What is an SBOM, and how do SCA, version pinning, and lockfiles manage transitive dependency risk?
An SBOM (Software Bill of Materials, e.g. CycloneDX or SPDX) is a machine-readable inventory of every component and version in your software — the prerequisite for answering 'are we affected by CVE-X?' quickly (cf. Log4Shell). SCA tools consume that inventory to flag known-vulnerable and license-risky components, ideally reachability-aware to cut noise. Transitive dependencies (your deps' deps) are the bulk of the risk and the hard part — you didn't choose them and they shift silently. Control this with lockfiles (package-lock.json, poetry.lock) so builds are reproducible and the full transitive tree is pinned, deliberate version pinning with a managed upgrade cadence, dependency-update automation (Dependabot/Renovate), and verifying integrity (hashes, signatures, provenance) to resist tampering.
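To make the pieces above concrete, here is an added example (not code from the original page or from any SBOM/SCA project) that does the three jobs the answer describes in about sixty lines of Python: it loads a minimal CycloneDX-style SBOM, matches each component against an advisory feed the way an SCA tool would, walks the SBOM's `dependencies` graph to show which direct dependency pulled a vulnerable transitive component in, and performs the lockfile-style integrity check that a hash-pinned install would do. The SBOM, the package names and versions, and the advisory identifiers (`ADV-EXAMPLE-…`) are all constructed for this example; only the field layout (`bomFormat`, `components`, `dependencies` with `ref`/`dependsOn`, `bom-ref`, `purl`) follows the CycloneDX JSON shape. Version comparison is a deliberately simple numeric-tuple compare, not a full semver implementation.

```python
"""Added example: SBOM inventory -> SCA match -> transitive-path trace -> integrity check."""
import hashlib
import json
from typing import List, Optional

# Constructed, minimal CycloneDX-style SBOM. Package names, versions and
# bom-refs are invented; only the field layout mirrors CycloneDX JSON.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "pkg:npm/example-app@1.0.0",
                             "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:npm/web-framework@4.2.0", "name": "web-framework", "version": "4.2.0",
     "purl": "pkg:npm/web-framework@4.2.0"},
    {"bom-ref": "pkg:npm/log-helper@2.14.1", "name": "log-helper", "version": "2.14.1",
     "purl": "pkg:npm/log-helper@2.14.1"},
    {"bom-ref": "pkg:npm/string-utils@1.0.3", "name": "string-utils", "version": "1.0.3",
     "purl": "pkg:npm/string-utils@1.0.3"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/example-app@1.0.0", "dependsOn": ["pkg:npm/web-framework@4.2.0"]},
    {"ref": "pkg:npm/web-framework@4.2.0",
     "dependsOn": ["pkg:npm/log-helper@2.14.1", "pkg:npm/string-utils@1.0.3"]},
    {"ref": "pkg:npm/log-helper@2.14.1", "dependsOn": []},
    {"ref": "pkg:npm/string-utils@1.0.3", "dependsOn": []}
  ]
}
"""

# Constructed advisory feed. IDs are placeholders, not real CVEs. Ranges are
# "introduced" (inclusive) to "fixed" (exclusive), the usual OSV-style shape.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "log-helper", "introduced": (2, 0, 0), "fixed": (2, 15, 0)},
    {"id": "ADV-EXAMPLE-0002", "name": "web-framework", "introduced": (4, 0, 0), "fixed": (4, 1, 0)},
]


def parse_version(v: str) -> tuple:
    """Toy version parser: dotted integers only (no pre-release handling)."""
    return tuple(int(p) for p in v.split("."))


def load_sbom(sbom_json: str) -> dict:
    return json.loads(sbom_json)


def find_affected(sbom: dict, advisories: list) -> List[dict]:
    """SCA core: report every component whose version falls in an advisory's range."""
    hits = []
    for comp in sbom["components"]:
        ver = parse_version(comp["version"])
        for adv in advisories:
            if comp["name"] == adv["name"] and adv["introduced"] <= ver < adv["fixed"]:
                hits.append({"advisory": adv["id"], "bom_ref": comp["bom-ref"],
                             "fixed_in": ".".join(map(str, adv["fixed"]))})
    return hits


def dependency_path(sbom: dict, target_ref: str) -> Optional[List[str]]:
    """Depth-first walk from the root component to target_ref over the SBOM's
    dependency graph. Returns the chain of bom-refs (root first), or None if the
    target is not reachable. This answers 'why is this transitive dep in my build?'"""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    stack = [(root, [root])]
    seen = set()
    while stack:
        node, path = stack.pop()
        if node == target_ref:
            return path
        if node in seen:
            continue
        seen.add(node)
        for child in graph.get(node, []):
            stack.append((child, path + [child]))
    return None


def verify_integrity(artifact: bytes, expected_sha256_hex: str) -> bool:
    """Lockfile-style integrity check: the bytes fetched at install time must hash
    to the digest recorded when the lockfile was generated, or the install fails."""
    return hashlib.sha256(artifact).hexdigest() == expected_sha256_hex


def triage(sbom_json: str, advisories: list) -> List[dict]:
    """Full pipeline: load SBOM, match advisories, attach the pull-in path to each hit."""
    sbom = load_sbom(sbom_json)
    report = []
    for hit in find_affected(sbom, advisories):
        hit["path"] = dependency_path(sbom, hit["bom_ref"])
        report.append(hit)
    return report


if __name__ == "__main__":
    for finding in triage(SBOM_JSON, ADVISORIES):
        print(f"{finding['advisory']}: {finding['bom_ref']} (fixed in {finding['fixed_in']})")
        print("  pulled in via: " + " -> ".join(finding["path"]))
```

Run as-is, the triage reports only `log-helper@2.14.1` (inside the `ADV-EXAMPLE-0001` range) and shows it is reached through `web-framework`, which is the dependency you would actually bump or override; `web-framework@4.2.0` is outside its advisory's fixed bound and is correctly not reported. In a real pipeline the SBOM would come from your build tool and the advisory feed from a database such as OSV or a vendor SCA service, and reachability analysis would further filter hits whose vulnerable code paths your application never calls.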