npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

pnpm-override-prune

v0.0.7

Published

Detect prunable pnpm.overrides entries by checking the npm registry against pnpm-lock.yaml.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

iwamotiwamot

Keywords

pnpmoverridesauditcli

Readme

pnpm-override-prune

npm node

Detect prunable override entries in pnpm / aube projects.

Usage

# Detect prunable entries (default)
pnpm dlx pnpm-override-prune                          # checks ./package.json
pnpm dlx pnpm-override-prune path/to/package.json     # checks given file

# Remove prunable entries in place
pnpm dlx pnpm-override-prune --fix

For aube users, replace pnpm dlx with aube dlx.

Example output:

=== package.json:pnpm.overrides (2 entries) ===
[PRUNE] @xmldom/xmldom >=0.9.10  0.9.10
[PRUNE] postcss >=8.5.10         8.5.12

Run with --fix to prune entries marked [PRUNE].

Exit codes:

| Code | Meaning | |------|---------| | 0 | No prunable entries (or --fix succeeded) | | 1 | Prunable entries found (without --fix) | | 2 | package.json or lockfile not found, or parse error |

Why

pnpm and aube let you pin a transitive dependency version via override entries — in package.json (pnpm.overrides or top-level overrides) or in pnpm-workspace.yaml / aube-workspace.yaml (top-level overrides:).

A common reason to reach for these is CVE mitigation: a vulnerability is disclosed in a transitive package, and you force the patched minimum version while direct deps catch up.

Once they do, the entry is no longer doing anything — but it's easy to forget which ones are still load-bearing. Stale overrides become a judgment cost at every audit or upgrade ("is this still needed, or just history?").

pnpm-override-prune answers that mechanically: it checks whether each entry's lower bound is already satisfied by what the npm registry would resolve without the override.

How it works

For each override target, the tool gathers the specs that constrain it without the override applied:

  • direct importer specs read from each workspace package.json (the lockfile's importer specifiers are skipped because pnpm rewrites them to the override value)
  • parent-package metadata fetched from https://registry.npmjs.org for transitive parents

For each spec it computes the highest published version that spec would resolve to on its own. The reported version is the lowest of those — the worst case some consumer would land on if the override were removed. If that version already meets the override's lower bound, the entry is [PRUNE]; otherwise [KEEP].

Scope

  • Reads override entries from:
    • package.jsonpnpm.overrides
    • package.json → top-level overrides (npm-compatible form, also used by aube audit --fix)
    • pnpm-workspace.yaml or aube-workspace.yaml → top-level overrides:
  • When a key appears in both pnpm.overrides and top-level overrides, both are reported independently. pnpm gives pnpm.overrides precedence at install time, but stale duplicates in the other location are easy to overlook.
  • Only specifiers using >= and/or > are checked. Exact pins (1.2.3), caret (^1.2.3), tilde (~1.2.3), and bounded ranges are skipped — removing an intentional upper bound is unsafe.
  • Versioned keys like "glob-parent@<5.1.2": ">=5.1.2" (the form pnpm audit --fix typically emits) are evaluated. The selector is matched against each parent's requested spec via semver.intersects — the rule pnpm itself uses since pnpm/pnpm#6904.
  • Lockfile must be pnpm-lock.yaml or aube-lock.yaml at lockfileVersion: '9.0' (pnpm 9+ / aube). Older formats are not supported in this release.

Known limitations

  • Skips values using non-semver protocols (catalog:, workspace:, file:, link:, portal:, npm:, github:, git-prefixed, http: / https:).
  • Skips nested-key overrides like "parent>child": "1.2.3". Only flat name &rarr; spec mappings are evaluated.
  • Skips versioned keys whose selector isn't a parseable semver range (e.g., "foo@latest": ">=1.0.0"). pnpm itself falls back to literal-string matching for such selectors, so they're rarely effective; verdict is left for human review.
  • Each override entry is evaluated independently. When multiple entries target the same package (e.g., several lodash@... rows from cumulative pnpm audit --fix runs), the tool won't propose consolidating them into a single stronger entry — it only marks each one prunable when its own selector/spec combination is a no-op against the natural resolution.
  • Public npm registry only. Private registries and .npmrc scoped registry configuration are not consulted.
  • Parents that aren't on the public registry — e.g. workspace-internal packages resolved as transitive parents — are silently dropped from the constraint set. The natural resolution may then appear less constrained than it actually is.

License

MIT