Transitive dependencies should not have publicly visible aliases

[apt-itude]

Distributions that are marked as "is_direct": false in the requirements-lock.json file should not be exposed via a public @pip//x alias. Developers should be forced to add a dependency to the requirements.txt file in order to use a package as a direct dependency.