Add info about transitive dependencies to CVE Remediation#3402

Open
s-stumbo wants to merge 2 commits into main from remediated-updates

Conversation

@s-stumbo

@s-stumbo s-stumbo commented Jun 9, 2026

Collaborator

[ ] Check if this is a typo or other quick fix and ignore the rest :)

Type of change

Update to CVE Remediation page

What should this PR do?

  • Clarifies that installing a +cgr.N package doesn't automatically remediate its entire dependency tree.
  • Adds a "Remediation and transitive dependencies" subsection to the CVE remediation page explaining that Chainguard publishes +cgr.N versions only where there's a remediation to deliver.
  • Adds a note about how this differs for Java.

Why are we making this change?

Feedback from Slack: https://chainguard-dev.slack.com/archives/C07FTFZNP51/p1780493504623989

What are the acceptance criteria?

  • Content should be clear and accurate

How should this PR be tested?

Any documentation published to Chainguard Academy is reviewed carefully for accuracy. GUI procedures, API commands, and CLI code snippets in a draft are run and tested thoroughly — by both the author and the reviewer — to confirm they work exactly as written. This helps ensure that readers can follow along and get the same results. See the edu repo's README.

Review the deploy preview to ensure content appears as expected.

---

Created in collaboration with Claude Code running Claude Opus 4.8 (1M context) on 2026-06-09.

Signed-off-by: s-stumbo <sally.stumbo@chainguard.dev>
@s-stumbo s-stumbo requested a review from a team as a code owner June 9, 2026 15:18
@netlify

netlify Bot commented Jun 9, 2026

Deploy Preview for ornate-narwhal-088216 ready!

Latest commit: 2c5bb8b
Latest deploy log: https://app.netlify.com/projects/ornate-narwhal-088216/deploys/6a2ab83f5547be00088c108d
Deploy Preview: https://deploy-preview-3402--ornate-narwhal-088216.netlify.app

@matthewhelmke matthewhelmke left a comment

Collaborator

LGTM

Signed-off-by: s-stumbo <sally.stumbo@chainguard.dev>
**Java**

Java remediation behavior differs from Python. Because Maven POMs typically pin dependencies to exact versions rather than using version ranges, Chainguard may update a package's POM dependency tree directly to reference remediated versions of its dependencies. This means transitive dependencies can receive CVE remediations without requiring changes to your own dependency declarations.

Member

Users should use Maven and other tools to make sure the right deps are used, and potentially use dependencyManagement and other means to override.
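As an added illustration of the override the comment above refers to (this is not part of the PR, the Chainguard docs, or any Chainguard-published POM), here is a hypothetical application POM whose `dependencyManagement` section pins a transitive dependency to a remediated version. Every groupId, artifactId and version below is a placeholder.

```xml
<!-- Added example, not from the PR or Chainguard docs.
     All groupIds, artifactIds and versions are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>my-app</artifactId>
  <version>1.0.0</version>

  <!-- A version declared in dependencyManagement takes precedence over
       the version Maven would otherwise pick for a transitive dependency
       via nearest-wins mediation. The remediated version is therefore
       resolved even when a library deeper in the tree still declares the
       vulnerable one. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.example.transitive</groupId>
        <artifactId>some-library</artifactId>
        <version>2.4.1</version> <!-- placeholder: the remediated version -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Direct dependency that pulls in some-library transitively -->
    <dependency>
      <groupId>org.example.direct</groupId>
      <artifactId>framework</artifactId>
      <version>5.1.0</version> <!-- placeholder -->
    </dependency>
  </dependencies>
</project>
```

To confirm which version actually ends up on the classpath, run `mvn dependency:tree -Dincludes=org.example.transitive:some-library` (with the placeholder coordinates replaced by the real ones); adding `-Dverbose=true` makes the plugin annotate entries whose version was managed or omitted, which is the quickest way to see that the override took effect. Note that `dependencyManagement` only governs resolution for the project that declares it; a library that wants its own consumers to inherit a remediated transitive version has to update its own POM, which is the mechanism the "Java" paragraph above describes.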
