Check dependencies for security vulnerabilities and outdated packages. Part of the DevTools Surf developer suite.
Use Cases
Audit npm, pip, or gem dependencies for known CVEs before deploying
Identify transitive dependencies with critical vulnerabilities
Track which packages have available security patches
Generate a software bill of materials (SBOM) for compliance requirements
Tips
Paste your package.json, requirements.txt, or Gemfile — the checker scans all listed packages against vulnerability databases (OSV, GHSA, NVD)
Filter results by severity (Critical, High, Medium, Low) to prioritize patches — not all vulnerabilities require immediate action
Use the 'outdated packages' tab separately from vulnerabilities — some outdated packages are secure but miss performance improvements or API updates
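As an added example (not the DevTools Surf tool's own code), the Python script below does the manifest-to-scan step the tips describe, offline: it parses a package.json and a requirements.txt into (ecosystem, name, version) triples, builds the request body the public OSV API expects at POST /v1/querybatch, matches the parsed versions against a constructed advisory list that mirrors OSV's introduced/fixed range shape, and buckets hits by CVSS so they can be filtered by severity. The manifest contents, the EXAMPLE-… advisory IDs and the scores are constructed; note that unpinned ranges such as `pyyaml>=5.4` are skipped, which is why a lockfile gives a scanner better input than a manifest.

```python
"""Parse dependency manifests, build an OSV batch query, match advisories offline.

Added example, not DevTools Surf code. Manifests and advisories below are
constructed; the query body follows the public api.osv.dev /v1/querybatch schema.
"""
import json
import re

# --- constructed sample manifests -------------------------------------------
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"lodash": "4.17.15", "express": "^4.18.2"},
  "devDependencies": {"jest": "~29.7.0"}
}"""

REQUIREMENTS_TXT = """requests==2.19.0
# a comment line
pyyaml>=5.4   # a range, not a pin: it cannot be matched to one exact version
"""


def parse_package_json(text):
    """Yield (ecosystem, name, version) from the dependency maps of package.json."""
    data = json.loads(text)
    for field in ("dependencies", "devDependencies"):
        for name, spec in data.get(field, {}).items():
            # Strip range operators; the lowest version the range admits is what we scan.
            yield ("npm", name, spec.lstrip("^~>=<"))


def parse_requirements(text):
    """Yield (ecosystem, name, version) for exactly pinned (==) lines only."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][^\s;]*)$", line)
        if m:
            yield ("PyPI", m.group(1).lower(), m.group(2))


def build_osv_batch(deps):
    """Body for POST https://api.osv.dev/v1/querybatch (one query per package)."""
    return {"queries": [{"package": {"name": n, "ecosystem": e}, "version": v}
                        for e, n, v in deps]}


def version_key(version):
    """Crude numeric comparison key; enough for the dotted versions used here."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


# Constructed advisories in an OSV-like shape: affected from `introduced` up to
# (not including) `fixed`. IDs are placeholders, not real advisory identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": ("npm", "lodash"),
     "introduced": "0", "fixed": "4.17.19", "cvss": 9.1},
    {"id": "EXAMPLE-0002", "package": ("PyPI", "requests"),
     "introduced": "0", "fixed": "2.20.0", "cvss": 5.3},
    {"id": "EXAMPLE-0003", "package": ("npm", "express"),
     "introduced": "0", "fixed": "4.0.0", "cvss": 7.5},
]


def match_advisories(deps, advisories=ADVISORIES):
    """Return one hit per (package, advisory) whose range contains the version."""
    hits = []
    for eco, name, version in deps:
        for adv in advisories:
            if adv["package"] != (eco, name):
                continue
            if version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
                hits.append({"package": name, "version": version, "id": adv["id"],
                             "cvss": adv["cvss"], "fixed": adv["fixed"]})
    return hits


def severity_bucket(cvss):
    """CVSS v3 qualitative bands: Critical 9.0+, High 7.0+, Medium 4.0+, else Low."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def filter_by_severity(hits, minimum="High"):
    """Keep hits at or above the given band, like the checker's severity filter."""
    order = ["Low", "Medium", "High", "Critical"]
    return [h for h in hits if order.index(severity_bucket(h["cvss"])) >= order.index(minimum)]


def scan():
    deps = list(parse_package_json(PACKAGE_JSON)) + list(parse_requirements(REQUIREMENTS_TXT))
    return deps, build_osv_batch(deps), match_advisories(deps)


if __name__ == "__main__":
    deps, batch, hits = scan()
    print(json.dumps(batch, indent=2))
    for h in filter_by_severity(hits, "Medium"):
        print(f"{severity_bucket(h['cvss']):8} {h['package']}@{h['version']} -> fixed in {h['fixed']} ({h['id']})")
```

Replacing the constructed `ADVISORIES` with the `results[].vulns` returned by OSV for the same batch is the only change needed to turn this into a live scan.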
Fun Facts
The npm registry hosts over 2.1 million packages as of 2024 — the largest software package repository in the world by number of packages. The average Node.js application has 1,000+ transitive dependencies when all nested dependencies are counted.
The 'left-pad incident' of 2016 saw a developer unpublish an 11-line npm package, breaking thousands of builds including React and Babel. npm responded by preventing unpublishing of packages with over 50 weekly downloads — changing the governance model for the entire ecosystem.
The Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j received a CVSS score of 10.0 — the maximum. It affected millions of Java applications and took 18 months to fully remediate across the ecosystem. Dependency scanners detected it within hours of disclosure.
FAQ
What is a transitive dependency vulnerability?
A transitive (indirect) dependency is a package that one of your direct dependencies pulls in, so it ends up in your dependency tree even though you never import it yourself. If that package has a vulnerability, your application is affected even though you never explicitly chose to use it. Most modern vulnerabilities are in transitive dependencies.
Should I update all dependencies immediately when a CVE is published?
Prioritize by severity and exploitability. CVSS 9.0+ with public exploits: patch within 24-72 hours. CVSS 7.0-8.9: within 1-2 weeks. Below 7.0: evaluate whether the vulnerable code path is reachable in your application. Not all CVEs affect all usage patterns.
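To show the prioritization rule above as something a pipeline can run, here is an added Python example (not the DevTools Surf tool's code). It assigns each finding a patch window from its CVSS score and public-exploit status, and for the below-7.0 band it performs the reachability question in its crudest form: does any application source file import the vulnerable package at all. The source files, findings and scores are constructed; the 24-72 hour and 1-2 week windows come from the answer above, while the P0-P3 labels, the placement of 9.0+ findings without a public exploit in the 1-2 week band, and the P2/P3 wording are this example's own assumptions.

```python
"""Triage findings by CVSS, exploit status and an import-level reachability check.

Added example, not DevTools Surf code. Sources and findings are constructed.
The import check only answers "does my own code import this package"; for a
transitive package the real question is whether the direct dependency that
pulls it in calls the vulnerable function, which needs call-graph analysis.
"""
import re

# Constructed application sources, keyed by path.
SOURCES = {
    "src/server.js": "const express = require('express');\nconst _ = require('lodash');\n",
    "src/report.py": "import requests\nfrom yaml import safe_load\n",
}

# PyPI distribution names often differ from the module you actually import.
IMPORT_NAME = {"pyyaml": "yaml", "beautifulsoup4": "bs4", "pillow": "PIL"}

# The name must be followed by a quote or a "/" so that lodash does not match lodash-es.
IMPORT_PATTERNS = {
    "npm": [r"require\(['\"]{name}(?:/|['\"])", r"from\s+['\"]{name}(?:/|['\"])"],
    "PyPI": [r"^\s*import\s+{name}\b", r"^\s*from\s+{name}\b"],
}


def is_imported(ecosystem, package, sources=SOURCES):
    """True if any source file imports the package directly (heuristic, no call graph)."""
    module = IMPORT_NAME.get(package.lower(), package) if ecosystem == "PyPI" else package
    patterns = [re.compile(p.format(name=re.escape(module)), re.M)
                for p in IMPORT_PATTERNS[ecosystem]]
    return any(p.search(text) for text in sources.values() for p in patterns)


def patch_window(cvss, public_exploit, reachable):
    """Map a finding to a priority label and action (labels are this example's own)."""
    if cvss >= 9.0 and public_exploit:
        return "P0", "patch within 24-72 hours"
    if cvss >= 7.0:  # assumption: 9.0+ without a public exploit is treated like 7.0-8.9
        return "P1", "patch within 1-2 weeks"
    if reachable:
        return "P2", "package is imported; confirm the vulnerable code path and schedule the fix"
    return "P3", "not imported anywhere; track for the next routine upgrade"


# Constructed findings (scores and exploit flags are illustrative).
FINDINGS = [
    {"ecosystem": "npm", "package": "lodash", "cvss": 9.1, "public_exploit": True},
    {"ecosystem": "npm", "package": "express", "cvss": 7.5, "public_exploit": False},
    {"ecosystem": "PyPI", "package": "pyyaml", "cvss": 6.5, "public_exploit": False},
    {"ecosystem": "npm", "package": "jest", "cvss": 4.0, "public_exploit": False},
]


def triage(findings=FINDINGS, sources=SOURCES):
    """Annotate each finding with reachability, priority and action; most urgent first."""
    rows = []
    for f in findings:
        reachable = is_imported(f["ecosystem"], f["package"], sources)
        priority, action = patch_window(f["cvss"], f["public_exploit"], reachable)
        rows.append({**f, "reachable": reachable, "priority": priority, "action": action})
    return sorted(rows, key=lambda r: r["priority"])


if __name__ == "__main__":
    for r in triage():
        print(f"{r['priority']} {r['package']:8} cvss={r['cvss']} imported={r['reachable']}: {r['action']}")
```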
What is a software bill of materials (SBOM)?
An SBOM is a complete inventory of all software components and dependencies in an application, including their versions and licenses. US Executive Order 14028 (2021) made SBOMs mandatory for software sold to federal agencies, driving adoption across the industry.
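The two FAQ answers on transitive dependencies and SBOMs come together in a lockfile walk, shown here as an added Python example rather than the DevTools Surf tool's own code. It reads a package-lock.json (lockfileVersion 3 layout, where keys under "packages" mirror the node_modules tree), resolves each dependency the way Node does (nearest node_modules/<name> walking upward), records every package's depth and the chain that pulled it in, and emits a minimal CycloneDX 1.5 document with components, package-url identifiers and the dependency graph. The lockfile is constructed; the CycloneDX field names and purl format are the public specifications.

```python
"""Walk a package-lock.json, separate direct from transitive packages, emit CycloneDX.

Added example, not DevTools Surf code. LOCK is a constructed lockfile; the
CycloneDX fields follow the 1.5 schema and purls follow the package-url spec.
"""
import json
from urllib.parse import quote

# Constructed lockfile. node_modules/express/node_modules/debug is a second,
# older copy of debug that only express sees; the top-level debug is ours.
LOCK = {
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"express": "^4.18.2", "debug": "^4.3.4"}},
        "node_modules/express": {"version": "4.18.2", "dependencies": {"debug": "2.6.9"}},
        "node_modules/express/node_modules/debug": {"version": "2.6.9", "dependencies": {"ms": "2.0.0"}},
        "node_modules/express/node_modules/ms": {"version": "2.0.0"},
        "node_modules/debug": {"version": "4.3.4", "dependencies": {"ms": "2.1.2"}},
        "node_modules/ms": {"version": "2.1.2"},
    },
}


def resolve(packages, from_path, dep):
    """Mimic Node's lookup: nearest node_modules/<dep> walking up from from_path."""
    here = from_path
    while True:
        candidate = f"{here}/node_modules/{dep}" if here else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not here:
            return None
        # Step up one package level by dropping the trailing "/node_modules/<x>".
        here = here.rsplit("/node_modules/", 1)[0] if "/node_modules/" in here else ""


def walk(lock):
    """Breadth-first walk from the root: {lock path: name, version, depth, via-chain}."""
    packages = lock["packages"]
    resolved = {}
    queue = [("", 0, [])]
    while queue:
        path, depth, chain = queue.pop(0)
        for dep in packages[path].get("dependencies", {}):  # devDependencies ignored here
            target = resolve(packages, path, dep)
            if target is None or target in resolved:
                continue
            resolved[target] = {"name": dep, "version": packages[target]["version"],
                                "depth": depth + 1, "via": chain + [dep]}
            queue.append((target, depth + 1, chain + [dep]))
    return resolved


def transitive(resolved):
    """Packages you never listed yourself (depth >= 2), deepest first."""
    return sorted((i for i in resolved.values() if i["depth"] >= 2), key=lambda i: -i["depth"])


def purl(name, version):
    """package-url for npm; a scope's "@" must be percent-encoded (pkg:npm/%40scope/name@v)."""
    return f"pkg:npm/{quote(name, safe='/')}@{version}"


def build_sbom(lock, resolved):
    """Minimal CycloneDX 1.5 document: metadata, components and dependency graph."""
    packages = lock["packages"]
    root = packages[""]
    root_ref = purl(root["name"], root["version"])
    ref_of = {path: purl(i["name"], i["version"]) for path, i in resolved.items()}
    components = [{"type": "library", "bom-ref": ref, "name": resolved[p]["name"],
                   "version": resolved[p]["version"], "purl": ref} for p, ref in ref_of.items()]
    dependencies = []
    for path, ref in [("", root_ref)] + list(ref_of.items()):
        targets = [resolve(packages, path, d) for d in packages[path].get("dependencies", {})]
        dependencies.append({"ref": ref,
                             "dependsOn": sorted(ref_of[t] for t in targets if t in ref_of)})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "bom-ref": root_ref,
                                       "name": root["name"], "version": root["version"]}},
            "components": components, "dependencies": dependencies}


if __name__ == "__main__":
    resolved = walk(LOCK)
    for info in transitive(resolved):
        print(f"{info['name']}@{info['version']}  depth={info['depth']}  via {' > '.join(info['via'])}")
    print(json.dumps(build_sbom(LOCK, resolved), indent=2))
```

The `via` chain is what you need when a scanner flags a package you have never heard of: it tells you which direct dependency to upgrade, and the SBOM's `dependencies` graph carries the same information in a form that compliance tooling can ingest.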