Known vulnerabilities can be introduced from direct dependencies or indirect ("deep" / "chained" / "transitive") dependencies:
- An indirect dependency is a package that your project does not use directly, but is used by one of your direct dependencies. So if your application uses package A, and package A uses package B, then your application indirectly depends on package B. And if package B is vulnerable, your project is vulnerable.
Snyk analyzes the full dependency tree, including all the third-party libraries used, and compares the results to Snyk’s vulnerability database.
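The walk below is an added illustration of the idea above, not Snyk's code or data: it traces every route from the project through its direct dependencies down to a package with a known advisory, so an indirect vulnerability can be attributed to the direct dependency that pulls it in. The dependency tree and the advisory identifiers are constructed placeholders.

```python
from collections import defaultdict

# Constructed resolved dependency tree: package -> packages it depends on.
# "my-app" is the project; everything else is a third-party library.
DEPENDENCY_TREE = {
    "my-app": ["package-a", "package-c"],
    "package-a": ["package-b"],
    "package-b": ["package-d"],
    "package-c": ["package-b"],
    "package-d": [],
}

# Constructed advisory "database": package -> advisory ids (placeholders,
# not real CVE or Snyk identifiers).
VULN_DB = {
    "package-b": ["EXAMPLE-ADVISORY-0001"],
}


def find_vulnerable_paths(tree, vuln_db, root):
    """Return (path, advisory_ids) for every dependency path from `root`
    to a package with an advisory. A package reachable by several routes
    is reported once per route, because each route ends at a different
    direct dependency that may need upgrading."""
    results = []

    def walk(pkg, path):
        for dep in tree.get(pkg, []):
            if dep in path:  # guard against cyclic dependency graphs
                continue
            new_path = path + [dep]
            if dep in vuln_db:
                results.append((new_path, vuln_db[dep]))
            walk(dep, new_path)

    walk(root, [root])
    return results


def direct_dependencies_to_fix(paths):
    """Map each direct dependency (path[1]; path[0] is the project) to the
    advisories it introduces, directly or transitively."""
    fixes = defaultdict(set)
    for path, advisories in paths:
        fixes[path[1]].update(advisories)
    return {dep: sorted(ids) for dep, ids in fixes.items()}


if __name__ == "__main__":
    found = find_vulnerable_paths(DEPENDENCY_TREE, VULN_DB, "my-app")
    for path, advisories in found:
        print(" > ".join(path), "->", ", ".join(advisories))
    print(direct_dependencies_to_fix(found))
```

Running it shows package-b reported twice, once via package-a and once via package-c, which is why fixing a transitive vulnerability can require upgrading more than one direct dependency.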