git-pkgs 0.7.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f9ff177f3dd7cbb4f5591a0c0f2b936d5fb98629329294dae9f57380a69709e
-  data.tar.gz: e8760e948aea3b7252176fc6a0b4bb0d74432ad05e4fa20693468b9440b126bd
+  metadata.gz: e23d09227a873e67670fa403a6c81c4f93a301cfda036f62d8b02d4d7f1e0ce5
+  data.tar.gz: ae4c878fa0cca631cb5d0485ab4a5caa999300ba1afc564c6d23461527a487cf
 SHA512:
-  metadata.gz: a670a1b046b7d0953aefe8bd57a6a03fa69624eb3bdb4e8867a647521a88c936e559973b6470989cca45714e79de19c0f6d2a2c85fa7340c3b677e07923cb97a
-  data.tar.gz: dcbb08683dfe053e70801ae36fe74f3d1f33ce0a6f74a7df3b6cb1a6d5df70d5a7c5db9ca9c7fc8efb6ee94463fbc96a68ef7e09f20808fd6b41b1c2d2e6b873
+  metadata.gz: 5a675b67669d345dc39419219adfe51d2c36b1167be446b7f1b937eab42b92c0d935ebd8102e534585760c5944de6059ac722818558090c504758fc4ca7d9388
+  data.tar.gz: 7cb84ae314e29ed3cbf0c360ddcd79f43174ce153fca35af476693a6f37a98c84e297b8b3bf3543150e546df2459e69fbcae371959cd4dac04d2aa7d139f1969

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 ## [Unreleased]
 
+## [0.8.0] - 2026-01-14
+
+- `git pkgs outdated` command to find dependencies with newer versions available in registries
+- `git pkgs licenses` command to check dependency licenses with compliance options (--permissive, --allow, --deny)
+- ecosyste.ms client for fetching package metadata (latest versions, licenses)
+- Package and Version models for storing enrichment data
+- Spinner utility for progress feedback during network operations
+- PURL helper for standardized package URLs
+- `outdated` is no longer an alias for `stale` (now a separate command)
+
 ## [0.7.0] - 2026-01-09
 
 - `git pkgs vulns` subcommand for vulnerability scanning via OSV API

data/Formula/git-pkgs.rb

@@ -1,8 +1,8 @@
 class GitPkgs < Formula
   desc "Track package dependencies across git history"
   homepage "https://github.com/andrew/git-pkgs"
-  url "https://github.com/andrew/git-pkgs/archive/refs/tags/v0.6.2.tar.gz"
-  sha256 "ccd7a8a5b9cb21c52cc488923ed1318387a9fefa4baff2057bd96b27591577aa"
+  url "https://github.com/andrew/git-pkgs/archive/refs/tags/v0.7.0.tar.gz"
+  sha256 "5c5aebf75e9570945b324777e5fa33cd5e35d31f6172c2415a4bd91db02477cc"
   license "AGPL-3.0"
 
   depends_on "cmake" => :build

data/README.md

@@ -10,7 +10,9 @@ Your lockfile shows what dependencies you have, but it doesn't show how you got
 
 For best results, commit your lockfiles. Manifests show version ranges but lockfiles show what actually got installed, including transitive dependencies.
 
-It works across many ecosystems (Gemfile, package.json, Dockerfile, GitHub Actions workflows) giving you one unified history instead of separate tools per ecosystem. Everything runs locally and offline with no external services or network calls, and the database lives in your `.git` directory where you can use it in CI to catch dependency changes in pull requests.
+It works across many ecosystems (Gemfile, package.json, Dockerfile, GitHub Actions workflows) giving you one unified history instead of separate tools per ecosystem. The database lives in your `.git` directory where you can use it in CI to catch dependency changes in pull requests.
+
+The core commands (`list`, `history`, `blame`, `diff`, `stale`, etc.) work entirely from your git history with no network access. Additional commands fetch external data: `vulns` checks [OSV](https://osv.dev) for known CVEs, while `outdated` and `licenses` query [ecosyste.ms](https://packages.ecosyste.ms/) for registry metadata. See [docs/enrichment.md](docs/enrichment.md) for details on external data.
 
 ## Installation
 
@@ -45,6 +47,8 @@ git pkgs history rails  # track a specific package
 git pkgs why rails      # why was this added?
 git pkgs diff --from=HEAD~10  # what changed recently?
 git pkgs diff --from=main --to=feature  # compare branches
+git pkgs vulns          # scan for known CVEs
+git pkgs vulns blame    # who introduced each vulnerability
 ```
 
 ## Commands
@@ -254,22 +258,69 @@ This shows dependencies grouped by type (runtime, development, etc).
 git pkgs stale                  # list deps by how long since last touched
 git pkgs stale --days=365       # only show deps untouched for a year
 git pkgs stale --ecosystem=npm  # filter by ecosystem
-git pkgs outdated               # alias for stale
 ```
 
 Shows dependencies sorted by how long since they were last changed in your repo. Useful for finding packages that may have been forgotten or need review.
 
+### Find outdated dependencies
+
+```bash
+git pkgs outdated               # show packages with newer versions available
+git pkgs outdated --major       # only major version updates
+git pkgs outdated --minor       # minor and major updates (skip patch)
+git pkgs outdated --stateless   # no database needed
+```
+
+Checks package registries (via [ecosyste.ms](https://packages.ecosyste.ms/)) to find dependencies with newer versions available. Major updates are shown in red, minor in yellow, patch in cyan.
+
+### Check licenses
+
+```bash
+git pkgs licenses               # show license for each dependency
+git pkgs licenses --permissive  # flag copyleft licenses
+git pkgs licenses --allow=MIT,Apache-2.0  # explicit allow list
+git pkgs licenses --group       # group output by license
+git pkgs licenses --stateless   # no database needed
+```
+
+Fetches license information from package registries. Exits with code 1 if violations are found, making it suitable for CI. See [docs/enrichment.md](docs/enrichment.md) for all options.
+
 ### Vulnerability scanning
 
+Scan dependencies for known CVEs using the [OSV database](https://osv.dev). Because git-pkgs tracks the full history of every dependency change, it provides context that static scanners can't: who introduced a vulnerability, when it was fixed, and how long you were exposed.
+
 ```bash
-git pkgs vulns                  # scan current dependencies for known CVEs
+git pkgs vulns                  # scan current dependencies
+git pkgs vulns v1.0.0           # scan at a tag, branch, or commit
 git pkgs vulns -s high          # only critical and high severity
+git pkgs vulns -e npm           # filter by ecosystem
+git pkgs vulns -f sarif         # output for GitHub code scanning
+```
+
+Subcommands for historical analysis:
+
+```bash
 git pkgs vulns blame            # who introduced each vulnerability
+git pkgs vulns blame --all-time # include fixed vulnerabilities
 git pkgs vulns praise           # who fixed vulnerabilities
-git pkgs vulns exposure --all-time --summary  # remediation metrics
+git pkgs vulns praise --summary # author leaderboard
+git pkgs vulns exposure         # remediation metrics (CRA compliance)
+git pkgs vulns diff main feature # compare vulnerability state between refs
+git pkgs vulns log              # commits that introduced or fixed vulns
+git pkgs vulns history lodash   # vulnerability timeline for a package
+git pkgs vulns show CVE-2024-1234  # details about a specific CVE
 ```
 
-Uses the [OSV database](https://osv.dev) to check your dependencies against known security advisories. Because git-pkgs tracks the full history, it can show who introduced and fixed each vulnerability. See [docs/vulns.md](docs/vulns.md) for full documentation.
+Output formats: `text` (default), `json`, and `sarif`. SARIF integrates with GitHub Advanced Security:
+
+```yaml
+- run: git pkgs vulns --stateless -f sarif > results.sarif
+- uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: results.sarif
+```
+
+Vulnerability data is cached locally and refreshed automatically when stale (>24h). Use `git pkgs vulns sync --refresh` to force an update. See [docs/vulns.md](docs/vulns.md) for full documentation.
 
 ### Diff between commits
 
@@ -497,6 +548,7 @@ Git::Pkgs::Database.connect(repo_git_dir)
 Git::Pkgs::Models::DependencyChange.where(name: "rails").all
 ```
 
+
 ## Contributing
 
 Bug reports, feature requests, and pull requests are welcome. If you're unsure about a change, open an issue first to discuss it.

data/lib/git/pkgs/analyzer.rb

@@ -33,7 +33,7 @@ module Git
         REQUIRE Project.toml Manifest.toml
         shard.yml shard.lock
         elm-package.json elm_dependencies.json elm-stuff/exact-dependencies.json
-        haxelib.json
+        haxelib.json stack.yaml stack.yaml.lock
         action.yml action.yaml .github/workflows/*.yml .github/workflows/*.yaml
         Dockerfile docker-compose*.yml docker-compose*.yaml
         dvc.yaml vcpkg.json _generated-vcpkg-list.json

data/lib/git/pkgs/cli.rb

@@ -33,7 +33,9 @@ module Git
         },
         "Analysis" => {
           "stats" => "Show dependency statistics",
-          "stale" => "Show dependencies that haven't been updated"
+          "stale" => "Show dependencies that haven't been updated",
+          "outdated" => "Show packages with newer versions available",
+          "licenses" => "Show licenses for dependencies"
         },
         "Security" => {
           "vulns" => "Scan for known vulnerabilities"
@@ -42,7 +44,7 @@ module Git
 
       COMMANDS = COMMAND_GROUPS.values.flat_map(&:keys).freeze
       COMMAND_DESCRIPTIONS = COMMAND_GROUPS.values.reduce({}, :merge).freeze
-      ALIASES = { "praise" => "blame", "outdated" => "stale" }.freeze
+      ALIASES = { "praise" => "blame" }.freeze
 
       def self.run(args)
         new(args).run

data/lib/git/pkgs/commands/diff_driver.rb

@@ -24,18 +24,24 @@ module Git
           gems.locked
           glide.lock
           go.mod
+          go.sum
+          gradle.lockfile
           mix.lock
           npm-shrinkwrap.json
           package-lock.json
           packages.lock.json
           paket.lock
+          pdm.lock
           pnpm-lock.yaml
           poetry.lock
           project.assets.json
           pubspec.lock
           pylock.toml
+          renv.lock
           shard.lock
+          stack.yaml.lock
           uv.lock
+          verification-metadata.xml
           yarn.lock
         ].freeze
 

data/lib/git/pkgs/commands/licenses.rb

@@ -0,0 +1,378 @@
+# frozen_string_literal: true
+
+require "optparse"
+
+module Git
+  module Pkgs
+    module Commands
+      class Licenses
+        include Output
+
+        PERMISSIVE = %w[
+          MIT Apache-2.0 BSD-2-Clause BSD-3-Clause ISC Unlicense CC0-1.0
+          0BSD WTFPL Zlib BSL-1.0
+        ].freeze
+
+        COPYLEFT = %w[
+          GPL-2.0 GPL-3.0 LGPL-2.1 LGPL-3.0 AGPL-3.0 MPL-2.0
+          GPL-2.0-only GPL-2.0-or-later GPL-3.0-only GPL-3.0-or-later
+          LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later
+          AGPL-3.0-only AGPL-3.0-or-later
+        ].freeze
+
+        def self.description
+          "Show licenses for dependencies"
+        end
+
+        def initialize(args)
+          @args = args.dup
+          @options = parse_options
+        end
+
+        def parse_options
+          options = { allow: [], deny: [] }
+
+          parser = OptionParser.new do |opts|
+            opts.banner = "Usage: git pkgs licenses [options]"
+            opts.separator ""
+            opts.separator "Show licenses for dependencies with optional compliance checks."
+            opts.separator ""
+            opts.separator "Options:"
+
+            opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v|
+              options[:ecosystem] = v
+            end
+
+            opts.on("-r", "--ref=REF", "Git ref to check (default: HEAD)") do |v|
+              options[:ref] = v
+            end
+
+            opts.on("-f", "--format=FORMAT", "Output format (text, json, csv)") do |v|
+              options[:format] = v
+            end
+
+            opts.on("--allow=LICENSES", "Comma-separated list of allowed licenses") do |v|
+              options[:allow] = v.split(",").map(&:strip)
+            end
+
+            opts.on("--deny=LICENSES", "Comma-separated list of denied licenses") do |v|
+              options[:deny] = v.split(",").map(&:strip)
+            end
+
+            opts.on("--permissive", "Only allow permissive licenses (MIT, Apache, BSD, etc.)") do
+              options[:permissive] = true
+            end
+
+            opts.on("--copyleft", "Flag copyleft licenses (GPL, AGPL, etc.)") do
+              options[:copyleft] = true
+            end
+
+            opts.on("--unknown", "Flag packages with unknown/missing licenses") do
+              options[:unknown] = true
+            end
+
+            opts.on("--group", "Group output by license") do
+              options[:group] = true
+            end
+
+            opts.on("--stateless", "Parse manifests directly without database") do
+              options[:stateless] = true
+            end
+
+            opts.on("-h", "--help", "Show this help") do
+              puts opts
+              exit
+            end
+          end
+
+          parser.parse!(@args)
+          options
+        end
+
+        def run
+          repo = Repository.new
+          use_stateless = @options[:stateless] || !Database.exists?(repo.git_dir)
+
+          if use_stateless
+            Database.connect_memory
+            deps = get_dependencies_stateless(repo)
+          else
+            Database.connect(repo.git_dir)
+            deps = get_dependencies_with_database(repo)
+          end
+
+          if deps.empty?
+            empty_result "No dependencies found"
+            return
+          end
+
+          if @options[:ecosystem]
+            deps = deps.select { |d| d[:ecosystem].downcase == @options[:ecosystem].downcase }
+          end
+
+          deps = Analyzer.pair_manifests_with_lockfiles(deps)
+
+          if deps.empty?
+            empty_result "No dependencies found"
+            return
+          end
+
+          packages = deps.map do |dep|
+            purl = PurlHelper.build_purl(ecosystem: dep[:ecosystem], name: dep[:name]).to_s
+            {
+              purl: purl,
+              name: dep[:name],
+              ecosystem: dep[:ecosystem],
+              version: dep[:requirement],
+              manifest_path: dep[:manifest_path]
+            }
+          end.uniq { |p| p[:purl] }
+
+          enrich_packages(packages.map { |p| p[:purl] })
+
+          packages.each do |pkg|
+            db_pkg = Models::Package.first(purl: pkg[:purl])
+            pkg[:license] = db_pkg&.license
+            pkg[:violation] = check_violation(pkg[:license])
+          end
+
+          violations = packages.select { |p| p[:violation] }
+
+          case @options[:format]
+          when "json"
+            output_json(packages, violations)
+          when "csv"
+            output_csv(packages)
+          else
+            if @options[:group]
+              output_grouped(packages, violations)
+            else
+              output_text(packages, violations)
+            end
+          end
+
+          exit 1 if violations.any?
+        end
+
+        def check_violation(license)
+          return "unknown" if @options[:unknown] && (license.nil? || license.empty?)
+
+          return nil if license.nil? || license.empty?
+
+          if @options[:permissive]
+            return "copyleft" if COPYLEFT.any? { |l| license_matches?(license, l) }
+            return "not-permissive" unless PERMISSIVE.any? { |l| license_matches?(license, l) }
+          end
+
+          if @options[:copyleft]
+            return "copyleft" if COPYLEFT.any? { |l| license_matches?(license, l) }
+          end
+
+          if @options[:allow].any?
+            return "not-allowed" unless @options[:allow].any? { |l| license_matches?(license, l) }
+          end
+
+          if @options[:deny].any?
+            return "denied" if @options[:deny].any? { |l| license_matches?(license, l) }
+          end
+
+          nil
+        end
+
+        def license_matches?(license, pattern)
+          license.downcase.include?(pattern.downcase)
+        end
+
+        def enrich_packages(purls)
+          packages_by_purl = {}
+          purls.each do |purl|
+            parsed = Purl::PackageURL.parse(purl)
+            ecosystem = PurlHelper::ECOSYSTEM_TO_PURL_TYPE.invert[parsed.type] || parsed.type
+            pkg = Models::Package.find_or_create_by_purl(
+              purl: purl,
+              ecosystem: ecosystem,
+              name: parsed.name
+            )
+            packages_by_purl[purl] = pkg
+          end
+
+          stale_purls = packages_by_purl.select { |_, pkg| pkg.needs_enrichment? }.keys
+          return if stale_purls.empty?
+
+          client = EcosystemsClient.new
+          begin
+            results = Spinner.with_spinner("Fetching package metadata...") do
+              client.bulk_lookup(stale_purls)
+            end
+            results.each do |purl, data|
+              packages_by_purl[purl]&.enrich_from_api(data)
+            end
+          rescue EcosystemsClient::ApiError => e
+            $stderr.puts "Warning: Could not fetch package data: #{e.message}" unless Git::Pkgs.quiet
+          end
+        end
+
+        def output_text(packages, violations)
+          max_name = packages.map { |p| p[:name].length }.max || 20
+          max_license = packages.map { |p| (p[:license] || "").length }.max || 10
+          max_license = [max_license, 20].min
+
+          packages.sort_by { |p| [p[:license] || "zzz", p[:name]] }.each do |pkg|
+            name = pkg[:name].ljust(max_name)
+            license = (pkg[:license] || "unknown").ljust(max_license)[0, max_license]
+            ecosystem = pkg[:ecosystem]
+
+            line = "#{name}  #{license}  (#{ecosystem})"
+
+            colored = if pkg[:violation]
+                        Color.red("#{line}  [#{pkg[:violation]}]")
+                      else
+                        line
+                      end
+
+            puts colored
+          end
+
+          output_summary(packages, violations)
+        end
+
+        def output_grouped(packages, violations)
+          by_license = packages.group_by { |p| p[:license] || "unknown" }
+
+          by_license.sort_by { |license, _| license.downcase }.each do |license, pkgs|
+            has_violation = pkgs.any? { |p| p[:violation] }
+            header = "#{license} (#{pkgs.size})"
+            puts has_violation ? Color.red(header) : Color.bold(header)
+
+            pkgs.sort_by { |p| p[:name] }.each do |pkg|
+              puts "  #{pkg[:name]}"
+            end
+            puts ""
+          end
+
+          output_summary(packages, violations)
+        end
+
+        def output_summary(packages, violations)
+          return unless violations.any?
+
+          puts ""
+          puts Color.red("#{violations.size} license violation#{"s" if violations.size != 1} found")
+        end
+
+        def output_json(packages, violations)
+          require "json"
+          puts JSON.pretty_generate({
+            packages: packages,
+            summary: {
+              total: packages.size,
+              violations: violations.size,
+              by_license: packages.group_by { |p| p[:license] || "unknown" }.transform_values(&:size)
+            }
+          })
+        end
+
+        def output_csv(packages)
+          puts "name,ecosystem,version,license,violation"
+          packages.sort_by { |p| p[:name] }.each do |pkg|
+            puts [
+              pkg[:name],
+              pkg[:ecosystem],
+              pkg[:version],
+              pkg[:license] || "",
+              pkg[:violation] || ""
+            ].map { |v| csv_escape(v) }.join(",")
+          end
+        end
+
+        def csv_escape(value)
+          if value.to_s.include?(",") || value.to_s.include?('"')
+            "\"#{value.to_s.gsub('"', '""')}\""
+          else
+            value.to_s
+          end
+        end
+
+        def get_dependencies_stateless(repo)
+          ref = @options[:ref] || "HEAD"
+          commit_sha = repo.rev_parse(ref)
+          rugged_commit = repo.lookup(commit_sha)
+
+          error "Could not resolve '#{ref}'" unless rugged_commit
+
+          analyzer = Analyzer.new(repo)
+          analyzer.dependencies_at_commit(rugged_commit)
+        end
+
+        def get_dependencies_with_database(repo)
+          ref = @options[:ref] || "HEAD"
+          commit_sha = repo.rev_parse(ref)
+          target_commit = Models::Commit.first(sha: commit_sha)
+
+          return get_dependencies_stateless(repo) unless target_commit
+
+          branch_name = repo.default_branch
+          branch = Models::Branch.first(name: branch_name)
+          return [] unless branch
+
+          compute_dependencies_at_commit(target_commit, branch)
+        end
+
+        def compute_dependencies_at_commit(target_commit, branch)
+          snapshot_commit = branch.commits_dataset
+            .join(:dependency_snapshots, commit_id: :id)
+            .where { Sequel[:commits][:committed_at] <= target_commit.committed_at }
+            .order(Sequel.desc(Sequel[:commits][:committed_at]))
+            .distinct
+            .first
+
+          deps = {}
+          if snapshot_commit
+            snapshot_commit.dependency_snapshots.each do |s|
+              key = [s.manifest.path, s.name]
+              deps[key] = {
+                manifest_path: s.manifest.path,
+                manifest_kind: s.manifest.kind,
+                name: s.name,
+                ecosystem: s.ecosystem,
+                requirement: s.requirement,
+                dependency_type: s.dependency_type
+              }
+            end
+          end
+
+          if snapshot_commit && snapshot_commit.id != target_commit.id
+            commit_ids = branch.commits_dataset.select_map(Sequel[:commits][:id])
+            changes = Models::DependencyChange
+              .join(:commits, id: :commit_id)
+              .where(Sequel[:commits][:id] => commit_ids)
+              .where { Sequel[:commits][:committed_at] > snapshot_commit.committed_at }
+              .where { Sequel[:commits][:committed_at] <= target_commit.committed_at }
+              .order(Sequel[:commits][:committed_at])
+              .eager(:manifest)
+              .all
+
+            changes.each do |change|
+              key = [change.manifest.path, change.name]
+              case change.change_type
+              when "added", "modified"
+                deps[key] = {
+                  manifest_path: change.manifest.path,
+                  manifest_kind: change.manifest.kind,
+                  name: change.name,
+                  ecosystem: change.ecosystem,
+                  requirement: change.requirement,
+                  dependency_type: change.dependency_type
+                }
+              when "removed"
+                deps.delete(key)
+              end
+            end
+          end
+
+          deps.values
+        end
+      end
+    end
+  end
+end