Get Revision Dependencies Post

posthttps://app.fossa.com/api/revisions/{locator}/list-dependencies

Retrieve dependencies for a given revision using the V1 legacy API format. This is a POST version of the GET /api/revisions/:locator/dependencies endpoint that accepts parameters in the request body instead of query parameters. This allows for larger payloads that would exceed URI/header size limits when using query parameters (e.g., when filtering by a large list of locators). **Note**: This endpoint returns the V1 legacy format with streaming JSON array output. For new integrations, consider using the V2 API at GET /v2/revisions/{locator}/dependencies which returns a paginated response with a cleaner data structure. The endpoint returns a streaming JSON array of dependencies with detailed information including the DependencyLock, full license objects, issueTargets, and legacy metadata fields.

Path parameters

locatorstringrequired

The URL-encoded locator of the revision

Request body · application/json

Query parameters for filtering and configuring the dependency response

limitinteger

Maximum number of dependencies to return. The value is clamped server-side to the range 25–100: any value below 25 is treated as 25, and any value above 100 is treated as 100.

offsetinteger

Number of dependencies to skip for pagination

include_ignoredboolean

Whether to include ignored dependencies in the response

includeHashDataboolean

Whether to include hash and version data for dependencies

include_license_textboolean

Whether to include full license text in the license information

includeLocatorsstring[]

Array of locators to filter dependencies. Only dependencies matching these locators will be returned

Responses

200A streaming JSON array of dependencies. Each dependency object contains detailed information including the dependency lock, project metadata, licenses, and issues. **Note**: Because the array is streamed, the `200` status is sent before the body is fully written. If an error occurs partway through streaming, the response ends with an in-stream error object of the shape `{ "error": string }` appended to the JSON output rather than a separate error status code.

Array of:

locobject

Parsed components of the locator

fetcherstring
packagestring
revisionstring
locatorstring

The full locator string for this dependency

projectIdstring

The package identifier (fetcher+package)

resolvedboolean

Whether the dependency has been successfully resolved

unsupportedboolean

Whether the dependency fetcher/type is unsupported

latestRevisionScanIdinteger

ID of the latest revision scan (always null for dependencies)

DependencyLockobject

Information about how this dependency is locked in the project

locatorstring
unresolved_locatorsstring[]

List of unresolved locators for this dependency

depthinteger

Depth of this dependency in the dependency tree

typestring

Type of dependency (deprecated, always "MEDIATED")

tagsstring[]

Tags for this dependency (deprecated, always empty)

is_submoduleboolean

Whether this is a submodule (deprecated, always false)

rootstring

The root revision locator

origin_pathsstring[]

Paths from the root to this dependency

manualboolean

Whether this dependency was manually added

projectobject

Project metadata for the dependency

locatorstring
titlestring
descriptionstring
urlstring
authorsstring[]
origin_pathsstring[]

Paths from the root to this dependency

manualboolean

Whether this dependency was manually added

unresolved_locatorsstring[]

List of unresolved locators

is_submoduleboolean

Whether this is a submodule (deprecated, always false)

typestring

Type of dependency (deprecated, always "MEDIATED")

depthinteger

Depth in the dependency tree

issueTargetsobject[]
idinteger
revisionIdstring
typestring
parentContextsobject[]
issueIdinteger
projectIdstring
statusstring
vulnerabilityobject
idstring
licensesobject[]
revisionIdstring
textstring

License text (included if include_license_text is true)

licenseIdstring
licenseGroupIdinteger
ignoredboolean
copyrightstring
ignoredboolean

Whether this dependency is ignored

downloadUrlstring

Download URL for the dependency package

hashstring

Hash of the dependency (included if includeHashData is true)

versionstring

Version of the dependency (included if includeHashData is true)

isGolangboolean

Whether this is a Go dependency (included if includeHashData is true)

layersobject[]

Container layer information (only for container dependencies)

layerIndexinteger
401Unauthorized
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

404Revision not found. The response body is the plain-text string `Not Found` (sent via `res.sendStatus(404)`), not a JSON object.
string
500Server Error
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

Try this endpoint

Build a request and run it against app.fossa.com.

Bearer

Stored in this browser for 24 hours. Try It uses a docs proxy for CORS and does not store tokens server-side.

POST https://app.fossa.com/api/revisions/custom%2B1234%2Fmy-project%24abcd1234/list-dependencies
curl --request POST \  --url 'https://app.fossa.com/api/revisions/custom%2B1234%2Fmy-project%24abcd1234/list-dependencies' \  --header 'accept: application/json' \  --header 'authorization: Bearer YOUR_API_TOKEN' \  --header 'content-type: application/json' \  --data '{  "limit": 50,  "offset": 0}'

Real request. Mutating methods can change data.

Click Try It to run a request and see the response here.
Enter a Bearer token before running this request.

Path params

locatorstringrequired

The URL-encoded locator of the revision

application/json