
OA007: Frozen Latest

Severity: low  ·  Auto-fix: yes  ·  Requires: --check-network

A "latest" or "next" floating-tag override that the lockfile resolved to a version older than the one the npm registry currently advertises under that tag. The tag was frozen at install time; the registry has since moved on, and the override no longer means what its author thought it meant.

This rule is OA002's companion. OA002 catches floating tags statically ("this tag could freeze"). OA007 catches the subset where the freeze has already happened, by comparing the lockfile's resolved version against the live registry.

Because it queries the registry, this rule is opt-in behind --check-network:

cve-lite overrides . --check-network

Example

{
  "overrides": {
    "@esbuild/linux-x64": "latest"
  }
}
Installed: @esbuild/[email protected] (from lockfile, 6 months ago)
Registry latest: 0.28.0

Terminal output

LOW (1)
-------
OA007 @esbuild/linux-x64
package.json/overrides/@esbuild~1linux-x64
Floating-tag override is frozen behind the registry
fix: autofix available (1 op)

Fix

cve-lite overrides . --fix --rule OA007 --check-network

--fix replaces the floating tag with >=<registry-latest>, raising the version floor to what the registry advertises today. Note that this is a floor, not an exact pin: a >= range still resolves to newer versions on future installs. If you want the override locked to one version, replace the range with that exact version by hand.
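The check and the fix above, as an added offline model of the rule (this is illustrative code, not cve-lite's own implementation; the function names, the shape of the lockfile and registry inputs, and all version numbers below are assumptions constructed for the demo). It compares each floating-tag override's lockfile-resolved version against the registry's dist-tag, reports the ones that fell behind, and rewrites them to `>=<registry-latest>`. The path in each finding uses RFC 6901 escaping (`/` becomes `~1`), which is why the terminal output shows `@esbuild~1linux-x64`.

```javascript
// Added example, not cve-lite's code: a minimal offline model of OA007.
// In a real run the dist-tags would come from the registry
// (e.g. GET https://registry.npmjs.org/<name>); here they are constructed.

const FLOATING_TAGS = new Set(["latest", "next"]);

// Compare two semver strings (major.minor.patch, optional -prerelease).
// Returns <0, 0 or >0. A prerelease sorts below the same release version.
function compareSemver(a, b) {
  const parse = (v) => {
    const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
    if (!m) throw new Error(`not a semver version: ${v}`);
    return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // release > prerelease
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// RFC 6901 JSON Pointer escaping for each path segment:
// "@esbuild/linux-x64" -> "@esbuild~1linux-x64".
function jsonPointer(...segments) {
  return segments
    .map((s) => s.replace(/~/g, "~0").replace(/\//g, "~1"))
    .join("/");
}

// Report overrides whose floating tag resolved, in the lockfile, to a version
// older than what the registry currently advertises under that same tag.
// overrides:        package.json "overrides" object
// lockedVersions:   { name: version } as resolved in the lockfile (assumed shape)
// registryDistTags: { name: { latest, next, ... } } (assumed shape)
function findFrozenLatest(overrides, lockedVersions, registryDistTags) {
  const findings = [];
  for (const [name, spec] of Object.entries(overrides)) {
    if (!FLOATING_TAGS.has(spec)) continue;              // not a floating tag: OA002's domain, not OA007's
    const installed = lockedVersions[name];
    const current = registryDistTags[name] && registryDistTags[name][spec];
    if (!installed || !current) continue;                // nothing to compare against
    if (compareSemver(installed, current) < 0) {
      findings.push({
        rule: "OA007",
        name,
        tag: spec,
        installed,
        registry: current,
        pointer: jsonPointer("package.json", "overrides", name),
        fix: `>=${current}`,                             // raise the floor, not an exact pin
      });
    }
  }
  return findings;
}

// Autofix: replace each flagged tag with ">=<registry-latest>"; other overrides untouched.
function applyFix(overrides, findings) {
  const fixed = { ...overrides };
  for (const f of findings) fixed[f.name] = f.fix;
  return fixed;
}

// Constructed sample data (illustrative versions, not a real lockfile or registry).
const sampleOverrides = {
  "@esbuild/linux-x64": "latest",
  "left-pad": "next",
  "lodash": "4.17.21",
};
const sampleLocked = {
  "@esbuild/linux-x64": "0.19.12",
  "left-pad": "1.3.0",
  "lodash": "4.17.21",
};
const sampleRegistry = {
  "@esbuild/linux-x64": { latest: "0.28.0" },
  "left-pad": { latest: "1.3.0", next: "1.3.0" },      // not frozen: lockfile matches the tag
  "lodash": { latest: "4.17.21" },
};

const findings = findFrozenLatest(sampleOverrides, sampleLocked, sampleRegistry);
for (const f of findings) {
  console.log(`${f.rule} ${f.name}\n  ${f.pointer}\n  installed ${f.installed}, registry ${f.tag} is ${f.registry}\n  fix: ${f.fix}`);
}
console.log(JSON.stringify({ overrides: applyFix(sampleOverrides, findings) }, null, 2));
```

Only `@esbuild/linux-x64` is reported: `left-pad` uses a floating tag but its lockfile version matches the registry's `next`, and `lodash` is an exact pin, so neither is OA007's concern. The `>=` written by the fix is what the page describes; if an exact pin is wanted, that is a manual edit.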