Skip to main content

TransitiveDependencies

Get the full transitive dependency tree for software components, including both direct and indirect dependencies.
All components in a request must belong to the same ecosystem. Mixing ecosystems (e.g., npm and Maven) results in a validation error.

Request Format

  • depth (optional) — Maximum number of dependency levels to traverse
  • limit (optional) — Maximum number of dependencies returned

HTTP Request Example

curl -X POST 'https://api.scanoss.com/v2/dependencies/transitive/components' \
  -H 'Content-Type: application/json' \
  -H "X-Api-Key: $SC_API_KEY" \
  -d '{
    "depth": 3,
    "limit": 50,
    "components": [
      {"purl": "pkg:npm/express", "requirement": "4.18.0"},
      {"purl": "pkg:npm/lodash", "requirement": "4.17.0"}
    ]
  }' | jq

Response Format

Returns resolved transitive dependencies for the requested components.
  • dependencies: List of direct and transitive dependencies
  • status: Request outcome (success or failure)
Each dependency includes:
  • purl: Dependency Package URL
  • version: Resolved version
  • requirement: Version constraint that resolved the dependency

Response Examples

Complete Transitive Analysis

{
  "dependencies": [
    {
      "purl": "pkg:npm/express",
      "version": "4.18.2",
      "requirement": "4.18.0"
    },
    {
      "purl": "pkg:npm/body-parser",
      "version": "1.20.1",
      "requirement": "~1.20.1"
    },
    {
      "purl": "pkg:npm/cookie",
      "version": "0.5.0",
      "requirement": "0.5.0"
    },
    {
      "purl": "pkg:npm/lodash",
      "version": "4.17.21",
      "requirement": "4.17.0"
    }
  ],
  "status": {
    "status": "SUCCESS",
    "message": "Transitive dependencies successfully retrieved"
  }
}

Component with No Dependencies

{
  "dependencies": [],
  "status": {
    "status": "SUCCESS",
    "message": "Transitive dependencies successfully retrieved"
  }
}