Transitive dependencies are the invisible majority of your applications. Failure to properly understand them increases your risk.
April 15, 2025
Modern software has changed dramatically over the past decade. The days when developers wrote most of their code from scratch are long gone. According to Linux Foundation research, today's applications are assembled more than they're written, with custom code representing just 10-20% of most enterprise applications.
The rest? A complex web of dependencies — packages and libraries that provide ready-made functionality so developers don't have to reinvent the wheel. However, within this web lies a critical security challenge many organizations struggle to address: transitive dependencies. Kusari can help your organization manage transitive dependencies with context-aware assessment and proactive risk reduction.
When your development team builds an application, they deliberately choose specific packages to include; these are your direct dependencies. For example, they might choose a popular framework like React for building user interfaces.
But React itself needs other packages to function correctly. Those packages might need additional packages, which might need even more packages...and so on. The indirect dependencies that enter your application through this cascade, by way of your direct dependencies, are called transitive dependencies.
To visualize this:
Your Application
├── React (direct dependency)
│   ├── prop-types (transitive dependency)
│   │   └── react-is (deeper transitive dependency)
│   ├── loose-envify (transitive dependency)
│   └── scheduler (transitive dependency)
└── Express (direct dependency)
    ├── accepts (transitive dependency)
    │   ├── mime-types (deeper transitive dependency)
    │   └── negotiator (deeper transitive dependency)
    └── (dozens more packages with their own dependencies)
Most development teams have good visibility into their direct dependencies — after all, they chose them. But the transitive dependencies often remain invisible, despite comprising 80-90% of a typical application's third-party code.
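To make the direct/transitive split concrete, here is an added example (not Kusari code) that walks a constructed dependency graph shaped like the tree above and answers the two questions a team needs when an advisory lands: which packages are transitive, and through which chain did each one arrive? The graph literal is a constructed sample standing in for what a lockfile or SBOM would provide.

```javascript
// Constructed sample graph mirroring the tree in the post: package -> its declared dependencies.
// In practice this adjacency map would be built from a lockfile or an SBOM, not hand-written.
const graph = {
  "your-application": ["react", "express"],
  react: ["prop-types", "loose-envify", "scheduler"],
  "prop-types": ["react-is", "loose-envify"],
  "loose-envify": [],
  scheduler: ["loose-envify"],
  "react-is": [],
  express: ["accepts"],
  accepts: ["mime-types", "negotiator"],
  "mime-types": [],
  negotiator: [],
};

// Breadth-first walk from the root. Records the first (shortest) chain found to each
// package, so diamonds such as loose-envify are reported once, via the shortest path.
function resolveDependencies(graph, root) {
  const direct = new Set(graph[root] ?? []);
  const paths = new Map(); // package name -> chain of package names from root
  const queue = [...direct].map((name) => [name, [root, name]]);
  while (queue.length) {
    const [name, path] = queue.shift();
    if (paths.has(name)) continue; // already reached by a shorter chain
    paths.set(name, path);
    for (const child of graph[name] ?? []) queue.push([child, [...path, child]]);
  }
  const transitive = [...paths.keys()].filter((p) => !direct.has(p));
  // Share of third-party packages that the team never chose explicitly.
  const transitiveShare = transitive.length / paths.size;
  return { direct: [...direct], transitive, paths, transitiveShare };
}

// Given a package named in an advisory, report whether it is present and through which chain.
// Returns null when the package is not reachable from the root at all.
function whereIs(graph, root, pkg) {
  const { paths } = resolveDependencies(graph, root);
  return paths.has(pkg) ? paths.get(pkg).join(" -> ") : null;
}
```

Running `whereIs(graph, "your-application", "react-is")` yields the chain `your-application -> react -> prop-types -> react-is`, which is exactly the information a team lacked during the Log4j response when it had only a list of direct dependencies.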
In December 2021, the software world was rocked by the discovery of a critical vulnerability in Log4j, a Java logging utility. This component was rarely directly used by developers, but it was embedded as a transitive dependency in thousands of applications, including major platforms like Minecraft, iCloud, and Amazon AWS.
The aftermath was chaotic. Security teams scrambled to determine if they were affected, often without tools to identify where Log4j might be hiding in their software. Some organizations spent weeks manually examining their applications, while others faced successful exploits before they could patch. The estimated cost of remediation reached billions globally.
This wasn't an isolated incident. In 2022, a researcher intentionally corrupted the popular npm packages colors.js and faker.js, breaking thousands of applications that relied on them as transitive dependencies. The SolarWinds breach that affected multiple government agencies exploited the software supply chain, demonstrating how vulnerabilities in dependencies can have cascading security impacts.
These incidents share a common thread: organizations couldn't protect against vulnerabilities in components they didn't know they were using.
The consequences of poorly managed transitive dependencies extend beyond security vulnerabilities.
When emergency remediation is required for vulnerable dependencies, planned development work gets derailed. One of our enterprise customers estimated they lost over 2,000 developer hours in a single quarter to emergency dependency remediation — time that should have been spent building new features.
Regulatory frameworks like the EU Cyber Resilience Act and requirements from the US Executive Order on Cybersecurity now explicitly require software providers to maintain accurate inventory of all components in their applications — including transitive dependencies. Organizations without this visibility face increasing compliance risks.
Transitive dependencies can introduce license terms that conflict with your organization's policies or business model. We've seen companies discover GPL-licensed code in their commercial products through deeply nested dependencies, creating significant legal exposure.
You can see why transitive dependency management is a critical part of software supply chain security. In a future post, you’ll see how to manage your transitive dependencies.
Eager to hear more? Schedule time with a founder to see how the Kusari Platform is unique in finding and fixing the transitive dependencies in your software ecosystem.