Severity: low · Action: remove (same major) / suggest (cross major)
An override whose concrete-version pin has already been surpassed by the installed version in node_modules.
```
override:  "postcss": "8.4.31"
installed: postcss@8.5.15
```
The pin no longer raises the floor: the resolved tree is already past it. The override is dead code.
Given a `package.json` whose overrides pin `postcss` to `"8.4.31"` (the fragment at the end of this page), while `node_modules/postcss/package.json` has `"version": "8.5.15"`, the output is:

```
LOW (1)
-------
OA004 postcss
package.json/overrides/postcss
Installed version surpasses concrete pin
fix: applyable patch (1 op)
```
OA004 fires only on concrete-version pins:

- `"8.4.31"` (concrete: checked)
- `"^8.4.31"` (range: not checked; would still apply on next install)
- `">=8.4.31"` (range: not checked)
- `"latest"` (OA002's territory, not OA004's)
A range pin like `^8.4.31` is functionally a floor and remains effective even when the installed version is newer; that's the intended behavior. OA004 is specifically about the "I pinned a single version and forgot about it" case.
Removing a pin that the tree has already surpassed is usually safe: the install resolves to the newer version with or without the override. But there's one corner case:
Some other dependency in the tree might be constraining the version downward. Removing the override could let that constraint pull the version back down.
The fuller "walk the dep graph and check no parent depends on `<pin`" check is deferred. The current detector uses a coarser major-version heuristic:

| Condition | Action |
|---|---|
| Same major (pin@8.4.31 vs installed@8.5.15) | remove (safe in the common case) |
| Cross-major (pin@17.0.0 vs installed@18.3.1) | suggest (manual review required) |
The cross-major case downgrades to suggest rather than remove because a removal could legitimately let an older-major dep pull the installed version back down. Manual review is the right answer there.
```
cve-lite overrides --fix --rule OA004
```

For same-major findings, `--fix` emits a single-op remove patch: the override is safely deletable.
For cross-major findings, the finding is emitted with no fix patch attached (suggest-only). The explanation tells you what to verify before removing manually. `--fix` skips these.
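The rule as described above (concrete pins only, strictly-greater installed version, same-major vs cross-major split, and a fix patch only for the same-major case), as an added example in TypeScript. This is not cve-lite's own detector; the function names, the hand-rolled `major.minor.patch` parser (prereleases are simply skipped) and the JSON Patch shape of the emitted fix are assumptions made for illustration.

```typescript
// Added example, not cve-lite's own code: a minimal model of the OA004
// "surpassed pin" heuristic. Function names, the version parser and the
// JSON Patch shape of the fix are assumptions for illustration.

type Version = [number, number, number];

// Only a bare "major.minor.patch" string is a concrete pin. Ranges such as
// "^8.4.31" or ">=8.4.31" and tags such as "latest" are outside OA004's scope.
const CONCRETE = /^(\d+)\.(\d+)\.(\d+)$/;

function parseConcrete(spec: string): Version | null {
  const m = CONCRETE.exec(spec.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Returns -1, 0 or 1, comparing two parsed versions component by component.
function compareVersions(a: Version, b: Version): number {
  if (a[0] !== b[0]) return a[0] < b[0] ? -1 : 1;
  if (a[1] !== b[1]) return a[1] < b[1] ? -1 : 1;
  if (a[2] !== b[2]) return a[2] < b[2] ? -1 : 1;
  return 0;
}

interface Finding {
  rule: "OA004";
  name: string;
  location: string;
  message: string;
  action: "remove" | "suggest";
  // Present only for same-major findings; cross-major findings are suggest-only.
  fix?: { op: "remove"; path: string }[];
}

// overrides: the "overrides" map from package.json
// installed: package name -> "version" field read from node_modules/<name>/package.json
function detectOA004(
  overrides: Record<string, string>,
  installed: Record<string, string>,
): Finding[] {
  const findings: Finding[] = [];
  for (const [name, spec] of Object.entries(overrides)) {
    const pin = parseConcrete(spec);
    if (pin === null) continue; // range or tag: not a concrete pin, skip
    const installedSpec = installed[name];
    const inst = installedSpec === undefined ? null : parseConcrete(installedSpec);
    if (inst === null) continue; // not installed (or a prerelease): nothing to compare
    if (compareVersions(inst, pin) <= 0) continue; // pin still raises the floor
    const sameMajor = inst[0] === pin[0];
    const finding: Finding = {
      rule: "OA004",
      name,
      location: `package.json/overrides/${name}`,
      message: "Installed version surpasses concrete pin",
      action: sameMajor ? "remove" : "suggest",
    };
    if (sameMajor) {
      // Single-op patch that deletes the override; --fix applies it.
      finding.fix = [{ op: "remove", path: `/overrides/${name}` }];
    }
    findings.push(finding);
  }
  return findings;
}

// Constructed sample input mirroring the page's examples (not a real tree).
const sampleOverrides: Record<string, string> = {
  postcss: "8.4.31",   // concrete, same major as installed -> remove
  react: "17.0.0",     // concrete, cross-major -> suggest only
  lodash: "^4.17.21",  // range: still a floor, no finding
  minimist: "1.2.8",   // installed equals the pin: not surpassed, no finding
};
const sampleInstalled: Record<string, string> = {
  postcss: "8.5.15",
  react: "18.3.1",
  lodash: "4.17.21",
  minimist: "1.2.8",
};

console.log(JSON.stringify(detectOA004(sampleOverrides, sampleInstalled), null, 2));
```

Run on the constructed input, this reports two findings: `postcss` as `remove` with a one-op patch at `/overrides/postcss`, and `react` as `suggest` with no patch; the range pin and the exactly-matching pin produce nothing. The equality check is deliberately strict: an installed version that merely equals the pin has not surpassed it, so the override still does its job.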
Source: `src/overrides/detectors/oa004-surpassed-pin.ts`

- The full parent-graph safety check (walk every parent, confirm none depends on `<pin`) is tracked as deferred follow-up work.
The `package.json` fragment used in the example above:

```jsonc
{
  "overrides": {
    "postcss": "8.4.31" // CVE pin from last year
  }
}
```