Get Revision Dependencies Post
https://app.fossa.com/api/revisions/{locator}/list-dependenciesRetrieve dependencies for a given revision using the V1 legacy API format. This is a POST version of the GET /api/revisions/:locator/dependencies endpoint that accepts parameters in the request body instead of query parameters. This allows for larger payloads that would exceed URI/header size limits when using query parameters (e.g., when filtering by a large list of locators). **Note**: This endpoint returns the V1 legacy format with streaming JSON array output. For new integrations, consider using the V2 API at GET /v2/revisions/{locator}/dependencies which returns a paginated response with a cleaner data structure. The endpoint returns a streaming JSON array of dependencies with detailed information including the DependencyLock, full license objects, issueTargets, and legacy metadata fields.
Path parameters
locatorstringrequiredThe URL-encoded locator of the revision
Request body · application/json
Query parameters for filtering and configuring the dependency response
limitintegerMaximum number of dependencies to return. The value is clamped server-side to the range 25–100: any value below 25 is treated as 25, and any value above 100 is treated as 100.
offsetintegerNumber of dependencies to skip for pagination
include_ignoredbooleanWhether to include ignored dependencies in the response
includeHashDatabooleanWhether to include hash and version data for dependencies
include_license_textbooleanWhether to include full license text in the license information
includeLocatorsstring[]Array of locators to filter dependencies. Only dependencies matching these locators will be returned
Responses
200A streaming JSON array of dependencies. Each dependency object contains detailed information including
the dependency lock, project metadata, licenses, and issues.
**Note**: Because the array is streamed, the `200` status is sent before the body is fully written. If an
error occurs partway through streaming, the response ends with an in-stream error object of the shape
`{ "error": string }` appended to the JSON output rather than a separate error status code.
Array of:
locobjectParsed components of the locator
fetcherstringpackagestringrevisionstringlocatorstringThe full locator string for this dependency
projectIdstringThe package identifier (fetcher+package)
resolvedbooleanWhether the dependency has been successfully resolved
unsupportedbooleanWhether the dependency fetcher/type is unsupported
latestRevisionScanIdintegerID of the latest revision scan (always null for dependencies)
DependencyLockobjectInformation about how this dependency is locked in the project
locatorstringunresolved_locatorsstring[]List of unresolved locators for this dependency
depthintegerDepth of this dependency in the dependency tree
typestringType of dependency (deprecated, always "MEDIATED")
tagsstring[]Tags for this dependency (deprecated, always empty)
is_submodulebooleanWhether this is a submodule (deprecated, always false)
rootstringThe root revision locator
origin_pathsstring[]Paths from the root to this dependency
manualbooleanWhether this dependency was manually added
projectobjectProject metadata for the dependency
locatorstringtitlestringdescriptionstringurlstringauthorsstring[]origin_pathsstring[]Paths from the root to this dependency
manualbooleanWhether this dependency was manually added
unresolved_locatorsstring[]List of unresolved locators
is_submodulebooleanWhether this is a submodule (deprecated, always false)
typestringType of dependency (deprecated, always "MEDIATED")
depthintegerDepth in the dependency tree
issueTargetsobject[]idintegerrevisionIdstringtypestringparentContextsobject[]issueIdintegerprojectIdstringstatusstringvulnerabilityobjectidstringlicensesobject[]revisionIdstringtextstringLicense text (included if include_license_text is true)
licenseIdstringlicenseGroupIdintegerignoredbooleancopyrightstringignoredbooleanWhether this dependency is ignored
downloadUrlstringDownload URL for the dependency package
hashstringHash of the dependency (included if includeHashData is true)
versionstringVersion of the dependency (included if includeHashData is true)
isGolangbooleanWhether this is a Go dependency (included if includeHashData is true)
layersobject[]Container layer information (only for container dependencies)
layerIndexinteger401UnauthorizeduuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
404Revision not found. The response body is the plain-text string `Not Found` (sent via
`res.sendStatus(404)`), not a JSON object.
500Server ErroruuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
Try this endpoint
Build a request and run it against app.fossa.com.
Stored in this browser for 24 hours. Try It uses a docs proxy for CORS and does not store tokens server-side.
POST https://app.fossa.com/api/revisions/custom%2B1234%2Fmy-project%24abcd1234/list-dependenciescurl --request POST \ --url 'https://app.fossa.com/api/revisions/custom%2B1234%2Fmy-project%24abcd1234/list-dependencies' \ --header 'accept: application/json' \ --header 'authorization: Bearer YOUR_API_TOKEN' \ --header 'content-type: application/json' \ --data '{ "limit": 50, "offset": 0}'Real request. Mutating methods can change data.
Path params
locatorstringrequiredThe URL-encoded locator of the revision