+              name: change[:name],
+              ecosystem: change[:ecosystem],
+              requirement: change[:requirement],
+              manifest: change[:manifest_path]
+            }
+          end
+
+          format_modified = lambda do |change|
+            {
+              name: change[:name],
+              ecosystem: change[:ecosystem],
+              previous_requirement: change[:previous_requirement],
+              requirement: change[:requirement],
+              manifest: change[:manifest_path]
+            }
+          end
+
+          data = {
+            from: from_sha[0..7],
+            to: to_sha[0..7],
+            added: diff[:added].map { |c| format_change.call(c) },
+            modified: diff[:modified].map { |c| format_modified.call(c) },
+            removed: diff[:removed].map { |c| format_change.call(c) },
+            summary: {
+              added: diff[:added].map { |d| d[:name] }.uniq.count,
+              modified: diff[:modified].map { |d| d[:name] }.uniq.count,
+              removed: diff[:removed].map { |d| d[:name] }.uniq.count
+            }
+          }
+
+          puts JSON.pretty_generate(data)
+        end
+
         def parse_range_argument
           return [nil, nil] if @args.empty?
 
@@ -183,11 +296,11 @@ module Git
             opts.separator "  git pkgs diff --from=v1.0 --to=v2.0"
             opts.separator ""
 
-            opts.on("-f", "--from=REF", "Start commit") do |v|
+            opts.on("--from=REF", "Start commit") do |v|
               options[:from] = v
             end
 
-            opts.on("-t", "--to=REF", "End commit (default: HEAD)") do |v|
+            opts.on("--to=REF", "End commit (default: HEAD)") do |v|
               options[:to] = v
             end
 
@@ -203,6 +316,10 @@ module Git
               options[:no_pager] = true
             end
 
+            opts.on("--stateless", "Parse manifests directly without database") do
+              options[:stateless] = true
+            end
+
             opts.on("-h", "--help", "Show this help") do
               puts opts
               exit