
docs: document direct and transitive dependency versions#769

Open
julianosouzanh wants to merge 1 commit into OWASP:main from julianosouzanh:docs/issue-554-remediation-direct-transitive-versions
Open

Conversation

@julianosouzanh


Summary

Adds documentation for the remediation scenario where the same package appears as both a direct dependency and a transitive dependency at different installed versions.

Why this change

The existing How Remediation Works page explains cases where the same package is installed at different versions through different parent packages, but it does not cover the distinct case where one installed version is a declared direct dependency and another version of the same package is introduced transitively.

This documentation clarifies that each installed version should be classified independently. A package version should be treated as direct only when that specific installed version matches the project's declared direct dependency. Otherwise, another installed version with the same package name may still be transitive and should be remediated through the parent dependency path.

What changed

  • Added a new section for direct and transitive versions of the same package
  • Added a Mermaid diagram showing uuid@14.0.0 as a direct dependency and uuid@8.3.2 as a vulnerable transitive dependency
  • Added generated fix command examples showing that remediation should target the parent package, not install another direct version of uuid

Validation

  • Reviewed the updated MDX documentation locally
  • Verified the new section follows the structure of the nearby remediation examples
  • Confirmed this is a documentation-only change

User-facing impact

Does this change:

  • affect scanning behavior
  • affect output formatting
  • affect JSON output
  • affect docs only

Notes

Fixes #554
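The classification rule this PR documents (each installed version judged on its own; "direct" only when that exact version is what the project declares; a vulnerable transitive version fixed through its parent path rather than by installing another copy of the package directly), shown as an added JavaScript example. This is not CVE Lite CLI's code and not part of the PR; the dependency graph is a constructed, simplified stand-in for a lockfile, and all versions except the two uuid versions named in the PR are made up for the example. The function names are hypothetical.

```javascript
// Added example, not CVE Lite CLI's own code. Constructed sample graph in the
// shape of a lockfile: each installed package is keyed "name@version" and
// lists the exact versions it resolved for its own dependencies. The root's
// dependencies are the project's declared direct dependencies.
const sampleGraph = {
  root: {
    name: "app",
    dependencies: {
      uuid: "14.0.0", // direct: this exact version is declared
      nyc: "15.1.0", // version assumed for the example
      codecov: "3.8.3", // version assumed for the example
      "@compodoc/live-server": "1.2.3", // version assumed for the example
    },
  },
  nodes: {
    "uuid@14.0.0": { dependencies: {} },
    "uuid@8.3.2": { dependencies: {} }, // the vulnerable transitive copy
    "nyc@15.1.0": { dependencies: { uuid: "8.3.2" } },
    "codecov@3.8.3": { dependencies: { uuid: "8.3.2" } },
    "@compodoc/live-server@1.2.3": { dependencies: { uuid: "8.3.2" } },
  },
};

const key = (name, version) => `${name}@${version}`;

// Split "name@version"; lastIndexOf keeps scoped names like "@scope/pkg" intact.
function splitKey(k) {
  const at = k.lastIndexOf("@");
  return { name: k.slice(0, at), version: k.slice(at + 1) };
}

// Every root-to-target path as a list of "name@version" strings (root excluded).
function findPaths(graph, targetKey) {
  const paths = [];
  const walk = (deps, trail) => {
    for (const [name, version] of Object.entries(deps)) {
      const k = key(name, version);
      if (trail.includes(k)) continue; // guard against dependency cycles
      const next = [...trail, k];
      if (k === targetKey) paths.push(next);
      const node = graph.nodes[k];
      if (node) walk(node.dependencies, next);
    }
  };
  walk(graph.root.dependencies, []);
  return paths;
}

// Classify each installed version independently. A version is "direct" only
// when that exact version is the one the root declares; any other installed
// version of the same name is "transitive" and keeps its parent paths.
function classifyInstalledVersions(graph) {
  const result = {};
  for (const k of Object.keys(graph.nodes)) {
    const { name, version } = splitKey(k);
    const isDirect = graph.root.dependencies[name] === version;
    result[k] = {
      name,
      version,
      kind: isDirect ? "direct" : "transitive",
      paths: isDirect ? [[k]] : findPaths(graph, k),
    };
  }
  return result;
}

// Decide what to upgrade for a vulnerable installed version: a direct version
// is upgraded in place; a transitive one is remediated through the top-level
// parent of each path, never by installing another direct copy of the package.
function planRemediation(graph, vulnerableKey) {
  const entry = classifyInstalledVersions(graph)[vulnerableKey];
  if (!entry) return { action: "not-installed", targets: [], paths: [] };
  if (entry.kind === "direct") {
    return { action: "upgrade-direct", targets: [entry.name], paths: [] };
  }
  const parents = [...new Set(entry.paths.map((p) => splitKey(p[0]).name))];
  return {
    action: "upgrade-parent",
    targets: parents,
    paths: entry.paths.map((p) => p.join(" > ")),
  };
}

// Stand-alone run: shows both uuid versions classified and the fix plan.
console.log(classifyInstalledVersions(sampleGraph));
console.log(planRemediation(sampleGraph, "uuid@8.3.2"));
```

With this graph, uuid@14.0.0 is classified direct while uuid@8.3.2 is transitive with three parent paths, and the plan for uuid@8.3.2 names nyc, codecov and @compodoc/live-server as upgrade targets rather than uuid itself. Which of several parents a real tool picks first is a separate ranking decision that this example does not make.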

@sonukapoor sonukapoor left a comment

Collaborator


Thanks Juliano - the explanation is accurate and the diagram follows the project's styling conventions well.

Two minor suggestions (not blockers):

  1. uuid@14.0.1 is the current latest - you're using 14.0.0 which exists but is one patch behind. Up to you whether to update it.

  2. The section mentions @compodoc/live-server, nyc, and codecov as parents, but the generated command targets only nyc. Worth adding a sentence like "CVE Lite CLI selects the most actionable upgrade path - in this case nyc - based on the dependency paths it resolves in your lockfile" before the command block. Readers will naturally ask why not the others.

Both are optional - happy to merge as-is if you'd prefer to keep the scope tight.



Development

Successfully merging this pull request may close these issues.

docs: add 'same package, direct and transitive at different versions' scenario to how-remediation-works
