Safeguard
Tag

transitive-dependencies

Safeguard articles tagged "transitive-dependencies" — guides, analysis, and best practices for software supply chain and application security.

18 articles

Vulnerability Analysis

Log4Shell Five Years Later: What CVE-2021-44228 Taught Us About Transitive Risk

Five years after Log4Shell, the technical details still matter, but the lasting lessons are about transitive dependencies, SBOM accuracy, and the long tail of unpatched internal tooling.

Jan 9, 20265 min read
Software Supply Chain Security

Untracked Dependencies in the Software Supply Chain

Most teams can name their direct dependencies but not the hundreds of transitive packages actually running underneath. Here's why that gap is where real supply chain attacks live.

Nov 3, 20257 min read
Open Source Security

How Snyk calculates direct versus transitive dependency v...

Snyk splits vulnerability exposure into direct and transitive dependencies using lockfile graphs, CVE version-range matching, and path-level reachability analysis.

Aug 27, 20257 min read
Open Source Security

How Snyk handles vulnerability remediation for indirect (...

How does Snyk fix vulnerabilities buried in transitive dependencies you never directly installed? A look at dependency graphs, upgrade paths, and pinning.

Aug 23, 20256 min read
Open Source Security

Why Transitive Dependencies Are the Blind Spot in Most Vu...

Most vulnerability scans stop at direct dependencies, missing the 70-80% of your codebase that arrives transitively — where Log4Shell and other major CVEs actually hid.

Aug 13, 20257 min read
Software Supply Chain

Dependency Graph Analysis: Finding Hidden Transitive Risks

Your project has 50 direct dependencies. It actually depends on 1,200 packages. Transitive dependency analysis is how you find the risks hiding three layers deep.

Dec 1, 20228 min read
transitive-dependencies (Page 2) — Safeguard Blog