
# OA004: Surpassed pin

**Severity:** low · **Action:** remove (same major) / suggest (cross major)

## What it catches

An override whose concrete-version pin has already been surpassed by the version installed in `node_modules`.

```text
override:   "postcss": "8.4.31"
installed:  postcss@8.5.15
```

The pin no longer raises the floor: the resolved tree is already past it. The override is dead code.

## Example

```jsonc
{
  "overrides": {
    "postcss": "8.4.31"   // CVE pin from last year
  }
}
```

...but `node_modules/postcss/package.json` has `"version": "8.5.15"`. Output:

```text
LOW (1)
-------
  OA004  postcss
    package.json/overrides/postcss
    Installed version surpasses concrete pin
    fix: applyable patch (1 op)
```

## Scope

OA004 fires only on concrete-version pins:

- `"8.4.31"` (concrete: checked)
- `"^8.4.31"` (range: not checked, would still apply on next install)
- `">=8.4.31"` (range: not checked)
- `"latest"` (OA002's territory, not OA004's)

A range pin like `^8.4.31` is functionally a floor and remains effective even when the installed version is newer; that is the intended behavior. OA004 is specifically about the "I pinned a single version and forgot about it" case.

## Safety heuristic

Removing a pin that the tree has already surpassed is usually safe: the install resolves to the newer version with or without the override. But there is one corner case:

Some other dependency in the tree might be constraining the version downward. Removing the override could let that constraint pull the version back down.

The fuller check ("walk the dependency graph and confirm that no parent depends on a version below the pin") is deferred. The current detector uses a coarser major-version heuristic:

| Condition | Action |
|---|---|
| Same major (`pin@8.4.31` vs `installed@8.5.15`) | remove (safe in the common case) |
| Cross-major (`pin@17.0.0` vs `installed@18.3.1`) | suggest (manual review required) |

The cross-major case downgrades to suggest rather than remove because a removal could legitimately let an older-major dep pull the installed version back down. Manual review is the right answer there.

## How to fix

```sh
cve-lite overrides --fix --rule OA004
```

For same-major findings, `--fix` emits a single-op remove patch: the override is safely deletable.

For cross-major findings, the finding is emitted with no fix patch attached (suggest-only). The explanation tells you what to verify before removing manually. `--fix` skips these.
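To make the scope rule, the major-version heuristic and the fix-patch behaviour concrete, here is a small stand-alone detector that mirrors what the sections above describe. This is an added example, not cve-lite's own code: the names `runOA004` and `classifyOverride` are invented for illustration, the `overrides` map and the installed versions are passed in as plain objects (a real detector would read `package.json` and `node_modules/<name>/package.json`), and the fix patch is expressed as a JSON-Patch style `remove` op, which is an assumption about the patch format rather than something the page specifies. Only plain `x.y.z` strings count as concrete pins; ranges, `latest` and nested override objects are skipped, as the Scope section requires.

```javascript
// Added example (not cve-lite's own code): a minimal OA004 "surpassed pin" detector.
// Assumptions: overrides come from package.json "overrides"; installed versions
// are the "version" field of node_modules/<name>/package.json. Both are supplied
// as plain objects here so the example runs offline.

// A concrete pin is exactly major.minor.patch. Anything else (^, >=, latest,
// nested override objects) is out of OA004's scope.
const CONCRETE = /^(\d+)\.(\d+)\.(\d+)$/;

function parseConcrete(v) {
  if (typeof v !== 'string') return null;
  const m = CONCRETE.exec(v.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns a finding for one override, or null when OA004 does not apply.
function classifyOverride(name, pin, installed) {
  const pinV = parseConcrete(pin);
  if (!pinV) return null;                       // range / latest: not OA004
  const instV = parseConcrete(installed);
  if (!instV) return null;                      // unparseable installed version
  if (compareVersions(instV, pinV) <= 0) return null; // pin still raises the floor

  // Same major: removal is safe in the common case -> emit a one-op remove patch.
  // Cross major: an older-major dep could pull the version back down -> suggest only.
  const sameMajor = pinV[0] === instV[0];
  return {
    rule: 'OA004',
    severity: 'low',
    package: name,
    path: `package.json/overrides/${name}`,
    message: 'Installed version surpasses concrete pin',
    action: sameMajor ? 'remove' : 'suggest',
    // Assumed patch format (JSON-Patch style); the real tool's format may differ.
    fix: sameMajor ? [{ op: 'remove', path: `/overrides/${name}` }] : null,
  };
}

// Runs the rule over every override and returns the list of findings.
function runOA004(pkg, installedVersions) {
  const findings = [];
  for (const [name, pin] of Object.entries(pkg.overrides || {})) {
    if (!(name in installedVersions)) continue; // not installed: nothing to compare
    const finding = classifyOverride(name, pin, installedVersions[name]);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample input covering each branch of the Scope and Safety sections.
const SAMPLE_PKG = {
  overrides: {
    postcss: '8.4.31',    // concrete, same major as installed  -> remove
    react: '17.0.0',      // concrete, cross major              -> suggest
    lodash: '^4.17.20',   // range                              -> skipped
    minimist: 'latest',   // OA002's territory                  -> skipped
    semver: '7.5.4',      // concrete but equal to installed    -> skipped
  },
};
const SAMPLE_INSTALLED = {
  postcss: '8.5.15',
  react: '18.3.1',
  lodash: '4.17.21',
  minimist: '1.2.8',
  semver: '7.5.4',
};

function sampleFindings() {
  return runOA004(SAMPLE_PKG, SAMPLE_INSTALLED);
}

console.log(JSON.stringify(sampleFindings(), null, 2));
```

Running it prints two findings: `postcss` with `action: "remove"` and a one-op patch, and `react` with `action: "suggest"` and no patch; the range, `latest` and equal-version entries produce nothing, matching the rule's scope.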

## References