Override Hygiene Auditing
Dependency overrides are security patches you apply manually when a vulnerable transitive package is not yet fixed upstream. They work, but they accumulate debt silently over time. The package gets updated, the CVE gets fixed, the override stays. Or worse: the override was never effective to begin with, and your project has been exposed the entire time without anyone knowing it.
cve-lite overrides audits your override declarations against 8 rules and tells you exactly which ones are stale, broken, misplaced, or failing to take effect on disk.
Running the audit
```bash
# Scan current directory
cve-lite overrides .

# Scan a specific project
cve-lite overrides /path/to/project

# JSON output for CI
cve-lite overrides . --json

# Include network checks (required for OA007)
cve-lite overrides . --check-network

# Auto-fix all fixable findings
cve-lite overrides . --fix

# Fix a specific rule
cve-lite overrides . --fix --rule OA001
```
The 8 rules
| Rule | Name | Severity | Auto-fix | What it detects |
|---|---|---|---|---|
| OA001 | Orphaned target | high | yes | Override target not present anywhere in the resolved tree |
| OA002 | Floating tag | medium | yes | Override pinned to "latest", "next", "*", or invalid semver |
| OA003 | Wrong section | high | yes | Override in the wrong package manager key - silently ignored at install time |
| OA004 | Surpassed pin | low | yes | Installed version already higher than the concrete pin |
| OA005 | Nested ineffective | low to critical | partial | Nested override that is silently ignored or cannot apply |
| OA006 | Coupled platform binary | high / medium | proposed | Override fights an exact-pinned parent - resolution is unpredictable |
| OA007 | Frozen latest | low | yes | Floating tag locked behind a newer registry version (requires --check-network) |
| OA008 | Materialized vulnerable copy | critical | no | Vulnerable package copy still on disk despite an active override floor |
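To make the lockfile cross-check concrete, here is an added example (not cve-lite's own code) that applies OA001, OA002 and OA003 to constructed package.json and package-lock.json data. It assumes lockfileVersion 3 lock data and the section names `overrides` (npm), `resolutions` (yarn) and `pnpm.overrides` (pnpm); the simplified range regex is also an assumption of the example, not the tool's semver handling.

```javascript
// Added example (not cve-lite's own code): a minimal audit applying OA001, OA002
// and OA003 to constructed package.json / package-lock.json data.
const SECTION_FOR = { npm: "overrides", yarn: "resolutions", pnpm: "pnpm.overrides" };
const FLOATING = new Set(["latest", "next", "*", ""]);
// Simplified range check: ^, ~ or a comparator in front of x.y.z (no "1.x", no "||").
const RANGE = /^[\^~]?(>=|<=|>|<)?\d+\.\d+\.\d+/;

// Installed version per package name, from a lockfileVersion 3 "packages" map.
function installedVersions(lock) {
  const out = {};
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    out[path.slice(path.lastIndexOf("node_modules/") + 13)] = entry.version;
  }
  return out;
}

// Returns findings as { rule, name, spec, detail }; manager is "npm", "yarn" or "pnpm".
function auditOverrides(pkg, lock, manager) {
  const installed = installedVersions(lock);
  const findings = [];
  for (const [mgr, key] of Object.entries(SECTION_FOR)) {
    const section = key === "pnpm.overrides" ? (pkg.pnpm || {}).overrides : pkg[key];
    for (const [name, spec] of Object.entries(section || {})) {
      const v = installed[name];
      if (mgr !== manager) { // OA003: key belongs to another manager, so it is ignored
        findings.push({ rule: "OA003", name, spec, detail: `move to "${SECTION_FOR[manager]}"` });
      } else if (v === undefined) { // OA001: nothing in the resolved tree to override
        findings.push({ rule: "OA001", name, spec, detail: "not in resolved tree" });
      } else if (FLOATING.has(spec) || !RANGE.test(spec)) { // OA002: floating or invalid
        findings.push({ rule: "OA002", name, spec, detail: `replace with ">=${v}"` });
      }
    }
  }
  return findings;
}

// Constructed sample: an npm project with one floating, one orphaned and one
// misplaced (yarn-style "resolutions") override, plus one that is fine.
const samplePkg = {
  overrides: { minimist: ">=1.2.6", lodash: "latest", "ghost-lib": ">=2.0.0" },
  resolutions: { semver: ">=7.5.2" },
};
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo" }, "node_modules/minimist": { version: "1.2.8" },
  "node_modules/lodash": { version: "4.17.21" }, "node_modules/semver": { version: "7.5.4" },
} };
console.table(auditOverrides(samplePkg, sampleLock, "npm"));
```

Running it reports lodash (OA002), ghost-lib (OA001) and semver (OA003), while the minimist floor, which has a real target in the lock, produces no finding.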
How override debt accumulates
Auto-fix
Most findings can be fixed automatically. --fix applies RFC 6902 JSON patches to package.json atomically, preserving your existing formatting.
| Rule | Fixable? | What the patch does |
|---|---|---|
| OA001 | yes | remove the orphaned entry |
| OA002 | yes (when installed) | replace floating tag with >=<installed-version> |
| OA003 | yes | move override to the correct section |
| OA004 | yes (same major) | remove the surpassed pin |
| OA005.a/b/c | yes | remove the ineffective entry |
| OA005.d/e | suggest only | flattening requires manual review |
| OA006 | proposed | suggest parent dependency floor (not auto-applied) |
| OA007 | yes (with --check-network) | replace with >=<registry-latest> |
| OA008 | suggest only | investigate the parent dependency chain |
CI integration
```bash
# Fail CI on any critical or high finding
cve-lite overrides . --fail-on high

# Run as part of the regular CVE scan
cve-lite . --check-overrides --fail-on high
```
Log every detection and fix event for compliance audit trails:
```bash
cve-lite overrides . --fix --audit-log ./override-audit.ndjson
```
How this compares to other tools
Most dependency security tools read package.json statically and stop there. They see the override entry and assume it is working.
cve-lite overrides cross-checks each override against the resolved lockfile and the installed node_modules tree, which is the only way to catch OA001 (orphaned target), OA003 (wrong section), OA008 (vulnerable copy still on disk despite the floor), and OA006 (parent-coupling failure).
| Capability | cve-lite overrides | npm audit | OSV-Scanner | Snyk CLI | Socket CLI |
|---|---|---|---|---|---|
| Detect orphaned overrides (OA001) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Detect wrong-section overrides (OA003) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Detect overrides that fail on disk (OA008) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Cross-reference override against parent deps | ✅ | ❌ | ❌ | ❌ | ❌ |
| Auto-fix with RFC 6902 patches | ✅ | ❌ | ❌ | ❌ | ❌ |
| Works offline | ✅ | ❌ | ✅ | ❌ | ❌ |