transitive-dependencies
Safeguard articles tagged "transitive-dependencies" — guides, analysis, and best practices for software supply chain and application security.
18 articles
Log4Shell Five Years Later: What CVE-2021-44228 Taught Us About Transitive Risk
Five years after Log4Shell, the technical details still matter, but the lasting lessons are about transitive dependencies, SBOM accuracy, and the long tail of unpatched internal tooling.
Untracked Dependencies in the Software Supply Chain
Most teams can name their direct dependencies but not the hundreds of transitive packages actually running underneath. Here's why that gap is where real supply chain attacks live.
How Snyk calculates direct versus transitive dependency v...
Snyk splits vulnerability exposure into direct and transitive dependencies using lockfile graphs, CVE version-range matching, and path-level reachability analysis.
How Snyk handles vulnerability remediation for indirect (...
How does Snyk fix vulnerabilities buried in transitive dependencies you never directly installed? A look at dependency graphs, upgrade paths, and pinning.
Why Transitive Dependencies Are the Blind Spot in Most Vu...
Most vulnerability scans stop at direct dependencies, missing the 70-80% of your codebase that arrives transitively — where Log4Shell and other major CVEs actually hid.
Dependency Graph Analysis: Finding Hidden Transitive Risks
Your project has 50 direct dependencies. It actually depends on 1,200 packages. Transitive dependency analysis is how you find the risks hiding three layers deep.