Automic VaultAutomic Vault

brew

Install git-pkgs with Homebrew, Nix, scoop

Track package dependencies across git history. Version 0.17.0 via Homebrew; verified 2026-06-29.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install git-pkgs

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#git-pkgs

nixpkgs package indexes · pkgs/by-name/gi/git-pkgs/package.nix · source: api.github.com

Windows

Scoopverified · 92%
scoop install main/git-pkgs

Scoop official bucket manifest trees · bucket/git-pkgs.json · source: api.github.com

overview

Package summary

Track package dependencies across git history

Commands and aliases

  • git-pkgs

history

Project history and usage

git-pkgs is a Git subcommand for indexing dependency changes across repository history into SQLite, so teams can ask when packages were added, changed, removed, or linked to vulnerability and license events.

Project history

The project began as a Ruby implementation by Andrew Nesbitt and was later rewritten in Go under the git-pkgs organization. Both READMEs describe the same core idea: lockfiles and manifests show dependency state, but a queryable Git-history database explains how that state came to exist.

The Go repository began in January 2026 and kept the Git-subcommand interface while broadening the command set around vulnerability history, SBOM export, licenses, package-manager operations, changelog lookup, plugin support, structured help output, and CI actions.

Adoption history

git-pkgs fits the supply-chain tooling ecosystem around OSV, Package URLs, CycloneDX, SPDX, and ecosyste.ms. Its package-manager coverage in the input includes Homebrew, Nix, and Scoop, and the README documents GitHub Actions workflows for dependency diffs, vulnerability reports, and license checks in pull requests.

How it is used

Practitioners run git pkgs init inside a repository to build .git/pkgs.sqlite3, then use subcommands such as list, history, blame, diff, stale, vulns, licenses, sbom, and changelog. The tool is designed to work offline for Git-history queries and to use external services only for enrichment such as vulnerabilities, registry metadata, and changelogs.

Security and platform teams use it to explain who introduced a dependency or vulnerability, compare branches semantically instead of reading lockfile noise, generate SBOMs, and add CI checks that focus reviewers on dependency changes.

Why package nerds care

git-pkgs is notable because it treats dependency manifests as historical data rather than only static files. Its support for many package managers, Package URLs, OSV, ecosyste.ms, and SBOM formats makes it a package-nerd tool for answering provenance and maintenance questions across language ecosystems from inside ordinary Git workflows.

Timeline

  • 2026: Original Ruby repository tagged v0.1.0.
  • 2026: Go rewrite repository began under github.com/git-pkgs/git-pkgs.
  • 2026: v0.9.0 tag published for the Go implementation.
  • 2026: v0.17.0 tag published after additions around package-management and supply-chain workflows.

Related projects

  • The original Ruby repository is github.com/andrew/git-pkgs.
  • git-pkgs/actions provides reusable GitHub Actions for CI use.
  • ecosyste.ms and OSV provide registry and vulnerability data used by enrichment commands.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for git-pkgs. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
git-pkgscliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.17.0
manager updated2026-06-29
local dataok
upstreamcurrent
latest detectedv0.17.0

https://github.com/git-pkgs/git-pkgs

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:git-pkgs
Version0.17.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/git-pkgs
Homepagehttps://git-pkgs.dev
Repositoryhttps://github.com/git-pkgs/git-pkgs
Upstream docshttps://github.com/git-pkgs/git-pkgs#readme
LicenseMIT
Source archivehttps://github.com/git-pkgs/git-pkgs/archive/refs/tags/v0.17.0.tar.gz
Last updated2026-06-29T15:49:54Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namegit-pkgs
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

git-pkgs

nix profile install nixpkgs#git-pkgs
  • normalized package name match
  • Matched by: Git Pkgs
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/gi/git-pkgs/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
Scoop95%

main/git-pkgs

scoop install main/git-pkgs
  • normalized package name match
  • Matched by: Git Pkgs
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/git-pkgs.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment