Querying Dependencies

List, group, and trace a project's dependencies with xgrep deps — flat inventory, per-manifest tree, and go-mod-why-style usage.

xgrep deps answers questions about a project's dependencies. It is built on the same offline SBOM as xgrep sbom plus the package-aware code graph, and has three subcommands:

  • deps list — a flat, scope-tagged inventory.
  • deps tree — each manifest's root, direct, and transitive sets.
  • deps why — which dependencies your code actually imports, and where.

All queries are offline (file parsing plus graph queries, no network).

xgrep deps — a scope-tagged dependency inventory, then deps why tracing each package back to the first-party files that import it: flask via app/server.py, requests via app/http_client.py

deps list

List every dependency as a flat inventory, each tagged direct or transitive:

xgrep deps list .
xgrep deps list --scope direct .       # only direct dependencies
xgrep deps list --scope transitive .   # only transitive

direct      go       github.com/spf13/cobra@v1.10.2
direct      npm      react@18.3.1
transitive  npm      scheduler@0.23.2

3 dependencies

A package declared direct by any manifest is reported as direct (direct-wins dedup). Add --json for machine-readable output, --ecosystem to restrict the inventory to one ecosystem, and --ref to read the manifests from a git ref instead of the working tree.

deps tree

Show each discovered manifest grouped as Root → Direct → Transitive. In a monorepo, each module's manifest gets its own tree (no cross-manifest dedup):

xgrep deps tree .
my-service@1.2.0  [go.mod]
  direct (2):
    github.com/spf13/cobra@v1.10.2
    go.mondoo.com/mql@v13.0.0
  transitive (1):
    github.com/inconshreveable/mousetrap@v1.1.0

This is a two-level grouping, not a fully nested tree: parsed manifests expose no package→package edges to nest by. For the complete transitive set across all manifests, use deps list --scope transitive.

deps why

Trace the relationship between your first-party code and a dependency. It works in both directions.

Forward — which dependency packages does the code under a path import directly, and from which files:

xgrep deps why ./cmd
./cmd directly imports 1 package(s):
  github.com/spf13/cobra@v1.10.2 [go]
    via cmd/xgrep/main.go

Reverse (--package) — which first-party files directly import a given package (by name or purl). This answers "is this dependency actually used by our code, and where?":

xgrep deps why --package github.com/spf13/cobra
github.com/spf13/cobra@v1.10.2 [go] is directly imported by 13 file(s):
  cmd/xgrep/ci.go
  cmd/xgrep/deps.go
  cmd/xgrep/main.go

If a package is in the SBOM but no first-party file imports it directly, deps why --package says so — a hint that it's pulled in transitively.

Direct usage only. deps why reports direct code→package imports. Multi-hop import chains and dependency-tree transitivity ("A pulls in B") are not yet tracked. Use deps list --scope transitive for the full transitive inventory.
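The reverse query above is the basis for a common triage step: given a list of dependency names flagged by a scanner, ask deps why --package whether first-party code imports each one directly, and bucket the rest for a transitive-inventory check. The script below is an added example, not part of xgrep's own documentation; it keys only on the header line format shown above ("<pkg> [eco] is directly imported by N file(s):") and treats any other output as "not directly imported", so it does not assume the exact wording xgrep prints for that case. The triage_packages function needs xgrep on PATH; the sample strings are constructed here.

```shell
#!/bin/sh
# Added example (not xgrep's own code): triage dependency names with
# `xgrep deps why --package`, classifying each as directly imported or not.

# why_file_count: read `deps why --package` output on stdin and print the
# number of first-party files that import the package directly (0 if the
# "is directly imported by N file(s):" header is absent).
why_file_count() {
    awk '
        / is directly imported by [0-9]+ file\(s\):/ && !found {
            for (i = 1; i < NF; i++)
                if ($(i+1) == "file(s):") print $i
            found = 1
        }
        END { if (!found) print 0 }'
}

# triage_packages: run xgrep for each package name (or purl) given as an
# argument and print one "used"/"unused" line per package. Requires xgrep;
# the test below exercises only the parser.
triage_packages() {
    for pkg in "$@"; do
        n=$(xgrep deps why --package "$pkg" | why_file_count)
        if [ "$n" -gt 0 ]; then
            printf 'used    %s (%s file(s))\n' "$pkg" "$n"
        else
            printf 'unused  %s (no direct import; see deps list --scope transitive)\n' "$pkg"
        fi
    done
}

# Constructed sample outputs. SAMPLE_USED copies the shape shown on this
# page; SAMPLE_UNUSED is a placeholder for the no-direct-import case, whose
# exact wording is not shown here (the parser does not depend on it).
SAMPLE_USED='github.com/spf13/cobra@v1.10.2 [go] is directly imported by 13 file(s):
  cmd/xgrep/ci.go
  cmd/xgrep/deps.go
  cmd/xgrep/main.go'
SAMPLE_UNUSED='github.com/inconshreveable/mousetrap@v1.1.0 [go]: (placeholder: no direct importer reported)'
```

Run `triage_packages $(xgrep deps list --scope direct . | awk '{print $3}' | sed 's/@.*//')` to check every declared-direct package for an actual first-party importer.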