google / deps.dev

Resources for the deps.dev API
https://deps.dev
Apache License 2.0
242 stars 18 forks

Include advisories and licenses in dependency graphs? #16

Open sarnesjo opened 1 year ago

sarnesjo commented 1 year ago

(Originally requested by @agmond in #3.)

Currently, to get a list of the advisories that affect a package version or one of its dependencies, a client:

  1. Calls GetDependencies.
  2. For each node in the response, calls GetVersion, ideally making many requests concurrently as in the package_lock_licenses example.

If the response from GetDependencies included advisories, only a single call would be needed. The same applies to licenses.

The downside is that the response would be larger (and slower to serve) for all clients, regardless of whether they are interested in advisories (or licenses).
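The two-step client described above, as an added example that is not code from the deps.dev project or from anyone in this thread: one GetDependencies call, then one GetVersion call per node, fanned out over a thread pool. The v3 REST path layout (`/v3/systems/{system}/packages/{name}/versions/{version}`, with `:dependencies` appended for the graph) and the response field names (`nodes[].versionKey`, `relation`, `licenses`, `advisoryKeys[].id`) are this example's understanding of the API, not copied from the page; `SAMPLE`, `sample_fetch`, the package names and the advisory IDs are constructed placeholders so the code runs offline.

```python
"""Two-step deps.dev lookup: GetDependencies, then GetVersion per node."""
import json
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

API = "https://api.deps.dev"


def version_path(system: str, name: str, version: str) -> str:
    """Path of the GetVersion endpoint (v3 REST layout as understood here; an assumption).

    The system is lower-cased because responses spell it "NPM" while the
    documented paths use "npm"; the name is quoted so "@scope/pkg" becomes
    "@scope%2Fpkg" instead of an extra path segment.
    """
    return "/v3/systems/%s/packages/%s/versions/%s" % (
        system.lower(), urllib.parse.quote(name, safe=""), urllib.parse.quote(version, safe=""))


def http_fetch(path: str) -> dict:
    """GET one API path against the live service and decode the JSON body.

    urllib raises HTTPError on a non-2xx status (e.g. 404 for an unknown
    version), so a missing node surfaces as an exception, not an empty result.
    """
    with urllib.request.urlopen(API + path, timeout=30) as resp:
        return json.load(resp)


@dataclass
class Finding:
    system: str
    name: str
    version: str
    relation: str  # SELF (the root itself), DIRECT or INDIRECT
    licenses: list = field(default_factory=list)
    advisories: list = field(default_factory=list)


def collect(root: tuple, fetch=http_fetch, workers: int = 8) -> list:
    """One GetDependencies call, then one GetVersion call per node, run concurrently.

    Field names follow the v3 REST responses as understood here (assumption):
    nodes[].versionKey/relation on the graph, licenses/advisoryKeys[].id on a
    version. A failure on any node propagates (pool.map re-raises it) rather
    than silently dropping that node from the report.
    """
    deps = fetch(version_path(*root) + ":dependencies")
    nodes = deps.get("nodes", [])

    def lookup(node: dict) -> Finding:
        k = node["versionKey"]
        v = fetch(version_path(k["system"], k["name"], k["version"]))
        return Finding(k["system"], k["name"], k["version"], node.get("relation", ""),
                       list(v.get("licenses", [])),
                       [a["id"] for a in v.get("advisoryKeys", [])])

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lookup, nodes))


def advisory_ids(findings: list) -> list:
    """Sorted set of distinct advisory IDs across the whole graph."""
    return sorted({a for f in findings for a in f.advisories})


# Constructed sample responses keyed by path. Package names and advisory IDs
# are placeholders, not real packages or real advisories.
SAMPLE = {
    "/v3/systems/npm/packages/example-app/versions/1.0.0:dependencies": {
        "nodes": [
            {"versionKey": {"system": "NPM", "name": "example-app", "version": "1.0.0"}, "relation": "SELF"},
            {"versionKey": {"system": "NPM", "name": "dep-a", "version": "2.3.4"}, "relation": "DIRECT"},
            {"versionKey": {"system": "NPM", "name": "dep-b", "version": "0.9.1"}, "relation": "INDIRECT"},
        ]
    },
    "/v3/systems/npm/packages/example-app/versions/1.0.0": {"licenses": ["MIT"], "advisoryKeys": []},
    "/v3/systems/npm/packages/dep-a/versions/2.3.4": {"licenses": ["Apache-2.0"], "advisoryKeys": [{"id": "GHSA-0000-exmp-0002"}]},
    "/v3/systems/npm/packages/dep-b/versions/0.9.1": {"licenses": ["ISC"], "advisoryKeys": [{"id": "GHSA-0000-exmp-0001"}]},
}


def sample_fetch(path: str) -> dict:
    """Offline stand-in for http_fetch; unknown paths fail like a 404 would."""
    if path not in SAMPLE:
        raise LookupError("GET %s: 404 Not Found" % path)
    return SAMPLE[path]


if __name__ == "__main__":
    report = collect(("npm", "example-app", "1.0.0"), fetch=sample_fetch)
    for f in report:
        print("%-8s %s@%s licenses=%s advisories=%s" % (f.relation, f.name, f.version, f.licenses, f.advisories))
    print("distinct advisories:", advisory_ids(report))
```

Two things the join makes visible: the graph's first node is the root package itself, so the per-node lookups cover the root's own advisories as well as its dependencies', and a 404 on any one version aborts the run instead of leaving a silent hole in the report. Passing `fetch=http_fetch` (the default) runs the same code against the live API, one request per node, which is exactly the request volume the issue proposes to collapse into a single call.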

agmond commented 1 year ago

Regarding the downside mentioned above, it can be solved by adding a query param for including the additional data (or by adding a new API call that returns all the data in a single call, keeping the current API unchanged).

adg commented 1 year ago

The extra data parameter is something we did in previous (internal) iterations of the API and it works pretty well, but we may end up just including all the data in the responses always (it's not a huge amount of extra information, and the cost server-side is not significant). This is on our roadmap.

sgustafsson commented 8 months ago

I was also looking for such a single API call to get package and dependency information (especially licensing information in my case). The website seems to do it via https://deps.dev/_/s/maven/p/org.everrest:everrest-core/v/1.15.0/dependencies . @adg mentioned a roadmap for such a single API call, any news on this one?