docs: document direct and transitive dependency versions #769
Open
julianosouzanh wants to merge 1 commit into
Conversation
sonukapoor (Collaborator) approved these changes on Jun 29, 2026 and left a comment:
Thanks Juliano - the explanation is accurate and the diagram follows the project's styling conventions well.
Two minor suggestions (not blockers):
- uuid@14.0.1 is the current latest - you're using 14.0.0 which exists but is one patch behind. Up to you whether to update it.
- The section mentions @compodoc/live-server, nyc, and codecov as parents, but the generated command targets only nyc. Worth adding a sentence like "CVE Lite CLI selects the most actionable upgrade path - in this case nyc - based on the dependency paths it resolves in your lockfile" before the command block. Readers will naturally ask why not the others.
Both are optional - happy to merge as-is if you'd prefer to keep the scope tight.
Summary
Adds documentation for the remediation scenario where the same package appears as both a direct dependency and a transitive dependency at different installed versions.
Why this change
The existing How Remediation Works page explains cases where the same package is installed at different versions through different parent packages, but it does not cover the distinct case where one installed version is a declared direct dependency and another version of the same package is introduced transitively.
This documentation clarifies that each installed version should be classified independently. A package version should be treated as direct only when that specific installed version matches the project's declared direct dependency. Otherwise, another installed version with the same package name may still be transitive and should be remediated through the parent dependency path.
What changed
Validation
User-facing impact
Does this change:
Notes
Fixes #554
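The classification rule described in this PR (each installed copy judged on its own; "direct" only when the root manifest declares the package and root resolution lands on that exact copy, every other copy transitive and tied to its parent path) as an added example that is not CVE Lite CLI code. It assumes an npm lockfile v2/v3 "packages" map; LOCK and its version numbers are constructed.

```javascript
// Added example, not CVE Lite CLI code. LOCK is a constructed npm lockfile
// (v2/v3 "packages" map); all versions are sample values.
const LOCK = {
  packages: {
    "": { dependencies: { uuid: "^14.0.0" }, devDependencies: { nyc: "^15.0.0" } },
    "node_modules/uuid": { version: "14.0.0" },
    "node_modules/nyc": { version: "15.0.0", dependencies: { uuid: "^8.0.0", semver: "^7.0.0" } },
    "node_modules/nyc/node_modules/uuid": { version: "8.3.2" },
    "node_modules/semver": { version: "7.0.0" }, // hoisted to top level, but not declared at root
  },
};

// Node-style resolution: look in <fromPath>/node_modules/<name>, then walk up
// one install level at a time until the root's node_modules has been checked.
function resolveFrom(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    base = base.replace(/(^|\/)node_modules\/(@[^/]+\/)?[^/]+$/, "");
  }
}

function isCopyOf(path, name) {
  return path === "node_modules/" + name || path.endsWith("/node_modules/" + name);
}

// One record per installed copy of `name`: { path, version, kind, parents }.
// A copy is "direct" only if the root declares `name` AND root resolution
// lands on that copy; a hoisted copy the root never declared stays transitive.
function classify(lock, name) {
  const root = lock.packages[""];
  const declared = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const directPath = name in declared ? resolveFrom(lock, "", name) : null;
  const entries = Object.entries(lock.packages).filter(([p]) => p !== "");
  return entries
    .filter(([p]) => isCopyOf(p, name))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      kind: path === directPath ? "direct" : "transitive",
      // parents: installed packages whose dependency on `name` resolves to this copy
      parents: entries
        .filter(([p, m]) => m.dependencies && name in m.dependencies && resolveFrom(lock, p, name) === path)
        .map(([p]) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length)),
    }));
}
```

Running classify(LOCK, "uuid") reports the 14.0.0 copy as direct and the 8.3.2 copy as transitive via nyc, while classify(LOCK, "semver") reports the hoisted top-level copy as transitive via nyc because the root never declared it.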