# OA002: Floating Tag

Severity: medium · Auto-fix: yes (when package is installed)

An override whose pin value is a floating tag or non-semver string.
| Floating value | Why it is a problem |
|---|---|
| `"latest"` | Reinterpreted on every install - the "safe" version changes arbitrarily |
| `"next"` | Pre-release channel; may introduce breaking changes |
| `"*"` | Matches any version - no floor at all |
| `""` (empty string) | npm treats it as `*` |
| Invalid semver | Coerced or rejected at install time |
Overrides exist to pin a specific safe version. A floating tag defeats that goal entirely.
## Example

```json
{
  "overrides": {
    "@esbuild/linux-x64": "latest"
  }
}
```
"latest" could resolve to a version older than the one that was current when the override was written, or it could resolve to a new major that breaks the consuming package.
## Terminal output

```text
MEDIUM (1)
----------
OA002 @esbuild/linux-x64
package.json/overrides/@esbuild~1linux-x64
Override pinned to floating tag
fix: autofix available (1 op)
```
## Fix

```sh
cve-lite overrides . --fix --rule OA002
```

`--fix` replaces the floating tag with `>=<installed-version>` - a floor that encodes "at least this version for security" while letting the resolver pick newer compatible versions on future installs.

If the package is not yet installed, the fix is suggested but not applied. Install your dependencies first, then re-run `--fix`.
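The following is an added illustration of the check and the fix described above, written for this page; it is not cve-lite's own code. It walks the `overrides` block of a `package.json` object (including nested per-dependency overrides, where the `"."` key pins the parent package), classifies each pin value against the table above, reports the JSON-Pointer path in the same `~1`-escaped form the terminal output shows, and proposes a `>=<installed-version>` floor only when an installed version is known. The `installed` map stands in for a lockfile or `node_modules` lookup, and all package names and versions in `SAMPLE_PKG` / `SAMPLE_INSTALLED` are constructed for the demo. The semver-range check is a deliberately simple regex (no `1.x` wildcard forms), which is an assumption of this example, not a rule of the page.

```javascript
// Added example, not cve-lite's implementation. Detects floating override
// pins (OA002) and proposes ">=<installed>" floors; sample data is constructed.

// One comparator: optional operator, then MAJOR.MINOR.PATCH plus optional
// prerelease/build. Wildcard forms such as "1.x" are not accepted here
// (simplification of this example).
const COMPARATOR =
  /^(?:\^|~|>=|<=|>|<|=)?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// A range is "||"-separated alternatives, each a whitespace-separated
// list of comparators, e.g. ">=1.0.0 <2.0.0 || >=3.0.0".
function isValidRange(value) {
  return value.split("||").every((alt) => {
    const parts = alt.trim().split(/\s+/).filter(Boolean);
    return parts.length > 0 && parts.every((p) => COMPARATOR.test(p));
  });
}

// Returns null for an acceptable pin, otherwise a human-readable reason
// mirroring the table on this page.
function classifyPin(value) {
  if (typeof value !== "string") return "not a string";
  const v = value.trim();
  if (v === "") return "empty string (npm treats it as *)";
  if (v === "*") return "wildcard * (no floor at all)";
  if (v === "latest") return "dist-tag latest (reinterpreted on every install)";
  if (v === "next") return "dist-tag next (pre-release channel)";
  if (!isValidRange(v)) return "not a valid semver range";
  return null;
}

// RFC 6901 JSON Pointer escaping: "~" -> "~0", "/" -> "~1". This is why a
// scoped name like @esbuild/linux-x64 is reported as @esbuild~1linux-x64.
function escapePointer(segment) {
  return segment.replace(/~/g, "~0").replace(/\//g, "~1");
}
function unescapePointer(segment) {
  return segment.replace(/~1/g, "/").replace(/~0/g, "~");
}

// Walk pkg.overrides and return one finding per floating pin. `installed`
// maps package name -> installed version (here a constructed stand-in for a
// lockfile or node_modules lookup).
function auditOverrides(pkg, installed) {
  const findings = [];
  function walk(node, pointer, parentName) {
    for (const [key, value] of Object.entries(node)) {
      const pointerHere = `${pointer}/${escapePointer(key)}`;
      // In a nested override block, "." pins the parent package itself.
      const name = key === "." ? parentName : key;
      if (value && typeof value === "object") {
        walk(value, pointerHere, name);
        continue;
      }
      const reason = classifyPin(value);
      if (reason === null) continue;
      const ver = installed[name];
      findings.push({
        rule: "OA002",
        path: `package.json${pointerHere}`,
        name,
        value,
        reason,
        fix: ver ? `>=${ver}` : null, // suggested only, not applied, when not installed
      });
    }
  }
  walk(pkg.overrides || {}, "/overrides", null);
  return findings;
}

// Apply every finding that has a fix to a copy of pkg; returns the new
// object and how many operations were applied.
function applyFixes(pkg, findings) {
  const fixed = JSON.parse(JSON.stringify(pkg));
  let applied = 0;
  for (const f of findings) {
    if (!f.fix) continue;
    const segs = f.path.replace(/^package\.json\//, "").split("/").map(unescapePointer);
    let cur = fixed;
    for (const s of segs.slice(0, -1)) cur = cur[s];
    cur[segs[segs.length - 1]] = f.fix;
    applied += 1;
  }
  return { fixed, applied };
}

// Constructed sample input for the demo (versions are made up).
const SAMPLE_PKG = {
  overrides: {
    "@esbuild/linux-x64": "latest",
    lodash: "^4.17.21",
    minimist: "*",
    ws: { ".": "", bufferutil: "next" },
  },
};
const SAMPLE_INSTALLED = { "@esbuild/linux-x64": "1.2.3", lodash: "4.17.21", ws: "4.5.6" };

const demoFindings = auditOverrides(SAMPLE_PKG, SAMPLE_INSTALLED);
for (const f of demoFindings) {
  console.log(`${f.rule} ${f.name}\n  ${f.path}\n  ${f.reason}\n  fix: ${f.fix ?? "not installed, suggested only"}`);
}
console.log(`applied ${applyFixes(SAMPLE_PKG, demoFindings).applied} op(s)`);
```

Running it reports four findings: the two packages that are installed get a `>=` floor (`@esbuild/linux-x64` and the `"."` self-pin under `ws`), while `minimist` and `bufferutil` are flagged but left untouched, which is the same "suggested but not applied" behaviour the page describes for packages that are not yet installed.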