transitive-dependencies
Safeguard articles tagged "transitive-dependencies" — guides, analysis, and best practices for software supply chain and application security.
18 articles
Managing Transitive Dependencies: The Vulnerabilities You Didn't Choose
Most dependency risk lives in packages you never installed directly. Here is how transitive dependencies work across ecosystems and how to audit and control them.
The Moq NuGet incident: how a mocking library harvested developer emails
In August 2023, Moq v4.20.0 quietly ran git config at build time and phoned home 10,356 times before anyone pulled it — via a dependency nobody vetted.
How to Remediate Transitive Dependency Vulnerabilities
Fix vulnerabilities in the nested packages you never installed directly — trace the import chain, choose between upgrading the parent or overriding the child, and verify the fix without breaking builds.
Transitive Dependency Risk Explained: The Code You Never Chose
Transitive dependencies are the packages your dependencies pull in, and they make up most of your codebase. Here is why they are risky and how to manage them.
event-stream npm package backdoor incident
How a routine maintainer handoff let attackers slip a Bitcoin-stealing backdoor into event-stream, hitting millions of npm installs for ten weeks.
Dependency Management: Frequently Asked Questions
A practical FAQ on managing software dependencies in 2026 — direct vs transitive, lockfiles, semantic versioning, safe updates, dependency confusion, and keeping trees clean.
Lessons from Log4Shell: How One Logging Call Became the Internet's Worst Weekend
CVE-2021-44228 let an unauthenticated attacker run code by getting a single string logged. Here is how Log4Shell worked, why it was everywhere, and what actually contained it.
Understanding Dependency Trees
The libraries you install are only the tip of the iceberg. Each one pulls in its own dependencies, which pull in more, forming a tree that can run hundreds of packages deep. Understanding that tree is the first step to securing it.
Transitive dependency vulnerabilities explained
A vulnerability three layers deep in your dependency graph is still your problem. Here's how transitive flaws like Log4Shell hide, spread, and get fixed.
What Are Transitive Dependencies
Transitive dependencies are the packages your code never directly imports but inherits anyway — and where 84% of open source CVEs actually live.
Top 10 Riskiest Transitive Dependencies 2026
The Safeguard Research team built a risk index for transitive dependencies and ranked the ten categories that concentrate the most risk in modern stacks.
Log4Shell (CVE-2021-44228) and the supply chain lessons o...
A Log4Shell CVE-2021-44228 analysis covering the JNDI lookup flaw, CVSS 10.0 severity, KEV status, patch timeline, remediation steps, and the transitive dependency lessons it taught.