Question: Transitive dependencies

[psimsa]

This question came to mind when I was looking at GH Sponsor's list of packages/repos my pet projects apparently depend on. I found out the top of the list are those that are in fact n-th level npm dependencies of dependencies used by the likes of React or .net's dotnet new react command. Ok, nuget is "slightly less messy" than npm, but still - the packages I actually voluntarily use and include in projects myself were at the bottom of the list somewhere.

Imagine a situation:

• My project depends on package A
• Package A depends on packages B and C
• Package C depends on SL

Will sponsorship requirement apply to me? For instance, a real life example:

• Some Azure SDKs (still) depend on newtonsoft.json
• I use Azure SDK to connect to Azure services I pay for

Assuming newtonsoft.json included SL (it likely won't but what-if)

• It's really Microsoft's (or that specific Azure's team's) decision to use newtonsoft
• While James' has done some great work, I don't want to have to sponsor the package just because Microsoft decided to include it. I already pay Microsoft for the Azure service, part of which is access to the SDK

So the obvious question is, how is this handled? I would expect transitive dependencies to be excluded from any checks for the reasons above and only direct ones (the ones I personally include) to be taken into consideration but that's my point of view...

[kzu]

Great question @psimsa.

The package author gets to decide if their sponsorship is transitive or not (at the moment).

NuGet provides a package dependency graph that SL inspects to determine if your package is a top-level dependency or not. If the SL settings used by the package-provided analyzer doesn't specify transitivity, SL won't check sponsorship unless the package is top-level.

Since direct dependencies are the most likely scenario where you want sponsorship checks (i.e. some Azure package using Newtonsoft.Json, the check would be for the Azure package authors, not their consumers), the default is to be non-transitive.