git-pkgs 0.6.2 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ec8cddb19542e0519e69be68a3f0b65424c940718ba3bd5304ed93f457078ec7
-  data.tar.gz: bce2b1006ad63c0f2269d9321948acfa9cde600e8f8e41b3e606768c8f8b6178
+  metadata.gz: e23d09227a873e67670fa403a6c81c4f93a301cfda036f62d8b02d4d7f1e0ce5
+  data.tar.gz: ae4c878fa0cca631cb5d0485ab4a5caa999300ba1afc564c6d23461527a487cf
 SHA512:
-  metadata.gz: 1488be447b21af773fc7aa6309d8981bb78b45134a755f56bff38f0cac3c92d861f867fb62c70201c1eec9c1f4b40f042a6804f416f64c952bc008678c756831
-  data.tar.gz: 998ca9734325cef27dcd3e09a1c7e68acf212a6974f0bd61adb3257322d92881e1c1cb8995be3935b32253f02a94b15f3e531bc40bf4cd1111933b24cc863275
+  metadata.gz: 5a675b67669d345dc39419219adfe51d2c36b1167be446b7f1b937eab42b92c0d935ebd8102e534585760c5944de6059ac722818558090c504758fc4ca7d9388
+  data.tar.gz: 7cb84ae314e29ed3cbf0c360ddcd79f43174ce153fca35af476693a6f37a98c84e297b8b3bf3543150e546df2459e69fbcae371959cd4dac04d2aa7d139f1969

data/.gitattributes

@@ -0,0 +1,28 @@
+# git-pkgs textconv for lockfiles
+Brewfile.lock.json diff=pkgs
+Cargo.lock diff=pkgs
+Cartfile.resolved diff=pkgs
+Gemfile.lock diff=pkgs
+Gopkg.lock diff=pkgs
+Package.resolved diff=pkgs
+Pipfile.lock diff=pkgs
+Podfile.lock diff=pkgs
+Project.lock.json diff=pkgs
+bun.lock diff=pkgs
+composer.lock diff=pkgs
+gems.locked diff=pkgs
+glide.lock diff=pkgs
+go.mod diff=pkgs
+mix.lock diff=pkgs
+npm-shrinkwrap.json diff=pkgs
+package-lock.json diff=pkgs
+packages.lock.json diff=pkgs
+paket.lock diff=pkgs
+pnpm-lock.yaml diff=pkgs
+poetry.lock diff=pkgs
+project.assets.json diff=pkgs
+pubspec.lock diff=pkgs
+pylock.toml diff=pkgs
+shard.lock diff=pkgs
+uv.lock diff=pkgs
+yarn.lock diff=pkgs

data/.ruby-version

@@ -0,0 +1 @@
+4.0.0

data/CHANGELOG.md

@@ -1,5 +1,30 @@
 ## [Unreleased]
 
+## [0.8.0] - 2026-01-14
+
+- `git pkgs outdated` command to find dependencies with newer versions available in registries
+- `git pkgs licenses` command to check dependency licenses with compliance options (--permissive, --allow, --deny)
+- ecosyste.ms client for fetching package metadata (latest versions, licenses)
+- Package and Version models for storing enrichment data
+- Spinner utility for progress feedback during network operations
+- PURL helper for standardized package URLs
+- `outdated` is no longer an alias for `stale` (now a separate command)
+
+## [0.7.0] - 2026-01-09
+
+- `git pkgs vulns` subcommand for vulnerability scanning via OSV API
+- `git pkgs vulns scan` to scan dependencies for known vulnerabilities
+- `git pkgs vulns show` to display details for a specific vulnerability
+- `git pkgs vulns sync` to prefetch vulnerability data for all packages
+- `git pkgs vulns exposure` to analyze vulnerability exposure over time
+- `git pkgs vulns praise` to show resolved vulnerabilities with attribution
+- SARIF output format for CI integration (`--format=sarif`)
+- Docker container support for running git-pkgs without local Ruby installation
+- `list` command now shows locked versions and manifest kind
+- `--stateless` flag for `list`, `show`, and `diff` commands (auto-enabled when no database exists)
+- Update ecosystems-bibliothecary to ~> 15.2
+- Fix `-f` flag conflict in `diff` command (was defined for both `--from` and `--format`)
+
 ## [0.6.2] - 2026-01-06
 
 - `--format=json` support for `diff`, `tree`, `stale`, and `why` commands

data/Dockerfile

@@ -0,0 +1,18 @@
+FROM ruby:4.0-alpine
+
+RUN apk add --no-cache \
+    build-base \
+    git \
+    libgit2-dev \
+    cmake
+
+RUN gem install git-pkgs
+
+# The git repository (the mounted directory) has different ownership that the root user of the container.
+# Due to an update in git, a different user cannot perform git operations on the mounted directory.
+# This command allows the any user to perform git operations on the mounted directory.
+RUN git config --system --add safe.directory /mnt
+
+WORKDIR /mnt
+
+ENTRYPOINT ["git", "pkgs"]

data/Formula/git-pkgs.rb

@@ -0,0 +1,28 @@
+class GitPkgs < Formula
+  desc "Track package dependencies across git history"
+  homepage "https://github.com/andrew/git-pkgs"
+  url "https://github.com/andrew/git-pkgs/archive/refs/tags/v0.7.0.tar.gz"
+  sha256 "5c5aebf75e9570945b324777e5fa33cd5e35d31f6172c2415a4bd91db02477cc"
+  license "AGPL-3.0"
+
+  depends_on "cmake" => :build
+  depends_on "pkg-config" => :build
+  depends_on "libgit2"
+  depends_on "ruby"
+
+  def install
+    ENV["GEM_HOME"] = libexec
+
+    system "git", "init"
+    system "git", "add", "."
+
+    system "gem", "build", "git-pkgs.gemspec"
+    system "gem", "install", "--no-document", "git-pkgs-#{version}.gem"
+    bin.install libexec/"bin/git-pkgs"
+    bin.env_script_all_files(libexec/"bin", GEM_HOME: ENV.fetch("GEM_HOME", nil))
+  end
+
+  test do
+    system bin/"git-pkgs", "--version"
+  end
+end

data/README.md

@@ -2,18 +2,38 @@
 
 A git subcommand for tracking package dependencies across git history. Analyzes your repository to show when dependencies were added, modified, or removed, who made those changes, and why.
 
+[Installation](#installation) · [Quick start](#quick-start) · [Commands](#commands) · [Configuration](#configuration) · [Ruby API](#ruby-api) · [Contributing](#contributing)
+
 ## Why this exists
 
 Your lockfile shows what dependencies you have, but it doesn't show how you got here, and `git log Gemfile.lock` is useless noise. git-pkgs indexes your dependency history into a queryable database so you can ask questions like: when did we add this? who added it? what changed between these two releases? has anyone touched this in the last year?
 
-It works across many ecosystems (Gemfile, package.json, Dockerfile, GitHub Actions workflows) giving you one unified history instead of separate tools per ecosystem. Everything runs locally and offline with no external services or network calls, and the database lives in your `.git` directory where you can use it in CI to catch dependency changes in pull requests.
+For best results, commit your lockfiles. Manifests show version ranges but lockfiles show what actually got installed, including transitive dependencies.
+
+It works across many ecosystems (Gemfile, package.json, Dockerfile, GitHub Actions workflows) giving you one unified history instead of separate tools per ecosystem. The database lives in your `.git` directory where you can use it in CI to catch dependency changes in pull requests.
+
+The core commands (`list`, `history`, `blame`, `diff`, `stale`, etc.) work entirely from your git history with no network access. Additional commands fetch external data: `vulns` checks [OSV](https://osv.dev) for known CVEs, while `outdated` and `licenses` query [ecosyste.ms](https://packages.ecosyste.ms/) for registry metadata. See [docs/enrichment.md](docs/enrichment.md) for details on external data.
 
 ## Installation
 
+```bash
+brew tap andrew/git-pkgs https://github.com/andrew/git-pkgs
+brew install git-pkgs
+```
+
+Or with RubyGems:
+
 ```bash
 gem install git-pkgs
 ```
 
+Or using Docker:
+
+```bash
+docker build -t git-pkgs .
+docker run -it --rm -v $(pwd):/mnt git-pkgs <subcommand>
+```
+
 ## Quick start
 
 ```bash
@@ -27,6 +47,8 @@ git pkgs history rails  # track a specific package
 git pkgs why rails      # why was this added?
 git pkgs diff --from=HEAD~10  # what changed recently?
 git pkgs diff --from=main --to=feature  # compare branches
+git pkgs vulns          # scan for known CVEs
+git pkgs vulns blame    # who introduced each vulnerability
 ```
 
 ## Commands
@@ -96,6 +118,7 @@ git pkgs list
 git pkgs list --commit=abc123
 git pkgs list --ecosystem=rubygems
 git pkgs list --manifest=Gemfile
+git pkgs list --stateless           # parse manifests directly, no database needed
 ```
 
 Example output:
@@ -235,16 +258,76 @@ This shows dependencies grouped by type (runtime, development, etc).
 git pkgs stale                  # list deps by how long since last touched
 git pkgs stale --days=365       # only show deps untouched for a year
 git pkgs stale --ecosystem=npm  # filter by ecosystem
-git pkgs outdated               # alias for stale
 ```
 
 Shows dependencies sorted by how long since they were last changed in your repo. Useful for finding packages that may have been forgotten or need review.
 
+### Find outdated dependencies
+
+```bash
+git pkgs outdated               # show packages with newer versions available
+git pkgs outdated --major       # only major version updates
+git pkgs outdated --minor       # minor and major updates (skip patch)
+git pkgs outdated --stateless   # no database needed
+```
+
+Checks package registries (via [ecosyste.ms](https://packages.ecosyste.ms/)) to find dependencies with newer versions available. Major updates are shown in red, minor in yellow, patch in cyan.
+
+### Check licenses
+
+```bash
+git pkgs licenses               # show license for each dependency
+git pkgs licenses --permissive  # flag copyleft licenses
+git pkgs licenses --allow=MIT,Apache-2.0  # explicit allow list
+git pkgs licenses --group       # group output by license
+git pkgs licenses --stateless   # no database needed
+```
+
+Fetches license information from package registries. Exits with code 1 if violations are found, making it suitable for CI. See [docs/enrichment.md](docs/enrichment.md) for all options.
+
+### Vulnerability scanning
+
+Scan dependencies for known CVEs using the [OSV database](https://osv.dev). Because git-pkgs tracks the full history of every dependency change, it provides context that static scanners can't: who introduced a vulnerability, when it was fixed, and how long you were exposed.
+
+```bash
+git pkgs vulns                  # scan current dependencies
+git pkgs vulns v1.0.0           # scan at a tag, branch, or commit
+git pkgs vulns -s high          # only critical and high severity
+git pkgs vulns -e npm           # filter by ecosystem
+git pkgs vulns -f sarif         # output for GitHub code scanning
+```
+
+Subcommands for historical analysis:
+
+```bash
+git pkgs vulns blame            # who introduced each vulnerability
+git pkgs vulns blame --all-time # include fixed vulnerabilities
+git pkgs vulns praise           # who fixed vulnerabilities
+git pkgs vulns praise --summary # author leaderboard
+git pkgs vulns exposure         # remediation metrics (CRA compliance)
+git pkgs vulns diff main feature # compare vulnerability state between refs
+git pkgs vulns log              # commits that introduced or fixed vulns
+git pkgs vulns history lodash   # vulnerability timeline for a package
+git pkgs vulns show CVE-2024-1234  # details about a specific CVE
+```
+
+Output formats: `text` (default), `json`, and `sarif`. SARIF integrates with GitHub Advanced Security:
+
+```yaml
+- run: git pkgs vulns --stateless -f sarif > results.sarif
+- uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: results.sarif
+```
+
+Vulnerability data is cached locally and refreshed automatically when stale (>24h). Use `git pkgs vulns sync --refresh` to force an update. See [docs/vulns.md](docs/vulns.md) for full documentation.
+
 ### Diff between commits
 
 ```bash
 git pkgs diff --from=abc123 --to=def456
 git pkgs diff --from=HEAD~10
+git pkgs diff main..feature --stateless  # no database needed
 ```
 
 This shows added, removed, and modified packages with version info.
@@ -255,6 +338,7 @@ This shows added, removed, and modified packages with version info.
 git pkgs show              # show dependency changes in HEAD
 git pkgs show abc123       # specific commit
 git pkgs show HEAD~5       # relative ref
+git pkgs show --stateless  # no database needed
 ```
 
 Like `git show` but for dependencies. Shows what was added, modified, or removed in a single commit.
@@ -325,7 +409,7 @@ Useful for understanding the [database structure](docs/schema.md) or generating
 
 ### CI usage
 
-You can run git-pkgs in CI to show dependency changes in pull requests:
+You can run git-pkgs in CI to show dependency changes in pull requests. Use `--stateless` to skip database initialization for faster runs:
 
 ```yaml
 # .github/workflows/deps.yml
@@ -344,8 +428,7 @@ jobs:
         with:
           ruby-version: '3.3'
       - run: gem install git-pkgs
-      - run: git pkgs init
-      - run: git pkgs diff --from=origin/${{ github.base_ref }} --to=HEAD
+      - run: git pkgs diff --from=origin/${{ github.base_ref }} --to=HEAD --stateless
 ```
 
 ### Diff driver
@@ -430,7 +513,7 @@ Optimizations:
 
 git-pkgs uses [ecosystems-bibliothecary](https://github.com/ecosyste-ms/bibliothecary) for parsing, supporting:
 
-Actions, BentoML, Bower, Cargo, Carthage, Clojars, CocoaPods, Cog, Conda, CPAN, CRAN, Docker, Dub, DVC, Elm, Go, Hackage, Haxelib, Hex, Homebrew, Julia, Maven, Meteor, MLflow, npm, NuGet, Ollama, Packagist, Pub, PyPI, RubyGems, Shards, SwiftPM, Vcpkg
+Actions, BentoML, Bower, Cargo, Carthage, Clojars, CocoaPods, Cog, Conan, Conda, CPAN, CRAN, Deno, Docker, Dub, DVC, Elm, Go, Hackage, Haxelib, Hex, Homebrew, Julia, LuaRocks, Maven, Meteor, MLflow, Nimble, Nix, npm, NuGet, Ollama, Packagist, Pub, PyPI, RubyGems, Shards, SwiftPM, Vcpkg
 
 SBOM formats (CycloneDX, SPDX) are not supported as they duplicate information from the actual lockfiles.
 
@@ -465,6 +548,7 @@ Git::Pkgs::Database.connect(repo_git_dir)
 Git::Pkgs::Models::DependencyChange.where(name: "rails").all
 ```
 
+
 ## Contributing
 
 Bug reports, feature requests, and pull requests are welcome. If you're unsure about a change, open an issue first to discuss it.

data/lib/git/pkgs/analyzer.rb

@@ -12,33 +12,43 @@ module Git
       QUICK_MANIFEST_PATTERNS = %w[
         Gemfile Gemfile.lock gems.rb gems.locked *.gemspec
         package.json package-lock.json yarn.lock npm-shrinkwrap.json pnpm-lock.yaml bun.lock npm-ls.json
-        setup.py req*.txt req*.pip requirements/*.txt requirements/*.pip requirements.frozen
-        Pipfile Pipfile.lock pyproject.toml poetry.lock uv.lock pylock.toml
+        setup.py req*.txt req*.pip requirements/*.txt requirements/*.pip requirements*.in requirements.frozen
+        Pipfile Pipfile.lock pyproject.toml poetry.lock uv.lock pylock.toml pdm.lock
         pip-resolved-dependencies.txt pip-dependency-graph.json
-        pom.xml ivy.xml build.gradle build.gradle.kts gradle-dependencies-q.txt
+        pom.xml ivy.xml build.gradle build.gradle.kts gradle-dependencies-q.txt gradle.lockfile verification-metadata.xml
         maven-resolved-dependencies.txt sbt-update-full.txt maven-dependency-tree.txt maven-dependency-tree.dot
         Cargo.toml Cargo.lock
-        go.mod glide.yaml glide.lock Godeps Godeps/Godeps.json
+        go.mod go.sum glide.yaml glide.lock Godeps Godeps/Godeps.json
         vendor/manifest vendor/vendor.json Gopkg.toml Gopkg.lock go-resolved-dependencies.json
         composer.json composer.lock
         Podfile Podfile.lock *.podspec *.podspec.json
         packages.config packages.lock.json Project.json Project.lock.json
-        *.nuspec paket.lock *.csproj project.assets.json
+        *.nuspec paket.lock *.csproj project.assets.json *.deps.json
         bower.json bentofile.yaml
-        META.json META.yml
+        META.json META.yml cpanfile cpanfile.snapshot Makefile.PL Build.PL
         environment.yml environment.yaml
-        cog.yaml versions.json MLmodel DESCRIPTION
+        cog.yaml versions.json MLmodel DESCRIPTION renv.lock
         pubspec.yaml pubspec.lock
         dub.json dub.sdl
-        REQUIRE
+        REQUIRE Project.toml Manifest.toml
         shard.yml shard.lock
         elm-package.json elm_dependencies.json elm-stuff/exact-dependencies.json
-        haxelib.json
+        haxelib.json stack.yaml stack.yaml.lock
         action.yml action.yaml .github/workflows/*.yml .github/workflows/*.yaml
         Dockerfile docker-compose*.yml docker-compose*.yaml
-        dvc.yaml vcpkg.json
+        dvc.yaml vcpkg.json _generated-vcpkg-list.json
         Brewfile Brewfile.lock.json
         Modelfile
+        deno.json deno.jsonc deno.lock
+        conanfile.py conanfile.txt conan.lock
+        *.rockspec
+        *.nimble
+        *.cabal *cabal.config stack.yaml.lock cabal.project.freeze
+        Cartfile Cartfile.private Cartfile.resolved
+        project.clj
+        Package.swift Package.resolved
+        mix.exs mix.lock gleam.toml manifest.toml rebar.lock
+        flake.nix flake.lock nix/sources.json npins/sources.json
       ].freeze
 
       QUICK_MANIFEST_REGEX = Regexp.union(
@@ -58,6 +68,10 @@ module Git
         Config.configure_bibliothecary
       end
 
+      def generate_purl(ecosystem, name)
+        Ecosystems.generate_purl(ecosystem, name)
+      end
+
       # Quick check if any paths might be manifests (fast regex check)
       def might_have_manifests?(paths)
         paths.any? { |p| p.match?(QUICK_MANIFEST_REGEX) }
@@ -124,6 +138,7 @@ module Git
               ecosystem: result[:platform],
               kind: result[:kind],
               name: dep[:name],
+              purl: generate_purl(result[:platform], dep[:name]),
               change_type: "added",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -133,6 +148,7 @@ module Git
             new_snapshot[key] = {
               ecosystem: result[:platform],
               kind: result[:kind],
+              purl: generate_purl(result[:platform], dep[:name]),
               requirement: dep[:requirement],
               dependency_type: dep[:type]
             }
@@ -160,6 +176,7 @@ module Git
               ecosystem: after_result[:platform],
               kind: after_result[:kind],
               name: name,
+              purl: generate_purl(after_result[:platform], name),
               change_type: "added",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -169,6 +186,7 @@ module Git
             new_snapshot[key] = {
               ecosystem: after_result[:platform],
               kind: after_result[:kind],
+              purl: generate_purl(after_result[:platform], name),
               requirement: dep[:requirement],
               dependency_type: dep[:type]
             }
@@ -181,6 +199,7 @@ module Git
               ecosystem: before_result[:platform],
               kind: before_result[:kind],
               name: name,
+              purl: generate_purl(before_result[:platform], name),
               change_type: "removed",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -200,6 +219,7 @@ module Git
                 ecosystem: after_result[:platform],
                 kind: after_result[:kind],
                 name: name,
+                purl: generate_purl(after_result[:platform], name),
                 change_type: "modified",
                 requirement: after_dep[:requirement],
                 previous_requirement: before_dep[:requirement],
@@ -210,6 +230,7 @@ module Git
               new_snapshot[key] = {
                 ecosystem: after_result[:platform],
                 kind: after_result[:kind],
+                purl: generate_purl(after_result[:platform], name),
                 requirement: after_dep[:requirement],
                 dependency_type: after_dep[:type]
               }
@@ -228,6 +249,7 @@ module Git
               ecosystem: result[:platform],
               kind: result[:kind],
               name: dep[:name],
+              purl: generate_purl(result[:platform], dep[:name]),
               change_type: "removed",
               requirement: dep[:requirement],
               dependency_type: dep[:type]
@@ -288,6 +310,116 @@ module Git
         @blob_cache[cache_key] = { result: result, hits: 0 }
         result
       end
+
+      # Parse all manifest files at a given commit (stateless)
+      def dependencies_at_commit(rugged_commit)
+        deps = []
+        manifest_paths = find_manifest_paths_in_tree(rugged_commit.tree)
+
+        manifest_paths.each do |path|
+          result = parse_manifest_at_commit(rugged_commit, path)
+          next unless result && result[:dependencies]
+
+          result[:dependencies].each do |dep|
+            deps << {
+              manifest_path: path,
+              manifest_kind: result[:kind],
+              name: dep[:name],
+              ecosystem: result[:platform],
+              kind: result[:kind],
+              purl: generate_purl(result[:platform], dep[:name]),
+              requirement: dep[:requirement],
+              dependency_type: dep[:type]
+            }
+          end
+        end
+
+        deps
+      end
+
+      # Compute changes between two commits (stateless)
+      def diff_commits(from_commit, to_commit)
+        from_deps = dependencies_at_commit(from_commit).group_by { |d| [d[:manifest_path], d[:name]] }
+        to_deps = dependencies_at_commit(to_commit).group_by { |d| [d[:manifest_path], d[:name]] }
+
+        added = []
+        modified = []
+        removed = []
+
+        # Find added and modified
+        to_deps.each do |key, to_list|
+          to_dep = to_list.first
+          if from_deps[key]
+            from_dep = from_deps[key].first
+            if from_dep[:requirement] != to_dep[:requirement]
+              modified << to_dep.merge(previous_requirement: from_dep[:requirement])
+            end
+          else
+            added << to_dep
+          end
+        end
+
+        # Find removed
+        from_deps.each do |key, from_list|
+          removed << from_list.first unless to_deps[key]
+        end
+
+        { added: added, modified: modified, removed: removed }
+      end
+
+      def find_manifest_paths_in_tree(tree, prefix = "")
+        paths = []
+
+        tree.each do |entry|
+          full_path = prefix.empty? ? entry[:name] : "#{prefix}/#{entry[:name]}"
+
+          if entry[:type] == :tree
+            subtree = repository.lookup(entry[:oid])
+            paths.concat(find_manifest_paths_in_tree(subtree, full_path))
+          elsif entry[:type] == :blob && full_path.match?(QUICK_MANIFEST_REGEX)
+            paths << full_path
+          end
+        end
+
+        identify_manifests_cached(paths)
+      end
+
+      def lookup(oid)
+        repository.lookup(oid)
+      end
+
+      # Pair manifest dependencies with their corresponding lockfile versions.
+      # Groups by directory + ecosystem + name, preferring lockfile over manifest.
+      # Can be called as instance method or class method.
+      def pair_manifests_with_lockfiles(deps)
+        self.class.pair_manifests_with_lockfiles(deps)
+      end
+
+      def self.pair_manifests_with_lockfiles(deps)
+        # Group by (directory, ecosystem, name)
+        groups = {}
+        deps.each do |dep|
+          dir = File.dirname(dep[:manifest_path])
+          dir = "" if dir == "."
+          key = [dir, dep[:ecosystem], dep[:name]]
+          groups[key] ||= []
+          groups[key] << dep
+        end
+
+        # For each group, pick the best entry (lockfile preferred)
+        groups.values.map do |group_deps|
+          lockfile_dep = group_deps.find { |d| d[:manifest_kind] == "lockfile" }
+          manifest_dep = group_deps.find { |d| d[:manifest_kind] == "manifest" }
+
+          # Prefer lockfile version, fall back to manifest
+          lockfile_dep || manifest_dep || group_deps.first
+        end.compact
+      end
+
+      # Filter to only lockfile dependencies
+      def self.lockfile_dependencies(deps)
+        deps.select { |d| d[:manifest_kind] == "lockfile" }
+      end
     end
   end
 end

data/lib/git/pkgs/cli.rb

@@ -33,13 +33,18 @@ module Git
         },
         "Analysis" => {
           "stats" => "Show dependency statistics",
-          "stale" => "Show dependencies that haven't been updated"
+          "stale" => "Show dependencies that haven't been updated",
+          "outdated" => "Show packages with newer versions available",
+          "licenses" => "Show licenses for dependencies"
+        },
+        "Security" => {
+          "vulns" => "Scan for known vulnerabilities"
         }
       }.freeze
 
       COMMANDS = COMMAND_GROUPS.values.flat_map(&:keys).freeze
       COMMAND_DESCRIPTIONS = COMMAND_GROUPS.values.reduce({}, :merge).freeze
-      ALIASES = { "praise" => "blame", "outdated" => "stale" }.freeze
+      ALIASES = { "praise" => "blame" }.freeze
 
       def self.run(args)
         new(args).run
@@ -99,13 +104,20 @@ module Git
         command = ALIASES.fetch(command, command)
         # Convert kebab-case or snake_case to PascalCase
         class_name = command.split(/[-_]/).map(&:capitalize).join
-        command_class = Commands.const_get(class_name)
+
+        # Try with Command suffix first (e.g., VulnsCommand), then bare name
+        command_class = begin
+          Commands.const_get("#{class_name}Command")
+        rescue NameError
+          begin
+            Commands.const_get(class_name)
+          rescue NameError
+            $stderr.puts "Command '#{command}' not yet implemented"
+            exit 1
+          end
+        end
+
         command_class.new(@args).run
-      rescue NameError => e
-        # Only catch NameError for missing command class, not NoMethodError
-        raise unless e.is_a?(NameError) && !e.is_a?(NoMethodError)
-        $stderr.puts "Command '#{command}' not yet implemented"
-        exit 1
       end
 
       def print_help

data/lib/git/pkgs/commands/blame.rb

@@ -113,24 +113,6 @@ module Git
           end
         end
 
-        def best_author(commit)
-          authors = [commit.author_name] + parse_coauthors(commit.message)
-
-          # Prefer human authors over bots
-          human = authors.find { |a| !bot_author?(a) }
-          human || authors.first
-        end
-
-        def parse_coauthors(message)
-          return [] unless message
-
-          message.scan(/^Co-authored-by:([^<]+)<[^>]+>/i).flatten.map(&:strip)
-        end
-
-        def bot_author?(name)
-          name =~ /\[bot\]$|^dependabot|^renovate|^github-actions/i
-        end
-
         def parse_options
           options = {}