---
id: code-dependency-graphs-and-vulnerability-advisories
title: 'Code Dependency Graphs and Vulnerability Advisories'
schema_type: TechArticle
category: computer-science
language: en
confidence: medium
last_verified: '2026-06-02'
created_date: '2026-06-02'
generation_method: ai_structured
derived_from_human_seed: true
conflict_of_interest: none_declared
is_live_document: false
data_period: static
atomic_facts:
  - id: fact-cs-code-dependency-graphs-and-vulnerability-advisories-1
    statement: >-
      The deps.dev API documentation describes an API for accessing Open Source Insights data.
    source_title: deps.dev API
    source_url: https://docs.deps.dev/api/v3/
    confidence: medium
  - id: fact-cs-code-dependency-graphs-and-vulnerability-advisories-2
    statement: >-
      npm documentation describes npm audit as submitting a dependency description and
      returning a report of known vulnerabilities.
    source_title: npm audit
    source_url: https://docs.npmjs.com/cli/v11/commands/npm-audit
    confidence: medium
  - id: fact-cs-code-dependency-graphs-and-vulnerability-advisories-3
    statement: >-
      OSV API documentation describes the POST /v1/query endpoint for querying vulnerabilities
      for a package.
    source_title: OSV Query API
    source_url: https://google.github.io/osv.dev/post-v1-query/
    confidence: medium
completeness: 0.83
known_gaps:
  - Vulnerability analysis depends on package ecosystem, transitive dependencies, lockfile freshness, reachability, exploitability, patched versions, advisory quality, and deployment exposure.
disputed_statements: []
primary_sources:
  - title: deps.dev API
    type: documentation
    year: 2026
    url: https://docs.deps.dev/api/v3/
    institution: Google
  - title: npm audit
    type: documentation
    year: 2026
    url: https://docs.npmjs.com/cli/v11/commands/npm-audit
    institution: npm
  - title: OSV Query API
    type: documentation
    year: 2026
    url: https://google.github.io/osv.dev/post-v1-query/
    institution: Google
secondary_sources: []
updated: '2026-06-02'
ai_models:
  - gpt-5-codex
---

## TL;DR

Dependency graphs and vulnerability advisories help agents connect package manifests to known security risk and upgrade paths.

## Core Explanation

Agents doing code intelligence should inspect manifest files, lockfiles, transitive dependencies, package ecosystems, and advisory sources. A vulnerable package name alone is not enough; the agent needs the affected version range, whether the vulnerable code is reachable, and the recommended patched version.

Dependency graphs are also useful outside security. They reveal ownership boundaries, build impact, package duplication, and upgrade blast radius. Vulnerability advisories add a risk dimension to that graph.

## Source-Mapped Facts

- The deps.dev API documentation describes an API for accessing Open Source Insights data. ([source](https://docs.deps.dev/api/v3/))
- npm documentation describes npm audit as submitting a dependency description and returning a report of known vulnerabilities. ([source](https://docs.npmjs.com/cli/v11/commands/npm-audit))
- OSV API documentation describes the POST /v1/query endpoint for querying vulnerabilities for a package. ([source](https://google.github.io/osv.dev/post-v1-query/))
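The following added example (not code from the page's sources) ties the Core Explanation's point about version ranges and patched versions to the OSV POST /v1/query endpoint listed above: it walks a constructed package-lock.json fragment, builds one query body per resolved dependency, and evaluates each against constructed advisories written in the OSV schema's SEMVER `introduced`/`fixed` event form. Package names, advisory ids and versions are all placeholders.

```python
import json

# Constructed package-lock.json fragment (lockfileVersion 3 shape); not a real project.
LOCKFILE = json.loads("""{
  "packages": {
    "": {"name": "example-app", "version": "0.1.0"},
    "node_modules/pad-util": {"version": "1.2.0"},
    "node_modules/other-lib": {"version": "3.1.4"}
  }
}""")

# Constructed advisories in OSV schema shape; id, name and range are placeholders.
ADVISORIES = [{
    "id": "EXAMPLE-2026-0001",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "pad-util"},
        "ranges": [{"type": "SEMVER",
                    "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.3"}]}],
    }],
}]

def semver_key(version):
    """Numeric sort key for MAJOR.MINOR.PATCH; a pre-release suffix is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split("."))

def osv_query_bodies(lockfile, ecosystem="npm"):
    """One POST /v1/query body per resolved dependency (root entry skipped)."""
    bodies = []
    for path, meta in lockfile["packages"].items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[1]  # handles nested and @scoped paths
        bodies.append({"version": meta["version"],
                       "package": {"name": name, "ecosystem": ecosystem}})
    return bodies

def semver_affected(version, events):
    """Walk OSV SEMVER events in order: 'introduced' opens a range, 'fixed' closes it."""
    v, affected = semver_key(version), False
    for event in events:
        if "introduced" in event and semver_key(event["introduced"]) <= v:
            affected = True
        if "fixed" in event and semver_key(event["fixed"]) <= v:
            affected = False
    return affected

def match_advisories(queries, advisories):
    """Return (name, version, advisory id, first fixed version) per affected dependency."""
    hits = []
    for q in queries:
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"] != q["package"]:
                    continue
                for rng in aff.get("ranges", []):
                    if rng["type"] == "SEMVER" and semver_affected(q["version"], rng["events"]):
                        fixed = [e["fixed"] for e in rng["events"] if "fixed" in e]
                        hits.append((q["package"]["name"], q["version"], adv["id"],
                                     fixed[0] if fixed else None))
    return hits
```

A hit here establishes only that the locked version falls inside an affected range and names the first patched version; reachability and exploitability, which the Core Explanation also calls for, still need separate analysis.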

## Further Reading

- [deps.dev API](https://docs.deps.dev/api/v3/)
- [npm audit](https://docs.npmjs.com/cli/v11/commands/npm-audit)
- [OSV Query API](https://google.github.io/osv.dev/post-v1-query/)
