Fix Transitive Python Vulnerabilities PyPI

Fix CVEs in indirect Python dependencies. Drop poetry.lock or pip freeze output for full transitive scanning.

⚠ The Problem

A CVE affects a package you never directly installed — it came in as a sub-dependency. pip-audit flags it but can't fix it without breaking the dependency chain.

Bad Configuration — requirements.txt

# Your app uses flask==2.0.0
flask==2.0.0
# flask depends on werkzeug==2.0.0, which is resolved by pip and not listed here
# werkzeug 2.0.0 is affected by CVE-2023-25577

Fixed Configuration — requirements.txt

# In requirements.txt, keep the direct dependency and pin the transitive dep directly:
flask==2.0.0
werkzeug==3.0.3

✓ Fix

Pin the vulnerable transitive dependency directly in requirements.txt. Drop your poetry.lock into PackageFix for full transitive path visualization. After updating, run pip install -r requirements.txt.
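The procedure above (spot the vulnerable sub-dependency in pip freeze output, decide whether it is direct or transitive, add the pin) as an added, stand-alone example. This is not PackageFix's code: the pip freeze output, the requirements.txt, and the one-entry advisory table are constructed for illustration, and the advisory entry only restates what the page gives (Werkzeug 2.0.0, CVE-2023-25577, pinned to 3.0.3); real affected ranges must come from an advisory feed such as OSV.

```python
# Added example (not PackageFix's code): match `pip freeze` output against a
# small advisory table, tell direct from transitive hits, and emit the
# requirements.txt pin. Every input below is constructed for illustration.
import re

# Constructed `pip freeze` output: everything actually installed, including
# sub-dependencies the application never listed itself.
PIP_FREEZE = """\
click==8.0.0
Flask==2.0.0
itsdangerous==2.0.0
Jinja2==3.0.0
MarkupSafe==2.0.0
Werkzeug==2.0.0
"""

# Constructed requirements.txt: only the direct dependency is pinned.
REQUIREMENTS = """\
# Your app uses flask==2.0.0
flask==2.0.0
"""

# Constructed advisory table keyed by normalised name. It holds only the
# entry the page itself states (Werkzeug 2.0.0, CVE-2023-25577, pin 3.0.3);
# real affected ranges must come from an advisory feed such as OSV.
ADVISORIES = {
    "werkzeug": {"id": "CVE-2023-25577", "vulnerable": {"2.0.0"}, "fixed": "3.0.3"},
}


def normalise(name):
    """PEP 503 name normalisation: case-folded, runs of -_. become a single -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """Map normalised name -> version for every `name==version` line.

    Comments and blank lines are skipped; unpinned lines (no ==) are ignored."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:
            pins[normalise(name)] = version.strip()
    return pins


def find_vulnerable(freeze_text, requirements_text):
    """Return (name, installed_version, advisory_id, is_transitive) per hit."""
    installed = parse_pins(freeze_text)
    direct = parse_pins(requirements_text)
    hits = []
    for name, version in sorted(installed.items()):
        adv = ADVISORIES.get(name)
        if adv and version in adv["vulnerable"]:
            hits.append((name, version, adv["id"], name not in direct))
    return hits


def fixed_requirements(freeze_text, requirements_text):
    """Return requirements.txt text with each vulnerable package pinned to its fix.

    A transitive hit is appended as a new direct pin; a direct hit has its
    existing pin replaced in place."""
    lines = requirements_text.rstrip("\n").splitlines()
    for name, version, adv_id, transitive in find_vulnerable(freeze_text, requirements_text):
        pin = f"{name}=={ADVISORIES[name]['fixed']}"
        if transitive:
            lines.append(f"# {adv_id}: was {version}, pulled in as a sub-dependency")
            lines.append(pin)
        else:
            lines = [pin if normalise(line.partition("==")[0]) == name else line
                     for line in lines]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, version, adv_id, transitive in find_vulnerable(PIP_FREEZE, REQUIREMENTS):
        kind = "transitive" if transitive else "direct"
        print(f"{name}=={version} is affected by {adv_id} ({kind})")
    print(fixed_requirements(PIP_FREEZE, REQUIREMENTS))
```

One check worth keeping in mind after adding the pin: pip does not silently install a pin that the direct dependency's own version constraint excludes. Since pip 20.3 its resolver stops with a ResolutionImpossible error, so a failing `pip install -r requirements.txt` after the edit means the direct dependency (flask in this case) has to move to a release whose constraint admits the fixed version.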

Scan your dependencies now — paste your manifest, get a fixed version back in seconds.

Open PackageFix →

No signup · No CLI · No GitHub connection · Runs 100% in your browser

Frequently Asked Questions

How do I find transitive Python vulnerabilities?
Drop poetry.lock or the output of pip freeze alongside requirements.txt into PackageFix. It parses the full dependency tree.
Can I pin a transitive dependency in requirements.txt?
Yes. Adding werkzeug==3.0.3 directly to requirements.txt forces pip to use that version. This is the standard approach for transitive CVE fixes.
Does poetry handle transitive vulnerability fixes?
poetry update can update a transitive dep. PackageFix generates the exact version to target.
What is the OSV transitive path?
PackageFix shows: YourApp → flask@2.0.0 → werkzeug@2.0.0 [CVE-2023-25577]. This tells you exactly which direct dependency is pulling in the vulnerable package.
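The transitive path in the answer above, reconstructed as an added example that is not PackageFix's code: a walk over the `Requires:` edges that `pip show <package>` reports, from the application's direct dependencies down to the package carrying the advisory. The installed versions, the edges, and the one-entry advisory lookup are constructed to mirror the page's flask → werkzeug case.

```python
# Added example (not PackageFix's code): reconstruct the chain from the
# application down to a vulnerable transitive package by walking dependency
# metadata. Graph, versions and the advisory lookup are constructed here.

# Constructed installed set (as from `pip freeze`) and the `Requires:` edges
# that `pip show <package>` reports for each one; names are normalised.
INSTALLED = {
    "flask": "2.0.0", "werkzeug": "2.0.0", "jinja2": "3.0.0",
    "markupsafe": "2.0.0", "click": "8.0.0", "itsdangerous": "2.0.0",
}
REQUIRES = {
    "flask": ["werkzeug", "jinja2", "click", "itsdangerous"],
    "jinja2": ["markupsafe"],
    "werkzeug": [], "markupsafe": [], "click": [], "itsdangerous": [],
}
DIRECT = ["flask"]  # what the application's own requirements.txt lists
# Constructed advisory lookup: name -> {version: advisory id}; only the page's entry.
ADVISORIES = {"werkzeug": {"2.0.0": "CVE-2023-25577"}}


def dependency_paths(direct, requires, target):
    """Every chain of package names from a direct dependency down to `target`."""
    paths = []
    stack = [(name, [name]) for name in reversed(direct)]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for child in reversed(requires.get(node, [])):
            if child not in path:  # tolerate a cycle in malformed metadata
                stack.append((child, path + [child]))
    return paths


def format_path(root, path, installed, advisories):
    """Render one chain as `Root → pkg@ver → ... → pkg@ver [ADVISORY]`."""
    parts = [root]
    for name in path:
        version = installed[name]
        label = f"{name}@{version}"
        advisory = advisories.get(name, {}).get(version)
        if advisory:
            label += f" [{advisory}]"
        parts.append(label)
    return " → ".join(parts)


def vulnerable_paths(root="YourApp", installed=INSTALLED, requires=REQUIRES,
                     direct=DIRECT, advisories=ADVISORIES):
    """One rendered chain per route to each installed package with an advisory."""
    rendered = []
    for name, version in installed.items():
        if version not in advisories.get(name, {}):
            continue
        for path in dependency_paths(direct, requires, name):
            rendered.append(format_path(root, path, installed, advisories))
    return rendered


if __name__ == "__main__":
    for line in vulnerable_paths():
        # the first hop after the root is the direct dependency to act on
        print(line)
```

The first hop after the root is the direct dependency to act on. If a newer release of that direct dependency already requires a fixed werkzeug, upgrading it removes the transitive hit without a manual pin; the pin is the fallback when no such release exists yet.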
