REST API endpoints for dependency review

Use the REST API to interact with dependency changes.

About dependency review

You can use the REST API to view dependency changes, and the security impact of these changes, before you add them to your environment. You can view the diff of dependencies between two commits of a repository, including vulnerability data for any version updates with known vulnerabilities. For more information about dependency review, see About dependency review.

Get a diff of the dependencies between commits

Gets the diff of the dependency changes between two commits of a repository, based on the changes to the dependency manifests made in those commits.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Contents" repository permissions (read)

allows_public_read_access

Parameters for "Get a diff of the dependencies between commits"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.
`basehead` string Required The base and head Git revisions to compare. The Git revisions will be resolved to commit SHAs. Named revisions will be resolved to their corresponding HEAD commits, and an appropriate merge base will be determined. This parameter expects the format `{base}...{head}`.

Query parameters
Name, Type, Description
`name` string The full path, relative to the repository root, of the dependency manifest file.

http_status_code

status_code	Description
`200`	OK
`403`	Response for a private repository when GitHub Advanced Security is not enabled, or if used against a fork
`404`	Resource not found

code_samples

data_residency_notice

request_example

get/repos/{owner}/{repo}/dependency-graph/compare/{basehead}

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/dependency-graph/compare/BASEHEAD

Response

Status: 200

[
  {
    "change_type": "removed",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "helmet",
    "version": "4.6.0",
    "package_url": "pkg:npm/[email protected]",
    "license": "MIT",
    "source_repository_url": "https://github.com/helmetjs/helmet",
    "vulnerabilities": []
  },
  {
    "change_type": "added",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "helmet",
    "version": "5.0.0",
    "package_url": "pkg:npm/[email protected]",
    "license": "MIT",
    "source_repository_url": "https://github.com/helmetjs/helmet",
    "vulnerabilities": []
  },
  {
    "change_type": "added",
    "manifest": "Gemfile",
    "ecosystem": "rubygems",
    "name": "ruby-openid",
    "version": "2.7.0",
    "package_url": "pkg:gem/[email protected]",
    "license": null,
    "source_repository_url": "https://github.com/openid/ruby-openid",
    "vulnerabilities": [
      {
        "severity": "critical",
        "advisory_ghsa_id": "GHSA-fqfj-cmh6-hj49",
        "advisory_summary": "Ruby OpenID",
        "advisory_url": "https://github.com/advisories/GHSA-fqfj-cmh6-hj49"
      }
    ]
  }
]