Code Dependency Graphs and Vulnerability Advisories

Status: public · Confidence: medium (0.725) · Basis: verified_sources

## TL;DR

Dependency graphs and vulnerability advisories help agents connect package manifests to known security risk and upgrade paths.

## Core Explanation

Agents doing code intelligence should inspect manifest files, lockfiles, transitive dependencies, package ecosystems, and advisory sources. A vulnerable package name alone is not enough; the agent needs the affected version range, whether the vulnerable code is reachable, and the recommended patched version.

Dependency graphs are also useful outside security. They reveal ownership boundaries, build impact, package duplication, and upgrade blast radius. Vulnerability advisories add a risk dimension to that graph.

## Source-Mapped Facts

- The deps.dev API documentation describes an API for accessing Open Source Insights data. ([source](https://docs.deps.dev/api/v3/))
- npm documentation describes npm audit as submitting a dependency description and returning a report of known vulnerabilities. ([source](https://docs.npmjs.com/cli/v11/commands/npm-audit))
- OSV API documentation describes the POST /v1/query endpoint for querying vulnerabilities for a package. ([source](https://google.github.io/osv.dev/post-v1-query/))
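The two facts the core explanation asks an agent to extract, whether a manifest version is inside an advisory's affected range and which version fixes it, come from the `affected[].ranges[].events` field of an OSV record such as the ones returned by `POST /v1/query`. The following is an added example (not code from OSV, deps.dev or npm) that walks those events; the advisory, its placeholder id and the package name `example-pkg` are constructed to mirror the OSV schema and are not a real record.

```python
import json

# Constructed advisory with a placeholder id. The shape follows the OSV
# schema: each SEMVER range is a list of "introduced"/"fixed" events.
SAMPLE_ADVISORY = json.loads("""{
  "id": "EXAMPLE-0000-PLACEHOLDER",
  "affected": [{
    "package": {"ecosystem": "npm", "name": "example-pkg"},
    "ranges": [{"type": "SEMVER", "events": [
      {"introduced": "0"}, {"fixed": "1.2.5"},
      {"introduced": "2.0.0"}, {"fixed": "2.0.3"}
    ]}]
  }]
}""")

def parse_version(v):
    """Numeric dotted version -> comparable tuple ("0" means the first release).
    Pre-release tags such as 1.0.0-beta are not handled here."""
    return tuple(int(p) for p in v.split("."))

def affected_status(advisory, ecosystem, name, version):
    """Return (is_affected, fixed_version) for one package@version.
    fixed_version is None when unaffected or when no fix is published."""
    want = parse_version(version)
    for aff in advisory.get("affected", []):
        pkg = aff.get("package", {})
        if (pkg.get("ecosystem"), pkg.get("name")) != (ecosystem, name):
            continue
        if version in aff.get("versions", []):   # explicitly enumerated versions
            return True, None
        for rng in aff.get("ranges", []):
            if rng.get("type") != "SEMVER":
                continue                          # GIT ranges need commit history
            introduced = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    introduced = parse_version(ev["introduced"])
                elif "fixed" in ev and introduced is not None:
                    if introduced <= want < parse_version(ev["fixed"]):
                        return True, ev["fixed"]
                    introduced = None             # this window closed; look at the next
                elif "last_affected" in ev and introduced is not None:
                    if introduced <= want <= parse_version(ev["last_affected"]):
                        return True, None
                    introduced = None
            if introduced is not None and want >= introduced:
                return True, None                 # open-ended range: no fix yet
    return False, None
```

Reachability, the third item the core explanation asks for, is not in the advisory at all and has to come from the code graph itself.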

## Further Reading

- [deps.dev API](https://docs.deps.dev/api/v3/)
- [npm audit](https://docs.npmjs.com/cli/v11/commands/npm-audit)
- [OSV Query API](https://google.github.io/osv.dev/post-v1-query/)