What are direct and deep dependencies?

Known vulnerabilities can be introduced either via direct or deep dependencies.

• A direct dependency is a package that you’ve included in your own project via package.json or Gemfile.
• A deep dependency, also referred to as an indirect, chained, or transitive dependency, is a package that you are not using directly, but one that is used by one of your direct dependencies.

In other words, if your application is using package A, and package A is using package B, then your application is indirectly depending on package B. If package B is vulnerable, you are vulnerable.