What Is a Transitive Dependency?
A transitive dependency is a package your project relies on indirectly: you depend on A, and A depends on B, so B is a transitive dependency of yours. Modern projects often have far more transitive dependencies than direct ones. They are still part of your software and your attack surface, even though you never named them.
Why it matters
Most supply-chain vulnerabilities arrive through transitive dependencies you never chose explicitly. Lockfiles pin them, SBOMs inventory them, and scanners flag them, which is why managing only your direct dependencies leaves the majority of your code unaccounted for.
Related concepts
- Captured and pinned by lockfiles
- Listed in a complete SBOM
- A common vector for supply-chain attacks
Related guides
What Is a Lockfile?A lockfile records the exact resolved versions and hashes of every dependency, so installs are deterministic…
What Is an SBOM (Software Bill of Materials)?A software bill of materials (SBOM) is a complete inventory of the components and dependencies that make up a…
What Is Dependency Pinning?Dependency pinning fixes dependencies to exact versions (or hashes) instead of ranges, so builds are predicta…