git blame for your dependencies

Name: git blame for your dependencies
Start: 2026-01-31T14:40:00
End: 2026-01-31T14:40:00
Location: H.2215 (Ferrer)

H.2215 (Ferrer) | Day 2 | 14:40 - 14:55 | Speakers: Andrew Nesbitt

Copy link

Copy link

Open in browser

Get involved in the conversation!Join the chat

Notes

Abstract

Your lockfile shows what dependencies you have but not how you got there. git log on a lockfile is useless noise. Who added left-pad? When did we pick up that transitive dependency? Why do we have three JSON libraries?

git-pkgs is a git subcommand that indexes your dependency history into a SQLite database. It parses manifests across 30+ ecosystems (Gemfile, package.json, Dockerfile, GitHub Actions etc) and tracks every add, update, and removal with full commit attribution. Query when any dependency arrived, who added it, and what the commit message said. You can even diff dependencies across branches.

I'll demo the tool and show how a simple schema lets you answer questions your package manager can't.

Attachments

Slides

Speakers

Andrew Nesbitt

Andrew Nesbitt is a package manager researcher who builds tools and datasets for understanding open source software at scale. He created ecosyste.ms, an open data platform indexing package metadata, repository data, and CI configurations across crates.io, PyPI, npm, and dozens of other ecosystems.

He maps the infrastructure that supports open source: package managers, dependency graphs, and the security properties of software supply chains. ecosyste.ms tracks over 6.5 million Dependabot pull requests, extracts SBOMs from hundreds of thousands of Docker images, and provides open APIs for researchers and maintainers working on ecosystem health.

Andrew shares this work through talks at FOSDEM, PackagingCon, Open Source Summit, and Ruby conferences. He organises the Package Management devroom at FOSDEM.

Previously he created Libraries.io, one of the first large-scale dependency tracking platforms for open source.

External Links

Notice: The placeholder video image is licensed under CC BY-SA 4.0. The original image can be found hereChanges made to the image are: Cropped the image to a new ratio, part of the image was cut off.