Fix SCA vulnerabilities
Last updated: May 19, 2026
A transitive dependency (also called an indirect dependency) is a package that your project does not depend on directly, but that is required by one of your direct or intermediate dependencies.
It is common for Software Composition Analysis (SCA) reports to flag vulnerabilities within transitive dependencies. Resolving these issues is often complex, as you lack direct control over the versioning of a transitive dependency; instead, its version is governed by a direct or intermediate dependency.
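The first step in fixing such a finding is working out which direct dependency governs the flagged version. The script below is an added illustration, not part of this page or of Fluid Attacks' tooling: it walks a constructed `package-lock.json` (lockfile v3 shape, made-up package names and versions) and prints every dependency chain from the project root to a given `name@version`, resolving nested `node_modules` the way npm does.

```python
import json
from collections import deque

# Constructed lockfile excerpt in package-lock.json v3 shape; not a real project.
# cli-tool pins an older shared-parser in its own nested node_modules directory.
LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "version": "1.0.0",
         "dependencies": {"web-framework": "^2.0.0", "cli-tool": "^1.0.0"}},
    "node_modules/web-framework": {"version": "2.3.0",
         "dependencies": {"shared-parser": "^1.0.0"}},
    "node_modules/cli-tool": {"version": "1.1.0",
         "dependencies": {"shared-parser": "^0.9.0"}},
    "node_modules/shared-parser": {"version": "1.4.2"},
    "node_modules/cli-tool/node_modules/shared-parser": {"version": "0.9.7"}
  }
}""")


def resolve(packages, from_key, name):
    """Nearest node_modules/<name> walking upward from from_key, like npm does."""
    base = from_key
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # not installed anywhere on the path up to the root
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def chains_to(packages, target):
    """All chains root -> ... -> target (as 'name@version'), runtime deps only."""
    root = packages[""]
    start = f"{root.get('name', 'root')}@{root.get('version', '?')}"
    found = []
    queue = deque([("", [start])])
    while queue:
        key, chain = queue.popleft()
        for dep in packages[key].get("dependencies", {}):
            dep_key = resolve(packages, key, dep)
            if dep_key is None:
                continue
            label = f"{dep}@{packages[dep_key]['version']}"
            if label in chain:
                continue  # guard against dependency cycles
            if label == target:
                found.append(chain + [label])  # chain[1] is the governing direct dep
            else:
                queue.append((dep_key, chain + [label]))
    return found


if __name__ == "__main__":
    for chain in chains_to(LOCK["packages"], "shared-parser@0.9.7"):
        print(" -> ".join(chain))
```

Run against a real lockfile by replacing `LOCK` with `json.load(open("package-lock.json"))`; the second element of each chain is the direct dependency whose update or override controls the flagged version.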
To help you navigate these challenges, the following sections provide remediation guides for vulnerabilities within JavaScript (npm), Python (uv), and Kotlin (gradle) ecosystems.
You may notice other tools reporting more findings for the same codebase. This is often because they count once per workspace or manifest file rather than once per unique CVE. Fluid Attacks prioritizes actionability: one finding, one action.
Custom remediation guides
Learn to use the generative artificial intelligence integrated with the Fluid Attacks VS Code extension to receive specific vulnerability remediation guidance.
In JavaScript
Learn the recommended strategies to remediate SCA vulnerabilities found in transitive npm dependencies, from updating packages to using dependency overrides.