OA003: Wrong Section
Severity: high · Auto-fix: yes
An override declared in the wrong package manager section. Each package manager reads a different key:
| Package manager | Correct key |
|---|---|
| npm | overrides (top-level) |
| pnpm | pnpm.overrides |
| Yarn | resolutions |
When the section does not match the active package manager, the override is silently ignored. Security pins sitting in the wrong section look correct in code review and accomplish nothing during installation.
Example
```json
{
  "pnpm": {
    "overrides": {
      "postcss": "8.5.15"
    }
  }
}
```
This project has a package-lock.json, so it is an npm project. npm never reads the pnpm key, so this pnpm.overrides block has no effect: postcss resolves to whatever the transitive dependency chain asks for, completely unconstrained, even though the pin looks correct in review.
Terminal output
```text
HIGH (1)
--------
OA003 postcss
package.json/pnpm/overrides/postcss
Override declared in wrong package-manager section
fix: autofix available (1 op)
```
Why this is so common
OA003 is the single highest-impact category of override hygiene problem in the wild. It happens most often when:
- A project migrates from one package manager to another and the override block is not updated
- A developer copies a snippet from a project using a different package manager
- A team member adds an override without checking which lockfile the project uses
Fix
```sh
cve-lite overrides . --fix --rule OA003
```
--fix applies an RFC 6902 move patch, relocating the override to the section the active package manager reads. The patch edits package.json only; re-run npm install (or pnpm install / yarn install) afterward so the override is applied at install time and the lockfile is updated, then confirm the pin took effect with npm ls postcss (pnpm why postcss / yarn why postcss). If the installed version still differs from the pin, the override is being ignored for some other reason and should be investigated before the lockfile is committed.
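The detection described under Example and the move-based fix described above, as an added Node.js example that is not cve-lite's own code: it infers the package manager from the lockfile, reports every override sitting in a section the active manager never reads (as JSON-pointer paths, the same shape the terminal output uses), builds RFC 6902 move operations, and applies them. The function names, the finding shape and the sample package.json are assumptions for illustration. Two edge cases the page does not spell out are handled explicitly: the detector refuses to guess when lockfiles of two managers are present, and a move that would overwrite a different pin already in the correct section is reported as a conflict rather than applied.

```javascript
// Added example, not cve-lite's own code. Function names and the finding
// shape are assumptions; the sample project at the bottom is constructed.

// Where each package manager reads its override table (key path).
const OVERRIDE_SECTIONS = {
  npm: ['overrides'],
  pnpm: ['pnpm', 'overrides'],
  yarn: ['resolutions'],
};

// Lockfile -> the package manager that wrote it.
const LOCKFILES = {
  'package-lock.json': 'npm',
  'npm-shrinkwrap.json': 'npm',
  'pnpm-lock.yaml': 'pnpm',
  'yarn.lock': 'yarn',
};

// Active manager from the files in the project root. Returns null when no
// lockfile, or lockfiles of two managers, are present: guessing here could
// move pins into a section that is also ignored.
function detectPackageManager(files) {
  const managers = new Set(files.filter((f) => f in LOCKFILES).map((f) => LOCKFILES[f]));
  return managers.size === 1 ? [...managers][0] : null;
}

// RFC 6901 JSON Pointer helpers. Scoped names like "@scope/pkg" contain "/",
// so tokens are escaped ("~" -> "~0" first, then "/" -> "~1").
function toPointer(path) {
  return '/' + path.map((t) => t.replace(/~/g, '~0').replace(/\//g, '~1')).join('/');
}
function fromPointer(ptr) {
  return ptr.split('/').slice(1).map((t) => t.replace(/~1/g, '/').replace(/~0/g, '~'));
}
function getAt(obj, path) {
  return path.reduce((o, k) => (o !== null && typeof o === 'object' ? o[k] : undefined), obj);
}

// OA003: every override declared in a section the active manager does not read.
function findWrongSection(pkg, manager) {
  if (!OVERRIDE_SECTIONS[manager]) throw new Error(`unknown package manager: ${manager}`);
  const findings = [];
  for (const [pm, path] of Object.entries(OVERRIDE_SECTIONS)) {
    if (pm === manager) continue;
    const table = getAt(pkg, path);
    if (table === null || typeof table !== 'object') continue;
    for (const [name, spec] of Object.entries(table)) {
      const existing = getAt(pkg, [...OVERRIDE_SECTIONS[manager], name]);
      findings.push({
        rule: 'OA003',
        package: name,
        spec,
        declaredFor: pm,
        from: toPointer([...path, name]),
        path: toPointer([...OVERRIDE_SECTIONS[manager], name]),
        // A move would silently clobber a different pin already in place.
        conflict: existing !== undefined && existing !== spec,
      });
    }
  }
  return findings;
}

// Autofix: one RFC 6902 "move" per non-conflicting finding.
function buildPatch(findings) {
  return findings.filter((f) => !f.conflict).map((f) => ({ op: 'move', from: f.from, path: f.path }));
}

// Apply move ops to a copy of package.json, creating the target section as
// needed and pruning containers the move leaves empty (e.g. "pnpm": {}).
function applyPatch(pkg, patch) {
  const out = JSON.parse(JSON.stringify(pkg));
  for (const op of patch) {
    if (op.op !== 'move') throw new Error(`unsupported op: ${op.op}`);
    const from = fromPointer(op.from);
    const to = fromPointer(op.path);
    const value = getAt(out, from);
    if (value === undefined) throw new Error(`nothing at ${op.from}`);
    delete getAt(out, from.slice(0, -1))[from[from.length - 1]];
    for (let i = from.length - 1; i > 0; i--) {
      const parent = getAt(out, from.slice(0, i - 1));
      if (Object.keys(parent[from[i - 1]]).length === 0) delete parent[from[i - 1]];
      else break;
    }
    let cur = out;
    for (const key of to.slice(0, -1)) {
      if (cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
      cur = cur[key];
    }
    cur[to[to.length - 1]] = value;
  }
  return out;
}

// Constructed sample: an npm project whose only postcss pin sits under
// pnpm.overrides, as in the page's example.
const SAMPLE_FILES = ['package.json', 'package-lock.json', 'node_modules'];
const SAMPLE_PKG = {
  name: 'demo',
  dependencies: { 'some-css-tool': '^1.0.0' },
  pnpm: { overrides: { postcss: '8.5.15' } },
};

function demo() {
  const manager = detectPackageManager(SAMPLE_FILES);
  const findings = findWrongSection(SAMPLE_PKG, manager);
  const patch = buildPatch(findings);
  return { manager, findings, patch, fixed: applyPatch(SAMPLE_PKG, patch) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints the single finding for /pnpm/overrides/postcss, the one-op move patch, and the rewritten package.json with postcss under the top-level overrides key and the emptied pnpm block removed. The conflict flag is deliberate: when the right section already pins the same package at a different version, the safe outcome is a finding for a human to resolve, not an automatic overwrite of whichever pin happened to be correct.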