Skip to content
Latchkey

What Is a Transitive Dependency?

A transitive dependency is a package your project relies on indirectly: you depend on A, and A depends on B, so B is a transitive dependency of yours. Modern projects often have far more transitive dependencies than direct ones. They are still part of your software and your attack surface, even though you never named them.

Why it matters

Most supply-chain vulnerabilities arrive through transitive dependencies you never chose explicitly. Lockfiles pin them, SBOMs inventory them, and scanners flag them, which is why managing only your direct dependencies leaves the majority of your code unaccounted for.

Related concepts

  • Captured and pinned by lockfiles
  • Listed in a complete SBOM
  • A common vector for supply-chain attacks

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →