Add dependency locations GraphQL to GroupType

What does this MR do and why?

Introduce a new GraphQL endpoint for fetching dependency locations. This will be used by the Group's dependency list page to populate the location dropdown, replacing the REST endpoint.

Here's the related spike that informed the key decisions behind this MR: #600254 (comment 3373373106)

Screenshots (not reproduced here): GraphQL (this MR); Reference only (replaces the REST endpoint)
query dependenciesGetLocations {
  group(fullPath: "secure-ex") {
    dependencyLocations(
      componentVersionId: "gid://gitlab/Sbom::ComponentVersion/49"
      first: 50
    ) {
      nodes {
        occurrenceId
        location {
          blobPath
          path
          topLevel
        }
        hasDependencyPaths
        project {
          name
          fullPath
        }
      }
    }
  }
}

Query Plan

a. Existing REST

Demo: https://gitlab.com/groups/gitlab-org/govern/threat-insights-demos/frontend/-/dependencies

This migration doesn't change the query; it's the same as the REST version:

SELECT "sbom_occurrences".*,
  EXISTS (
    (SELECT 1 FROM "sbom_graph_paths"
     WHERE "sbom_graph_paths"."descendant_id" = "sbom_occurrences"."id"
     LIMIT 1)
  ) AS has_dependency_paths
FROM "sbom_occurrences"
WHERE (sbom_occurrences.traversal_ids >= '{9970,11787569,60126506,60216328}'
  AND '{9970,11787569,60126506,60216329}' > sbom_occurrences.traversal_ids)
  AND "sbom_occurrences"."component_version_id" = 2099137
LIMIT 50

https://console.postgres.ai/gitlab/gitlab-production-sec/sessions/51967/commands/153130


b. This MR (GraphQL)

🤖 Note: The GraphQL query includes an additional ORDER BY id DESC and LIMIT 51 (instead of 50) compared to the REST query. This is standard connection type behavior — ORDER BY ensures stable cursor pagination, and the extra +1 record is used to determine hasNextPage in pageInfo.


SELECT "sbom_occurrences".*,
  EXISTS (
    (SELECT 1 FROM "sbom_graph_paths"
     WHERE "sbom_graph_paths"."descendant_id" = "sbom_occurrences"."id"
     LIMIT 1)
  ) AS has_dependency_paths
FROM "sbom_occurrences"
WHERE (sbom_occurrences.traversal_ids >= '{95}'
  AND '{96}' > sbom_occurrences.traversal_ids)
  AND "sbom_occurrences"."component_version_id" = 49
ORDER BY "sbom_occurrences"."id" DESC
LIMIT 51

https://console.postgres.ai/gitlab/gitlab-production-sec/sessions/51967/commands/153131

  • I tried to mimic production behavior by running this MR's query against production data, using the same project as the REST endpoint test.
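To make the two pieces of the query above easy to check, here is an added Ruby model of it (example code written for this description, not GitLab's implementation): the traversal_ids range predicate that keeps results inside the group's subtree, the EXISTS on sbom_graph_paths that yields has_dependency_paths, and the connection-style first+1 fetch that derives hasNextPage. Rows, ids and paths are constructed sample data.

```ruby
require 'set'

# Lexicographic array comparison, the ordering Postgres applies to integer[]
# columns such as sbom_occurrences.traversal_ids.
def array_cmp(a, b)
  a.each_with_index do |x, i|
    return 1 if i >= b.length
    c = x <=> b[i]
    return c unless c.zero?
  end
  a.length <=> b.length
end

# Upper bound of a group's subtree: its traversal_ids with the last element
# incremented, e.g. {95} -> {96} in the GraphQL query plan above.
def subtree_upper_bound(traversal_ids)
  bound = traversal_ids.dup
  bound[-1] += 1
  bound
end

# Mirrors WHERE / ORDER BY id DESC / LIMIT first+1: only occurrences inside the
# group subtree and matching component_version_id are visible, and the extra
# row is used solely to compute has_next_page.
def dependency_locations(occurrences, graph_paths, group_traversal_ids:, component_version_id:, first:)
  upper = subtree_upper_bound(group_traversal_ids)
  matches = occurrences.select do |o|
    array_cmp(o[:traversal_ids], group_traversal_ids) >= 0 &&
      array_cmp(upper, o[:traversal_ids]) > 0 &&
      o[:component_version_id] == component_version_id
  end
  page = matches.sort_by { |o| -o[:id] }.first(first + 1)
  descendants = graph_paths.map { |p| p[:descendant_id] }.to_set
  nodes = page.first(first).map do |o|
    { occurrence_id: o[:id], path: o[:path], has_dependency_paths: descendants.include?(o[:id]) }
  end
  { nodes: nodes, has_next_page: page.length > first }
end

# Constructed sample rows (not production data). Group {95} owns ids 1-3;
# id 4 is a sibling group, id 5 another component version, id 6 shows that
# {950} is excluded even though "95" is a string prefix of "950".
OCCURRENCES = [
  { id: 1, traversal_ids: [95],         component_version_id: 49, path: 'Gemfile.lock' },
  { id: 2, traversal_ids: [95, 120],    component_version_id: 49, path: 'package-lock.json' },
  { id: 3, traversal_ids: [95, 121, 7], component_version_id: 49, path: 'go.sum' },
  { id: 4, traversal_ids: [96],         component_version_id: 49, path: 'Gemfile.lock' },
  { id: 5, traversal_ids: [95, 120],    component_version_id: 50, path: 'Gemfile.lock' },
  { id: 6, traversal_ids: [950],        component_version_id: 49, path: 'Gemfile.lock' }
].freeze
GRAPH_PATHS = [{ descendant_id: 2 }, { descendant_id: 3 }].freeze
```

Calling `dependency_locations(OCCURRENCES, GRAPH_PATHS, group_traversal_ids: [95], component_version_id: 49, first: 2)` returns occurrences 3 and 2 with `has_next_page: true`; raising `first` to 50 returns 3, 2, 1 with `has_next_page: false`.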


References

Screenshots or screen recordings


How to set up and validate locally

  1. Open graphql-explorer
  2. Paste the graphql query
  3. It renders the response

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #600883 (closed)

Edited by Samantha Ming
