Transitive dependencies are exponentially increasing open source software risk

Mike McGuire

Authored by Mike McGuire

Jun 09, 2025 / 3 min read

Table of Contents

As developers rely more and more on open source components to build software, the number of transitive dependencies increases significantly. These “hidden” dependencies can create complex dependency chains that are difficult to detect, manage, and test for security vulnerabilities and license conflicts.

How transitive dependencies increase software size and complexity

The size and complexity of open source projects show no signs of abating anytime soon. The 2025 “Open Source Security and Risk Analysis” (OSSRA) report reveals that the average open source project now includes over 1,200 dependencies—a 30% increase from the previous year—and exceeds 100 MB in size. Transitive dependencies are the largest driver of the exponential growth in open source dependencies, and they contribute heavily to the growth in the sheer size of projects as well.

Key stats on transitive dependency risk

This year’s OSSRA report includes several other key findings that also highlight the prevalence of transitive dependencies and their impact.

  • Prevalence: 64% of the open source components identified in the OSSRA report were transitive dependencies
  • Complexity: The number of open source files in the average application has tripled since 2020
  • Security risks: 81% of codebases contain high- or critical-risk vulnerabilities, nearly half of which are introduced by transitive dependencies
  • License conflicts: 56% of codebases have license conflicts, the majority caused by incompatible transitive dependencies

These issues require organizations to adopt robust management practices to mitigate risks and leverage the advantages that open source provides.

How transitive dependencies enter applications

When a developer adds a library or package to a project, that library likely relies on additional libraries and packages to function properly. This creates a chain of dependencies in which third-party, fourth-party, and “nth-party” code becomes part of software. The complexity of this dependency graph is what makes it so challenging to detect, manage, and test all parts of an application.

Several factors contribute to the complexity of managing transitive dependencies.

  • Depth: The further down the dependency graph, the more difficult it is to manage and control the security and quality of components
  • Lack of visibility: Because transitive dependencies are not explicitly declared, they’re harder to track and manage than direct dependencies and components
  • Scale: Modern applications can contain thousands of transitive dependencies, making it nearly impossible to detect and manage them without automated tooling

Why managing transitive dependencies is so challenging

The increase in size and complexity of open source projects leads to several issues that development and security teams need to be aware of.

  • Maintenance overhead: Managing a large number of dependencies requires significant effort to ensure they’re up-to-date and compatible
  • Build times: Larger projects with numerous dependencies often require longer build times, which slows down the development process and reduces productivity
  • Code quality: The more dependencies a project has, the harder it is to ensure code quality due to the increased potential for new bugs and inconsistencies to be introduced

Transitive dependencies can propagate vulnerabilities throughout the software supply chain. A single vulnerable dependency can impact multiple projects, making it difficult to track and mitigate risks. Limited visibility into these dependencies magnifies their impact, contributing to undetected vulnerabilities and security breaches. And patch management is more complex and time-consuming due to the sheer number of dependencies in projects. Package managers offer ways to update dependencies, but forcing such updates is risky and can potentially break other parts of the application.

Essential best practices for managing transitive dependencies

Visibility is key in mitigating the risks of transitive dependencies. You can’t fix the issues you can’t see or find. A software composition analysis (SCA) tool that offers a combination of discovery techniques gives teams complete visibility into all dependencies within their applications, whether direct or transitive.

  • Generate and validate Software Bills of Materials, a comprehensive inventory of all open source dependencies, regardless of how they were included or what language or package manager is being used. 
  • Continuously monitor all software components, including dependencies, to detect new vulnerabilities, exposed secrets, and malicious packages.  
  • Defining policies helps your organization maintain a secure and compliant software supply chain without impeding the development process. Policies around proactive assessment, continuous monitoring, secure development practices, and compliance reporting take the guesswork out of individual cases by standardizing processes and responses. 
  • Automation is also key to managing transitive dependencies effectively. Tools that discover and track dependencies can help teams use minimal and well-maintained libraries while keeping the dependencies updated on a regular basis.

Other essential practices for managing transitive dependencies include

  • Evaluate and track IP and license obligations
  • Understand package manager behavior
  • Train developers on how to identify and evaluate dependencies
  • Follow an established framework for managing open source dependencies

For more detailed information about how to effectively manage transitive dependencies and prevent them from introducing risk to your applications, talk to Black Duck to see how we can help, or download our latest white paper, “Managing Transitive Dependencies in Open Source Software.

Learn More

Continue Reading

Three steps to ensuring the reliability and security of your C++ projects

Three steps to ensuring the reliability and security of your C++ projects

Corey Hamilton
By Corey Hamilton

Jun 03, 2025 / 3 min read

Tags: SCA, Build Security into DevOps, SAST, DevSecOps
Black Duck Logo on Dark Background

How to secure AI-generated code with DevSecOps best practices

Steven Zimmerman
By Steven Zimmerman

May 08, 2025 / 3 min read

Tags: Artificial Intelligence, Build Security into DevOps, DevSecOps
security automation and integration

Security automation and integration can smooth AppSec friction

Steven Zimmerman
By Steven Zimmerman

Jan 23, 2025 / 6 min read

Tags: Agile, CI/CD, Build Security into DevOps, DevSecOps
Vulnerability Background Thumbnail

Overcome AST noise to find and fix software vulnerabilities

Steven Zimmerman
By Steven Zimmerman

Jan 06, 2025 / 6 min read

Tags: Agile, CI/CD, Build Security into DevOps, DevSecOps
AI widens gap between security and dev thumbnail

Artificial intelligence widens the gap between security and development

Steven Zimmerman
By Steven Zimmerman

Dec 01, 2024 / 7 min read

Tags: Artificial Intelligence, Build Security into DevOps, DevSecOps
Global DevSecOps Background Thumbnail Alt

Key insights from Black Duck’s 2024 Global State of DevSecOps report

Fred Bals
By Fred Bals

Oct 08, 2024 / 5 min read

Tags: Security News & Trends, DevSecOps

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security