From d825dbf5d007269fef6be2fb839e92b2c67ed757 Mon Sep 17 00:00:00 2001 From: s-stumbo Date: Tue, 9 Jun 2026 11:12:54 -0400 Subject: [PATCH 1/2] Add info about transitives to CVE Remediation Signed-off-by: s-stumbo --- content/chainguard/libraries/cve-remediation.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/content/chainguard/libraries/cve-remediation.md b/content/chainguard/libraries/cve-remediation.md index fde4c9ff01..fd6bb7b9ae 100644 --- a/content/chainguard/libraries/cve-remediation.md +++ b/content/chainguard/libraries/cve-remediation.md 
@@ -54,6 +54,14 @@ For Python, remediated packages use a `+cgr.N` local version suffix. For example For Java, remediated artifacts use a `-0.cgr.N` suffix appended to the base version. For example, if `org.apache.commons:commons-lang3:3.18.0` has a remediated build, that build is published as org.apache.`commons:commons-lang3:3.18.0-0.cgr.1`. If Chainguard publishes another remediated iteration for the same base version, the trailing number increases, such as `-0.cgr.2` or `-0.cgr.3`. +### Remediation and transitive dependencies + +Installing a `+cgr.N` package doesn't automatically remediate its entire dependency tree. Chainguard publishes a `+cgr.N` version only for a package that has a remediation to deliver, and it leaves that package's own dependency declarations unchanged. + +This is intentional. Most packages don't pin their dependencies tightly enough to require a rewrite, so the package metadata stays identical to upstream. + +Remediation propagates across the dependency tree through the index, not through dependency declarations. When you configure the Chainguard index, your package manager resolves every dependency, both direct and transitive, through Chainguard Libraries rather than the upstream index. As described in [Remediated version naming](#remediated-version-naming), a `+cgr.N` build is a higher-precedence local version, so the resolver selects it automatically wherever Chainguard has published one. Dependencies without a remediation resolve to the standard upstream version served through the same index. + ### CVE remediation for vendored dependencies Some Python packages bundle compiled code written in other languages (such as Go, Rust, or C/C++) directly into their wheel. When a CVE exists in a dependency of that From 2c5bb8b4c0e30f8037a8201f3836c7063ce618b7 Mon Sep 17 00:00:00 2001 From: s-stumbo Date: Thu, 11 Jun 2026 09:29:17 -0400 Subject: [PATCH 2/2] update 
Signed-off-by: s-stumbo --- content/chainguard/libraries/cve-remediation.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/content/chainguard/libraries/cve-remediation.md b/content/chainguard/libraries/cve-remediation.md index fd6bb7b9ae..37d9e52930 100644 --- a/content/chainguard/libraries/cve-remediation.md +++ b/content/chainguard/libraries/cve-remediation.md 
@@ -56,12 +56,18 @@ For Java, remediated artifacts use a `-0.cgr.N` suffix appended to the base vers ### Remediation and transitive dependencies -Installing a `+cgr.N` package doesn't automatically remediate its entire dependency tree. Chainguard publishes a `+cgr.N` version only for a package that has a remediation to deliver, and it leaves that package's own dependency declarations unchanged. +**Python** + +For Python, installing a `+cgr.N` package doesn't automatically remediate its entire dependency tree. Chainguard publishes a `+cgr.N` version only for a package that has a remediation to deliver, and it leaves that package's own dependency declarations unchanged. This is intentional. Most packages don't pin their dependencies tightly enough to require a rewrite, so the package metadata stays identical to upstream. Remediation propagates across the dependency tree through the index, not through dependency declarations. When you configure the Chainguard index, your package manager resolves every dependency, both direct and transitive, through Chainguard Libraries rather than the upstream index. As described in [Remediated version naming](#remediated-version-naming), a `+cgr.N` build is a higher-precedence local version, so the resolver selects it automatically wherever Chainguard has published one. Dependencies without a remediation resolve to the standard upstream version served through the same index. +**Java** + +Java remediation behavior differs from Python. Because Maven POMs typically pin dependencies to exact versions rather than using version ranges, Chainguard may update a package's POM dependency tree directly to reference remediated versions of its dependencies. This means transitive dependencies can receive CVE remediations without requiring changes to your own dependency declarations. 
+ ### CVE remediation for vendored dependencies Some Python packages bundle compiled code written in other languages (such as Go, Rust, or C/C++) directly into their wheel. When a CVE exists in a dependency of that
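Review bot: in PATCH 1/2, the sentence "a `+cgr.N` build is a higher-precedence local version, so the resolver selects it automatically wherever Chainguard has published one" is only true for a fresh resolve; a project that installs from a lockfile or a `--hash`-pinned requirements file records the exact upstream version and file hash, so pip, uv or Poetry will keep installing the upstream build (or reject the new wheel as a hash mismatch) until the lock is regenerated against the Chainguard index, and the remediation is silently not picked up. Suggest one sentence after that claim, e.g. "If you install from a lockfile or hash-pinned requirements, regenerate it after switching to the Chainguard index so the `+cgr.N` versions and hashes are recorded." The new section also lands directly after the Java `-0.cgr.N` naming paragraph yet only describes `+cgr.N` (Python) behaviour, so a Maven reader will assume it applies to them; state the scope or cover Java. Drive-by in the unchanged context line: the backtick in `org.apache.`commons:commons-lang3:3.18.0-0.cgr.1` is misplaced and should open before `org.apache`.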
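Review bot: in PATCH 2/2, the Java paragraph's claim that "transitive dependencies can receive CVE remediations without requiring changes to your own dependency declarations" needs a caveat for Maven's nearest-wins mediation: if your own POM, a parent POM, or an imported BOM declares that transitive at the upstream version (directly or in `<dependencyManagement>`), that declaration overrides the `-0.cgr.N` reference in the remediated artifact's POM and the vulnerable version is still resolved. Suggest appending "unless your project or a BOM it imports pins that dependency to the upstream version" and telling readers to confirm the selected version with `mvn dependency:tree`. "Chainguard may update a package's POM" also gives the reader no way to know when this happens; if the rule is that a remediated POM references `-0.cgr.N` dependencies wherever Chainguard has published them, say so explicitly. Minor style point: the file otherwise uses `###` headings, and the new `**Python**` / `**Java**` bold labels cannot be linked to, so `####` subheadings would fit better.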