top level dependencies. However each one of those dependencies uses other dependencies and are typically referred to as
transitive dependencies. All the package managers install the nested dependencies without the developer having to explicitly ask for it.
fromfield which shows the chain of dependencies leading the vulnerability displayed. The way to interpret the information below is that my application goof has a top level dependency tap (version 5.8.0) that has a nested dependency nyc that further depends on istanbul that ultimately depends on handlebars (version 4.0.5) which if the nested dependency that is carrying the vulnerability in this case.