Skip to main content

OA004: Surpassed Pin

Severity: low  ·  Auto-fix: yes (same major), suggest (cross-major)

A concrete-version override pin that has already been surpassed by the installed version in node_modules. The pin no longer raises the floor - the resolved tree is already past it. The override entry is dead code.


Example

{
"overrides": {
"postcss": "8.4.31"
}
}

node_modules/postcss/package.json shows "version": "8.5.15". The override was written to address a CVE in 8.4.x that has since been patched in upstream releases. The pin is redundant.


Terminal output

LOW (1)
┌───────┬─────────┬──────────────────────────────────────────┐
│ Rule │ Package │ Message │
├───────┼─────────┼──────────────────────────────────────────┤
│ OA004 │ postcss │ Installed version surpasses concrete pin │
│ │ │ package.json > /overrides/postcss │
└───────┴─────────┴──────────────────────────────────────────┘
> cve-lite . overrides --fix --rule OA004

Fix

cve-lite . overrides --fix --rule OA004

For same-major findings, --fix removes the override entry - the installed version already satisfies the security intent.

For cross-major findings, the tool suggests manual review rather than auto-fixing. A different major version means the dependency landscape may have changed in ways that warrant a deliberate decision before removing the pin.