
OA001: Orphaned Target

Severity: high  ·  Auto-fix: yes

An override entry whose target package is not present anywhere in the resolved dependency tree. The override has no effect - there is nothing for it to apply to.

This happens when a transitive dependency is dropped or renamed in an upstream package after the override was written. The pin stays, pointing at nothing.


Example

{
  "dependencies": {
    "next": "^16.2.6"
  },
  "overrides": {
    "left-pad": "1.3.0"
  }
}

left-pad was a CVE concern years ago. Nothing in the current dependency tree pulls it in anymore. The override creates a false sense of protection: it looks like left-pad is pinned to a safe version when in reality it is not installed at all.


Terminal output

HIGH (1)
--------
OA001 left-pad
package.json/overrides/left-pad
Override target not in resolved tree
fix: autofix available (1 op)

Fix

cve-lite overrides . --fix --rule OA001

--fix removes the entry with a single RFC 6902 remove patch. Re-run npm install (or pnpm install / yarn install) to confirm the cleanup took effect.
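The check and the autofix described above, as an added example that is not cve-lite's own code: it reads override targets from package.json, compares them with the names resolved in an npm v7+ package-lock "packages" map (an assumed lockfile shape), and emits the RFC 6902 remove patch that --fix would apply. The package.json and lockfile below are constructed samples.

```javascript
// Added example, not cve-lite's own code: flag OA001 orphaned override targets against
// a resolved npm v7+ package-lock "packages" map and emit the RFC 6902 "remove" patch.
// Constructed sample package.json: the page's example plus one live, scoped override.
const PACKAGE_JSON = {
  dependencies: { next: "^16.2.6" },
  overrides: { "left-pad": "1.3.0", "@babel/runtime": "7.24.0" },
};
// Constructed sample lockfile: next and a nested @babel/runtime resolve; left-pad does not.
const LOCKFILE = { packages: {
  "": { name: "app" },
  "node_modules/next": { version: "16.2.6" },
  "node_modules/next/node_modules/@babel/runtime": { version: "7.24.0" },
} };
// Names present in the tree: the part after the last "node_modules/", which keeps
// scoped names (@scope/pkg) whole and covers nested installs.
function resolvedNames(lock) {
  const names = new Set();
  for (const p of Object.keys(lock.packages || {})) {
    const i = p.lastIndexOf("node_modules/");
    if (i !== -1) names.add(p.slice(i + "node_modules/".length));
  }
  return names;
}
// Override keys may carry a range ("pkg@^1"); strip it, keeping a leading scope "@".
function overrideName(key) {
  const at = key.indexOf("@", 1);
  return at === -1 ? key : key.slice(0, at);
}
// RFC 6901 pointer escaping, so "@scope/pkg" is one path segment, not two.
const pointerSegment = (key) => key.replace(/~/g, "~0").replace(/\//g, "~1");
const unescapeSegment = (seg) => seg.replace(/~1/g, "/").replace(/~0/g, "~");
// OA001: each top-level override whose target is absent from the resolved tree.
function findOrphans(pkg, lock) {
  const present = resolvedNames(lock);
  return Object.keys(pkg.overrides || {})
    .filter((key) => !present.has(overrideName(key)))
    .map((key) => ({
      rule: "OA001", target: overrideName(key),
      patch: { op: "remove", path: `/overrides/${pointerSegment(key)}` },
    }));
}
// The --fix step: apply each remove op to a copy of package.json.
function applyFix(pkg, findings) {
  const fixed = JSON.parse(JSON.stringify(pkg));
  for (const { patch } of findings) {
    delete fixed.overrides[unescapeSegment(patch.path.slice("/overrides/".length))];
  }
  return fixed;
}
```

Only top-level, string-valued overrides are handled; nested override objects would need the same check applied recursively.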