The scan reports issues in libraries that aren’t referenced in our code.
These appear to be transitive dependencies pulled in automatically.
I’m unsure whether these should still be treated as real risks.
Even if you don’t call a library directly, it still exists in your runtime environment and contributes to attack surface. Vulnerabilities in transitive dependencies can still be exploitable if an attacker finds a path to trigger them.
That said, not every flagged issue is immediately exploitable. The key is understanding whether the vulnerable code is reachable and under what conditions.
Completely ignoring transitive vulnerabilities increases long-term risk, especially as systems evolve.
Takeaway: Dependency risk extends beyond what your code explicitly uses.
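To make the "is the vulnerable code reachable" question concrete, here is an added example that is not part of the original answer. It is a constructed illustration: a hypothetical three-package mini-ecosystem (`myapp`, its direct dependency `httpclient`, and the transitive dependencies `textparse` and `compresslib`) embedded as source strings, plus constructed scanner findings with placeholder ids. The script rebuilds the import chain that pulled each flagged package in, labels it direct or transitive, and then walks a static call graph from the application's entry point to decide whether the flagged function is reachable at all.

```python
"""Triage of scanner findings in transitive dependencies (constructed example)."""
import ast
from collections import deque

# Constructed sources for hypothetical packages; in a real project you would
# read the installed packages from site-packages or the vendored tree instead.
SOURCES = {
    "myapp": '''
import httpclient

def handle_request(url):
    return httpclient.fetch(url)
''',
    "httpclient": '''
import textparse
import compresslib

def fetch(url):
    body = "HTTP/1.1 200 OK"
    return textparse.parse_headers(body)

def fetch_compressed(url):      # defined, but never called from myapp
    return compresslib.inflate(b"...")
''',
    "textparse": '''
def parse_headers(raw):
    return dict(line.split(": ", 1) for line in raw.splitlines()[1:] if ": " in line)

def parse_cookie(raw):
    return raw
''',
    "compresslib": '''
def inflate(data):
    return data
''',
}

# Constructed scanner output; the ids are placeholders, not real advisories.
FINDINGS = [
    {"id": "FINDING-0001 (placeholder)", "package": "textparse", "function": "parse_headers"},
    {"id": "FINDING-0002 (placeholder)", "package": "textparse", "function": "parse_cookie"},
    {"id": "FINDING-0003 (placeholder)", "package": "compresslib", "function": "inflate"},
    {"id": "FINDING-0004 (placeholder)", "package": "httpclient", "function": "fetch"},
]


def imports_of(name):
    """Top-level module names imported by the given module, taken from its AST."""
    found = set()
    for node in ast.walk(ast.parse(SOURCES[name])):
        if isinstance(node, ast.Import):
            found.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.add(node.module.split(".")[0])
    return found


def dependency_path(root, target):
    """Shortest import chain from root to target (BFS), or None if never pulled in."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for dep in sorted(imports_of(path[-1])):
            if dep in SOURCES and dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return None


def _calls_in(func_node, module, module_imports):
    """Resolve call targets inside one function body to (module, function) pairs."""
    targets = set()
    for node in ast.walk(func_node):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id in module_imports:
            targets.add((f.value.id, f.attr))   # dep.func(...)
        elif isinstance(f, ast.Name):
            targets.add((module, f.id))         # same-module helper(...) or a builtin
    return targets


def call_graph():
    """(module, function) -> set of (module, function) it calls, over all sources."""
    graph = {}
    for module in SOURCES:
        imps = imports_of(module)
        for node in ast.walk(ast.parse(SOURCES[module])):
            if isinstance(node, ast.FunctionDef):
                graph[(module, node.name)] = _calls_in(node, module, imps)
    return graph


def reachable_functions(entry):
    """All (module, function) pairs reachable from entry by following static calls."""
    graph, seen, queue = call_graph(), {entry}, deque([entry])
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee in graph and callee not in seen:   # unknown names (e.g. builtins) are skipped
                seen.add(callee)
                queue.append(callee)
    return seen


def triage(findings, root="myapp", entry=("myapp", "handle_request")):
    """Annotate each finding with how its package was pulled in and whether the
    flagged function is statically reachable from the application's entry point."""
    reachable = reachable_functions(entry)
    results = []
    for f in findings:
        path = dependency_path(root, f["package"])
        kind = "not pulled in" if path is None else ("direct" if len(path) == 2 else "transitive")
        results.append({"id": f["id"], "package": f["package"], "dependency": kind,
                        "path": path, "reachable": (f["package"], f["function"]) in reachable})
    return results


if __name__ == "__main__":
    for row in triage(FINDINGS):
        print(row)
```

Run as a script, the output shows the three patterns the answer describes: `textparse.parse_headers` is transitive yet reachable (`myapp -> httpclient -> textparse`), `textparse.parse_cookie` and `compresslib.inflate` are present in the runtime but never on a call path from the entry point, and `httpclient.fetch` is a direct dependency. Static call reachability from one entry point is a heuristic that under-approximates: dynamic dispatch, plugin loading, other entry points, and future code changes can make an "unreachable" function reachable, so that label justifies lower priority and a follow-up, not ignoring the finding.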