What are Transitive Dependencies?
Open source components typically are not operational on their own. They often include and depend on the functionality of other open source components in order to function. When talking about dependencies, there are two types: Direct and transitive. Your application makes an initial call to a direct dependency. If the direct dependency requires any outside components for it to function, those outside components are your application’s transitive dependencies.
These types of dependencies are notoriously difficult to remediate. This is because they are not readily accessible to you. Their code base resides with their maintainers, rendering your application entirely, well, dependent upon their work. If the maintainer of one of your transitive dependencies releases a fix, the amount of time before it makes its way up the supply chain to impact your direct dependency could be a while. Things are further complicated if the transitive dependency is utilized by several other components. In this case, there could be an even longer wait as the transitive dependency has even more supply chains to navigate.