
OA007: Frozen latest

Severity: low  ·  Action: replace (single-op)  ·  Requires: --check-network

What it catches

A "latest" or "next" floating-tag override whose lockfile-resolved version is older than what the registry currently advertises for that tag. The override reads as "always the newest" but is actually frozen at whatever version was current when npm install last wrote the lockfile.

This rule requires opt-in network access via the --check-network flag because it needs to call registry.npmjs.org to see the current dist-tags. Local-only runs (the default) skip it.

Example

{
  "overrides": {
    "@esbuild/linux-x64": "latest"
  }
}

Installed: @esbuild/linux-x64@0.25.12 (frozen in lockfile from months ago). Registry says: dist-tags.latest = 0.28.0.

LOW (1)
-------
  OA007  @esbuild/linux-x64
    package.json/overrides/@esbuild~1linux-x64
    Floating-tag override is frozen behind the registry
    fix: applyable patch (1 op)

Why it matters

This is OA002's companion. OA002 catches "latest" based on static analysis alone ("floating tag is bad"). OA007 catches the specific subset where the freezing has already happened in the real world: the registry has advanced past the user's resolved version, and the user is unwittingly stuck on an older release.

Composed with OA002, you get the full story:

  • OA002 (offline): "your override uses a floating tag; it could freeze."
  • OA007 (online): "your override froze, and the registry has moved on by N versions."

OA007 is severity low on its own: a floating tag drifting behind the registry is a maintenance smell, not a confirmed vulnerability. When the stale copy is actually below a security floor you declared elsewhere, OA008 (critical) is the rule that fires.

How to enable

cve-lite overrides --check-network

Why opt-in? The override audit is local-first by design. Many CI environments have egress restrictions; some users specifically want the tool to work offline. --check-network is the explicit yes to network calls.

When the network call fails (timeout, 404, registry unreachable), OA007 skips that package and records the skip in a skippedDetectors note, so the report shows the check was not performed rather than passing the package off as clean or guessing at a finding.

What it does NOT catch

  • Floating tags other than latest and next. (Tags like rc, beta, canary are project-specific and noisy to flag automatically.)
  • Versions that are newer than the registry's latest (e.g., you're on a pre-release ahead of the public release). That's a deliberate state, not a stale pin.
  • Concrete-version pins (those are OA004's territory once they get surpassed).

How to fix

cve-lite overrides --fix --rule OA007 --check-network

--fix emits a single-op replace patch swapping the floating tag for >=<registry-latest>. Note that >=0.28.0 is a floor, not an exact pin: a fresh install still resolves upward to the newest matching version, and the lockfile then records the concrete version that was chosen.

// instead of:
"overrides": { "@esbuild/linux-x64": "latest" }
// do this:
"overrides": { "@esbuild/linux-x64": ">=0.28.0" }   // current registry latest
// then: rm -rf node_modules package-lock.json && npm install

If the override target is a platform binary, also consider whether you should be overriding the parent instead. See OA006.
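The rule as a whole (detection against dist-tags, the cases it does not flag, the skippedDetectors note on a failed call, and the single-op replace fix), worked through in one runnable example. This is added illustration, not cve-lite's own code: package.json, package-lock.json and the registry responses are constructed inline, lookupDistTags stands in for the HTTP GET so the example runs offline, and the function names, the finding shape and the RFC 6902 form of the fix op are assumptions.

```javascript
// Added example, not cve-lite's own code: an OA007-style check over constructed
// inputs. Function names, the finding shape and the fix-op format are assumptions.

const FLOATING_TAGS = new Set(["latest", "next"]); // the tags OA007 looks at

// Constructed package.json fragment.
const PACKAGE_JSON = {
  overrides: {
    "@esbuild/linux-x64": "latest", // frozen behind the registry
    "some-tool": "next",            // frozen behind the "next" tag
    "ahead-pkg": "latest",          // pre-release ahead of the public latest
    "offline-pkg": "latest",        // registry call fails
    "left-pad": "1.3.0",            // concrete pin: not OA007's territory
  },
};

// Constructed package-lock.json (lockfileVersion 3 "packages" map).
const PACKAGE_LOCK = {
  packages: {
    "node_modules/@esbuild/linux-x64": { version: "0.25.12" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/ahead-pkg": { version: "3.1.0-rc.1" },
    "node_modules/offline-pkg": { version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Constructed registry documents; null simulates a timeout or 404.
const REGISTRY = {
  "@esbuild/linux-x64": { "dist-tags": { latest: "0.28.0" } },
  "some-tool": { "dist-tags": { latest: "2.0.0", next: "2.1.0" } },
  "ahead-pkg": { "dist-tags": { latest: "3.0.0" } },
  "offline-pkg": null,
};

// Stand-in for GET https://registry.npmjs.org/<name>: only dist-tags are kept.
function lookupDistTags(name) {
  const doc = REGISTRY[name];
  if (!doc) throw new Error(`registry unreachable for ${name}`);
  return doc["dist-tags"];
}

// Minimal semver precedence, so the example needs no semver package.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : null };
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;  // a release outranks its own pre-releases
  if (!pb.pre) return -1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (nx !== ny) return nx ? -1 : 1; // numeric identifiers rank lower
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// RFC 6901 escaping, which is why the report shows "@esbuild~1linux-x64".
const escapePointer = (s) => s.replace(/~/g, "~0").replace(/\//g, "~1");

function checkFrozenLatest(pkg, lock, fetchDistTags) {
  const findings = [], skippedDetectors = [];
  for (const [name, spec] of Object.entries(pkg.overrides || {})) {
    if (!FLOATING_TAGS.has(spec)) continue;    // OA002/OA004 cover other specs
    const installed = lock.packages[`node_modules/${name}`];
    if (!installed) continue;                  // never resolved, so nothing is frozen
    let tags;
    try {
      tags = fetchDistTags(name);
    } catch (err) {                            // skip, but make the skip visible
      skippedDetectors.push({ rule: "OA007", package: name, reason: err.message });
      continue;
    }
    const advertised = tags[spec];
    // Current, or ahead of the registry (pre-release), is a deliberate state.
    if (!advertised || compareSemver(installed.version, advertised) >= 0) continue;
    findings.push({
      rule: "OA007", severity: "low", package: name,
      path: `package.json/overrides/${escapePointer(name)}`,
      installed: installed.version, advertised,
      message: "Floating-tag override is frozen behind the registry",
      fix: [{ op: "replace", path: `/overrides/${escapePointer(name)}`, value: `>=${advertised}` }],
    });
  }
  return { findings, skippedDetectors };
}

// Apply the single replace op by walking its JSON Pointer; the input is not mutated.
function applyFix(pkg, finding) {
  const out = JSON.parse(JSON.stringify(pkg));
  const { path, value } = finding.fix[0];
  const keys = path.split("/").slice(1).map((k) => k.replace(/~1/g, "/").replace(/~0/g, "~"));
  const last = keys.pop();
  keys.reduce((o, k) => o[k], out)[last] = value;
  return out;
}

console.log(JSON.stringify(checkFrozenLatest(PACKAGE_JSON, PACKAGE_LOCK, lookupDistTags), null, 2));
```

Running it reports @esbuild/linux-x64 (0.25.12 behind latest 0.28.0) and some-tool (2.0.0 behind next 2.1.0), lists offline-pkg under skippedDetectors, and leaves ahead-pkg and left-pad alone, which matches the "What it does NOT catch" list above; applyFix on the first finding yields the >=0.28.0 override shown in the fix snippet.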

Privacy and rate-limit notes

--check-network issues one HTTP GET per override target with a floating-tag pin, in parallel. No credentials are sent, no telemetry is collected; the response body is parsed for dist-tags only and discarded.

The npm registry's rate limit is generous for unauthenticated reads; a typical project's override block is well below it.

References