Transitive Dependencies: The Hidden Baggage in Your Code

Think of transitive dependencies as your dependency's dependencies. You add one library, but it pulls in others you didn't explicitly ask for. This happens in any project using a package manager.
Transitive dependencies are the 'plus-ones' at your project's party; you depend on a library, and it brings its own dependencies along. You didn't directly invite them, but they're now part of your software. This is fundamental to package managers like npm or pip, which resolve the entire chain. The footgun: people forget this hidden baggage is part of their attack surface. A vulnerability in a dependency-of-a-dependency is a vulnerability in your application.
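The point above, in code: an added example (not from the original page) that walks a small, constructed dependency graph with the package names and the advisory entry invented for illustration, lists every package the project never declared itself, and reports the chain through which each known-vulnerable package was pulled in. The chain is what a defender needs, because the fix is usually to update or replace the direct dependency at the top of it rather than the buried package. Cycles, which real graphs do contain, are handled by the visited set.

```python
from collections import deque

# Constructed example: the direct dependencies a project declares, plus the
# resolved graph a package manager would produce. Hypothetical package names;
# this is not a real lockfile.
DIRECT_DEPS = {"web-framework", "http-client"}

RESOLVED_GRAPH = {
    "web-framework": ["template-engine", "router"],
    "http-client": ["url-parser"],
    "template-engine": ["html-escape"],
    "router": ["url-parser"],
    "url-parser": ["punycode-compat"],
    "html-escape": [],
    "punycode-compat": [],
}

# Constructed advisory list (hypothetical identifier) mapping package -> issue.
KNOWN_VULNERABLE = {"punycode-compat": "HYPOTHETICAL-ADVISORY-1: example issue"}


def transitive_closure(direct, graph):
    """Return {package: path} for every package reachable from the direct deps.

    The path is the dependency chain that introduced the package; breadth-first
    traversal yields the shortest such chain. Packages already seen are skipped,
    so cycles in the graph terminate.
    """
    paths = {}
    queue = deque()
    for pkg in sorted(direct):
        paths[pkg] = [pkg]
        queue.append(pkg)
    while queue:
        pkg = queue.popleft()
        for child in graph.get(pkg, []):
            if child not in paths:
                paths[child] = paths[pkg] + [child]
                queue.append(child)
    return paths


def hidden_dependencies(direct, graph):
    """Packages in the install set that the project never declared itself."""
    return sorted(set(transitive_closure(direct, graph)) - set(direct))


def vulnerable_paths(direct, graph, advisories):
    """Map each reachable vulnerable package to the chain that pulled it in,
    so the direct dependency responsible can be identified and updated."""
    closure = transitive_closure(direct, graph)
    return {pkg: path for pkg, path in closure.items() if pkg in advisories}


if __name__ == "__main__":
    for pkg in hidden_dependencies(DIRECT_DEPS, RESOLVED_GRAPH):
        print("transitive:", pkg)
    for pkg, path in vulnerable_paths(DIRECT_DEPS, RESOLVED_GRAPH, KNOWN_VULNERABLE).items():
        print(f"{KNOWN_VULNERABLE[pkg]} reached via {' -> '.join(path)}")
```

In practice the graph comes from the package manager's lockfile or its tree command rather than a hand-written dictionary, and the advisory list from a vulnerability database; the traversal is the same.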
Read the original → Wikipedia: Transitive dependency
- #dependencies
- #ci/cd
- #build tools
- #security