After reading about the recently discovered xz Utils backdoor vulnerability, I checked Homebrew to see if I had xz Utils installed on my computer. I did have it installed, but luckily it wasn’t the affected version. Since I didn’t install it directly, it was a dependency of something else. So how do I figure out what is using it? I found the answer on Stack Overflow.
The brew info command will show a list of dependencies for a package:
brew info phpBut the problem is that brew info doesn’t show the dependencies of those dependencies. The brew deps command will show a complete dependency tree of all installed packages:
brew deps --tree --installedAdd a package name at the end of the command to show the dependency tree of a single package:
brew deps --tree --installed phpYou can also list all installed packages that have a specified dependency by using the brew uses command:
brew uses --installed xzThe brew uses command is probably the most useful when trying to find everything that uses a specific package, which is exactly what I needed in this situation.