Differentiate `direct` and `transitive` npm dependencies
What is it?
GitHub now differentiates dependency types for npm packages.
https://github.blog/changelog/2025-03-04-easily-distinguish-between-direct-and-transitive-dependencies-for-npm-packages/
Previously, devs were mildly frustrated about lots of transitive dependencies showing up in their dependency tree (e.g., in Deep Funding).
We should update our SBOM fetcher to include the new relationship field. We can then update our SBOM models to ignore transitive dependencies.
Hi @Jabolol
I have materialized the new model for the first time. It appears that this is NOT the endpoint we need to pull from, as it does not contain the relationship field we care about, nor is that data otherwise available in the results.
Here is the relevant API documentation for the DependencyGraphDependency endpoint. It contains the same information we currently get from our SBOM model, with the addition of the relationship field. Critically, the relationship field has three possible values: direct, transitive, or unknown.
The endpoint you are pulling from has a different schema and the relationship_type field has different values. Here's an example:
```json
[{
  "artifact_namespace": "OlympusDAO",
  "artifact_name": "bonds-subgraph",
  "artifact_source": "GITHUB",
  "relationship_type": "DEPENDS_ON",
  "spdx_element_id": "SPDXRef-npm-request-2.88.2-0413b6",
  "related_spdx_element": "SPDXRef-npm-json-stringify-safe-5.0.1-999a6f",
  "snapshot_at": "2025-05-30 18:48:02.000000 UTC",
  "_dlt_load_id": "1748708784.4025903",
  "_dlt_id": "OQBMtLKBYI40Ow"
}]
```
I've reopened the issue so we can look into this again. Thanks!
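The issue asks for the fetcher to carry the new relationship field so the SBOM models can drop transitive dependencies, and the comment above points out that the field lives on the GraphQL `DependencyGraphDependency` type (values direct, transitive, unknown), not in the SPDX `DEPENDS_ON` rows the current model stores. The following is an added example, not the project's own fetcher or model code: it flattens a `dependencyGraphManifests` response into rows shaped like the existing SBOM table plus `relationship`, normalizes the enum casing, and filters transitive rows while keeping `unknown` ones visible instead of silently discarding them. The query text, the response layout and the `requirements` strings are assumptions modelled on the GitHub GraphQL schema; `SAMPLE_RESPONSE` is constructed, not a captured API result, so nothing here touches the network.

```python
"""Flatten a GitHub GraphQL `dependencyGraphManifests` response into rows shaped
like the existing SBOM table, carrying the new `relationship` field, and filter
out transitive dependencies while keeping `unknown` ones visible.

Added example, not the project's fetcher. The query and response layout are
assumptions modelled on the GraphQL `DependencyGraphDependency` type;
SAMPLE_RESPONSE is constructed, not a real API result.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Any, Iterable, Iterator

# Assumed query: `relationship` is the field the 2025-03-04 changelog added; the
# other fields are the ones the existing model already stores.
DEPENDENCY_QUERY = """
query($owner: String!, $name: String!, $cursor: String) {
  repository(owner: $owner, name: $name) {
    dependencyGraphManifests(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes {
        filename
        dependencies(first: 100) {
          nodes { packageManager packageName requirements relationship }
        }
      }
    }
  }
}
"""

DIRECT, TRANSITIVE, UNKNOWN = "direct", "transitive", "unknown"


@dataclass(frozen=True)
class DependencyRow:
    artifact_namespace: str   # repository owner, as in the SBOM table
    artifact_name: str        # repository name
    manifest: str             # e.g. package.json vs package-lock.json
    package_manager: str
    package_name: str
    requirements: str
    relationship: str         # direct | transitive | unknown


def normalize_relationship(value: Any) -> str:
    """GraphQL enums come back upper-case (DIRECT); the model stores lower-case.
    A missing field or an unexpected value maps to `unknown` instead of raising,
    so one odd row cannot abort a whole load."""
    if value is None:
        return UNKNOWN
    v = str(value).strip().lower()
    return v if v in (DIRECT, TRANSITIVE, UNKNOWN) else UNKNOWN


def flatten_manifests(owner: str, name: str, response: dict) -> Iterator[DependencyRow]:
    """One row per (manifest, dependency) pair, mirroring the SBOM model's grain."""
    manifests = response["data"]["repository"]["dependencyGraphManifests"]["nodes"]
    for manifest in manifests:
        for dep in manifest["dependencies"]["nodes"]:
            yield DependencyRow(
                artifact_namespace=owner,
                artifact_name=name,
                manifest=manifest["filename"],
                package_manager=dep.get("packageManager") or "",
                package_name=dep["packageName"],
                requirements=dep.get("requirements") or "",
                relationship=normalize_relationship(dep.get("relationship")),
            )


def direct_only(rows: Iterable[DependencyRow], keep_unknown: bool = True) -> list[DependencyRow]:
    """Drop transitive rows. `unknown` rows are kept by default: dropping them
    would hide packages GitHub could not classify, which an SBOM consumer should
    see rather than lose."""
    return [
        r for r in rows
        if r.relationship != TRANSITIVE and (keep_unknown or r.relationship != UNKNOWN)
    ]


def relationship_counts(rows: Iterable[DependencyRow]) -> dict[str, int]:
    """Per-relationship tally, a cheap load-time sanity check: a repo whose rows
    are all `unknown` most likely means the field was never requested."""
    return dict(Counter(r.relationship for r in rows))


# Constructed sample shaped like the query above; the repo and the
# request -> json-stringify-safe edge mirror the SBOM row quoted in the thread.
SAMPLE_RESPONSE = {
    "data": {"repository": {"dependencyGraphManifests": {
        "pageInfo": {"hasNextPage": False, "endCursor": None},
        "nodes": [
            {"filename": "package.json", "dependencies": {"nodes": [
                {"packageManager": "NPM", "packageName": "request",
                 "requirements": "^ 2.88.2", "relationship": "DIRECT"},
                {"packageManager": "NPM", "packageName": "graphql",
                 "requirements": "^ 15.0.0", "relationship": "direct"},
            ]}},
            {"filename": "package-lock.json", "dependencies": {"nodes": [
                {"packageManager": "NPM", "packageName": "json-stringify-safe",
                 "requirements": "= 5.0.1", "relationship": "TRANSITIVE"},
                {"packageManager": "NPM", "packageName": "lodash",
                 "requirements": "= 4.17.21"},  # field absent -> unknown
            ]}},
        ],
    }}}
}

if __name__ == "__main__":
    rows = list(flatten_manifests("OlympusDAO", "bonds-subgraph", SAMPLE_RESPONSE))
    print(relationship_counts(rows))
    for r in direct_only(rows):
        print(r.manifest, r.package_name, r.relationship)
```

To wire this into a real fetch, `DEPENDENCY_QUERY` is POSTed to `https://api.github.com/graphql` with a token and the `$cursor` variable advanced while `pageInfo.hasNextPage` is true; the `dependencyGraphManifests` connection has historically required the `hawkgirl-preview` Accept header, so check the current schema docs before relying on it. Keeping `unknown` rows separate from `transitive` ones is the design choice worth preserving in the model: the two mean different things, and collapsing them would make a classification failure look like a deliberate exclusion.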