Brussels / 31 January & 1 February 2026


git blame for your dependencies


Your lockfile shows what dependencies you have but not how you got there. git log on a lockfile is useless noise. Who added left-pad? When did we pick up that transitive dependency? Why do we have three JSON libraries?

git-pkgs is a git subcommand that indexes your dependency history into a SQLite database. It parses manifests across 30+ ecosystems (Gemfile, package.json, Dockerfile, GitHub Actions, etc.) and tracks every add, update, and removal with full commit attribution. Query when any dependency arrived, who added it, and what the commit message said. You can even diff dependencies across branches.

I'll demo the tool and show how a simple schema lets you answer questions your package manager can't.
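
A sketch of the indexing idea described above, as an added example that is not git-pkgs code and does not reproduce its schema: each commit's manifest is diffed against the previous one and every add, update, and removal is stored with its commit attribution. The commit history, the changes table, and the function names are all constructed for illustration.

```python
import json
import sqlite3

# Constructed history: (commit, author, message, package.json text), oldest first.
HISTORY = [
    ("a1c0ffee", "alice", "Initial import",
     '{"dependencies": {"express": "4.18.2"}}'),
    ("b2d0d0d0", "bob", "Pad invoice numbers",
     '{"dependencies": {"express": "4.18.2", "left-pad": "1.3.0"}}'),
    ("c3fade00", "carol", "Bump express for security fix",
     '{"dependencies": {"express": "4.19.2", "left-pad": "1.3.0"}}'),
    ("d4beef11", "alice", "Use String.padStart instead",
     '{"dependencies": {"express": "4.19.2"}}'),
]

def parse_manifest(text):
    """Return {name: version} from a package.json string (direct deps only)."""
    doc = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(doc.get(section, {}))
    return deps

def build_index(history):
    """Diff each manifest against its predecessor; store one row per change."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE changes (
        seq INTEGER, sha TEXT, author TEXT, message TEXT,
        package TEXT, change TEXT, old_version TEXT, new_version TEXT)""")
    prev = {}
    for seq, (sha, author, message, text) in enumerate(history):
        cur = parse_manifest(text)
        for name in sorted(set(prev) | set(cur)):
            old, new = prev.get(name), cur.get(name)
            if old == new:
                continue
            change = "added" if old is None else "removed" if new is None else "updated"
            db.execute("INSERT INTO changes VALUES (?,?,?,?,?,?,?,?)",
                       (seq, sha, author, message, name, change, old, new))
        prev = cur
    return db

def blame(db, package):
    """Full attributed history of one package, oldest first."""
    return db.execute(
        "SELECT sha, author, change, old_version, new_version, message "
        "FROM changes WHERE package = ? ORDER BY seq", (package,)).fetchall()

if __name__ == "__main__":
    for row in blame(build_index(HISTORY), "left-pad"):
        print(row)
```

Storing one row per change rather than one row per snapshot is what makes "who added this, and when was it removed" a single indexed query instead of a walk over every lockfile revision.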

Speakers

Andrew Nesbitt
