Every time a tool has gained transitive dependencies, it has ended up needing the same set of features:
- Reproducibility. The tree can resolve differently each time, so you need a lockfile to record what you got.
- Supply chain amplification. A single compromised package deep in the tree can cascade outward through every project that depends on it.
- Override and exclusion. Users need mechanisms to deal with transitive dependencies they didn’t choose and don’t want.
- Mutable references. Version tags that can be moved, rewritten, or force-pushed mean the same identifier can point at different code tomorrow.
- Full-tree pinning. Pinning your direct dependencies means nothing if their dependencies use mutable references.
- Integrity verification. You need to know that what you’re running today is the same thing you ran yesterday.
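The list above reads as a checklist, so here is an added example (not from the original note or any particular package manager) that models each point in a few dozen lines: a constructed in-memory registry where a ref like `latest` is mutable, a resolver that walks the full tree and honours user overrides, a lockfile that pins every package (direct and transitive) to a SHA-256 of its content, and a verifier that re-fetches each pinned ref and reports what changed. The registry contents, package names and refs are all assumptions made up for the illustration; real lockfiles record the same things (resolved ref plus integrity hash) in their own format.

```python
"""Toy model of transitive dependency resolution, lockfiles and integrity checks.

Constructed example: the registry below is invented, not a real index.
"""
import copy
import hashlib

# name -> ref -> {"src": code, "deps": ["name@ref", ...]}
# A ref such as "latest" (or a git tag) is mutable: the publisher can repoint it.
# "web" is pinned exactly by "app", but "web" itself depends on a mutable ref.
REGISTRY = {
    "app":    {"1.0.0": {"src": "import web", "deps": ["web@1.0.0"]}},
    "web":    {"1.0.0": {"src": "import parser", "deps": ["parser@latest"]}},
    "parser": {"latest": {"src": "def parse(s): return s.split(',')", "deps": []},
               "1.0.0":  {"src": "def parse(s): return s.split(',')", "deps": []}},
}


def fresh_registry():
    """Deep copy so each run (or test) starts from the same constructed state."""
    return copy.deepcopy(REGISTRY)


def sha256(src: str) -> str:
    return hashlib.sha256(src.encode()).hexdigest()


def resolve(registry, root, overrides=None):
    """Walk the full dependency tree from root ("name@ref").

    Returns {name: (ref, sha256)} for every package in the tree, not just
    the direct dependencies. `overrides` maps a package name to the ref the
    user insists on, replacing whatever ref a transitive dependent asked for.
    Conflicting refs for the same package are rejected rather than guessed.
    """
    overrides = overrides or {}
    resolved = {}
    stack = [root]
    while stack:
        name, ref = stack.pop().split("@", 1)
        ref = overrides.get(name, ref)
        if name in resolved:
            if resolved[name][0] != ref:
                raise ValueError(f"conflict: {name} requested at {ref} and {resolved[name][0]}")
            continue
        entry = registry[name][ref]
        resolved[name] = (ref, sha256(entry["src"]))
        stack.extend(entry["deps"])
    return resolved


def write_lockfile(registry, root, overrides=None):
    """Full-tree pin: record ref AND content hash for every package in the tree."""
    return {name: {"ref": ref, "sha256": digest}
            for name, (ref, digest) in resolve(registry, root, overrides).items()}


def verify(registry, lockfile):
    """Re-fetch each pinned ref and return the packages whose content no longer
    matches the lockfile. Pinning the ref alone would not catch a moved tag;
    the hash does."""
    return sorted(name for name, pin in lockfile.items()
                  if sha256(registry[name][pin["ref"]]["src"]) != pin["sha256"])


def repoint(registry, name, ref, new_src):
    """Simulate a publisher force-moving a mutable tag to different code."""
    registry[name][ref]["src"] = new_src


if __name__ == "__main__":
    reg = fresh_registry()
    lockfile = write_lockfile(reg, "app@1.0.0")
    print("clean verify:", verify(reg, lockfile))
    # Someone moves parser@latest; app's own pins are untouched but the tree changed.
    repoint(reg, "parser", "latest", "def parse(s): return s.split(';')")
    print("after tag moved:", verify(reg, lockfile))
    # The user overrides the transitive ref with an immutable one they chose.
    pinned = write_lockfile(reg, "app@1.0.0", overrides={"parser": "1.0.0"})
    print("overridden parser ref:", pinned["parser"]["ref"])
```

Running it shows the clean tree verifying, `parser` flagged after its `latest` ref is moved even though `app` pinned `web@1.0.0` exactly, and the override replacing the transitive `latest` with the user's chosen immutable ref. The lockfile, not the direct pins, is what makes the second run comparable to the first.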