Severity: low · Action: replace (single-op) · Requires: --check-network
A "latest" or "next" floating-tag override that has resolved to a version older than what the registry currently advertises. The override looks like "always the newest" but is actually frozen at whatever version was current when npm install last touched the lockfile.
This rule requires opt-in network access via the --check-network flag because it needs to call registry.npmjs.org to see the current dist-tags. Local-only runs (the default) skip it.
Installed: @esbuild/linux-x64@0.25.12 (frozen in lockfile from months ago).
Registry says: dist-tags.latest = 0.28.0.
LOW (1)
-------
OA007 @esbuild/linux-x64
package.json/overrides/@esbuild~1linux-x64
Floating-tag override is frozen behind the registry
fix: applyable patch (1 op)
This is OA002's companion. OA002 catches "latest" based on static analysis alone ("floating tag is bad"). OA007 catches the specific subset where the freezing has already happened in the real world: the registry has advanced past the user's resolved version, and the user is unwittingly stuck on an older release.
Composed with OA002, you get the full story:
- OA002 (offline): "your override uses a floating tag; it could freeze."
- OA007 (online): "your override froze, and the registry has moved on by N versions."
OA007 is severity low on its own: a floating tag drifting behind the registry is a maintenance smell, not a confirmed vulnerability. When the stale copy is actually below a security floor you declared elsewhere, OA008 (critical) is the rule that fires.
```
cve-lite overrides --check-network
```

Why opt-in? The override audit is local-first by design. Many CI environments have egress restrictions, and some users specifically want the tool to work offline. --check-network is the explicit yes to network calls.

When the network call fails (timeout, 404, registry unreachable), OA007 skips that package and surfaces a skippedDetectors note instead of silently reporting a clean result it could not verify.
OA007 does not flag:

- Floating tags other than latest and next. (Tags like rc, beta, canary are project-specific and noisy to flag automatically.)
- Versions that are newer than the registry's latest (e.g., you're on a pre-release ahead of the public release). That's a deliberate state, not a stale pin.
- Concrete-version pins (those are OA004's territory once they get surpassed).
```
cve-lite overrides --fix --rule OA007 --check-network
```

--fix emits a single-op replace patch swapping the floating tag for >=<registry-latest>:

```
// instead of:
"overrides": { "@esbuild/linux-x64": "latest" }
// do this:
"overrides": { "@esbuild/linux-x64": ">=0.28.0" } // current registry latest
// then: rm -rf node_modules package-lock.json && npm install
```

If the override target is a platform binary, also consider whether you should be overriding the parent instead. See OA006.
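The detection and fix steps above, as an added example that is not cve-lite's own code: the OA007 decision logic written against an injectable dist-tags lookup so it runs offline. The real rule does one HTTP GET per floating-tag override; here `fetchDistTags` is a synchronous stub (an assumption, as are all the function and type names), and the sample overrides, lockfile versions and registry answers are constructed. It goes slightly beyond the page's single example by exercising all three non-flagged cases and the network-failure path, and it compares a `next` override against `dist-tags.next` rather than `latest` (also an assumption).

```typescript
// Added example, not cve-lite's own code: the OA007 decision logic written against
// an injectable dist-tags lookup so it runs offline. The real rule does one HTTP GET
// per floating-tag override; here `fetchDistTags` is a synchronous stub (assumption).

type DistTags = Record<string, string>;
// Returns the package's dist-tags, or null when the registry call failed.
type DistTagsLookup = (pkg: string) => DistTags | null;

interface ParsedVersion { core: [number, number, number]; prerelease: string | null }

interface OA007Finding {
  rule: "OA007";
  pkg: string;
  installed: string;
  registryLatest: string;
  message: string;
  fix: { op: "replace"; path: string; value: string };
}

interface OA007Result { findings: OA007Finding[]; skippedDetectors: string[] }

// Only these tags are checked; rc/beta/canary are project-specific and left alone.
const FLOATING_TAGS = new Set(["latest", "next"]);

function parseVersion(v: string): ParsedVersion | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] ?? null };
}

// Comparator: negative when a < b. A pre-release sorts below the same core release.
function compareVersions(a: ParsedVersion, b: ParsedVersion): number {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  if (a.prerelease === b.prerelease) return 0;
  if (a.prerelease === null) return 1;
  if (b.prerelease === null) return -1;
  return a.prerelease < b.prerelease ? -1 : 1;
}

// JSON-pointer style path as in the finding output: "/" in a scoped name becomes "~1".
function overridePath(pkg: string): string {
  return `package.json/overrides/${pkg.replace(/~/g, "~0").replace(/\//g, "~1")}`;
}

function runOA007(
  overrides: Record<string, string>,
  lockfileResolved: Record<string, string>, // package name -> version frozen in the lockfile
  fetchDistTags: DistTagsLookup,
): OA007Result {
  const findings: OA007Finding[] = [];
  const skippedDetectors: string[] = [];
  for (const [pkg, spec] of Object.entries(overrides)) {
    // Concrete pins are OA004's territory; other tags are skipped without a note.
    if (!FLOATING_TAGS.has(spec)) continue;
    const installedRaw = lockfileResolved[pkg] ?? "";
    const installed = parseVersion(installedRaw);
    if (!installed) { skippedDetectors.push(`OA007:${pkg}: no resolved version in lockfile`); continue; }
    // Network failure (timeout, 404, unreachable): skip and record it, never emit a finding.
    const tags = fetchDistTags(pkg);
    const advertisedRaw = tags?.[spec] ?? "";
    const advertised = parseVersion(advertisedRaw);
    if (!advertised) { skippedDetectors.push(`OA007:${pkg}: registry dist-tags unavailable`); continue; }
    // Current or ahead of the registry (e.g. a local pre-release) is deliberate, not stale.
    if (compareVersions(installed, advertised) >= 0) continue;
    findings.push({
      rule: "OA007", pkg, installed: installedRaw, registryLatest: advertisedRaw,
      message: `Floating-tag override "${spec}" is frozen at ${installedRaw}; registry ${spec} is ${advertisedRaw}`,
      fix: { op: "replace", path: overridePath(pkg), value: `>=${advertisedRaw}` },
    });
  }
  return { findings, skippedDetectors };
}

// Constructed sample data mirroring the page's example plus the non-flagged cases.
const sampleOverrides: Record<string, string> = {
  "@esbuild/linux-x64": "latest", "ahead-pkg": "next", "beta-pkg": "beta",
  "pinned-pkg": "1.2.3", "offline-pkg": "latest",
};
const sampleLockfile: Record<string, string> = {
  "@esbuild/linux-x64": "0.25.12", "ahead-pkg": "3.0.0-rc.1", "beta-pkg": "0.9.0",
  "pinned-pkg": "1.2.3", "offline-pkg": "1.0.0",
};
const sampleRegistry: Record<string, DistTags> = {
  "@esbuild/linux-x64": { latest: "0.28.0" },
  "ahead-pkg": { latest: "2.5.0", next: "2.6.0-beta.1" },
  "beta-pkg": { latest: "1.0.0", beta: "1.1.0-beta.3" },
  "pinned-pkg": { latest: "2.0.0" },
  // "offline-pkg" is absent: the stub returns null to simulate an unreachable registry.
};
const stubFetch: DistTagsLookup = (pkg) => sampleRegistry[pkg] ?? null;

function demo(): OA007Result {
  return runOA007(sampleOverrides, sampleLockfile, stubFetch);
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it yields one finding (the esbuild override, with a `>=0.28.0` replace patch at `package.json/overrides/@esbuild~1linux-x64`) and one skippedDetectors entry for the package whose registry lookup failed; the beta tag, the concrete pin and the pre-release that is ahead of the registry produce nothing, matching the exclusions listed above.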
--check-network issues one HTTP GET per override target with a floating-tag pin, in parallel. No credentials are sent, no telemetry is collected; the response body is parsed for dist-tags only and discarded.
The npm registry's rate limit is generous for unauthenticated reads; a typical project's override block is well below it.
- src/overrides/detectors/oa007-frozen-latest.ts
- npm registry dist-tags: semantics of latest/next

```
{ "overrides": { "@esbuild/linux-x64": "latest" } }
```