Any package which itself declares over 100 direct dependencies is considered overly complex by SOOS. For optimal scanning performance, SOOS will trim the dependency list for these packages which will result in any dependencies after the first 100 to be excluded from the scan.
Because of this, SOOS cannot provide a complete assessment of the presence (or absence) of vulnerabilities and/or license identification for packages that exceed the maximum direct dependency limit.
In this scenario the following notification will be displayed on the Project Details page.
Note - this does not apply to the number of dependencies defined in manifest(s), there is no limit to the number of total packages referenced by a manifest.
Read here about the maximum allowable depth of dependency trees.
Can't find what you're looking for?