OA004: Surpassed Pin
Severity: low · Auto-fix: yes (same major), suggest (cross-major)
A concrete-version override pin that has already been surpassed by the installed version in node_modules. The pin no longer raises the floor - the resolved tree is already past it. The override entry is dead code.
Example
{
  "overrides": {
    "postcss": "8.4.31"
  }
}
node_modules/postcss/package.json shows "version": "8.5.15". The override was written to address a CVE in 8.4.x that has since been patched in upstream releases. The pin is redundant.
Terminal output
LOW (1)
-------
OA004 postcss
package.json/overrides/postcss
Installed version surpasses concrete pin
fix: autofix available (1 op)
Fix
cve-lite overrides . --fix --rule OA004
For same-major findings, --fix removes the override entry - the installed version already satisfies the security intent.
For cross-major findings, the tool suggests manual review rather than auto-fixing. A different major version means the dependency landscape may have changed in ways that warrant a deliberate decision before removing the pin.
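The check and the two fix modes described above, as an added example that is not cve-lite's own source: it reads the concrete pins out of `overrides`, compares each against the version that node_modules reports, classifies a surpassed pin as same-major or cross-major, and removes only the same-major entries. Everything here is assumed rather than taken from the tool: the `x.y.z`-only definition of a concrete pin, the skipping of ranges and nested override objects, and the in-memory `installed` lookup that stands in for reading `node_modules/<name>/package.json`. The sample manifest and installed versions are constructed.

```javascript
// Added example, not cve-lite's own source: a minimal OA004 "surpassed pin" check.
// Assumptions (mine, not from the page): an override is a concrete pin only when it
// matches x.y.z exactly; ranges and nested override objects are skipped; the
// installed version comes from node_modules/<name>/package.json, modelled here as
// an in-memory lookup so the example runs without a real node_modules tree.

const CONCRETE_PIN = /^(\d+)\.(\d+)\.(\d+)$/;

// Parse "x.y.z" into [major, minor, patch]; null for ranges, tags, or prefixes like "^".
function parseConcrete(version) {
  const m = CONCRETE_PIN.exec(String(version).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison of two parsed versions: -1, 0, or 1.
function compareParsed(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Run OA004 over manifest.overrides. `installed` maps package name -> installed
// version string (what node_modules/<name>/package.json would report).
function checkSurpassedPins(manifest, installed) {
  const findings = [];
  const overrides = (manifest && manifest.overrides) || {};
  for (const [name, pin] of Object.entries(overrides)) {
    const pinned = parseConcrete(pin);
    if (!pinned) continue;                             // range or nested object: not OA004's concern
    const current = installed[name] && parseConcrete(installed[name]);
    if (!current) continue;                            // not installed: nothing to compare against
    if (compareParsed(current, pinned) <= 0) continue; // pin still binding, or exactly met
    const crossMajor = current[0] !== pinned[0];
    findings.push({
      rule: "OA004",
      name,
      path: `package.json/overrides/${name}`,
      pin,
      installed: installed[name],
      crossMajor,
      fix: crossMajor ? "suggest" : "autofix",
    });
  }
  return findings;
}

// Same-major findings are removed from overrides; cross-major ones are left for
// manual review. Returns a new manifest plus the number of ops applied.
function applyFix(manifest, findings) {
  const overrides = { ...(manifest.overrides || {}) };
  let ops = 0;
  for (const f of findings) {
    if (f.fix !== "autofix") continue;
    delete overrides[f.name];
    ops++;
  }
  const fixed = { ...manifest };
  if (Object.keys(overrides).length) fixed.overrides = overrides;
  else delete fixed.overrides;
  return { manifest: fixed, ops };
}

// Render findings in the same shape as the terminal output above.
function render(findings) {
  const lines = [`LOW (${findings.length})`, "-------"];
  for (const f of findings) {
    lines.push(
      `${f.rule} ${f.name}`,
      f.path,
      "Installed version surpasses concrete pin",
      f.fix === "autofix" ? "fix: autofix available (1 op)" : "fix: manual review suggested (cross-major)"
    );
  }
  return lines.join("\n");
}

// Constructed sample input (not real project data).
const sampleManifest = {
  name: "demo-app",
  overrides: {
    postcss: "8.4.31",  // installed 8.5.15 -> same-major, autofix
    semver: "6.3.1",    // installed 7.6.0  -> cross-major, suggest only
    minimist: "1.2.8",  // installed 1.2.8  -> pin exactly met, no finding
    lodash: "^4.17.21", // range, not a concrete pin, skipped
  },
};
const sampleInstalled = { postcss: "8.5.15", semver: "7.6.0", minimist: "1.2.8", lodash: "4.17.21" };

const sampleFindings = checkSurpassedPins(sampleManifest, sampleInstalled);
console.log(render(sampleFindings));
console.log(JSON.stringify(applyFix(sampleManifest, sampleFindings).manifest, null, 2));
```

Running it on the constructed sample reports two findings: postcss as a same-major autofix and semver as a cross-major suggestion. `applyFix` then drops only the postcss entry, leaving the semver pin in place for the deliberate review the rule calls for.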