Applications may introduce known vulnerabilities either through direct or transitive dependencies.
A direct dependency is a package explicitly included in a project. A transitive dependency is not included directly in the project, but it is called by another dependency.
For example, in the following illustration, [email protected]is included directly in the project. At this time, it does not contain vulnerabilities itself. However, it references the package [email protected], which does contain vulnerabilities.