
Does Azure Artifacts upstream behaviour keep security patches from being consumed?

I am referring to the construction of the set of available packages as documented here.

Consider the setup at the very bottom, i.e. Fabrikam builds on Contoso builds on AdventureWorks. According to the documentation, Fabrikam can only pull packages from Contoso that Contoso itself has already pulled from AdventureWorks. Now suppose that AdventureWorks creates a security update for one of its packages and makes it available immediately. As per documentation, Fabrikam will not see this new package version unless Contoso pulls it first. That would mean that the security of Fabrikam also hinges on the response time of Contoso. If Contoso never pulls the new package, Fabrikam is never going to get it.

Am I misinterpreting the documentation? This seems like a blatant security problem to me.

I would expect that new package versions can be pulled through Contoso regardless of Contoso having pulled them itself first.


Solution

  • You are correct: Azure Artifacts upstreams are not transitive.

    If it's possible and reasonable to do so, Fabrikam could also directly upstream to AdventureWorks.
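The non-transitive resolution described in the question and the direct-upstream workaround from the answer, modelled in an added Python example (a constructed simulation, not Azure Artifacts' own code): each feed offers only the versions it has saved itself plus what its direct upstreams have saved, and `stale_versions` reports patches published at the origin that a downstream feed still cannot see. The `Widget` package and its version numbers are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of Azure Artifacts feeds (not the service's
# own code). A feed holds versions published to it or saved from a direct
# upstream, and a list of its direct upstream feeds. Resolution is
# non-transitive: a feed never sees what its upstream's upstreams hold.
@dataclass
class Feed:
    name: str
    versions: dict = field(default_factory=dict)   # package -> set of versions
    upstreams: list = field(default_factory=list)  # direct upstream Feed objects

    def publish(self, package, version):
        self.versions.setdefault(package, set()).add(version)

    def available(self, package):
        """Versions a consumer of this feed can resolve."""
        seen = set(self.versions.get(package, set()))
        for up in self.upstreams:
            # Only what the direct upstream has already saved, nothing further up.
            seen |= up.versions.get(package, set())
        return seen

    def pull(self, package, version):
        """Consume a version through this feed, saving it locally on success."""
        if version not in self.available(package):
            raise LookupError(f"{package} {version} not visible from {self.name}")
        self.publish(package, version)


def stale_versions(feed, package, origin):
    """Versions present at `origin` that a consumer of `feed` cannot see."""
    return origin.versions.get(package, set()) - feed.available(package)


def demo():
    # Fabrikam -> Contoso -> AdventureWorks chain, all on Widget 1.0.0.
    aw = Feed("AdventureWorks")
    contoso = Feed("Contoso", upstreams=[aw])
    fabrikam = Feed("Fabrikam", upstreams=[contoso])
    aw.publish("Widget", "1.0.0")
    contoso.pull("Widget", "1.0.0")
    fabrikam.pull("Widget", "1.0.0")

    aw.publish("Widget", "1.0.1")                       # security patch at origin
    before = stale_versions(fabrikam, "Widget", aw)     # {'1.0.1'}: invisible to Fabrikam
    contoso.pull("Widget", "1.0.1")                     # only now does it reach Fabrikam
    after_contoso = stale_versions(fabrikam, "Widget", aw)
    aw.publish("Widget", "1.0.2")                       # next patch
    fabrikam.upstreams.append(aw)                       # answer's workaround: direct upstream
    after_direct = stale_versions(fabrikam, "Widget", aw)
    return before, after_contoso, after_direct
```

Running `stale_versions` against the origin feed on a schedule is a cheap way to detect patches stuck behind an intermediate feed that has not pulled them.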