docs: add override hygiene auditing documentation#729
Conversation
|
@alamb-hex, can you take a look at this PR, please? |
There was a problem hiding this comment.
Pull request overview
Adds a new “Override Hygiene Auditing” documentation section for the cve-lite overrides command (OA001–OA008), and surfaces it across the Docusaurus site and top-level docs/README so users can discover and integrate the feature. Also introduces several real-world package.json fixtures intended for reproducible override-audit scanning.
Changes:
- Adds a new
/docs/override-hygieneguide index plus one page per rule (OA001–OA008), including examples, outputs, fix guidance, and diagrams. - Integrates the new docs section into the website UI (homepage feature card, sidebar category, footer/nav link) and existing guides (workflow integration, fix mode, docs index, comparison tables).
- Adds example fixtures from cal.com, Next.js, NoCoDB, and Jest under
examples/for future scans/tests.
Reviewed changes
Copilot reviewed 21 out of 25 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| website/src/pages/index.tsx | Adds homepage messaging + a new feature card linking to override hygiene docs. |
| website/sidebars.ts | Adds an “Override Hygiene” sidebar category with OA001–OA008 entries. |
| website/docusaurus.config.ts | Adds a footer/nav link to the override hygiene docs. |
| website/docs/workflow-integration.md | Documents CI usage patterns for override hygiene audits. |
| website/docs/override-hygiene/index.md | New top-level guide page: how to run, rule summary, autofix table, CI guidance, comparisons. |
| website/docs/override-hygiene/oa001.md | New OA001 rule page. |
| website/docs/override-hygiene/oa002.md | New OA002 rule page. |
| website/docs/override-hygiene/oa003.md | New OA003 rule page. |
| website/docs/override-hygiene/oa004.md | New OA004 rule page. |
| website/docs/override-hygiene/oa005.md | New OA005 rule page. |
| website/docs/override-hygiene/oa006.md | New OA006 rule page. |
| website/docs/override-hygiene/oa007.md | New OA007 rule page. |
| website/docs/override-hygiene/oa008.md | New OA008 rule page. |
| website/docs/index.md | Adds an entry for the override hygiene docs in the main docs index. |
| website/docs/fix-mode.md | Documents using --check-overrides with --fix, plus the standalone audit flow. |
| website/docs/comparison.md | Adds “Override hygiene auditing” row to the docs comparison table. |
| README.md | Adds an “Override hygiene auditing” row to the README comparison table + link to the new guide. |
| examples/nocodb/package.json | Adds a real-world fixture package.json for override auditing scenarios. |
| examples/nextjs/package.json | Adds a real-world fixture package.json for override auditing scenarios. |
| examples/jest/package.json | Adds a real-world fixture package.json (Yarn resolutions) for override auditing scenarios. |
| examples/cal-com/package.json | Adds a real-world fixture package.json (Yarn resolutions) for override auditing scenarios. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
alamb-hex
left a comment
alamb-hex
left a comment
There was a problem hiding this comment.
Took a pass focused on the OA rule docs for technical accuracy against the merged detectors. The structure is great - one page per rule with explanation, example, terminal output, fix command, and diagrams is exactly what this needed, and the per-rule fix descriptions are accurate for OA001-OA005, OA007, OA008. Two things to fix, both where the docs drifted from current behavior:
1. OA006 fix description is inaccurate (the important one)
oa006.md says "Auto-fix: yes", "--fix applies the structural rewrite automatically", and "adds a parent override at >=<parent-installed-version>". The merged detector does something deliberately different:
- The fix is
tier: 'proposed'- surfaced as a recommendation, not applied by default. So it's not auto-fix. - It writes a parent dependency floor, never a new override entry - that's the chokepoint-guard invariant (the fix hook can remove/repin/relocate existing overrides but never invents a new override key). If the parent already has an override it repins that to the floor; if not, it relocates (retire the binary override + add a
/dependenciesfloor).
Suggested wording:
Auto-fix: proposed (suggested, not applied by default)
--fixsurfaces a recommendation rather than applying it. If the parent already has an override, it repins that to a>=<parent-installed-version>floor; if not, it relocates - retires the binary override and adds a parent dependency floor (an upgrade), never a new override key. Because the floor is inferred, it is surfaced for review rather than auto-applied.
The "OA006 checks node_modules before firing / stays silent when already effective" part is accurate - keep that.
2. Terminal-output examples don't match shipped output
The ## Terminal output blocks in oa001-oa007 (7 files) show:
fix: applicable patch (1 op)
The renderer in src/output/override-findings-terminal.ts actually prints:
fix: autofix available (1 op)
(It was renamed from the original "applyable" to "autofix available" - the spelling fix to "applicable" landed in the docs but the code emits "autofix available".) Updating the seven examples to fix: autofix available (N op) keeps the captures matching real output. oa008 correctly has no fix line (auto-fix: no).
Nice-to-have, not blocking: the cal.com / Next.js / NoCoDB / Jest fixtures are a great real-world demo set. Worth noting they are complementary to - not a substitute for - small synthetic per-rule fixtures for deterministic e2e (the #44 / examples-library thread); these real lockfiles will drift with upstream, the synthetic ones won't. Happy to take that on separately.
Everything else verified accurate against the detectors. Great addition - this makes the feature real for users.
sonukapoor
force-pushed
the
docs/issue-728-override-hygiene-docs
branch
from
76f1690 to
83c7237
Compare
|
@alamb-hex Both items are addressed:
The note about complementing real-world fixtures with synthetic per-rule fixtures for deterministic e2e is a good idea - will open a separate issue for that. |
|
@alamb-hex Can you review this one more time? |
alamb-hex
left a comment
alamb-hex
left a comment
There was a problem hiding this comment.
Both items from the last round are verified fixed:
- Terminal-output examples now read
fix: autofix available (N op)across oa001-oa007 (oa008 correctly has no fix line) - matches the renderer. - OA006 is now
Auto-fix: proposed (suggested, not applied by default)and the prose reflects the real behavior - repin an existing override or relocate to a parent dependency floor, never a new override key. Accurate against thetier: 'proposed'detector.
Docs are technically accurate now. LGTM.
One heads-up before merge: the branch conflicts with main, and it's just the tool-comparison table in website/docs/comparison.md. Main has since grown that table to 8 tools (added DependencyCheck and dep-scan) and already includes the "Override hygiene auditing" row. So on rebase, just take main's version of that table - the override row is already there in the wider form, nothing from this branch's 6-tool copy is needed. That's the only conflict; the other 24 files are clean.
Adds index page and individual pages for all 8 override hygiene rules (OA001-OA008). Each rule page includes explanation, example package.json, terminal output, fix command, and diagrams where the failure mode benefits from visual explanation. Sidebar updated with Override Hygiene category. Closes #728
Adds stat pill and feature card on homepage, comparison table row, entry in docs index, override hygiene section in fix-mode guide and workflow-integration guide with CI patterns and GitHub Actions example, and footer Guides link.
Adds package.json and lockfiles from cal.com, Next.js, NoCoDB, and Jest fetched from their public repos. These contain real override/resolutions blocks and serve as reproducible examples for override hygiene scanning and future test fixtures.
… pages - applyable -> applicable in terminal output blocks across oa001-oa007 - OA005 severity: low-critical -> low to critical (matches per-rule page) - OA006 severity: medium-high -> high / medium (matches per-rule page)
…x available" Applies across OA001-OA005 and OA007. The label now matches the CLI's actual output string for auto-fixable findings.
Auto-fix label changes from "yes" to "proposed" - the --fix flag surfaces a recommendation for OA006 rather than applying it automatically, because the parent dependency floor requires review. Updates index.md summary table and auto-fix table to reflect this.
sonukapoor
force-pushed
the
docs/issue-728-override-hygiene-docs
branch
from
83c7237 to
ee91fa0
Compare
Adds comprehensive documentation for the
cve-lite overridescommand, surfaces the feature across the website, and includes real-world example fixtures from four major JS projects.What changed
website/docs/override-hygiene/section with an index page and one page per rule (OA001-OA008), each with explanation, example, terminal output, fix command, and diagrams--check-overridescombo and standalone audit commandCloses #728