diff --git a/content/chainguard/libraries/cve-remediation.md b/content/chainguard/libraries/cve-remediation.md index fde4c9ff01..37d9e52930 100644 --- a/content/chainguard/libraries/cve-remediation.md +++ b/content/chainguard/libraries/cve-remediation.md 
@@ -54,6 +54,20 @@ For Python, remediated packages use a `+cgr.N` local version suffix. For example For Java, remediated artifacts use a `-0.cgr.N` suffix appended to the base version. For example, if `org.apache.commons:commons-lang3:3.18.0` has a remediated build, that build is published as org.apache.`commons:commons-lang3:3.18.0-0.cgr.1`. If Chainguard publishes another remediated iteration for the same base version, the trailing number increases, such as `-0.cgr.2` or `-0.cgr.3`. +### Remediation and transitive dependencies + +**Python** + +For Python, installing a `+cgr.N` package doesn't automatically remediate its entire dependency tree. Chainguard publishes a `+cgr.N` version only for a package that has a remediation to deliver, and it leaves that package's own dependency declarations unchanged. + +This is intentional. Most packages don't pin their dependencies tightly enough to require a rewrite, so the package metadata stays identical to upstream. + +Remediation propagates across the dependency tree through the index, not through dependency declarations. When you configure the Chainguard index, your package manager resolves every dependency, both direct and transitive, through Chainguard Libraries rather than the upstream index. As described in [Remediated version naming](#remediated-version-naming), a `+cgr.N` build is a higher-precedence local version, so the resolver selects it automatically wherever Chainguard has published one. Dependencies without a remediation resolve to the standard upstream version served through the same index. + +**Java** + +Java remediation behavior differs from Python. Because Maven POMs typically pin dependencies to exact versions rather than using version ranges, Chainguard may update a package's POM dependency tree directly to reference remediated versions of its dependencies. This means transitive dependencies can receive CVE remediations without requiring changes to your own dependency declarations. 
+ ### CVE remediation for vendored dependencies Some Python packages bundle compiled code written in other languages (such as Go, Rust, or C/C++) directly into their wheel. When a CVE exists in a dependency of that
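Review bot: The Python paragraph's statement that the resolver "selects it automatically wherever Chainguard has published one" needs a caveat for hash-pinned installs: a requirements file used with `pip install --require-hashes`, or a lockfile produced by uv or Poetry, records the version and hash of the upstream artifact, so a `+cgr.N` wheel is rejected or never chosen until the lock is regenerated against the Chainguard index. Please add a sentence telling readers to re-lock after configuring the index. In the same hunk, the link `[Remediated version naming](#remediated-version-naming)` assumes that heading exists earlier in this file, but none of the visible context shows it, so please confirm the anchor resolves. The `**Python**` and `**Java**` bold labels act as sub-sections while the rest of the file uses `###` headings (the new `### Remediation and transitive dependencies` and the following `### CVE remediation for vendored dependencies`); `####` headings would keep the hierarchy consistent and give each language its own anchor. The Java paragraph's "Chainguard may update a package's POM dependency tree" is vague about when this happens; stating whether it is done for every remediated artifact or case by case, and what `-0.cgr.N` versions a reader should expect to see in `mvn dependency:tree`, would make it actionable. Finally, the unchanged context line above the hunk still carries a misplaced backtick in "org.apache.`commons:commons-lang3:3.18.0-0.cgr.1`"; since this change touches the region, consider correcting it to `org.apache.commons:commons-lang3:3.18.0-0.cgr.1` here.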