Transitive dependencies
Understanding your project's complete dependency tree is crucial for identifying security risks, maintaining code health, and ensuring compatibility across your software stack. That tree includes both direct dependencies (those explicitly declared in your project) and indirect, or transitive, dependencies (the dependencies of your dependencies, and so on down the tree). Stacklok Insight reports both and labels each as direct or indirect, because a vulnerability in a package several levels down affects your project just as much as one in a package you declared yourself.
How Stacklok Insight reports transitive dependencies
When Stacklok Insight ingests a new package, it automatically triggers the dependency ingestion process. This process examines and records all transitive dependencies associated with the package. Because this process can take time, especially for packages with complex dependency trees, you might initially see only a partial list of dependencies in the user interface. If you notice an incomplete dependency list, refresh the page after a short time to view the full set of dependencies.
The dependency list includes the following details about each dependency:
Column | Description |
---|---|
Package | The package name and version. |
Security | Indicates whether Stacklok Insight detected a high-risk security signal on the dependency. |
Activity | The dependency's activity health score, out of 10. |
Vulnerabilities | The number of known vulnerabilities reported on the dependency. |
Relation | Whether the package is a direct or indirect dependency of the current package. |
License | The dependency's license(s). |
Dependencies | A View dependencies link that opens that dependency's own dependency list. |
You can traverse the dependency graph by following the View dependencies link for any dependency, then repeating the step for the dependencies it lists, one level at a time. Note that the Relation column is always relative to the package whose list you are viewing: a dependency that is indirect for your package appears as direct in the list of the package that declares it.
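To make the direct/indirect distinction and the level-by-level traversal concrete, here is an added Python example that is not part of the Stacklok Insight documentation or product. It walks a small dependency graph built inline from hypothetical package names, labels each reachable package direct or indirect relative to a chosen root (the same meaning as the Relation column), records every path by which it is reached, and stops on cycles, which ecosystems such as npm permit. Calling it with a different root mirrors what following a View dependencies link does.

```python
from collections import deque


# Constructed sample dependency graph (hypothetical package names, not real
# ones): each key lists the packages that package declares as dependencies.
# "app" is the package whose dependency list the UI would display. Note the
# cycle url-parser -> http-client, which a naive walk would loop on forever.
GRAPH = {
    "app": ["web-framework", "http-client"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser"],
    "template-engine": ["markup-escape"],
    "url-parser": ["http-client"],
    "markup-escape": [],
}


def resolve_dependencies(graph, root):
    """Breadth-first walk of the dependency graph from root.

    Returns {package: record} for every package reachable from root, where
    record has:
      relation: "direct" if root itself declares it, otherwise "indirect"
      depth:    fewest hops from root (1 for direct dependencies)
      paths:    every acyclic path from root to the package
    A package that root declares directly and that also appears deeper in
    the tree is still reported as direct, as in the Relation column.
    Enumerating all paths is exponential on wide graphs; fine for a demo.
    """
    direct = set(graph.get(root, []))
    records = {}
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        for dep in graph.get(path[-1], []):
            if dep in path:
                continue  # already on this path: a cycle, do not re-enter
            new_path = path + [dep]
            # BFS explores paths in non-decreasing length, so the first
            # sighting of a package fixes its minimum depth.
            rec = records.setdefault(
                dep,
                {
                    "relation": "direct" if dep in direct else "indirect",
                    "depth": len(new_path) - 1,
                    "paths": [],
                },
            )
            rec["paths"].append(new_path)
            queue.append(new_path)
    return records


def dependency_rows(graph, root):
    """Rows in the shape of the dependency list for root:
    (package, relation, depth, number of distinct paths),
    direct dependencies first, then by depth and name."""
    recs = resolve_dependencies(graph, root)
    rows = [
        (pkg, r["relation"], r["depth"], len(r["paths"]))
        for pkg, r in recs.items()
    ]
    rows.sort(key=lambda row: (row[1] != "direct", row[2], row[0]))
    return rows


if __name__ == "__main__":
    print("Dependencies of app:")
    for pkg, relation, depth, n_paths in dependency_rows(GRAPH, "app"):
        print(f"  {pkg:16} {relation:8} depth={depth} paths={n_paths}")
    # Following the "View dependencies" link for web-framework is the same
    # walk with web-framework as the root; url-parser is indirect there too,
    # while http-client is now direct.
    print("Dependencies of web-framework:")
    for pkg, relation, depth, n_paths in dependency_rows(GRAPH, "web-framework"):
        print(f"  {pkg:16} {relation:8} depth={depth} paths={n_paths}")
```

In the sample graph, http-client is both declared by app and pulled in again through web-framework; it is still listed as direct, but its two paths show that removing the direct declaration alone would not remove it from the tree. That is the check worth doing before assuming a dependency with a high-risk signal can simply be dropped.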