dependencyInsight, what does "selected by rule" mean?

When I run dependencyInsight some of my dependencies are marked “selected by rule”. What does this mean? What rule? Where is this rule defined?

Example:

org.springframework.security:spring-security-config:4.2.3.RELEASE (selected by rule)

dependencyInsight does a great job of telling you where a dependency is coming from, but I haven’t yet figured how to use it to figure out where which versions its conflict resolution strategy is deciding between come from.