Fix SCA vulnerabilities
Last updated: Mar 24, 2026
A transitive dependency (also called an indirect dependency) is a package that your project does not depend on directly, but that is required by one of your direct or intermediate dependencies.
It is common for Software Composition Analysis (SCA) reports to flag vulnerabilities within transitive dependencies. Resolving these issues is often complex, as you lack direct control over the versioning of a transitive dependency; instead, its version is governed by a direct or intermediate dependency.
To help you navigate these challenges, the following sections provide remediation guides for vulnerabilities within JavaScript (npm), Python (uv), and Kotlin (gradle) ecosystems.
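The governing-dependency problem described above, as an added illustration that is not part of this guide or of the Fluid Attacks tooling: the script walks a constructed package-lock.json "packages" map (lockfileVersion 2/3 layout), reports which direct dependency pulls in each vulnerable copy of a transitive package, and derives a scoped npm `overrides` entry from it. All package names, versions and the fixed version are assumptions.

```javascript
// Added example (not Fluid Attacks code): from a package-lock.json "packages" map, find every
// chain from the project root to a vulnerable transitive package and derive npm "overrides".
// Constructed lockfile; package names, versions and the fixed version are assumptions.
const lockPackages = {
  "": { dependencies: { "web-framework": "^2.0.0", "cli-tool": "^1.4.0" } },
  "node_modules/web-framework": { version: "2.1.0", dependencies: { "parser-lib": "^1.0.0" } },
  "node_modules/parser-lib": { version: "1.0.3" }, // hoisted copy, still vulnerable
  "node_modules/cli-tool": { version: "1.4.2", dependencies: { "parser-lib": "^1.2.0" } },
  "node_modules/cli-tool/node_modules/parser-lib": { version: "1.2.0" }, // nested copy, fixed
};

// npm resolution order: <from>/node_modules/<name>, then each ancestor's node_modules, then the root's.
function resolveLocation(packages, from, name) {
  for (let base = from; ; ) {
    const loc = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[loc]) return loc;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Plain x.y.z comparison (no prerelease tags): true when version a is older than b.
function olderThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// Depth-first walk from the root package (""): every chain that reaches a copy of `name` older
// than `fixedIn`; chain[0] is the direct dependency that governs that copy's version.
function vulnerableChains(packages, name, fixedIn) {
  const chains = [];
  const walk = (loc, chain) => {
    for (const dep of Object.keys(packages[loc].dependencies || {})) {
      const depLoc = resolveLocation(packages, loc, dep);
      if (!depLoc || chain.includes(dep)) continue; // unresolved (optional/peer) or cyclic
      const version = packages[depLoc].version, next = [...chain, dep];
      if (dep === name && olderThan(version, fixedIn)) chains.push({ chain: next, version });
      walk(depLoc, next);
    }
  };
  walk("", []);
  return chains;
}

// One scoped override per governing direct dependency; a direct hit is bumped in package.json instead.
function suggestOverrides(chains, name, fixedIn) {
  const overrides = {};
  for (const { chain } of chains) {
    if (chain.length === 1) overrides[name] = fixedIn;
    else overrides[chain[0]] = { ...(overrides[chain[0]] || {}), [name]: fixedIn };
  }
  return overrides;
}
```

Prefer updating the governing direct dependency to a release whose range already includes the fixed version; an override pins a version that dependency was not tested against, so run its test suite afterwards.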
Custom remediation guides
Learn to use the generative artificial intelligence integrated with the Fluid Attacks VS Code extension to receive specific vulnerability remediation guidance.
In JavaScript
Learn the recommended strategies to remediate SCA vulnerabilities found in transitive npm dependencies, from updating packages to using dependency overrides.