google / deps.dev

Resources for the deps.dev API
https://deps.dev
Apache License 2.0

Querying for dependent packages #3

Closed vasumv closed 1 year ago

vasumv commented 1 year ago

Would it be possible to query the dependents of a particular package using the API? The info is available on the deps.dev website (e.g. https://deps.dev/maven/org.apache.logging.log4j%3Alog4j-core/2.20.0/dependents ). Currently, it seems like the API has support for fetching the dependency graph, but I'm wondering if the dependent data could also be exposed.

Thanks!

sarnesjo commented 1 year ago

Popular packages can have hundreds of thousands of dependents (example), which makes them tricky to serve via the API, at least as currently designed. This is also why we only show a precomputed sample of the dependents on the deps.dev website.

You can however use our BigQuery dataset to compute all dependents of a given package version, with a query similar to this one: https://docs.deps.dev/bigquery/v1/#dependent-count

agmond commented 1 year ago

I'd be glad to get, via the API, at least the Security Advisories of the sub-dependencies of a package, as we can from the website. For example, if I use version 2.72.3 of the serverless package, I can see here the Security Advisories of the sub-dependencies as well (simple-git in this case, although it's not a direct sub-dependency). How can I get this data via the API?


adg commented 1 year ago

@agmond

  1. Do a GetDependencies call for the package version you're interested in.
  2. For each node in the response, do a GetVersion call, and inspect the advisoryKeys field in the returned objects.
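
The two-step procedure above, as an added worked example in Python; it is not code from the deps.dev project or from anyone in this thread. It makes one GetDependencies call for the root version, then one GetVersion call per node in the returned graph, and collects each node's advisoryKeys. The REST prefix API_BASE, the path shapes built by version_path(), and the JSON field names nodes, versionKey and advisoryKeys are my reading of the deps.dev v3 REST API and should be checked against https://docs.deps.dev; the sample responses embedded so the script runs offline are constructed, and the package names, versions and advisory ids in them are placeholders, not real packages or advisories.

```python
"""Added example (not deps.dev project code): GetDependencies once, then
GetVersion once per node, collecting advisoryKeys for every node in the graph.

Assumptions to verify against https://docs.deps.dev before relying on them:
the REST prefix API_BASE, the path shapes in version_path(), and the JSON
field names "nodes", "versionKey" and "advisoryKeys".
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

API_BASE = "https://api.deps.dev/v3"  # assumption: v3 REST prefix
Fetcher = Callable[[str], dict]       # path under API_BASE -> parsed JSON body


def http_fetch(path: str) -> dict:
    """Live fetcher: GET API_BASE + path and decode the JSON body."""
    with urllib.request.urlopen(API_BASE + path, timeout=30) as resp:
        return json.load(resp)


def version_path(system: str, name: str, version: str) -> str:
    """Path of a GetVersion call; append ':dependencies' for GetDependencies.
    Names such as 'org.apache.logging.log4j:log4j-core' or '@scope/pkg' are
    percent-encoded as one path segment (':' -> %3A, '/' -> %2F), matching the
    website URL quoted in the thread. Lower-casing the system is an assumption."""
    return "/systems/{}/packages/{}/versions/{}".format(
        system.lower(),
        urllib.parse.quote(name, safe=""),
        urllib.parse.quote(version, safe=""),
    )


def advisories_for_graph(system: str, name: str, version: str,
                         fetch: Fetcher = http_fetch) -> Dict[str, List[str]]:
    """Map 'system/name@version' -> advisory ids for every node of the resolved
    graph, transitive nodes included. Costs 1 + N requests for N nodes."""
    graph = fetch(version_path(system, name, version) + ":dependencies")
    report: Dict[str, List[str]] = {}
    for node in graph.get("nodes", []):
        vk = node["versionKey"]
        key = "{}/{}@{}".format(vk["system"], vk["name"], vk["version"])
        if key in report:          # one GetVersion per distinct version key
            continue
        info = fetch(version_path(vk["system"], vk["name"], vk["version"]))
        report[key] = [a["id"] for a in info.get("advisoryKeys", [])]
    return report


def affected_only(report: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only nodes that carry at least one advisory."""
    return {k: v for k, v in report.items() if v}


class CountingFetcher:
    """Wraps a fetcher and counts requests, making the 1 + N cost visible."""
    def __init__(self, fetch: Fetcher) -> None:
        self.fetch, self.calls = fetch, 0

    def __call__(self, path: str) -> dict:
        self.calls += 1
        return self.fetch(path)


# Constructed sample responses so the example runs offline. Package names,
# versions and advisory ids are placeholders, not real packages or advisories.
_SAMPLE_RESPONSES = {
    "/systems/npm/packages/example-app/versions/1.0.0:dependencies": {
        "nodes": [
            {"versionKey": {"system": "NPM", "name": "example-app", "version": "1.0.0"}},
            {"versionKey": {"system": "NPM", "name": "@example/lib", "version": "2.1.0"}},
            {"versionKey": {"system": "NPM", "name": "example-transitive", "version": "0.3.0"}},
        ],
        "edges": [{"fromNode": 0, "toNode": 1}, {"fromNode": 1, "toNode": 2}],
    },
    "/systems/npm/packages/example-app/versions/1.0.0": {"advisoryKeys": []},
    "/systems/npm/packages/%40example%2Flib/versions/2.1.0": {"advisoryKeys": []},
    "/systems/npm/packages/example-transitive/versions/0.3.0": {
        "advisoryKeys": [{"id": "EXAMPLE-ADVISORY-1"}, {"id": "EXAMPLE-ADVISORY-2"}],
    },
}


def sample_fetch(path: str) -> dict:
    return _SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    counted = CountingFetcher(sample_fetch)   # swap in http_fetch for a live run
    report = advisories_for_graph("npm", "example-app", "1.0.0", fetch=counted)
    print(json.dumps(affected_only(report), indent=2))
    print("requests:", counted.calls)
```

For a live run pass http_fetch instead of sample_fetch. The request counter is the practical caveat: a graph with thousands of nodes means thousands of GetVersion calls, so cache results per version key across runs and expect rate limiting. An empty advisoryKeys list only means deps.dev has no advisory recorded for that version, and the graph is deps.dev's own resolution of the version, which may differ from what a project's lockfile actually pins.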

agmond commented 1 year ago

Thanks, @adg. It would be helpful to have this ability with a single API call, because for a package with thousands of (sub-)dependencies one would have to call the GetVersion API thousands of times.

sarnesjo commented 1 year ago

Hi @agmond! I filed #16 to discuss including advisories (and other things, such as licenses), and will close this issue, as the original question about dependents has been answered.