Difference between revisions of "Pacman/Tips and tricks"

From ArchWiki
Jump to navigation Jump to search
(Shortcuts: locks error for a reason, it's not something there should be an alias for)
(List available updates: clarify on temp dir)
Line 90: Line 90:
=== List available updates ===
=== List available updates ===
Pacman comes with a script, {{ic|checkupdates}}, which does not require root permissions.
Pacman comes with a script, {{ic|checkupdates}}, which does not require root permissions, and syncs to a temporary directory to prevent [[Pacman#Partial_upgrades_are_unsupported|partial upgrades]].
=== Identify files not owned by any package ===
=== Identify files not owned by any package ===

Revision as of 07:37, 20 September 2015

zh-cn:Pacman tips

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements. See Help:Style for reference.Tango-edit-clear.png

Reason: Brimmed with dubious scripts (Discuss in Talk:Pacman/Tips and tricks#)

This is a collection of common tips for new pacman users. For general methods to improve the flexibility of the provided tips or pacman itself, see Core utilities and Bash.


Cosmetic and convenience

Color output

Pacman has a color option. Uncomment the "Color" line in /etc/pacman.conf.

Operations and Bash syntax

In addition to pacman's standard set of features, there are ways to extend its usability through rudimentary Bash commands/syntax.

  • To install a number of packages sharing similar patterns in their names -- not the entire group nor all matching packages; eg. kde[broken link: package not found]:
# pacman -S kde-{applets,theme,tools}
  • Of course, that is not limited and can be expanded to however many levels needed:
# pacman -S kde-{ui-{kde,kdemod},kdeartwork}
  • Sometimes, -s's builtin ERE can cause a lot of unwanted results, so it has to be limited to match the package name only; not the description nor any other field:
# pacman -Ss '^vim-'
  • pacman has the -q operand to hide the version column, so it is possible to query and reinstall packages with "compiz" as part of their name:
# pacman -S $(pacman -Qq | grep compiz)
  • Or install all packages available in a repository (kde-unstable for example):
# pacman -S $(pacman -Slq kde-unstable)

Graphical front-ends

  • Muon — A collection of package management tools for KDE, using PackageKit.
https://projects.kde.org/projects/kde/workspace/muon || muon
  • GNOME Software — Gnome Software App.
https://wiki.gnome.org/Apps/Software || gnome-software
  • pcurses — Package management in a curses frontend
https://github.com/schuay/pcurses || pcurses


House keeping, in the interest of keeping a clean system and following The Arch Way.

See also System maintenance.

Listing latest installed packages

Install expac and run expac --timefmt='%Y-%m-%d %T' '%l\t%n' | sort | tail -20 or expac --timefmt=%s '%l\t%n' | sort -n | tail -20

Listing installed packages with size

You may want to get the list of installed packages sorted by size, which may be useful when freeing space on your hard drive.

  • Install expac and run expac -s "%-30n %m" | sort -hk 2 | awk '{printf "%s %.0f MiB\n", $1, $2/1024/1024}' | column -t
  • Invoke pacgraph with the -c option to produce a list of all installed packages with their respective sizes on the system. pacgraph is available from [community].
  • List explicitly installed packages not in base or base-devel with size and description: expac -HM "%011m\t%-20n\t%10d" $( comm -23 <(pacman -Qqen|sort) <(pacman -Qqg base base-devel|sort) ) | sort -n

Listing files owned by a package with size

This one might come in handy if you have found that a specific package uses a huge amount of space and you want to find out which files make up the most of that.

$ pacman -Qlq package | grep -v '/$' | xargs du -h | sort -h

Listing installed packages with version

You may want to get the list of installed packages with their version, which is useful when reporting bugs or discussing installed packages.

  • List all explicitly installed packages: pacman -Qe .
  • List all foreign packages (typically manually downloaded and installed): pacman -Qm .
  • List all native packages (installed from the sync database(s)): pacman -Qn .
  • List packages by regex: pacman -Qs <regex> | awk 'BEGIN { RS="\n" ; FS="/" } { print $2 }' | awk '{ if(NF > 0) print $1, $2 }'
  • Install expac and run expac -s "%-30n %v"

List available updates

Pacman comes with a script, checkupdates, which does not require root permissions, and syncs to a temporary directory to prevent partial upgrades.

Identify files not owned by any package

Periodic checks for files outside of pacman database are recommended. These files are often some 3rd party applications installed using the usual procedure (e.g. ./configure && make && make install). Search the file-system for these files (or symlinks) using this simple script:



mkdir "$tmp"
trap 'rm -rf "$tmp"' EXIT

pacman -Qlq | sort -u > "$db"

find /etc /opt /usr ! -name lost+found \( -type d -printf '%p/\n' -o -print \) | sort > "$fs"

comm -23 "$fs" "$db"

To generate the list:

$ pacman-disowned > non-db.txt

Note that one should not delete all files listed in non-db.txt without confirming each entry. There could be various configuration files, logs, etc., so use this list responsibly and only proceed after extensively searching for cross-references using grep.

Here are some one-liner scripts that will be helpful.

Show dirs that do not belong to any package:

alias pacman-disowned-dirs="comm -23 <(sudo find / \( -path '/dev' -o -path '/sys' -o -path '/run' -o -path '/tmp' -o -path '/mnt' -o -path '/srv' -o -path '/proc' -o -path '/boot' -o -path '/home' -o -path '/root' -o -path '/media' -o -path '/var/lib/pacman' -o -path '/var/cache/pacman' \) -prune -o -type d -print | sed 's/\([^/]\)$/\1\//' | sort -u) <(pacman -Qlq | sort -u)"

Show files that do not belong to any package:

alias pacman-disowned-files="comm -23 <(sudo find / \( -path '/dev' -o -path '/sys' -o -path '/run' -o -path '/tmp' -o -path '/mnt' -o -path '/srv' -o -path '/proc' -o -path '/boot' -o -path '/home' -o -path '/root' -o -path '/media' -o -path '/var/lib/pacman' -o -path '/var/cache/pacman' \) -prune -o -type f -print | sort -u) <(pacman -Qlq | sort -u)"

The script in the lostfilesAUR package also excludes common user-created configuration files and directories created by software at runtime.

Removing orphaned packages

For recursively removing orphans and their configuration files:

# pacman -Rns $(pacman -Qtdq)

If no orphans were found, pacman errors with error: no targets specified. This is expected as no arguments were passed to pacman -Rns.

The following function is easily inserted into ~/.bashrc and removes orphans, if found:

orphans() {
  if [[ ! -n $(pacman -Qdt) ]]; then
    echo "No orphans to remove."
    sudo pacman -Rns $(pacman -Qdtq)
Note: Since pacman version 4.2.0 only true orphans are listed. To make pacman also list packages which are only optionally required by another package, pass the -t/--unrequired flag twice:
$ pacman -Qdttq
Use this carefully, as it is not taken into account whether the package is an optional dependency and therefore bears the risk to remove packages which actually are not real orphans.

Removing unused packages

Because a lighter system is easier to maintain, occasionally looking through explicitly installed packages and manually selecting unused packages to be removed can be helpful.

To list explicitly installed packages available in the official repositories:

$ pacman -Qen

To list explicitly installed packages not available in official repositories:

$ pacman -Qem

Removing everything but base group

If it is ever necessary to remove all packages except the base group, try this one liner:

# pacman -R $(comm -23 <(pacman -Qq|sort) <((for i in $(pacman -Qqg base); do pactree -ul $i; done)|sort -u|cut -d ' ' -f 1))

The one-liner was originally devised in this discussion, and later improved in this article.


  1. comm requires sorted input otherwise you get e.g. comm: file 1 is not in sorted order.
  2. pactree prints the package name followed by what it provides. For example:
$ pactree -lu logrotate
dcron cron

The dcron cron line seems to cause problems, that is why cut -d ' ' -f 1 is needed - to keep just the package name.

Listing official installed packages only

$ pacman -Qqn

This list packages that are found in the sync database(s). If the user has unofficial repositories configured, it will list packages from such repositories too.

Getting the dependencies list of several packages

Dependencies are alphabetically sorted and doubles are removed. Note that you can use pacman -Qi to improve response time a little. But you will not be able to query as many packages. Unfound packages are simply skipped (hence the 2>/dev/null). You can get dependencies of AUR packages as well if you use yaourt -Si, but it will slow down the queries.

$ pacman -Si $@ 2>/dev/null | awk -F ": " -v filter="^Depends" \ '$0 ~ filter {gsub(/[>=<][^ ]*/,"",$2) ; gsub(/ +/,"\n",$2) ; print $2}' | sort -u

Alternatively, you can use expac: expac -l '\n' %E -S $@ | sort -u.

Getting the size of several packages

$ expac -S -H K '%k %n' packages

Leave packages blank to list the download size of all packages.

Listing changed configuration files

If you want to backup your system configuration files you could copy all files in /etc/, but usually you are only interested in the files that you have changed. In this case you want to list those changed configuration files, we can do this with the following command:

# pacman -Qii | awk '/^MODIFIED/ {print $2}'

The following script does the same. You need to run it as root or with sudo.

for package in /var/lib/pacman/local/*; do
	sed '/^%BACKUP%$/,/^%/!d' $package/files | tail -n+2 | grep -v '^$' | while read file hash; do
		[ "$(md5sum /$file | (read hash file; echo $hash))" != "$hash" ] && echo $(basename $package) /$file
Tip: See #Listing all changed files from packages to list all changed files pacman knows, not only configuration files.

Listing all packages that nothing else depends on

If you want to generate a list of all installed packages that nothing else depends on, you can use the following script. This is very helpful if you are trying to free hard drive space and have installed a lot of packages that you may not remember. You can browse through the output to find packages which you no longer need.

Note: This script will show all packages that nothing else depends on, including those explicitly installed. To get a list of packages installed as dependencies but no longer required by any installed package, see #Removing orphaned packages.

# This script is designed to help you clean your computer from unneeded
# packages. The script will find all packages that no other installed package
# depends on. It will output this list of packages excluding any you have
# placed in the ignore list. You may browse through the script's output and
# remove any packages you do not need.

# Enter groups and packages here which you know you wish to keep. They will
# not be included in the list of unrequired packages later.
ignoregrp="base base-devel"

comm -23 <(pacman -Qqt | sort) <(echo $ignorepkg | tr ' ' '\n' | cat <(pacman -Sqg $ignoregrp) - | sort -u)

For list with descriptions for packages:

expac -HM "%-20n\t%10d" $( comm -23 <(pacman -Qqt|sort) <(pacman -Qqg base base-devel|sort) )

Backing up Local database with systemd

systemd can take snapshots of the pacman local database, each time it is modified.

Tip: For a more configurable version, use: pakbak-gitAUR

Use the following scripts, changing the value of $pakbak for the backup location accordingly. The pakbak.service can also automaticall be enabled on boot:


declare -r pakbak="/pakbak.tar.xz";  ## set backup location
tar -cJf "$pakbak" "/var/lib/pacman/local";  ## compress & store pacman local database in $pakbak
Description=Back up pacman database

ExecStart=/bin/bash /usr/lib/systemd/scripts/pakbak_script
Description=Back up pacman database



Installation and recovery

Alternative ways of getting and restoring packages.

Installing packages from a CD/DVD or USB stick

To download packages, or groups of packages:

# cd ~/Packages
# pacman -Syw base base-devel grub-bios xorg gimp --cachedir .
# repo-add ./custom.db.tar.gz ./*

Then you can burn the "Packages" folder to a CD/DVD or transfer it to a USB stick, external HDD, etc.

To install:

1. Mount the media:

# mkdir /mnt/repo
# mount /dev/sr0 /mnt/repo    #For a CD/DVD.
# mount /dev/sdxY /mnt/repo   #For a USB stick.

2. Edit pacman.conf and add this repository before the other ones (e.g. extra, core, etc.). This is important. Do not just uncomment the one on the bottom. This way it ensures that the files from the CD/DVD/USB take precedence over those in the standard repositories:

SigLevel = PackageRequired
Server = file:///mnt/repo/Packages

3. Finally, synchronize the pacman database to be able to use the new repository:

# pacman -Sy

Custom local repository

Use the repo-add script included with Pacman to generate a database for a personal repository. Use repo-add --help for more details on its usage. Simply store all of the built packages to be included in the repository in one directory, and execute the following command (where repo is the name of the custom repository):

$ repo-add /path/to/repo.db.tar.gz /path/to/*.pkg.tar.xz
Note: A package database is a tar file, optionally compressed. Valid extensions are “.db” or “.files” followed by an archive extension of “.tar”, “.tar.gz”, “.tar.bz2”, “.tar.xz”, or “.tar.Z”. The file does not need to exist, but all parent directories must exist. Furthermore when using repo-add keep in mind that the database and the packages do not need to be in the same directory. But when using pacman with that database, they should be together.

To add a new package to the database, or to replace the old version of an existing package in the database, run:

$ repo-add /path/to/repo.db.tar.gz /path/to/packagetoadd-1.0-1-i686.pkg.tar.xz

repo-remove is used in the exact same manner as repo-add, except that the packages listed on the command line are removed from the repository database.

Once the local repository database has been created, add the repository to pacman.conf for each system that is to use the repository. An example of a custom repository is in pacman.conf. The repository's name is the database filename with the file extension omitted. In the case of the example above the repository's name would simply be repo. Reference the repository's location using a file:// url, or via FTP using ftp://localhost/path/to/directory.

If willing, add the custom repository to the list of unofficial user repositories, so that the community can benefit from it.

Network shared pacman cache

Read-only cache

If you are looking for a quick and dirty solution, you can simply run a standalone webserver which other computers can use as a first mirror: darkhttpd /var/cache/pacman/pkg. Just add this server at the top of your mirror list. Be aware that you might get a lot of 404 errors, due to cache misses, depending on what you do, but pacman will try the next (real) mirrors when that happens.

Read-write cache

Tip: See pacserve for an alternative (and probably simpler) solution than what follows.

In order to share packages between multiple computers, simply share /var/cache/pacman/ using any network-based mount protocol. This section shows how to use shfs or sshfs to share a package cache plus the related library-directories between multiple computers on the same local network. Keep in mind that a network shared cache can be slow depending on the file-system choice, among other factors.

First, install any network-supporting filesystem; for example sshfs, shfs, ftpfs, smbfs or nfs.

Tip: To use sshfs or shfs, consider reading Using SSH Keys.

Then, to share the actual packages, mount /var/cache/pacman/pkg from the server to /var/cache/pacman/pkg on every client machine.

Synchronize pacman package cache using BitTorrent Sync

BitTorrent Sync is a new way of synchronizing folder via network (it works in LAN and over the internet). It is peer-to-peer so you do not need to set up a server: follow the link for more information. How to share a pacman cache using BitTorrent Sync:

  • First install the btsyncAUR package from the AUR on the machines you want to sync
  • Follow the installation instructions of the AUR package or on the BitTorrent Sync wiki page
    • set up BitTorrent Sync to work for the root account. This process requires read/write to the pacman package cache.
    • make sure to set a good password on btsync's web UI
    • start the systemd daemon for btsync.
    • in the btsync Web GUI add a new synchronized folder on the first machine and generate a new Secret. Point the folder to /var/cache/pacman/pkg
    • Add the folder on all the other machines using the same Secret to share the cached packages between all systems. Or, to set the first system as a master and the others as slaves, use the Read Only Secret. Be sure to point it to /var/cache/pacman/pkg

Now the machines should connect and start synchronizing their cache. Pacman works as expected even during synchronization. The process of syncing is entirely automatic.

Preventing unwanted cache purges

By default, pacman -Sc removes package tarballs from the cache that correspond to packages that are not installed on the machine the command was issued on. Because pacman cannot predict what packages are installed on all machines that share the cache, it will end up deleting files that should not be.

To clean up the cache so that only outdated tarballs are deleted, add this entry in the [options] section of /etc/pacman.conf:

CleanMethod = KeepCurrent

Recreate a package from the file system

To recreate a package from the file system, use bacman (included with pacman). Files from the system are taken as they are, hence any modifications will be present in the assembled package. Distributing the recreated package is therefore discouraged; see ABS and Arch Rollback Machine for alternatives.

Tip: bacman honours the PACKAGER, PKGDEST and PKGEXT options from makepkg.conf. Custom options for the compression tools can be configured by exporting the relevant environment variable, for example XZ_OPT="-T 0" will enable parallel compression for xz.

An alternative tool would be fakepkgAUR. It supports parallelization through parallel and can handle multiple input packages in one command, which bacman both does not support.

Backing up and retrieving a list of installed packages

Tip: You may want to use pacbackupAUR or bacpac to automatise the below tasks.

It is good practice to keep periodic backups of all pacman-installed packages. In the event of a system crash which is unrecoverable by other means, pacman can then easily reinstall the very same packages onto a new installation.

  • First, backup the current list of non-local packages: $ pacman -Qqen > pkglist.txt
  • Store the pkglist.txt on a USB key or other convenient medium or gist.github.com or Evernote, Dropbox, etc.
  • Copy the pkglist.txt file to the new installation, and navigate to the directory containing it.
  • Issue the following command to install from the backup list: # pacman -S $(< pkglist.txt)

In the case you have a list which was not generated like mentioned above, there may be foreign packages in it (i.e. packages not belonging to any repos you have configured, or packages from the AUR).

In such a case, you may still want to install all available packages from that list:

# pacman -S --needed $(comm -12 <(pacman -Slq|sort) <(sort badpkdlist) )


  • pacman -Slq lists all available softwares, but the list is sorted by repository first, hence the sort command.
  • Sorted files are required in order to make the comm command work.
  • The -12 parameter display lines common to both entries.
  • The --needed switch is used to skip already installed packages.

You may also try to install all unavailable packages (those not in the repos) from the AUR using yaourt (not recommended unless you know exactly what you are doing):

$ yaourt -S --needed $(comm -13 <(pacman -Slq|sort) <(sort badpkdlist) )

Finally, you may want to remove all the packages on your system that are not mentioned in the list.

Warning: Use this command wisely, and always check the result prompted by pacman.
# pacman -Rsu $(comm -23 <(pacman -Qq|sort) <(sort pkglist))

List installed packages that are not in a specified group or repository

The following command will list any installed packages that are not in either base or base-devel, and as such were likely installed manually by the user:

$ comm -23 <(pacman -Qeq | sort) <(pacman -Qgq base base-devel | sort)

List all installed packages that are not in specified repository (repo_name in example):

$ comm -23 <(pacman -Qtq | sort) <(pacman -Slq repo_name | sort)

List all installed packages that are in the repo_name repository:

$ comm -12 <(pacman -Qtq | sort) <(pacman -Slq repo_name | sort)

Listing all changed files from packages

If you are suspecting file corruption (e.g. by software / hardware failure), but don't know for sure whether / which files really got corrupted, you might want to compare with the hash sums in the packages. This can be done with the following script.

The script depends on the accuracy of pacman's database in /var/lib/pacman/local/ and the used programs such as bash, grep and so on. For recovery of the database see #Restore pacman's local database. The mtree files can also be extracted as .MTREE from the respective package files.

  • This should not be used as is when suspecting malicious changes! In this case security precautions such as using a live medium and an independent source for the hash sums are advised.
  • This could take a long time, depending on the hardware and installed packages.
#!/bin/bash -e

# Select the hash algorithm. Currently available (see mtree files and mtree(5)):
# md5, sha256

for package in /var/lib/pacman/local/*; do
    [ "$package" = "/var/lib/pacman/local/ALPM_DB_VERSION" ] && continue

    # get files and hash sums
    zgrep " ${algo}digest=" "$package/mtree" | grep -Ev '^\./\.[A-Z]+' | \
        sed 's/^\([^ ]*\).*'"${algo}"'digest=\([a-f0-9]*\).*/\1 \2/' | \
        while read -r file hash
        # expand "\nnn" (in mtree) / "\0nnn" (for echo) escapes of ASCII
        # characters (octal representation)
        for ascii in $(grep -Eo '\\[0-9]{1,3}' <<< "$file"); do
            file="$(sed "s/\\$ascii/$(echo -e "\0${ascii:1}")/" <<< "$file")"

        # check file hash
        if [ "$("${algo}sum" /"$file" | awk '{ print $1; }')" != "$hash" ]; then
            echo "$(basename "$package")" /"$file"

Reinstalling all packages

To reinstall all native packages, use:

# pacman -Qenq | pacman -S -

Foreign (AUR) packages must be reinstalled separately; you can list them with pacman -Qemq.

Pacman preserves the installation reason by default.

Restore pacman's local database

Signs that pacman needs a local database restoration:

  • pacman -Q gives absolutely no output, and pacman -Syu erroneously reports that the system is up to date.
  • When trying to install a package using pacman -S package, and it outputs a list of already satisfied dependencies.
  • When testdb (part of pacman) reports database inconsistency.

Most likely, pacman's database of installed software, /var/lib/pacman/local, has been corrupted or deleted. While this is a serious problem, it can be restored by following the instructions below.

Firstly, make sure pacman's log file is present:

$ ls /var/log/pacman.log

If it does not exist, it is not possible to continue with this method. You may be able to use Xyne's package detection script to recreate the database. If not, then the likely solution is to re-install the entire system.

Log filter script

#!/bin/bash -e

. /etc/makepkg.conf

PKGCACHE=$((grep -m 1 '^CacheDir' /etc/pacman.conf || echo 'CacheDir = /var/cache/pacman/pkg') | sed 's/CacheDir = //')

pkgdirs=("$@" "$PKGDEST" "$PKGCACHE")

while read -r -a parampart; do
  for pkgdir in ${pkgdirs[@]}; do
    [ -f $pkgpath ] && { echo $pkgpath; break; };
  done || echo ${parampart[0]} 1>&2

Make the script executable:

$ chmod +x pacrecover

Generating the package recovery list

Warning: If for some reason your pacman cache or makepkg package destination contain packages for other architectures, remove them before continuation.

Run the script (optionally passing additional directories with packages as parameters):

$ paclog-pkglist /var/log/pacman.log | ./pacrecover >files.list 2>pkglist.orig

This way two files will be created: files.list with package files, still present on machine and pkglist.orig, packages from which should be downloaded. Later operation may result in mismatch between files of older versions of package, still present on machine, and files, found in new version. Such mismatches will have to be fixed manually.

Here is a way to automatically restrict second list to packages available in a repository:

$ { cat pkglist.orig; pacman -Slq; } | sort | uniq -d > pkglist

Check if some important base package are missing, and add them to the list:

$ comm -23 <(pacman -Sgq base) pkglist.orig >> pkglist

Proceed once the contents of both lists are satisfactory, since they will be used to restore pacman's installed package database; /var/lib/pacman/local/.

Performing the recovery

Define bash alias for recovery purposes:

# recovery-pacman() {
    pacman "$@"       \
    --log /dev/null   \
    --noscriptlet     \
    --dbonly          \
    --force           \
    --nodeps          \
    --needed          \

--log /dev/null allows to avoid needless pollution of pacman log, --needed will save some time by skipping packages, already present in database, --nodeps will allow installation of cached packages, even if packages being installed depend on newer versions. Rest of options will allow pacman to operate without reading/writing filesystem.

Populate the sync database:

# pacman -Sy

Start database generation by installing locally available package files from files.list:

# recovery-pacman -U $(< files.list)

Install the rest from pkglist:

# recovery-pacman -S $(< pkglist)

Update the local database so that packages that are not required by any other package are marked as explicitly installed and the other as dependences. You will need be extra careful in the future when removing packages, but with the original database lost is the best we can do.

# pacman -D --asdeps $(pacman -Qq)
# pacman -D --asexplicit $(pacman -Qtq)

Optionally check all installed packages for corruption:

# pacman -Qk

Optionally #Identify files not owned by any package.

Update all packages:

# pacman -Su

Recovering a USB key from existing install

If you have Arch installed on a USB key and manage to mess it up (e.g. removing it while it is still being written to), then it is possible to re-install all the packages and hopefully get it back up and working again (assuming USB key is mounted in /newarch)

# pacman -S $(pacman -Qq --dbpath /newarch/var/lib/pacman) --root /newarch --dbpath /newarch/var/lib/pacman

Extracting contents of a .pkg file

The .pkg files ending in .xz are simply tar'ed archives that can be decompressed with:

$ tar xvf package.tar.xz

If you want to extract a couple of files out of a .pkg file, this would be a way to do it.

Viewing a single file inside a .pkg file

For example, if you want to see the contents of /etc/systemd/logind.conf supplied within the systemd package:

$ tar -xOf /var/cache/pacman/pkg/systemd-204-3-x86_64.pkg.tar.xz etc/systemd/logind.conf

Or you can use vim, then browse the archive:

$ vim /var/cache/pacman/pkg/systemd-204-3-x86_64.pkg.tar.xz

Find applications that use libraries from older packages

Even if you installed a package the existing long-running programs (like daemons and servers) still keep using code from old package libraries. And it is a bad idea to let these programs running if the old library contains a security bug.

Here is a way how to find all the programs that use old packages code:

# lsof +c 0 | grep -w DEL | awk '1 { print $1 ": " $NF }' | sort -u

It will print running program name and old library that was removed or replaced with newer content.