Glossary

Transitive Dependency

What Is a Transitive Dependency?

A transitive dependency is a software component that an application includes indirectly — pulled in not by the developer's own code, but by another dependency that itself depends on it, often through multiple layers of nested relationships.

Most of the open-source code inside a typical application is transitive. A developer adds one direct dependency; that library brings its own dependencies; those bring more. The result is dependency graphs containing hundreds or thousands of components — most of which the development team has never explicitly chosen. Transitive dependencies are where most supply chain risk hides, and where most blast radius is hardest to scope.

NetRise Provenance maps direct and transitive dependency relationships explicitly, so teams can see how far a compromised package can reach into their products and environments.
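To make the two ideas above concrete (how a handful of direct dependencies fans out into a much larger transitive set, and how far one compromised package reaches back up the graph), here is an added Python example. It is not code from this page or from NetRise Provenance; the dependency graph and package names are constructed for illustration and do not correspond to any real packages. The functions compute a project's full transitive dependency set, the "blast radius" of a single package (everything that depends on it, directly or indirectly), and the concrete dependency paths that explain which direct dependency introduced a given transitive one. Cycles, which real dependency graphs do contain, are handled.

```python
# Constructed example dependency graph (not a real project's lockfile).
# Each key is a package; the value lists the packages it depends on directly.
DEP_GRAPH = {
    "my-app": ["web-framework", "http-client"],
    "web-framework": ["template-engine", "router"],
    "http-client": ["url-parser", "tls-wrapper"],
    "template-engine": ["string-utils"],
    "router": ["string-utils", "path-matcher"],
    "url-parser": ["string-utils"],
    "tls-wrapper": [],
    "string-utils": [],
    "path-matcher": ["string-utils"],
}


def direct_dependencies(graph, package):
    """Packages the developer chose explicitly for `package`."""
    return set(graph.get(package, ()))


def transitive_dependencies(graph, package):
    """Every package reachable from `package`, excluding itself.

    Iterative depth-first traversal with a visited set, so cyclic
    dependency graphs terminate.
    """
    seen = set()
    stack = list(graph.get(package, ()))
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(graph.get(dep, ()))
    seen.discard(package)
    return seen


def reverse_graph(graph):
    """Invert the edges: for each package, the set of packages that depend on it."""
    rev = {pkg: set() for pkg in graph}
    for pkg, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def blast_radius(graph, package):
    """Packages affected if `package` is compromised: everything that
    depends on it, through any number of layers."""
    return transitive_dependencies(reverse_graph(graph), package)


def dependency_paths(graph, root, target):
    """All simple paths root -> ... -> target.

    The second element of each path is the direct dependency through
    which `target` entered the tree.
    """
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, ()):
            if dep not in path:  # do not revisit a node on the current path
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


def introducing_direct_dependencies(graph, root, target):
    """Which of root's direct dependencies are responsible for pulling in target."""
    return sorted({p[1] for p in dependency_paths(graph, root, target) if len(p) > 1})


if __name__ == "__main__":
    root = "my-app"
    direct = direct_dependencies(DEP_GRAPH, root)
    everything = transitive_dependencies(DEP_GRAPH, root)
    print(f"{root}: {len(direct)} direct, {len(everything)} total reachable packages")
    print(f"transitive only: {sorted(everything - direct)}")
    compromised = "string-utils"
    print(f"blast radius of {compromised}: {sorted(blast_radius(DEP_GRAPH, compromised))}")
    for path in dependency_paths(DEP_GRAPH, root, compromised):
        print("  " + " -> ".join(path))
```

In the constructed graph, the application declares two direct dependencies but ends up with eight packages in its tree, and a compromise of `string-utils` reaches seven packages including the application itself through four distinct paths. The same traversal applies unchanged to a graph parsed from a real lockfile or SBOM, which is the data a tool such as the one described above would operate on.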

Related Terms

Direct Dependency · Statically Linked Dependency · Blast Radius · Open Source Software · Software Supply Chain Attack · Typosquatting and Dependency Confusion