Closed vasumv closed 1 year ago
Popular packages can have hundreds of thousands of dependents (example), which makes them tricky to serve via the API, at least as currently designed. This is also why we only show a precomputed sample of the dependents on the deps.dev website.
You can however use our BigQuery dataset to compute all dependents of a given package version, with a query similar to this one: https://docs.deps.dev/bigquery/v1/#dependent-count
I'll be glad to get via API at least the Security Advisories of the sub-dependencies of a package, as we can get from the website.
For example, if I use version 2.72.3 of serverless package, I can see here the Security Advisories of the sub-dependencies as well (simple-git in this case, although it’s not a direct sub-dependency).
How can I get this data via the API?
@agmond
GetDependencies call for the package version you're interested in.
GetVersion call, and inspect the advisoryKeys field in the returned objects.
Thanks, @adg.
It would be helpful to have this ability with a single API call, because for a package with thousands of (sub-)dependencies one should call the GetVersion API thousands of times
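The two-step lookup discussed above (one GetDependencies call, then one GetVersion call per node, reading advisoryKeys), as an added example that is not code from this thread or from deps.dev. The REST paths under `api.deps.dev/v3` and the `nodes`, `versionKey` and `relation` fields are assumed from the public v3 API and are not stated in the thread; the sample responses, the `example-direct-dep` package, the simple-git version and the advisory ID are constructed placeholders so the block runs offline.

```python
import json
import urllib.parse
import urllib.request

# Assumption: v3 REST base path; the thread names the calls but not their URLs.
BASE = "https://api.deps.dev/v3"

def http_get_json(url):
    """Default transport: one HTTPS GET, decoded as JSON."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def version_url(system, name, version):
    # Escape each segment: names like "@scope/pkg" contain "/" and "@".
    s, n, v = (urllib.parse.quote(p, safe="") for p in (system, name, version))
    return f"{BASE}/systems/{s}/packages/{n}/versions/{v}"

def transitive_advisories(system, name, version, get_json=http_get_json):
    """Return {'name@version': {relation, advisories}} for affected graph nodes."""
    # Step 1: GetDependencies returns the resolved graph, root node included.
    graph = get_json(version_url(system, name, version) + ":dependencies")
    findings = {}
    for node in graph.get("nodes", []):
        key = node["versionKey"]
        # Step 2: one GetVersion call per node; this is the per-dependency cost.
        detail = get_json(version_url(key["system"], key["name"], key["version"]))
        ids = [a["id"] for a in detail.get("advisoryKeys", [])]
        if ids:
            findings[f"{key['name']}@{key['version']}"] = {
                "relation": node.get("relation"), "advisories": ids}
    return findings

# Constructed responses (not real API output); the advisory ID is a placeholder.
_ROOT = version_url("NPM", "serverless", "2.72.3")
_NPM = lambda name, ver: {"system": "NPM", "name": name, "version": ver}
SAMPLE = {
    _ROOT + ":dependencies": {"nodes": [
        {"versionKey": _NPM("serverless", "2.72.3"), "relation": "SELF"},
        {"versionKey": _NPM("example-direct-dep", "1.0.0"), "relation": "DIRECT"},
        {"versionKey": _NPM("simple-git", "0.0.0"), "relation": "INDIRECT"}]},
    _ROOT: {"advisoryKeys": []},
    version_url("NPM", "example-direct-dep", "1.0.0"): {"advisoryKeys": []},
    version_url("NPM", "simple-git", "0.0.0"): {
        "advisoryKeys": [{"id": "GHSA-xxxx-xxxx-xxxx"}]},
}
CALLS = []  # records every request so the call count can be inspected

def fake_get_json(url):
    CALLS.append(url)
    return SAMPLE[url]
```

Passing `get_json=fake_get_json` runs the lookup against the constructed data; omitting it uses the live HTTPS transport.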
Hi @agmond! I filed #16 to discuss including advisories (and other things, such as licenses), and will close this issue, as the original question about dependents has been answered.
Would it be possible to query the dependents of a particular package using the API? The info is available on the deps.dev website (e.g. https://deps.dev/maven/org.apache.logging.log4j%3Alog4j-core/2.20.0/dependents ). Currently, it seems like the API has support for fetching the dependency graph, but I'm wondering if the dependent data could also be exposed.
Thanks!