Transitive Dependency

All ecosystems
Definition

A transitive dependency is a package you didn't explicitly install but ended up in your project because a package you did install needs it. If your app uses Express, and Express uses a package called qs, then qs is a transitive dependency of your app — even though you never wrote it in your package.json.

Why transitive dependencies matter for security

Most developers know their direct dependencies — the 20 or 30 packages they've actually added to their project. But a typical Node.js application has 500 to 1000 packages in node_modules once all the transitive dependencies are resolved. Most of those are packages you've never heard of, and you're trusting all of them.

When npm audit reports a vulnerability, it's often in a transitive dependency. The CVE is in a package three layers deep that you didn't install and don't use directly. The fix isn't as simple as bumping a version number in your package.json — you need to either update the direct dependency that brings it in, or use an overrides block to force the safe version.

An example

Your app
  └── express 4.17.1 (direct)
        └── qs 6.5.2 (transitive — vulnerable to CVE-2022-24999)
        └── body-parser (transitive)
              └── qs 6.5.2 (transitive, again)

You didn't install qs. You don't use qs directly. But it's in your app twice, both vulnerable. To fix it, you either update express (which ships with a newer qs), or you add an npm overrides block to force a safe version.

How to fix a transitive dependency vulnerability

npm overrides
{
  "overrides": {
    "qs": "6.11.0"
  }
}

PackageFix generates this overrides block automatically when it detects a transitive vulnerability. You don't need to know which package brings it in — just copy the generated override and run npm install.

Common questions

How many transitive dependencies does a typical project have?
A typical Node.js project has 5-30 direct dependencies and anywhere from 100 to 1000+ transitive dependencies. React apps tend to have more because of the build toolchain. A create-react-app project has over 1,800 packages in node_modules.
What's a lockfile's role in transitive dependencies?
The lockfile (package-lock.json, poetry.lock, Gemfile.lock) records the exact resolved versions of every direct and transitive dependency. Without a lockfile, running npm install on different machines or at different times can produce different transitive dependency versions — which means different vulnerability exposure.
Does PackageFix scan transitive dependencies?
Yes — drop your lockfile (package-lock.json for npm, poetry.lock for Python) alongside your manifest into PackageFix. It parses the lockfile to check every resolved transitive dependency, not just the ones in your package.json.
Can I tell npm to ignore a transitive dependency vulnerability?
You can add it to npm's audit ignore list, but this just hides the vulnerability — it doesn't fix it. Use overrides to actually force a safe version.