
OA006: Coupled Platform Binary

Severity: high (platform binaries) / medium (other targets)  ·  Auto-fix: proposed (suggested, not applied by default)

A flat override targeting a platform-specific binary package when one or more installed parent packages declare that binary as an exact-version dependency. The override is fighting the parent's pin.

Platform binaries must match their parent JS package byte-for-byte. Parents declare them as exact optionalDependencies for this reason. Overriding the binary directly without overriding the parent leads to unpredictable resolution.

Common binary packages affected: @esbuild/<platform>, @next/swc-<platform>, @rollup/rollup-<platform>, lightningcss-<platform>, sharp prebuilts.


Example

{
  "overrides": {
    "@esbuild/linux-x64": "latest"
  }
}

Installed tree:

node_modules/esbuild@0.28.0
  optionalDependencies: { "@esbuild/linux-x64": "0.28.0" }   <- exact pin
node_modules/@esbuild/linux-x64@0.28.0                        <- frozen by lockfile

The override targets the binary. The parent esbuild exact-pins it. Depending on npm/pnpm version and registry state, the override may be ignored, may break the parent, or may install both versions side by side - and none of those outcomes are reliably correct.


Terminal output

HIGH (1)
--------
OA006 @esbuild/linux-x64
package.json/overrides/@esbuild~1linux-x64
Override on platform binary fights an exact-pinned parent
fix: autofix available (2 ops)

Fix

Override the parent instead of the binary:

{
  "overrides": {
    "esbuild": ">=0.28.0"
  }
}

cve-lite overrides . --fix --rule OA006
rm -rf node_modules package-lock.json
npm install
cve-lite overrides .

--fix surfaces a recommendation rather than applying it automatically. If the parent already has an override, it repins that to a >=<parent-installed-version> floor; if not, it relocates - retires the binary override and adds a parent dependency floor (an upgrade path), never a new override key. Because the floor is inferred from the installed tree, it is surfaced for review rather than auto-applied.

note

OA006 checks node_modules before firing. If the override is already working - the installed binary satisfies the override floor - OA006 stays silent. The rule only fires when the override is not confirmed effective on disk.
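The detection and fix logic described under Fix and in the note above, as an added illustration that is not cve-lite's own code: it models the rule over a constructed package.json `overrides` map and an object standing in for the installed node_modules tree, and reports the relocate/repin proposal without applying it. The function and field names are assumptions made for this example.

```javascript
// Added example: a minimal OA006-style check over constructed inputs (not cve-lite's code).
const EXACT = /^\d+\.\d+\.\d+$/;

// Compare two exact x.y.z versions: negative, zero or positive.
function cmp(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Can the installed version be confirmed to satisfy the override? Only an exact pin or a
// ">=floor" range is checkable from disk; a dist-tag such as "latest" cannot be confirmed,
// so it counts as "not effective on disk" and the rule fires.
function satisfies(installed, range) {
  if (EXACT.test(range)) return cmp(installed, range) === 0;
  if (range.startsWith('>=') && EXACT.test(range.slice(2))) return cmp(installed, range.slice(2)) >= 0;
  return false;
}

// RFC 6901 pointer escaping, matching the "package.json/overrides/@esbuild~1linux-x64" path in the output.
const pointer = (key) => `package.json/overrides/${key.replace(/~/g, '~0').replace(/\//g, '~1')}`;

// overrides: the package.json "overrides" map.
// installed: { name: { version, optionalDependencies?, dependencies? } }, a stand-in for node_modules.
function checkOA006(overrides, installed) {
  const findings = [];
  for (const [bin, range] of Object.entries(overrides)) {
    // Parents that exact-pin this package (platform binaries are pinned via optionalDependencies).
    const parents = Object.entries(installed).filter(([, p]) => {
      const pin = Object.assign({}, p.dependencies, p.optionalDependencies)[bin];
      return pin !== undefined && EXACT.test(pin);
    });
    if (parents.length === 0) continue;                        // nothing pins it: not an OA006 case
    const onDisk = installed[bin];
    if (onDisk && satisfies(onDisk.version, range)) continue;  // override already effective: stay silent
    for (const [parent, p] of parents) {
      const floor = `>=${p.version}`;                          // inferred from the installed tree
      const fix = overrides[parent] !== undefined
        ? { action: 'repin', parent, floor }                   // parent override exists: move its floor
        : { action: 'relocate', retire: bin, parent, floor };  // else retire binary override, add parent floor
      findings.push({ rule: 'OA006', target: bin, path: pointer(bin), parent, fix });
    }
  }
  return findings;
}
```

Run against the page's tree (esbuild@0.28.0 pinning @esbuild/linux-x64@0.28.0) with the `"latest"` override, it yields one relocate finding with floor `>=0.28.0`; with a `>=0.28.0` override on the binary it stays silent.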