Does serverless-webpack reduce security risks?


In our repo we use a ton of packages, each of which has its own sub-dependencies (quite a few levels deep). This results in security vulnerabilities in sub-dependencies that we haven't even explicitly installed. We were advised to use the serverless-webpack NPM package, because it bundles only the specific code and packages from the node_modules folder that are required for our AWS Lambda function to run, and not the entire node_modules folder.

Could someone explain how this works? How would serverless-webpack know which specific package is required by our lambda to function? It's not like we install packages that we don't use in our code. So, how would the security risk go down?
