Video

Automate upgrading transitive dependencies

Transitive dependencies are the ones you never declared but still ship: pulled in by the libraries you do declare, and just as capable of carrying a vulnerability. This video walks through finding and fixing them with OpenRewrite.

Start with the “Find and fix vulnerable dependencies” recipe to identify which transitive dependencies need to move. Then apply “Upgrade transitive Gradle dependencies,” which adds a constraints block to the Gradle build that references the specific CVEs and sets a minimum fixed version. Constraints let you raise the floor on a transitive version without promoting it to a direct dependency.
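As an added illustration (not code from the video or the recipe), this is the shape of the constraints block the recipe leaves behind in a build.gradle; the coordinates and the CVE identifier are placeholders, since the video does not name specific libraries.

```groovy
// build.gradle (Groovy DSL) -- added illustration, not the recipe's output.
// example.lib:web-client, example.lib:parser and CVE-XXXX-NNNNN are placeholders.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // The only dependency this project declares directly.
    implementation 'example.lib:web-client:2.4.0'

    // web-client transitively pulls in example.lib:parser at a version affected
    // by CVE-XXXX-NNNNN. The constraint raises the floor for that transitive
    // artifact without making it a direct dependency: if nothing in the graph
    // depends on parser, the constraint adds nothing to the classpath.
    constraints {
        implementation('example.lib:parser:1.7.2') {
            // Recorded as the selection reason, so the CVE stays visible in
            // dependencyInsight output and in code review.
            because 'CVE-XXXX-NNNNN: upgrade parser to the first fixed release'
        }
    }
}
```

To confirm the floor took effect, run `./gradlew dependencyInsight --dependency example.lib:parser --configuration runtimeClasspath`, which shows the selected version together with the constraint and its `because` reason.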

When run through the Moderne Platform, the same recipe applies across every repository at once, so the minimum fixed version holds consistently across your codebase instead of being raised one project at a time.