About dependencies
Applications may introduce known vulnerabilities either through direct or transitive dependencies.
A direct dependency is a package explicitly included in a project. A transitive dependency is not included directly in the project, but it is called by another dependency.
For example, in the following illustration, [email protected] is included directly in the project. At this time, it does not contain vulnerabilities itself. However, it references the package [email protected], which does contain vulnerabilities.
Sample transitive dependency in dependency tree
Copy link