OA005: Nested Ineffective Override
Severity: low to critical (sub-code dependent) · Auto-fix: partial
npm supports a parent-scoped override syntax in which the pin applies only where the inner package is resolved underneath the named parent, not to every copy of it in the tree:
```json
{
  "overrides": {
    "@esbuild-kit/core-utils": {
      "esbuild": "^0.25.0"
    }
  }
}
```
This is more surgical than a top-level "esbuild" override, but it is also fragile: it only works if the package manager understands the shape at all, if the outer parent is actually installed, if the inner key is really one of that parent's dependencies, and if no other install path reaches the same package. OA005 has five sub-codes, one for each way a nested override can fail to do what its author intended.
Sub-codes
| Sub-code | Severity | What it detects |
|---|---|---|
| OA005.a | critical | Project uses pnpm or Yarn - nested-object syntax is silently ignored entirely |
| OA005.b | high | The outer parent is not in the resolved tree |
| OA005.c | high | The inner key is not in the outer parent's dependencies |
| OA005.d | medium | Inner dep is also installed via another path that the nested pin does not cover |
| OA005.e | low | Nested form is valid but a top-level override would be more durable |
The most dangerous sub-code: OA005.a
pnpm silently ignores the nested-object override shape entirely. pnpm does have a parent-scoped form of its own, the `"parent>child": "1.0.0"` selector key under `pnpm.overrides`, but the object-valued shape below is not it. A critical security pin written in npm's nested syntax therefore has no effect in a pnpm project, and nothing in the install output tells you so.
```json
{
  "pnpm": {
    "overrides": {
      "@some/parent": {
        "inner-dep": "1.0.0"
      }
    }
  }
}
```
This looks like a carefully targeted security pin. It does nothing.
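The following is an added example, not cve-lite's own implementation: a minimal checker that classifies nested override entries into the five OA005 sub-codes from the table above, including the pnpm case just shown. It assumes three inputs: a parsed package.json object, the package manager in use (`"npm"`, `"pnpm"` or `"yarn"`), and a resolved tree represented as a plain map of package name to dependency names, which stands in for whatever a real lockfile parser would produce. The `checkOA005`, `jsonPointer` and `formatFindings` names, the `hint` field and all sample data are this example's own.

```javascript
// Added example, not cve-lite's own code. Inputs: a parsed package.json, the
// package manager in use, and a resolved tree (package name -> array of its
// dependency names) standing in for a parsed lockfile. The sample package.json
// and tree objects at the bottom are constructed for this example.

// RFC 6901 JSON Pointer escaping, so "@some/parent" becomes "@some~1parent".
function jsonPointer(...segments) {
  return segments
    .map((s) => String(s).replace(/~/g, '~0').replace(/\//g, '~1'))
    .join('/');
}

// Where each manager reads pins from: npm uses "overrides", pnpm uses
// "pnpm.overrides", Yarn uses "resolutions".
function overridesBlock(pkg, manager) {
  if (manager === 'pnpm') return { base: ['pnpm', 'overrides'], block: pkg.pnpm && pkg.pnpm.overrides };
  if (manager === 'yarn') return { base: ['resolutions'], block: pkg.resolutions };
  return { base: ['overrides'], block: pkg.overrides };
}

function checkOA005(pkg, manager, tree) {
  const findings = [];
  const { base, block } = overridesBlock(pkg, manager);
  if (!block) return findings;

  for (const [outer, value] of Object.entries(block)) {
    // String pins ("esbuild": "^0.25.0") are not nested; only object values are in scope.
    if (typeof value !== 'object' || value === null) continue;

    for (const [inner, pin] of Object.entries(value)) {
      const entry = { dep: inner, parent: outer, pin,
        pointer: 'package.json/' + jsonPointer(...base, outer, inner) };

      if (manager !== 'npm') {
        // OA005.a: the object-valued shape is npm-only. pnpm's scoped form is the
        // "parent>child" selector key and Yarn's resolutions use "parent/child"; the
        // hint shows that equivalent key. cve-lite's --fix removes the dead entry instead.
        findings.push({ ...entry, code: 'OA005.a', severity: 'critical',
          message: `Nested override syntax is silently ignored by ${manager}`,
          hint: manager === 'pnpm' ? `${outer}>${inner}` : `${outer}/${inner}` });
        continue;
      }
      if (!(outer in tree)) {
        findings.push({ ...entry, code: 'OA005.b', severity: 'high',
          message: `${outer} is not in the resolved tree` });
        continue;
      }
      if (!tree[outer].includes(inner)) {
        findings.push({ ...entry, code: 'OA005.c', severity: 'high',
          message: `${inner} is not a dependency of ${outer}` });
        continue;
      }
      // OA005.d: every other node (the root project included) that also depends on the
      // inner package is an install path the parent-scoped pin leaves untouched.
      const otherParents = Object.keys(tree).filter((n) => n !== outer && tree[n].includes(inner));
      if (otherParents.length > 0) {
        findings.push({ ...entry, code: 'OA005.d', severity: 'medium',
          message: `${inner} is also installed via ${otherParents.join(', ')}` });
        continue;
      }
      // OA005.e: the pin works today but stops applying as soon as the parent drops the dep.
      findings.push({ ...entry, code: 'OA005.e', severity: 'low',
        message: `nested pin is valid; a top-level "${inner}" override would be more durable` });
    }
  }
  return findings;
}

// Render findings in the style of the terminal output shown on this page.
function formatFindings(findings) {
  return findings.map((f) =>
    `${f.severity.toUpperCase()} ${f.code} ${f.dep} (via ${f.parent})\n  ${f.pointer}\n  ${f.message}` +
    (f.hint ? `\n  equivalent key: "${f.hint}"` : '')).join('\n');
}

// Constructed samples: the pnpm project from the page, and an npm project
// that trips OA005.d, OA005.b and OA005.c in one run.
const pnpmPkg = { name: 'demo-app', pnpm: { overrides: { '@some/parent': { 'inner-dep': '1.0.0' } } } };
const pnpmTree = { 'demo-app': ['@some/parent'], '@some/parent': ['inner-dep'] };

const npmPkg = { name: 'demo-app', overrides: {
  '@esbuild-kit/core-utils': { esbuild: '^0.25.0' },   // esbuild also reached via vite  -> OA005.d
  'left-pad': { 'is-number': '7.0.0' },                // left-pad not installed at all  -> OA005.b
  lodash: { 'not-a-dep': '1.0.0' },                    // lodash has no such dependency  -> OA005.c
} };
const npmTree = { 'demo-app': ['@esbuild-kit/core-utils', 'lodash', 'vite'],
  '@esbuild-kit/core-utils': ['esbuild'], lodash: [], vite: ['esbuild'], esbuild: [] };

console.log(formatFindings(checkOA005(pnpmPkg, 'pnpm', pnpmTree)));
console.log(formatFindings(checkOA005(npmPkg, 'npm', npmTree)));
```

The ordering of the checks matters: a manager that cannot read the shape at all makes the tree checks moot, and a parent that is absent makes the inner-key check moot, so each sub-code is reported only when the ones above it in the table do not apply. The OA005.d test is deliberately conservative; it treats any second dependant of the inner package as an uncovered path, which is what you want from a security lint even if some of those paths would dedupe to the pinned copy in practice.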
Terminal output
```text
CRITICAL (1)
------------
OA005.a inner-dep (via @some/parent)
package.json/pnpm/overrides/@some~1parent/inner-dep
Nested override syntax is silently ignored by pnpm
fix: autofix available (1 op)
```
Fix
```shell
cve-lite overrides . --fix --rule OA005
```
--fix applies remove patches for OA005.a, OA005.b, and OA005.c. OA005.d and OA005.e are suggest-only: flattening a nested override into a top-level one widens its scope, which is a decision that requires manual review. Note that removing an OA005.a entry does not restore the pin it was meant to provide; after the fix, re-express it in the manager's own form (for pnpm, a `"parent>child"` selector key under `pnpm.overrides`) and confirm the resolved version in the lockfile.