September Livestream - Vulnerabilities: Gone in 30 Days
Register Now
Back to all topics

Learning Center

Transitive Dependencies

What are transitive dependencies?

Transitive dependencies are indirect dependencies that a software project inherits from its direct dependencies. In other words, when a package (A) depends on another package (B), and package B, in turn, depends on package C, package C is a transitive dependency of package A.

For example:

  • Your project depends on Library A (direct dependency)
  • Library A depends on Library B (transitive dependency)
  • Library B depends on Library C (another transitive dependency)

While you may explicitly include on Library A in your project, you are also pulling in Library B and Library C, often without director control or visibility over them.

While minimizing dependencies is generally good practice, completely avoiding transitive dependencies isn't feasible in modern development. The efficiency gains from using established libraries far outweigh the alternative of writing everything from scratch. The key is managing these dependencies effectively rather than trying to eliminate them. Organizations need to actively map, monitor, and manage these dependencies to reduce vulnerabilities and enhance software security.

Why are transitive dependencies matter for security and uniquely challenging?

Transitive dependencies represent a significant portion of your software supply chain - often making up 80-90% of your application's code. Most enterprise applications contain hundreds to thousands of transitive dependencies. We've seen applications with as few as 200 and as many as 20,000+ dependencies, with transitive dependencies typically accounting for more than 90% of that total. They are especially difficult to manage because the scale continues to grow, many tools do not provide the visibility needed and updating them is not something you can control. In speaking with customers, we often learn that security teams are only scanning for direct dependencies  -  this is often a single digit percentage of the attack surface. According to research from the Linux Foundation, the typical enterprise application may only contain 10-20% custom code, with the rest coming from open source and third-party dependencies.

This dependency tree creates several important security and operational challenges:

1. Expanded attack surface

Each transitive dependency increases your application's attack surface. A single vulnerable component deep in your dependency tree can compromise your entire application, as attackers focus on finding the weakest link in the supply chain.

2. Limited visibility

Traditional dependency management tools often focus only on direct dependencies or display flat lists that hide the crucial relationships between components. This leaves security teams with blind spots:

  • Which of your applications use a vulnerable component?
  • Through which path does that component enter your application?
  • Is the vulnerable code actually reachable in your specific implementation?

Without these insights, teams can't effectively manage dependencies and waste resources fixing theoretical issues while missing exposure.

3. Version conflicts and compatibility issues

Transitive dependencies can introduce complex dependency resolution problems. When a vulnerability is discovered in a transitive dependency, updating isn't always straightforward. Different direct dependencies might require different versions of the same transitive dependency. Plus, you typically can't update the transitive dependency directly  -  you need to update the direct dependency that pulls it in.

But what if:

  • Multiple direct dependencies pull in different versions of the same component?
  • The direct dependency hasn't been updated to use the fixed version?
  • Updating the direct dependency breaks compatibility with other components?

These scenarios create "dependency hell" situations like breaking builds or causing runtime issues that can paralyze development teams.

4. License compliance risks

Open source components come with license obligations. Transitive dependencies might introduce incompatible licenses into your software, potentially creating legal liability if not properly managed and disclosed.

5. Supply chain vulnerability propagation

When a security vulnerability is discovered in a widely-used transitive dependency (like Log4Shell in Log4j), the impact can cascade throughout the entire software ecosystem, affecting thousands of applications simultaneously.

Why you should care about transitive dependencies

The implications of unmanaged transitive dependencies extend beyond technical concerns to directly impact your business:

Security breaches can be catastrophic

The SolarWinds attack in 2020 demonstrated how compromised dependencies can lead to massive security breaches. The attackers inserted malicious code into a trusted component that was then distributed to thousands of organizations through normal update channels.

Compliance requirements are increasing

Regulations like the EU Cyber Resilience Act and US Executive Order 14028 increasingly mandate software supply chain transparency. Organizations must account for all components in their software, including transitive dependencies, to meet these requirements.

Development velocity and application performance suffers

When security vulnerabilities or compatibility issues in transitive dependencies cause production incidents, developer time gets diverted from feature development to emergency remediation. Proactive management reduces these disruptive events. Beyond security implications, excessive or duplicated dependencies can impact application size, startup time, and runtime performance. Proper dependency management helps identify opportunities to optimize your dependency tree, potentially improving application performance.

Reputation damage is real

Customers and partners are increasingly aware of software supply chain risks. Security incidents stemming from unmanaged dependencies can damage your reputation and erode trust in your products.

The problem is growing exponentially

As software continues to be built on layers of abstraction, the number of transitive dependencies in typical applications continues to grow. What was once a manageable problem has become a complex challenge requiring dedicated attention.

The recursive nature of the problem

Securing transitive dependencies is particularly challenging because of their recursive nature. Consider this common scenario:

  • Your application depends on 10 direct dependencies
  • Each direct dependency has an average of 15 dependencies
  • Each of those dependencies has another 15 dependencies

This creates a dependency tree with potentially thousands of packages, all of which could introduce vulnerabilities, license issues, or compatibility problems.

Many organizations struggle with:

  • Depth of analysis: Most tools only scan dependencies one or two levels deep
  • Update challenges: Fixing a vulnerability might require updating multiple dependencies in sequence
  • Compatibility testing: Ensuring updates don't break functionality across complex dependency chains
  • Maintenance overhead: Tracking security advisories across hundreds or thousands of dependencies

Why Kusari is different

Kusari takes a fundamentally different approach to managing transitive dependencies within your software supply chain:

Complete dependency visualization

Unlike solutions that provide flat lists or limited dependency views, Kusari creates a comprehensive visualization of your entire dependency graph - including all transitive dependencies - giving you complete visibility across your software ecosystem.

Intelligent dependency analysis

Kusari doesn't just identify dependencies; it analyzes them in context. Our platform evaluates:

  • The true reachability of vulnerabilities within your specific application
  • The actual usage patterns of each component
  • The risk profile based on both the severity of vulnerabilities and the likelihood of exploitation

Proactive risk reduction

Kusari helps you address transitive dependency risks before they become problems:

  • Identifying abandoned or poorly maintained dependencies that pose future risk
  • Flagging license compliance issues hidden in your dependency tree
  • Recommending safer alternatives when high-risk dependencies are detected
  • Providing actionable remediation paths with minimal impact to your application

Continuous monitoring and alerts

Software dependencies change constantly. Kusari continuously monitors your dependency ecosystem to:

  • Alert you to newly discovered vulnerabilities in your dependency tree
  • Identify when dependencies are updated or changed
  • Track security health metrics over time
  • Provide early warning of potentially problematic dependencies

Integration with your existing workflow

Kusari seamlessly integrates with your development processes:

  • CI/CD pipeline integration ensures new dependencies are evaluated before deployment
  • Developer-friendly interfaces help engineering teams understand and address issues
  • API-driven architecture allows for custom integrations with your existing tools
  • Automated reporting keeps stakeholders informed about supply chain health

Taking control of your transitive dependencies

Effectively managing transitive dependencies requires a comprehensive approach:

  1. Generate SBOMs during build processes to capture a complete inventory of all components
  2. Validate the accuracy and completeness of your dependency information
  3. Analyze dependencies for vulnerabilities, license issues, and maintenance concerns
  4. Remediate identified issues with a risk-based approach
  5. Monitor your dependency tree for changes over time
  6. Share dependency information with relevant stakeholders

How often should an organization audit its transitive dependencies?

Vulnerability databases update constantly, with dozens of new CVEs published daily. Rather than periodic audits, we recommend continuous monitoring that alerts you when new vulnerabilities affect your specific dependency graph. This approach ensures you're aware of new risks as soon as they're discovered.

What's the most effective way to remediate vulnerable transitive dependencies?

The optimal remediation strategy depends on your specific dependency graph. Options include:

  • Updating the direct dependency that pulls in the vulnerable component
  • Replacing the direct dependency with an alternative that doesn't use the vulnerable component
  • Adding dependency constraints to force use of a safe version
  • In some cases, forking and fixing the vulnerable dependency

Kusari can help identify the most efficient remediation path based on your specific dependency structure. In fact, with the Kusari Platform, you can implement this full lifecycle approach to transitive dependency management, giving you confidence in your software supply chain security.

To learn more about how Kusari can help secure your software supply chain and manage transitive dependencies, request a demo or contact our team today.

Want to learn more about Kusari?

About KusariResourcesContactCareersCompany Logos

© 2025 Kusari Inc. All rights reserved.

Terms
Privacy
Cookies