What is the difference between Direct dependencies and Transitive dependencies in the context of Dependency Review?


Multiple Choice

What is the difference between Direct dependencies and Transitive dependencies in the context of Dependency Review?

Explanation:
Direct dependencies are the ones you explicitly declare in your project's manifest, such as package.json or pom.xml. Transitive dependencies are the ones brought in indirectly through those direct dependencies: the dependencies of your dependencies. In Dependency Review this distinction matters because you control and review what you directly include, while transitive dependencies are pulled in by those direct choices and may carry their own security or licensing implications. For example, if you declare a library A, and A depends on B and C, then B and C are transitive dependencies. The claim that direct dependencies are pulled in by transitive ones reverses the relationship, and the claim that transitive dependencies are explicitly listed is generally incorrect, since you do not usually declare them yourself; they are provided by the direct dependencies. Direct dependencies are indeed listed in the manifest.

