Transitive dependencies

Understanding your project's complete dependency tree is crucial for identifying potential security risks, maintaining code health, and ensuring compatibility across your software stack. In this context, transitive dependencies include both direct dependencies (those explicitly declared in a project) and indirect dependencies (the dependencies of your dependencies, at any depth).

How Stacklok Insight reports transitive dependencies

When Stacklok Insight ingests a new package, it automatically triggers the dependency ingestion process. This process examines and records all transitive dependencies associated with the package. Because this process can take time, especially for packages with complex dependency trees, you might initially see only a partial list of dependencies in the user interface. If you notice an incomplete dependency list, refresh the page after a short time to view the full set of dependencies.

The dependency list includes the following details about each dependency:

| Column | Description |
|---|---|
| Package | The package name and version. |
| Security | Indicates whether Stacklok Insight detected a high-risk security signal on the dependency. |
| Activity | The dependency's activity health score, out of 10. |
| Vulnerabilities | The number of known vulnerabilities reported on the dependency. |
| Relation | Whether the package is a direct or indirect dependency of the current package. |
| License | The dependency's license(s). |
| Dependencies | A link to view the dependencies of the package. |

You can traverse the dependency graph by clicking the View dependencies link for a package, then repeating this for each dependency in the result until you reach packages with no further dependencies.
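The Relation column comes from walking exactly this graph. As an added example that is not part of Stacklok Insight's own code, the Python below traverses a constructed dependency graph (hypothetical package names), labels each reachable package as direct or indirect, handles diamonds and cycles, and reports packages whose own dependencies are not yet recorded, which corresponds to the partial-list situation described above.

```python
from collections import deque

# Constructed sample graph (hypothetical packages, not real ones):
# "name@version" -> list of the dependencies that package declares.
# It contains a diamond (lib-c is reached directly and via lib-a) and a
# cycle (lib-d <-> lib-e) so the traversal must cope with both.
SAMPLE_GRAPH = {
    "app@1.0.0": ["lib-a@2.1.0", "lib-b@0.9.0", "lib-c@3.0.0"],
    "lib-a@2.1.0": ["lib-c@3.0.0", "lib-d@1.2.0"],
    "lib-b@0.9.0": ["lib-e@4.4.0"],
    "lib-c@3.0.0": [],
    "lib-d@1.2.0": ["lib-e@4.4.0"],
    "lib-e@4.4.0": ["lib-d@1.2.0"],
}


def transitive_dependencies(graph, root):
    """Return {dependency: relation} for every package reachable from root.

    relation is "direct" for packages the root declares itself and
    "indirect" for packages reached only through another dependency.
    A package that is both declared directly and pulled in transitively
    is reported as direct. The walk is breadth-first, so every package is
    labelled on its shortest path, and the relation dict doubles as the
    visited set that stops the lib-d <-> lib-e cycle from looping forever.
    """
    relation = {}
    queue = deque()
    for dep in graph.get(root, []):
        relation[dep] = "direct"
        queue.append(dep)
    while queue:
        pkg = queue.popleft()
        for child in graph.get(pkg, []):
            if child == root or child in relation:
                continue  # already labelled, or a cycle back to the root
            relation[child] = "indirect"
            queue.append(child)
    return relation


def unresolved(graph, root):
    """Reachable packages that have no entry of their own in graph.

    Their dependencies are unknown, so the tree below them is incomplete:
    the analogue of a dependency list whose ingestion has not finished.
    """
    reachable = transitive_dependencies(graph, root)
    return sorted(dep for dep in reachable if dep not in graph)
```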