What are direct and deep dependencies?

Known vulnerabilities can be introduced either via direct or deep dependencies.

  • A direct dependency is a package that you declare yourself in your project's manifest, such as package.json or a Gemfile.
  • A deep dependency, also referred to as an indirect, chained, or transitive dependency, is a package that you never declare directly, but that is pulled in by one of your direct dependencies (or by their dependencies, at any depth).

In other words, if your application is using package A, and package A is using package B, then your application is indirectly depending on package B. And if package B has a known vulnerability, your application carries that vulnerability too, even though B appears nowhere in your own manifest. Fixing it usually means upgrading or replacing the direct dependency that brought B in, so it matters to know which chain introduced it.
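The A uses B chain above, as an added example that is not part of the original page: the script below walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3), resolves each dependency the way npm does (nearest nested node_modules first, then up the tree), and prints every chain from the application to a given package name, labelling it direct or deep. The lockfile fragment, the package names and the versions are constructed for illustration and do not describe real packages or real vulnerabilities.

```javascript
// Added example: trace which direct dependency introduced a (possibly deep)
// dependency by walking a package-lock.json v2/v3 "packages" map.

// Constructed sample lockfile fragment (not a real project). The app depends
// directly on "web-framework" and "logger". "logger" uses "ansi-colors" 4.x,
// while "web-framework" pulls in "body-parser", which nests its own copy of
// "ansi-colors" 3.x. Names and versions are invented.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "web-framework": "^4.0.0", logger: "^2.1.0" },
    },
    "node_modules/web-framework": {
      version: "4.2.0",
      dependencies: { "body-parser": "^1.20.0" },
    },
    "node_modules/body-parser": {
      version: "1.20.1",
      dependencies: { "ansi-colors": "^3.0.0" },
    },
    "node_modules/body-parser/node_modules/ansi-colors": {
      version: "3.2.4",
    },
    "node_modules/logger": {
      version: "2.1.3",
      dependencies: { "ansi-colors": "^4.0.0" },
    },
    "node_modules/ansi-colors": {
      version: "4.1.1",
    },
  },
};

// npm resolves a dependency of the package installed at `fromPath` by looking
// in that package's own nested node_modules first, then walking up one
// node_modules level at a time until it reaches the project root ("").
function resolveDependency(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate =
      base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed anywhere (broken lockfile)
    // Drop the trailing "/node_modules/<name>" segment to move one level up.
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package (path "") that collects every chain
// of "name@version" entries ending at `target`. `seen` holds the install paths
// on the current chain only, so cycles stop but diamonds are still reported.
function findChains(packages, target) {
  const chains = [];
  const walk = (path, chain, seen) => {
    const deps = packages[path].dependencies || {};
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDependency(packages, path, depName);
      if (!depPath || seen.has(depPath)) continue;
      const next = [...chain, `${depName}@${packages[depPath].version}`];
      if (depName === target) chains.push(next);
      walk(depPath, next, new Set([...seen, depPath]));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// A chain of length 1 means the target is a direct dependency; anything
// longer is a deep dependency, and chain[0] is the direct dependency you
// would have to upgrade or replace to get rid of it.
function classify(chains) {
  return chains.map((chain) => ({
    kind: chain.length === 1 ? "direct" : "deep",
    introducedBy: chain[0],
    chain: chain.join(" > "),
  }));
}

for (const r of classify(findChains(lockfile.packages, "ansi-colors"))) {
  console.log(`${r.kind.padEnd(6)} via ${r.introducedBy}: ${r.chain}`);
}
```

Note that the same package name appears twice in the constructed lockfile at two different versions (3.2.4 nested under body-parser, 4.1.1 hoisted to the root). An advisory normally applies to a version range, so when you act on the report, check the version at the end of each chain rather than the name alone: one chain may need a fix while the other is already clean.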