On my system guix refresh --list-transitive icecat | grep -Eo '[^ ]*freetype[^ ]*'
yields freetype@2.13.0 Then guix edit freetype@2.13.0 allows me to see exactly where the source is fetched from, and its hash. The manual is: https://guix.gnu.org/manual/devel/en/guix.html#Invoking-guix-refresh but if you don't know what terms to look for, the feature is hard to find. I did not remember "transitive", and found it by looking for "--list-dependant" which I remembered. You may be interested in guix graph, also. Cheers, Edouard. via <help-guix@gnu.org> writes: > How do I know which version of libfreetype6 Icecat is using? My debian > system has been updated with a fix to the vulnerability. But Icecat, > being installed with guix, carries with it I think its own version of > this library, as it is not a dynamic executable. > > https://security-tracker.debian.org/tracker/CVE-2025-27363
