Skip to main content

OA009: Stale Floor

Severity: low  ·  Auto-fix: yes

An override whose >= or ^ range floor is already met by every parent package's declared range, making the override dead weight. The resolved tree already enforces a stricter minimum than the floor, so removing the override changes nothing.


Example

{
"overrides": {
"js-yaml": ">=4.2.0"
}
}

js-yaml is depended on by a parent that declares "js-yaml": "^4.5.0" - a minimum of 4.5.0, already higher than the 4.2.0 floor. The override was written to address a CVE in 3.x that has since been fixed upstream. The floor is redundant.


Terminal output

LOW (1)
┌───────┬─────────┬────────────────────────────────────────────────────┐
│ Rule │ Package │ Message │
├───────┼─────────┼────────────────────────────────────────────────────┤
│ OA009 │ js-yaml │ Override floor already met by all parent │
│ │ │ declarations │
│ │ │ package.json > /overrides/js-yaml │
└───────┴─────────┴────────────────────────────────────────────────────┘
> cve-lite . overrides --fix --rule OA009

Scope

OA009 fires only on >= and ^ range floors:

PatternHandled by
">=4.2.0"OA009
"^4.2.0"OA009
"4.2.0" (concrete pin)OA004
"~4.2.0" (tilde)out of scope for v1
"latest" (floating tag)OA002

OA009 requires node_modules to be present. It is skipped automatically when node_modules is absent, and it stays silent when any parent's declared minimum falls below the floor.


Fix

cve-lite . overrides --fix --rule OA009

--fix emits a remove patch that deletes the stale floor entry from package.json. If the removed entry was the last override, the empty overrides container is also removed.


Why this is low severity

Low because:

  1. No vulnerability is exposed. A stale floor doesn't harm the dependency tree - it just does nothing.
  2. The fix is safe and automatic. Unlike OA008 or OA006, removing a stale floor cannot break resolution. Every parent already enforces a stricter minimum.
  3. It is a hygiene signal, not a security failure. OA009 catches the aftermath of upstream package upgrades and keeps package.json clean.

Complementary rules

  • OA004 flags surpassed concrete pins ("4.2.0" when the installed version is already higher). OA009 is the range-floor equivalent.
  • OA001 flags orphaned override targets where no parent declares the package at all. OA009 assumes the opposite: every parent declares the target, and each parent's minimum already meets the floor.
  • PD001 - OA009 will not fire on an override entry that anchors a phantom import. If source code imports the package and it is not declared as a dependency, PD001 fires instead and the OA009 removal suggestion is suppressed - removing the override would break the import.