CVE Lite CLI Adds Override Auditing to Catch Stale Security Pins in JavaScript Projects
The open-source CVE Lite CLI, endorsed by OWASP, now audits dependency overrides for stale or broken entries that silently leave transitive vulnerabilities unpatched.

The CVE Lite CLI, a free open-source dependency scanner endorsed by OWASP, has added an override auditing feature designed to detect stale or broken security overrides in JavaScript projects. The tool, which runs locally and provides actionable vulnerability fixes, addresses a common blind spot in software supply chain security: overrides that silently stop working after package manager migrations or upstream fixes.
Creator Sonu Kapoor found that three of four popular open-source projects—Cal.com, Jest, and NoCoDB—had silently ineffective overrides that leave transitive dependency vulnerabilities unpatched. Only Next.js passed the audit cleanly. "Cal.com has 90 override entries and 11 that are silently doing nothing," Kapoor told The Register. "Jest has an override for its own package name pointing at nothing in the resolved tree. NoCoDB has entries using wildcard patterns that never matched any path in the graph."
The problem arises when developers add overrides to pin a vulnerable transitive dependency while waiting for an upstream fix, but then forget to verify those overrides later. Overrides can become broken when projects migrate between package managers—npm reads from overrides, pnpm from pnpm.overrides, and Yarn from resolutions—and the security pins are not migrated. "No error, no warning, the vulnerable package ships unconstrained," Kapoor explained.
Kapoor also highlighted that AI coding assistants commonly advise developers to add override entries when asked to fix a transitive dependency vulnerability. "That advice is correct at the moment," he said. "None of them ever tell the developer to come back and verify the entry still works." This creates a false sense of security, as overrides can point at packages no longer in the dependency tree, apply to the wrong package manager, or shift to an unintended version on every install.
The CVE Lite CLI's override audit feature scans package.json and lock files to identify entries that are no longer effective. It runs locally, ensuring no code is sent to external servers, and integrates with CI/CD pipelines. The tool is available on GitHub and can be installed via npm.
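As an added illustration of the kind of check described above (this is example code written for this article, not the CVE Lite CLI's own implementation), the Node.js snippet below gathers override entries from all three package-manager keys, compares them against the package names actually present in a lockfile's resolved tree, and reports entries that match nothing or that the installing package manager would ignore. The sample package.json and package-lock.json are constructed for the example; nested selectors are simplified to their final package name.

```javascript
// Added example, not part of the CVE Lite CLI. Audits override entries in a
// package.json against a package-lock.json (lockfileVersion 2/3 "packages" map).

function collectOverrides(pkg) {
  // npm reads "overrides", pnpm reads "pnpm.overrides", Yarn reads "resolutions".
  const tag = (obj, key, manager) =>
    Object.keys(obj || {}).map(name => ({ name, key, manager }));
  return [
    ...tag(pkg.overrides, 'overrides', 'npm'),
    ...tag(pkg.pnpm && pkg.pnpm.overrides, 'pnpm.overrides', 'pnpm'),
    ...tag(pkg.resolutions, 'resolutions', 'yarn'),
  ];
}

function targetName(selector) {
  // Simplification: reduce "parent>child" (pnpm) and "**/child" (Yarn) selectors
  // to the final package name, and drop a "name@range" suffix (not a scope prefix).
  let s = selector.split('>').pop().trim();
  if (s.startsWith('**/')) s = s.slice(3);
  const at = s.lastIndexOf('@');
  if (at > 0) s = s.slice(0, at);
  return s;
}

function resolvedNames(lock) {
  // Lockfile keys look like "node_modules/a/node_modules/b"; the package name
  // is everything after the last "node_modules/" (scoped names keep "@scope/").
  const names = new Set();
  for (const path of Object.keys(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const idx = path.lastIndexOf('node_modules/');
    names.add(idx === -1 ? path : path.slice(idx + 'node_modules/'.length));
  }
  return names;
}

function auditOverrides(pkg, lock, manager) {
  const names = resolvedNames(lock);
  const findings = [];
  for (const o of collectOverrides(pkg)) {
    if (o.manager !== manager) {
      findings.push({ ...o, reason: `declared in "${o.key}", ignored by ${manager}` });
    } else if (!names.has(targetName(o.name))) {
      findings.push({ ...o, reason: 'no package with this name in the resolved tree' });
    }
  }
  return findings;
}

// Constructed sample input: one working pin, one pin for a package that has left
// the tree, and a Yarn "resolutions" entry that npm never reads.
const samplePackageJson = {
  name: 'demo-app',
  overrides: { minimist: '1.2.8', 'left-pad-legacy': '2.0.0' },
  resolutions: { '**/ws': '8.17.1' },
};
const samplePackageLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/minimist': { version: '1.2.8' },
    'node_modules/@scope/tool': { version: '1.0.0' },
    'node_modules/@scope/tool/node_modules/ws': { version: '8.17.1' },
  },
};

for (const f of auditOverrides(samplePackageJson, samplePackageLock, 'npm')) {
  console.log(`${f.key}["${f.name}"]: ${f.reason}`);
}
```

Running the sample under npm flags `left-pad-legacy` (nothing left to constrain) and the `resolutions` entry (wrong package manager), while the `minimist` pin passes.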
This update comes amid a surge in software supply chain attacks, including the ongoing Shai-hulud campaign that has been targeting developer ecosystems. The March 2022 node-ipc incident, where a maintainer intentionally introduced malicious code that wiped files, underscored the risks of transitive dependencies. While overrides are a legitimate security tool, Kapoor emphasized they are not a permanent fix. "The override hygiene feature exists precisely because of this failure mode: teams add an override to address a CVE, move on, and years later, the override does nothing while they still believe they're protected," he said.
For developers managing complex JavaScript projects, the CVE Lite CLI's new capability provides a much-needed safety net. By catching stale overrides early, teams can avoid shipping vulnerable code and maintain a more accurate security posture. The tool is free and open-source, with contributions welcome on GitHub.