@ceon-oy/monitor-sdk 1.1.0 → 1.1.2

package/dist/index.d.mts

@@ -49,6 +49,10 @@ interface MonitorClientConfig {
     auditTimeoutMs?: number;
     /** Timeout for npm registry requests in ms (default: 5000, max: 30000) */
     registryTimeoutMs?: number;
+    /** Allow HTTP endpoints in production (default: false, requires explicit opt-in) */
+    allowInsecureHttp?: boolean;
+    /** Custom npm registry URL for fetching latest versions (default: https://registry.npmjs.org) */
+    npmRegistryUrl?: string;
 }
 interface TechnologyItem {
     name: string;
@@ -117,6 +121,13 @@ interface VulnerabilityItem {
     isFixable?: boolean;
     isDirect?: boolean;
 }
+interface VulnerabilitySummary {
+    critical: number;
+    high: number;
+    moderate: number;
+    low: number;
+    info: number;
+}
 interface AuditResult {
     environment: string;
     totalDeps: number;
@@ -127,13 +138,7 @@ interface AuditSummary {
     scanId: string;
     processed: number;
     resolved: number;
-    summary: {
-        critical: number;
-        high: number;
-        moderate: number;
-        low: number;
-        info: number;
-    };
+    summary: VulnerabilitySummary;
 }
 interface MultiAuditSummary {
     results: Array<{
@@ -141,21 +146,9 @@ interface MultiAuditSummary {
         scanId: string;
         processed: number;
         resolved: number;
-        summary: {
-            critical: number;
-            high: number;
-            moderate: number;
-            low: number;
-            info: number;
-        };
+        summary: VulnerabilitySummary;
     }>;
-    totalSummary: {
-        critical: number;
-        high: number;
-        moderate: number;
-        low: number;
-        info: number;
-    };
+    totalSummary: VulnerabilitySummary;
 }
 
 declare class MonitorClient {
@@ -188,6 +181,7 @@ declare class MonitorClient {
     private versionCheckEnabled;
     private auditTimeoutMs;
     private registryTimeoutMs;
+    private npmRegistryUrl;
     constructor(config: MonitorClientConfig);
     /**
      * Security: Validate and sanitize metadata to prevent oversized payloads
@@ -198,6 +192,18 @@ declare class MonitorClient {
      * Removes potential API keys, tokens, and limits response length
      */
     private sanitizeErrorResponse;
+    /**
+     * Security: Sanitize file paths in log messages to prevent exposing full filesystem structure
+     * Truncates long paths and shows only the last few segments
+     */
+    private sanitizePath;
+    /**
+     * Execute a promise with a timeout. Properly cleans up the timer and supports cancellation.
+     * @param promiseFactory Factory function that receives an AbortSignal and returns a promise
+     * @param timeoutMs Timeout in milliseconds
+     * @param message Error message if timeout occurs
+     */
+    private withTimeout;
     captureError(error: Error, context?: ErrorContext): Promise<void>;
     captureMessage(message: string, severity?: Severity, context?: ErrorContext): Promise<void>;
     flush(): Promise<void>;
@@ -239,9 +245,12 @@ declare class MonitorClient {
     private startFlushTimer;
     private stopFlushTimer;
     syncDependencies(): Promise<void>;
+    private performDependencySync;
     /**
      * Enrich technologies with latest version information from npm registry.
      * Only runs if versionCheckEnabled is true.
+     * @param technologies List of technologies to enrich
+     * @param signal Optional AbortSignal to cancel the operation
      */
     private enrichWithLatestVersions;
     syncTechnologies(technologies: TechnologyItem[]): Promise<void>;
@@ -251,10 +260,15 @@ declare class MonitorClient {
     /**
      * Fetch the latest version of a package from npm registry.
      * Returns null if the package cannot be found or the request fails.
+     * Uses npmRegistryUrl config option if provided.
+     * @param packageName The package name to fetch
+     * @param signal Optional AbortSignal to cancel the request
      */
     private fetchLatestVersion;
     /**
      * Fetch latest versions for multiple packages in parallel with concurrency limit.
+     * @param packageNames List of package names to fetch versions for
+     * @param signal Optional AbortSignal to cancel the operation
      */
     private fetchLatestVersions;
     private sendTechnologies;
@@ -320,6 +334,15 @@ declare class MonitorClient {
         timeWindowMinutes?: number;
         threshold?: number;
     }): Promise<BruteForceDetectionResult>;
+    /**
+     * Handle exec errors from audit commands. Returns stdout if available, null if timed out, or rethrows.
+     */
+    private handleAuditExecError;
+    /**
+     * Run a command with a reliable timeout using spawn.
+     * More reliable than execSync timeout in containerized environments.
+     */
+    private runCommandWithTimeout;
     /**
      * Run npm audit and send results to the monitoring server.
      * This scans the project for known vulnerabilities in dependencies.
@@ -342,6 +365,7 @@ declare class MonitorClient {
      * @returns Combined summary of all audit results
      */
     auditMultiplePaths(): Promise<MultiAuditSummary | null>;
+    private performMultiPathAudit;
     /**
      * Parse npm audit JSON output into vulnerability items
      */

package/dist/index.d.ts

@@ -49,6 +49,10 @@ interface MonitorClientConfig {
     auditTimeoutMs?: number;
     /** Timeout for npm registry requests in ms (default: 5000, max: 30000) */
     registryTimeoutMs?: number;
+    /** Allow HTTP endpoints in production (default: false, requires explicit opt-in) */
+    allowInsecureHttp?: boolean;
+    /** Custom npm registry URL for fetching latest versions (default: https://registry.npmjs.org) */
+    npmRegistryUrl?: string;
 }
 interface TechnologyItem {
     name: string;
@@ -117,6 +121,13 @@ interface VulnerabilityItem {
     isFixable?: boolean;
     isDirect?: boolean;
 }
+interface VulnerabilitySummary {
+    critical: number;
+    high: number;
+    moderate: number;
+    low: number;
+    info: number;
+}
 interface AuditResult {
     environment: string;
     totalDeps: number;
@@ -127,13 +138,7 @@ interface AuditSummary {
     scanId: string;
     processed: number;
     resolved: number;
-    summary: {
-        critical: number;
-        high: number;
-        moderate: number;
-        low: number;
-        info: number;
-    };
+    summary: VulnerabilitySummary;
 }
 interface MultiAuditSummary {
     results: Array<{
@@ -141,21 +146,9 @@ interface MultiAuditSummary {
         scanId: string;
         processed: number;
         resolved: number;
-        summary: {
-            critical: number;
-            high: number;
-            moderate: number;
-            low: number;
-            info: number;
-        };
+        summary: VulnerabilitySummary;
     }>;
-    totalSummary: {
-        critical: number;
-        high: number;
-        moderate: number;
-        low: number;
-        info: number;
-    };
+    totalSummary: VulnerabilitySummary;
 }
 
 declare class MonitorClient {
@@ -188,6 +181,7 @@ declare class MonitorClient {
     private versionCheckEnabled;
     private auditTimeoutMs;
     private registryTimeoutMs;
+    private npmRegistryUrl;
     constructor(config: MonitorClientConfig);
     /**
      * Security: Validate and sanitize metadata to prevent oversized payloads
@@ -198,6 +192,18 @@ declare class MonitorClient {
      * Removes potential API keys, tokens, and limits response length
      */
     private sanitizeErrorResponse;
+    /**
+     * Security: Sanitize file paths in log messages to prevent exposing full filesystem structure
+     * Truncates long paths and shows only the last few segments
+     */
+    private sanitizePath;
+    /**
+     * Execute a promise with a timeout. Properly cleans up the timer and supports cancellation.
+     * @param promiseFactory Factory function that receives an AbortSignal and returns a promise
+     * @param timeoutMs Timeout in milliseconds
+     * @param message Error message if timeout occurs
+     */
+    private withTimeout;
     captureError(error: Error, context?: ErrorContext): Promise<void>;
     captureMessage(message: string, severity?: Severity, context?: ErrorContext): Promise<void>;
     flush(): Promise<void>;
@@ -239,9 +245,12 @@ declare class MonitorClient {
     private startFlushTimer;
     private stopFlushTimer;
     syncDependencies(): Promise<void>;
+    private performDependencySync;
     /**
      * Enrich technologies with latest version information from npm registry.
      * Only runs if versionCheckEnabled is true.
+     * @param technologies List of technologies to enrich
+     * @param signal Optional AbortSignal to cancel the operation
      */
     private enrichWithLatestVersions;
     syncTechnologies(technologies: TechnologyItem[]): Promise<void>;
@@ -251,10 +260,15 @@ declare class MonitorClient {
     /**
      * Fetch the latest version of a package from npm registry.
      * Returns null if the package cannot be found or the request fails.
+     * Uses npmRegistryUrl config option if provided.
+     * @param packageName The package name to fetch
+     * @param signal Optional AbortSignal to cancel the request
      */
     private fetchLatestVersion;
     /**
      * Fetch latest versions for multiple packages in parallel with concurrency limit.
+     * @param packageNames List of package names to fetch versions for
+     * @param signal Optional AbortSignal to cancel the operation
      */
     private fetchLatestVersions;
     private sendTechnologies;
@@ -320,6 +334,15 @@ declare class MonitorClient {
         timeWindowMinutes?: number;
         threshold?: number;
     }): Promise<BruteForceDetectionResult>;
+    /**
+     * Handle exec errors from audit commands. Returns stdout if available, null if timed out, or rethrows.
+     */
+    private handleAuditExecError;
+    /**
+     * Run a command with a reliable timeout using spawn.
+     * More reliable than execSync timeout in containerized environments.
+     */
+    private runCommandWithTimeout;
     /**
      * Run npm audit and send results to the monitoring server.
      * This scans the project for known vulnerabilities in dependencies.
@@ -342,6 +365,7 @@ declare class MonitorClient {
      * @returns Combined summary of all audit results
      */
     auditMultiplePaths(): Promise<MultiAuditSummary | null>;
+    private performMultiPathAudit;
     /**
      * Parse npm audit JSON output into vulnerability items
      */

package/dist/index.js

@@ -47,6 +47,8 @@ var CONFIG_LIMITS = {
   // 64KB
   MAX_RETRY_MAP_SIZE: 1e3,
   // Prevent unbounded growth
+  RETRY_MAP_CLEANUP_PERCENTAGE: 0.1,
+  // Remove 10% of oldest entries when map is full
   AUDIT_MAX_BUFFER: 10 * 1024 * 1024,
   // 10MB
   AUDIT_TIMEOUT_MS: 6e4,
@@ -57,8 +59,16 @@ var CONFIG_LIMITS = {
   // 5 minutes
   REGISTRY_TIMEOUT_MS: 5e3,
   // 5 seconds (default)
-  MAX_REGISTRY_TIMEOUT_MS: 3e4
+  MAX_REGISTRY_TIMEOUT_MS: 3e4,
   // 30 seconds (max configurable)
+  TECH_VERSION_FETCH_TIMEOUT_MS: 3e4,
+  // 30 seconds max for all version fetches
+  SYNC_DEPENDENCIES_TIMEOUT_MS: 6e4,
+  // 60 seconds max for all dependency syncs
+  AUDIT_MULTI_PATH_TIMEOUT_MS: 18e4,
+  // 3 minutes max for all audit paths
+  REGISTRY_CONCURRENCY_LIMIT: 5
+  // Limit parallel requests to avoid rate limiting
 };
 var MonitorClient = class {
   constructor(config) {
@@ -75,8 +85,8 @@ var MonitorClient = class {
     if (!config.apiKey || config.apiKey.trim().length === 0) {
       throw new Error("[MonitorClient] API key is required");
     }
-    if (!/^cm_[a-zA-Z0-9_-]+$/.test(config.apiKey)) {
-      throw new Error("[MonitorClient] Invalid API key format. Expected format: cm_xxx");
+    if (!/^cm_[a-zA-Z0-9_-]{16,256}$/.test(config.apiKey)) {
+      throw new Error("[MonitorClient] Invalid API key format. Expected format: cm_xxx (16-256 characters after prefix)");
     }
     if (!config.endpoint || config.endpoint.trim().length === 0) {
       throw new Error("[MonitorClient] Endpoint URL is required");
@@ -87,6 +97,9 @@ var MonitorClient = class {
         throw new Error("[MonitorClient] Endpoint must use HTTP or HTTPS protocol");
       }
       if (url.protocol === "http:" && config.environment !== "development" && config.environment !== "test") {
+        if (!config.allowInsecureHttp) {
+          throw new Error("[MonitorClient] HTTP endpoints require allowInsecureHttp: true in non-development environments");
+        }
         console.warn("[MonitorClient] Warning: Using HTTP in non-development environment is not recommended");
       }
     } catch (err) {
@@ -116,8 +129,8 @@ var MonitorClient = class {
       "@typescript-eslint/*"
     ];
     this.excludePatterns = config.excludePatterns || defaultExcludePatterns;
-    this.compiledExcludePatterns = this.excludePatterns.map((pattern) => {
-      const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    this.compiledExcludePatterns = this.excludePatterns.filter((pattern) => pattern.length <= 100).map((pattern) => {
+      const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*+/g, "[^/]*");
       return new RegExp(`^${regexPattern}$`);
     });
     this.autoAudit = config.autoAudit || false;
@@ -126,6 +139,7 @@ var MonitorClient = class {
     this.versionCheckEnabled = config.versionCheckEnabled ?? true;
     this.auditTimeoutMs = Math.min(CONFIG_LIMITS.MAX_AUDIT_TIMEOUT_MS, Math.max(1e3, config.auditTimeoutMs || CONFIG_LIMITS.AUDIT_TIMEOUT_MS));
     this.registryTimeoutMs = Math.min(CONFIG_LIMITS.MAX_REGISTRY_TIMEOUT_MS, Math.max(1e3, config.registryTimeoutMs || CONFIG_LIMITS.REGISTRY_TIMEOUT_MS));
+    this.npmRegistryUrl = (config.npmRegistryUrl || "https://registry.npmjs.org").replace(/\/$/, "");
     this.startFlushTimer();
     if (this.trackDependencies) {
       this.syncDependencies().catch((err) => {
@@ -166,8 +180,43 @@ var MonitorClient = class {
     sanitized = sanitized.replace(/cm_[a-zA-Z0-9_-]+/g, "[REDACTED]");
     sanitized = sanitized.replace(/Bearer\s+[a-zA-Z0-9_.-]+/gi, "Bearer [REDACTED]");
     sanitized = sanitized.replace(/authorization['":\s]+[a-zA-Z0-9_.-]+/gi, "authorization: [REDACTED]");
+    sanitized = sanitized.replace(/eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, "[JWT_REDACTED]");
+    sanitized = sanitized.replace(/AKIA[A-Z0-9]{16}/g, "[AWS_KEY_REDACTED]");
+    sanitized = sanitized.replace(/(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])/g, "[AWS_SECRET_REDACTED]");
+    sanitized = sanitized.replace(/gh[pousr]_[A-Za-z0-9_]{36,}/g, "[GITHUB_TOKEN_REDACTED]");
     return sanitized;
   }
+  /**
+   * Security: Sanitize file paths in log messages to prevent exposing full filesystem structure
+   * Truncates long paths and shows only the last few segments
+   */
+  sanitizePath(filePath, maxSegments = 3) {
+    if (!filePath) return "";
+    const segments = filePath.split(/[/\\]/);
+    if (segments.length <= maxSegments) {
+      return filePath;
+    }
+    return ".../" + segments.slice(-maxSegments).join("/");
+  }
+  /**
+   * Execute a promise with a timeout. Properly cleans up the timer and supports cancellation.
+   * @param promiseFactory Factory function that receives an AbortSignal and returns a promise
+   * @param timeoutMs Timeout in milliseconds
+   * @param message Error message if timeout occurs
+   */
+  withTimeout(promiseFactory, timeoutMs, message) {
+    const controller = new AbortController();
+    let timeoutId;
+    const timeoutPromise = new Promise((_, reject) => {
+      timeoutId = setTimeout(() => {
+        controller.abort();
+        reject(new Error(message));
+      }, timeoutMs);
+    });
+    return Promise.race([promiseFactory(controller.signal), timeoutPromise]).finally(() => {
+      clearTimeout(timeoutId);
+    });
+  }
   async captureError(error, context) {
     if (this.isClosed) return;
     const payload = {
@@ -222,7 +271,7 @@ var MonitorClient = class {
         const retries = this.retryCount.get(key) || 0;
         if (retries < this.maxRetries) {
           if (this.retryCount.size >= CONFIG_LIMITS.MAX_RETRY_MAP_SIZE) {
-            const keysToRemove = Array.from(this.retryCount.keys()).slice(0, Math.ceil(CONFIG_LIMITS.MAX_RETRY_MAP_SIZE * 0.1));
+            const keysToRemove = Array.from(this.retryCount.keys()).slice(0, Math.ceil(CONFIG_LIMITS.MAX_RETRY_MAP_SIZE * CONFIG_LIMITS.RETRY_MAP_CLEANUP_PERCENTAGE));
             for (const oldKey of keysToRemove) {
               this.retryCount.delete(oldKey);
             }
@@ -328,6 +377,8 @@ var MonitorClient = class {
    * Uses auditMultiplePaths() if auditPaths is configured, otherwise runs single audit.
    */
   async runScanAndTrackTime() {
+    const startTime = Date.now();
+    console.log("[MonitorClient] Starting vulnerability scan...");
     try {
       if (this.auditPaths && this.auditPaths.length > 0) {
         await this.auditMultiplePaths();
@@ -335,6 +386,8 @@ var MonitorClient = class {
         await this.auditDependencies();
       }
       this.lastScanTime = /* @__PURE__ */ new Date();
+      const duration = Date.now() - startTime;
+      console.log(`[MonitorClient] Vulnerability scan completed in ${duration}ms`);
     } catch (err) {
       console.error("[MonitorClient] Vulnerability scan failed:", err instanceof Error ? err.message : String(err));
     }
@@ -441,38 +494,56 @@ var MonitorClient = class {
     }
   }
   async syncDependencies() {
+    console.log("[MonitorClient] Starting technology sync...");
     try {
-      if (this.dependencySources && this.dependencySources.length > 0) {
-        for (const source of this.dependencySources) {
-          const technologies = await this.readPackageJsonFromPath(source.path);
-          if (technologies.length === 0) continue;
-          const enrichedTechnologies = await this.enrichWithLatestVersions(technologies);
-          await this.sendTechnologiesWithEnvironment(enrichedTechnologies, source.environment);
-          console.log(`[MonitorClient] Technology sync completed for ${source.environment}`);
+      await this.withTimeout(
+        (signal) => this.performDependencySync(signal),
+        CONFIG_LIMITS.SYNC_DEPENDENCIES_TIMEOUT_MS,
+        "Technology sync timed out"
+      );
+      console.log("[MonitorClient] Technology sync completed successfully");
+    } catch (err) {
+      console.error("[MonitorClient] Technology sync failed:", err instanceof Error ? err.message : String(err));
+    }
+  }
+  async performDependencySync(signal) {
+    if (this.dependencySources && this.dependencySources.length > 0) {
+      for (const source of this.dependencySources) {
+        if (signal?.aborted) {
+          console.log("[MonitorClient] Technology sync cancelled");
+          return;
         }
-      } else {
-        const technologies = await this.readPackageJson();
-        if (technologies.length === 0) return;
-        const enrichedTechnologies = await this.enrichWithLatestVersions(technologies);
-        await this.sendTechnologies(enrichedTechnologies);
-        console.log(`[MonitorClient] Technology sync completed for ${this.environment}`);
+        const technologies = await this.readPackageJsonFromPath(source.path);
+        if (technologies.length === 0) continue;
+        const enrichedTechnologies = await this.enrichWithLatestVersions(technologies, signal);
+        await this.sendTechnologiesWithEnvironment(enrichedTechnologies, source.environment);
+        console.log(`[MonitorClient] Technology sync completed for ${source.environment}`);
       }
-    } catch (err) {
-      console.error("[MonitorClient] Failed to sync dependencies:", err);
+    } else {
+      const technologies = await this.readPackageJson();
+      if (technologies.length === 0) return;
+      const enrichedTechnologies = await this.enrichWithLatestVersions(technologies, signal);
+      await this.sendTechnologies(enrichedTechnologies);
+      console.log(`[MonitorClient] Technology sync completed for ${this.environment}`);
     }
   }
   /**
    * Enrich technologies with latest version information from npm registry.
    * Only runs if versionCheckEnabled is true.
+   * @param technologies List of technologies to enrich
+   * @param signal Optional AbortSignal to cancel the operation
    */
-  async enrichWithLatestVersions(technologies) {
+  async enrichWithLatestVersions(technologies, signal) {
     if (!this.versionCheckEnabled) {
       return technologies;
     }
+    if (signal?.aborted) {
+      return technologies;
+    }
     try {
       console.log(`[MonitorClient] Fetching latest versions for ${technologies.length} packages...`);
       const packageNames = technologies.map((t) => t.name);
-      const latestVersions = await this.fetchLatestVersions(packageNames);
+      const latestVersions = await this.fetchLatestVersions(packageNames, signal);
       const foundCount = [...latestVersions.values()].filter((v) => v !== null).length;
       console.log(`[MonitorClient] Fetched latest versions: ${foundCount}/${technologies.length} packages`);
       return technologies.map((tech) => ({
@@ -504,7 +575,7 @@ var MonitorClient = class {
       const resolvedPath = path.isAbsolute(packagePath) ? packagePath : path.join(baseDir, packagePath);
       const normalizedPath = path.normalize(resolvedPath);
       if (packagePath.includes("\0")) {
-        console.warn("[MonitorClient] Suspicious path blocked:", packagePath);
+        console.warn("[MonitorClient] Suspicious path blocked:", this.sanitizePath(packagePath));
         return [];
       }
       if (!normalizedPath.endsWith("package.json")) {
@@ -517,7 +588,7 @@ var MonitorClient = class {
       try {
         const realPath = fs.realpathSync(normalizedPath);
         if (!realPath.endsWith("package.json")) {
-          console.warn("[MonitorClient] Symlink points to non-package.json file:", packagePath);
+          console.warn("[MonitorClient] Symlink points to non-package.json file:", this.sanitizePath(packagePath));
           return [];
         }
       } catch {
@@ -553,13 +624,17 @@ var MonitorClient = class {
   /**
    * Fetch the latest version of a package from npm registry.
    * Returns null if the package cannot be found or the request fails.
+   * Uses npmRegistryUrl config option if provided.
+   * @param packageName The package name to fetch
+   * @param signal Optional AbortSignal to cancel the request
    */
-  async fetchLatestVersion(packageName) {
+  async fetchLatestVersion(packageName, signal) {
     try {
+      if (signal?.aborted) return null;
       const encodedName = encodeURIComponent(packageName).replace("%40", "@");
-      const response = await fetch(`https://registry.npmjs.org/${encodedName}`, {
+      const response = await fetch(`${this.npmRegistryUrl}/${encodedName}`, {
         headers: { "Accept": "application/json" },
-        signal: AbortSignal.timeout(this.registryTimeoutMs)
+        signal: signal ?? AbortSignal.timeout(this.registryTimeoutMs)
       });
       if (!response.ok) return null;
       const data = await response.json();
@@ -570,16 +645,25 @@ var MonitorClient = class {
   }
   /**
    * Fetch latest versions for multiple packages in parallel with concurrency limit.
+   * @param packageNames List of package names to fetch versions for
+   * @param signal Optional AbortSignal to cancel the operation
    */
-  async fetchLatestVersions(packageNames) {
+  async fetchLatestVersions(packageNames, signal) {
     const results = /* @__PURE__ */ new Map();
-    const concurrencyLimit = 5;
+    const concurrencyLimit = CONFIG_LIMITS.REGISTRY_CONCURRENCY_LIMIT;
+    const totalBatches = Math.ceil(packageNames.length / concurrencyLimit);
     for (let i = 0; i < packageNames.length; i += concurrencyLimit) {
+      if (signal?.aborted) {
+        console.log("[MonitorClient] Version fetch cancelled");
+        break;
+      }
+      const batchNumber = Math.floor(i / concurrencyLimit) + 1;
+      console.log(`[MonitorClient] Fetching versions batch ${batchNumber}/${totalBatches}...`);
       const batch = packageNames.slice(i, i + concurrencyLimit);
       const batchResults = await Promise.all(
         batch.map(async (name) => ({
           name,
-          version: await this.fetchLatestVersion(name)
+          version: await this.fetchLatestVersion(name, signal)
         }))
       );
       for (const { name, version } of batchResults) {
@@ -713,6 +797,67 @@ var MonitorClient = class {
     const result = await response.json();
     return result.data;
   }
+  /**
+   * Handle exec errors from audit commands. Returns stdout if available, null if timed out, or rethrows.
+   */
+  handleAuditExecError(err, packageManager) {
+    const execError = err;
+    if (execError.killed) {
+      console.error(`[MonitorClient] ${packageManager} audit timed out`);
+      return null;
+    }
+    if (execError.stdout) {
+      return execError.stdout;
+    }
+    throw err;
+  }
+  /**
+   * Run a command with a reliable timeout using spawn.
+   * More reliable than execSync timeout in containerized environments.
+   */
+  async runCommandWithTimeout(command, args, options) {
+    const childProcess = await import("child_process");
+    const { spawn } = childProcess;
+    return new Promise((resolve) => {
+      const proc = spawn(command, args, {
+        cwd: options.cwd,
+        stdio: ["pipe", "pipe", "pipe"],
+        shell: false
+      });
+      let stdout = "";
+      let stderr = "";
+      let timedOut = false;
+      let killed = false;
+      const timeoutId = setTimeout(() => {
+        timedOut = true;
+        killed = true;
+        proc.kill("SIGTERM");
+        setTimeout(() => {
+          if (!proc.killed) {
+            proc.kill("SIGKILL");
+          }
+        }, 1e3);
+      }, options.timeout);
+      proc.stdout?.on("data", (data) => {
+        if (stdout.length < options.maxBuffer) {
+          stdout += data.toString();
+        }
+      });
+      proc.stderr?.on("data", (data) => {
+        if (stderr.length < options.maxBuffer) {
+          stderr += data.toString();
+        }
+      });
+      proc.on("close", () => {
+        clearTimeout(timeoutId);
+        resolve({ stdout, timedOut });
+      });
+      proc.on("error", () => {
+        clearTimeout(timeoutId);
+        resolve({ stdout, timedOut: killed });
+      });
+    });
+  }
   /**
    * Run npm audit and send results to the monitoring server.
    * This scans the project for known vulnerabilities in dependencies.
@@ -726,14 +871,11 @@ var MonitorClient = class {
       console.warn("[MonitorClient] auditDependencies only works in Node.js server environment");
       return null;
     }
-    let execSync;
     let path;
     let fs;
     try {
-      const childProcess = await import("child_process");
       const pathModule = await import("path");
       const fsModule = await import("fs");
-      execSync = childProcess.execSync;
       path = pathModule;
       fs = fsModule;
     } catch {
@@ -744,7 +886,7 @@ var MonitorClient = class {
     const environment = options.environment || this.environment;
     try {
       let projectPath = options.projectPath || process.cwd();
-      if (projectPath.includes("\0") || /[;&|`$(){}[\]<>]/.test(projectPath)) {
+      if (projectPath.includes("\0") || /[;&|`$(){}[\]<>\n\r]/.test(projectPath)) {
         console.error("[MonitorClient] Invalid projectPath: contains forbidden characters");
         return null;
       }
@@ -771,31 +913,21 @@ var MonitorClient = class {
         return null;
       }
       const packageManager = this.detectPackageManager(projectPath, fs, path);
-      console.log(`[MonitorClient] Auditing ${projectPath} using ${packageManager}`);
+      console.log(`[MonitorClient] Auditing ${this.sanitizePath(projectPath)} using ${packageManager} (timeout: ${this.auditTimeoutMs}ms)`);
       let auditOutput;
       let vulnerabilities;
       let totalDeps = 0;
       if (packageManager === "yarn") {
-        try {
-          auditOutput = execSync("yarn audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const execError = err;
-          if (execError.killed) {
-            console.error("[MonitorClient] yarn audit timed out");
-            return null;
-          }
-          if (execError.stdout) {
-            auditOutput = execError.stdout;
-          } else {
-            throw err;
-          }
+        const result2 = await this.runCommandWithTimeout("yarn", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] yarn audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         vulnerabilities = this.parseYarnAuditOutput(auditOutput);
         const lines = auditOutput.trim().split("\n");
         for (const line of lines) {
@@ -810,50 +942,30 @@ var MonitorClient = class {
         }
       } else if (packageManager === "pnpm") {
         console.log("[MonitorClient] pnpm detected, using npm audit (pnpm compatible)");
-        try {
-          auditOutput = execSync("npm audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const execError = err;
-          if (execError.killed) {
-            console.error("[MonitorClient] npm audit timed out");
-            return null;
-          }
-          if (execError.stdout) {
-            auditOutput = execError.stdout;
-          } else {
-            throw err;
-          }
+        const result2 = await this.runCommandWithTimeout("npm", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] npm audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         const auditData = JSON.parse(auditOutput);
         vulnerabilities = this.parseNpmAuditOutput(auditData);
         totalDeps = auditData.metadata?.dependencies?.total || 0;
       } else {
-        try {
-          auditOutput = execSync("npm audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const execError = err;
-          if (execError.killed) {
-            console.error("[MonitorClient] npm audit timed out");
-            return null;
-          }
-          if (execError.stdout) {
-            auditOutput = execError.stdout;
-          } else {
-            throw err;
-          }
+        const result2 = await this.runCommandWithTimeout("npm", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] npm audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         const auditData = JSON.parse(auditOutput);
         vulnerabilities = this.parseNpmAuditOutput(auditData);
         totalDeps = auditData.metadata?.dependencies?.total || 0;
@@ -897,6 +1009,24 @@ var MonitorClient = class {
       console.warn("[MonitorClient] No auditPaths configured");
       return null;
     }
+    console.log(`[MonitorClient] Starting multi-path audit (${this.auditPaths.length} paths)...`);
+    try {
+      const result = await this.withTimeout(
+        () => this.performMultiPathAudit(),
+        CONFIG_LIMITS.AUDIT_MULTI_PATH_TIMEOUT_MS,
+        "Multi-path audit timed out"
+      );
+      if (result) {
+        console.log(`[MonitorClient] Multi-path audit complete: ${result.results.length} paths scanned`);
+      }
+      return result;
+    } catch (err) {
+      console.error("[MonitorClient] Multi-path audit failed:", err instanceof Error ? err.message : String(err));
+      return null;
+    }
+  }
+  async performMultiPathAudit() {
+    if (!this.auditPaths) return null;
     const results = [];
     const totalSummary = {
       critical: 0,
@@ -906,7 +1036,7 @@ var MonitorClient = class {
       info: 0
     };
     for (const auditPath of this.auditPaths) {
-      console.log(`[MonitorClient] Auditing ${auditPath.environment} at ${auditPath.path}`);
+      console.log(`[MonitorClient] Auditing ${auditPath.environment} at ${this.sanitizePath(auditPath.path)}`);
       try {
         const summary = await this.auditDependencies({
           projectPath: auditPath.path,
@@ -934,7 +1064,6 @@ var MonitorClient = class {
       console.warn("[MonitorClient] No audit results collected from any path");
       return null;
     }
-    console.log(`[MonitorClient] Multi-path audit complete: ${results.length} paths scanned`);
     return {
       results,
       totalSummary

package/dist/index.mjs

@@ -11,6 +11,8 @@ var CONFIG_LIMITS = {
   // 64KB
   MAX_RETRY_MAP_SIZE: 1e3,
   // Prevent unbounded growth
+  RETRY_MAP_CLEANUP_PERCENTAGE: 0.1,
+  // Remove 10% of oldest entries when map is full
   AUDIT_MAX_BUFFER: 10 * 1024 * 1024,
   // 10MB
   AUDIT_TIMEOUT_MS: 6e4,
@@ -21,8 +23,16 @@ var CONFIG_LIMITS = {
   // 5 minutes
   REGISTRY_TIMEOUT_MS: 5e3,
   // 5 seconds (default)
-  MAX_REGISTRY_TIMEOUT_MS: 3e4
+  MAX_REGISTRY_TIMEOUT_MS: 3e4,
   // 30 seconds (max configurable)
+  TECH_VERSION_FETCH_TIMEOUT_MS: 3e4,
+  // 30 seconds max for all version fetches
+  SYNC_DEPENDENCIES_TIMEOUT_MS: 6e4,
+  // 60 seconds max for all dependency syncs
+  AUDIT_MULTI_PATH_TIMEOUT_MS: 18e4,
+  // 3 minutes max for all audit paths
+  REGISTRY_CONCURRENCY_LIMIT: 5
+  // Limit parallel requests to avoid rate limiting
 };
 var MonitorClient = class {
   constructor(config) {
@@ -39,8 +49,8 @@ var MonitorClient = class {
     if (!config.apiKey || config.apiKey.trim().length === 0) {
       throw new Error("[MonitorClient] API key is required");
     }
-    if (!/^cm_[a-zA-Z0-9_-]+$/.test(config.apiKey)) {
-      throw new Error("[MonitorClient] Invalid API key format. Expected format: cm_xxx");
+    if (!/^cm_[a-zA-Z0-9_-]{16,256}$/.test(config.apiKey)) {
+      throw new Error("[MonitorClient] Invalid API key format. Expected format: cm_xxx (16-256 characters after prefix)");
     }
     if (!config.endpoint || config.endpoint.trim().length === 0) {
       throw new Error("[MonitorClient] Endpoint URL is required");
@@ -51,6 +61,9 @@ var MonitorClient = class {
         throw new Error("[MonitorClient] Endpoint must use HTTP or HTTPS protocol");
       }
       if (url.protocol === "http:" && config.environment !== "development" && config.environment !== "test") {
+        if (!config.allowInsecureHttp) {
+          throw new Error("[MonitorClient] HTTP endpoints require allowInsecureHttp: true in non-development environments");
+        }
         console.warn("[MonitorClient] Warning: Using HTTP in non-development environment is not recommended");
       }
     } catch (err) {
@@ -80,8 +93,8 @@ var MonitorClient = class {
       "@typescript-eslint/*"
     ];
     this.excludePatterns = config.excludePatterns || defaultExcludePatterns;
-    this.compiledExcludePatterns = this.excludePatterns.map((pattern) => {
-      const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    this.compiledExcludePatterns = this.excludePatterns.filter((pattern) => pattern.length <= 100).map((pattern) => {
+      const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*+/g, "[^/]*");
       return new RegExp(`^${regexPattern}$`);
     });
     this.autoAudit = config.autoAudit || false;
@@ -90,6 +103,7 @@ var MonitorClient = class {
     this.versionCheckEnabled = config.versionCheckEnabled ?? true;
     this.auditTimeoutMs = Math.min(CONFIG_LIMITS.MAX_AUDIT_TIMEOUT_MS, Math.max(1e3, config.auditTimeoutMs || CONFIG_LIMITS.AUDIT_TIMEOUT_MS));
     this.registryTimeoutMs = Math.min(CONFIG_LIMITS.MAX_REGISTRY_TIMEOUT_MS, Math.max(1e3, config.registryTimeoutMs || CONFIG_LIMITS.REGISTRY_TIMEOUT_MS));
+    this.npmRegistryUrl = (config.npmRegistryUrl || "https://registry.npmjs.org").replace(/\/$/, "");
     this.startFlushTimer();
     if (this.trackDependencies) {
       this.syncDependencies().catch((err) => {
@@ -130,8 +144,43 @@ var MonitorClient = class {
     sanitized = sanitized.replace(/cm_[a-zA-Z0-9_-]+/g, "[REDACTED]");
     sanitized = sanitized.replace(/Bearer\s+[a-zA-Z0-9_.-]+/gi, "Bearer [REDACTED]");
     sanitized = sanitized.replace(/authorization['":\s]+[a-zA-Z0-9_.-]+/gi, "authorization: [REDACTED]");
+    sanitized = sanitized.replace(/eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, "[JWT_REDACTED]");
+    sanitized = sanitized.replace(/AKIA[A-Z0-9]{16}/g, "[AWS_KEY_REDACTED]");
+    sanitized = sanitized.replace(/(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])/g, "[AWS_SECRET_REDACTED]");
+    sanitized = sanitized.replace(/gh[pousr]_[A-Za-z0-9_]{36,}/g, "[GITHUB_TOKEN_REDACTED]");
     return sanitized;
   }
+  /**
+   * Security: Sanitize file paths in log messages to prevent exposing full filesystem structure
+   * Truncates long paths and shows only the last few segments
+   */
+  sanitizePath(filePath, maxSegments = 3) {
+    if (!filePath) return "";
+    const segments = filePath.split(/[/\\]/);
+    if (segments.length <= maxSegments) {
+      return filePath;
+    }
+    return ".../" + segments.slice(-maxSegments).join("/");
+  }
+  /**
+   * Execute a promise with a timeout. Properly cleans up the timer and supports cancellation.
+   * @param promiseFactory Factory function that receives an AbortSignal and returns a promise
+   * @param timeoutMs Timeout in milliseconds
+   * @param message Error message if timeout occurs
+   */
+  withTimeout(promiseFactory, timeoutMs, message) {
+    const controller = new AbortController();
+    let timeoutId;
+    const timeoutPromise = new Promise((_, reject) => {
+      timeoutId = setTimeout(() => {
+        controller.abort();
+        reject(new Error(message));
+      }, timeoutMs);
+    });
+    return Promise.race([promiseFactory(controller.signal), timeoutPromise]).finally(() => {
+      clearTimeout(timeoutId);
+    });
+  }
   async captureError(error, context) {
     if (this.isClosed) return;
     const payload = {
@@ -186,7 +235,7 @@ var MonitorClient = class {
         const retries = this.retryCount.get(key) || 0;
         if (retries < this.maxRetries) {
           if (this.retryCount.size >= CONFIG_LIMITS.MAX_RETRY_MAP_SIZE) {
-            const keysToRemove = Array.from(this.retryCount.keys()).slice(0, Math.ceil(CONFIG_LIMITS.MAX_RETRY_MAP_SIZE * 0.1));
+            const keysToRemove = Array.from(this.retryCount.keys()).slice(0, Math.ceil(CONFIG_LIMITS.MAX_RETRY_MAP_SIZE * CONFIG_LIMITS.RETRY_MAP_CLEANUP_PERCENTAGE));
             for (const oldKey of keysToRemove) {
               this.retryCount.delete(oldKey);
             }
@@ -292,6 +341,8 @@ var MonitorClient = class {
    * Uses auditMultiplePaths() if auditPaths is configured, otherwise runs single audit.
    */
   async runScanAndTrackTime() {
+    const startTime = Date.now();
+    console.log("[MonitorClient] Starting vulnerability scan...");
     try {
       if (this.auditPaths && this.auditPaths.length > 0) {
         await this.auditMultiplePaths();
@@ -299,6 +350,8 @@ var MonitorClient = class {
         await this.auditDependencies();
       }
       this.lastScanTime = /* @__PURE__ */ new Date();
+      const duration = Date.now() - startTime;
+      console.log(`[MonitorClient] Vulnerability scan completed in ${duration}ms`);
     } catch (err) {
       console.error("[MonitorClient] Vulnerability scan failed:", err instanceof Error ? err.message : String(err));
     }
@@ -405,38 +458,56 @@ var MonitorClient = class {
     }
   }
   async syncDependencies() {
+    console.log("[MonitorClient] Starting technology sync...");
     try {
-      if (this.dependencySources && this.dependencySources.length > 0) {
-        for (const source of this.dependencySources) {
-          const technologies = await this.readPackageJsonFromPath(source.path);
-          if (technologies.length === 0) continue;
-          const enrichedTechnologies = await this.enrichWithLatestVersions(technologies);
-          await this.sendTechnologiesWithEnvironment(enrichedTechnologies, source.environment);
-          console.log(`[MonitorClient] Technology sync completed for ${source.environment}`);
+      await this.withTimeout(
+        (signal) => this.performDependencySync(signal),
+        CONFIG_LIMITS.SYNC_DEPENDENCIES_TIMEOUT_MS,
+        "Technology sync timed out"
+      );
+      console.log("[MonitorClient] Technology sync completed successfully");
+    } catch (err) {
+      console.error("[MonitorClient] Technology sync failed:", err instanceof Error ? err.message : String(err));
+    }
+  }
+  async performDependencySync(signal) {
+    if (this.dependencySources && this.dependencySources.length > 0) {
+      for (const source of this.dependencySources) {
+        if (signal?.aborted) {
+          console.log("[MonitorClient] Technology sync cancelled");
+          return;
         }
-      } else {
-        const technologies = await this.readPackageJson();
-        if (technologies.length === 0) return;
-        const enrichedTechnologies = await this.enrichWithLatestVersions(technologies);
-        await this.sendTechnologies(enrichedTechnologies);
-        console.log(`[MonitorClient] Technology sync completed for ${this.environment}`);
+        const technologies = await this.readPackageJsonFromPath(source.path);
+        if (technologies.length === 0) continue;
+        const enrichedTechnologies = await this.enrichWithLatestVersions(technologies, signal);
+        await this.sendTechnologiesWithEnvironment(enrichedTechnologies, source.environment);
+        console.log(`[MonitorClient] Technology sync completed for ${source.environment}`);
       }
-    } catch (err) {
-      console.error("[MonitorClient] Failed to sync dependencies:", err);
+    } else {
+      const technologies = await this.readPackageJson();
+      if (technologies.length === 0) return;
+      const enrichedTechnologies = await this.enrichWithLatestVersions(technologies, signal);
+      await this.sendTechnologies(enrichedTechnologies);
+      console.log(`[MonitorClient] Technology sync completed for ${this.environment}`);
     }
   }
   /**
    * Enrich technologies with latest version information from npm registry.
    * Only runs if versionCheckEnabled is true.
+   * @param technologies List of technologies to enrich
+   * @param signal Optional AbortSignal to cancel the operation
    */
-  async enrichWithLatestVersions(technologies) {
+  async enrichWithLatestVersions(technologies, signal) {
     if (!this.versionCheckEnabled) {
       return technologies;
     }
+    if (signal?.aborted) {
+      return technologies;
+    }
     try {
       console.log(`[MonitorClient] Fetching latest versions for ${technologies.length} packages...`);
       const packageNames = technologies.map((t) => t.name);
-      const latestVersions = await this.fetchLatestVersions(packageNames);
+      const latestVersions = await this.fetchLatestVersions(packageNames, signal);
       const foundCount = [...latestVersions.values()].filter((v) => v !== null).length;
       console.log(`[MonitorClient] Fetched latest versions: ${foundCount}/${technologies.length} packages`);
       return technologies.map((tech) => ({
@@ -468,7 +539,7 @@ var MonitorClient = class {
       const resolvedPath = path.isAbsolute(packagePath) ? packagePath : path.join(baseDir, packagePath);
       const normalizedPath = path.normalize(resolvedPath);
       if (packagePath.includes("\0")) {
-        console.warn("[MonitorClient] Suspicious path blocked:", packagePath);
+        console.warn("[MonitorClient] Suspicious path blocked:", this.sanitizePath(packagePath));
         return [];
       }
       if (!normalizedPath.endsWith("package.json")) {
@@ -481,7 +552,7 @@ var MonitorClient = class {
       try {
         const realPath = fs.realpathSync(normalizedPath);
         if (!realPath.endsWith("package.json")) {
-          console.warn("[MonitorClient] Symlink points to non-package.json file:", packagePath);
+          console.warn("[MonitorClient] Symlink points to non-package.json file:", this.sanitizePath(packagePath));
           return [];
         }
       } catch {
@@ -517,13 +588,17 @@ var MonitorClient = class {
   /**
    * Fetch the latest version of a package from npm registry.
    * Returns null if the package cannot be found or the request fails.
+   * Uses npmRegistryUrl config option if provided.
+   * @param packageName The package name to fetch
+   * @param signal Optional AbortSignal to cancel the request
    */
-  async fetchLatestVersion(packageName) {
+  async fetchLatestVersion(packageName, signal) {
     try {
+      if (signal?.aborted) return null;
       const encodedName = encodeURIComponent(packageName).replace("%40", "@");
-      const response = await fetch(`https://registry.npmjs.org/${encodedName}`, {
+      const response = await fetch(`${this.npmRegistryUrl}/${encodedName}`, {
         headers: { "Accept": "application/json" },
-        signal: AbortSignal.timeout(this.registryTimeoutMs)
+        signal: signal ?? AbortSignal.timeout(this.registryTimeoutMs)
       });
       if (!response.ok) return null;
       const data = await response.json();
@@ -534,16 +609,25 @@ var MonitorClient = class {
   }
   /**
    * Fetch latest versions for multiple packages in parallel with concurrency limit.
+   * @param packageNames List of package names to fetch versions for
+   * @param signal Optional AbortSignal to cancel the operation
    */
-  async fetchLatestVersions(packageNames) {
+  async fetchLatestVersions(packageNames, signal) {
     const results = /* @__PURE__ */ new Map();
-    const concurrencyLimit = 5;
+    const concurrencyLimit = CONFIG_LIMITS.REGISTRY_CONCURRENCY_LIMIT;
+    const totalBatches = Math.ceil(packageNames.length / concurrencyLimit);
     for (let i = 0; i < packageNames.length; i += concurrencyLimit) {
+      if (signal?.aborted) {
+        console.log("[MonitorClient] Version fetch cancelled");
+        break;
+      }
+      const batchNumber = Math.floor(i / concurrencyLimit) + 1;
+      console.log(`[MonitorClient] Fetching versions batch ${batchNumber}/${totalBatches}...`);
       const batch = packageNames.slice(i, i + concurrencyLimit);
       const batchResults = await Promise.all(
         batch.map(async (name) => ({
           name,
-          version: await this.fetchLatestVersion(name)
+          version: await this.fetchLatestVersion(name, signal)
         }))
       );
       for (const { name, version } of batchResults) {
@@ -677,6 +761,67 @@ var MonitorClient = class {
     const result = await response.json();
     return result.data;
   }
+  /**
+   * Handle exec errors from audit commands. Returns stdout if available, null if timed out, or rethrows.
+   */
+  handleAuditExecError(err, packageManager) {
+    const execError = err;
+    if (execError.killed) {
+      console.error(`[MonitorClient] ${packageManager} audit timed out`);
+      return null;
+    }
+    if (execError.stdout) {
+      return execError.stdout;
+    }
+    throw err;
+  }
+  /**
+   * Run a command with a reliable timeout using spawn.
+   * More reliable than execSync timeout in containerized environments.
+   */
+  async runCommandWithTimeout(command, args, options) {
+    const childProcess = await import("child_process");
+    const { spawn } = childProcess;
+    return new Promise((resolve) => {
+      const proc = spawn(command, args, {
+        cwd: options.cwd,
+        stdio: ["pipe", "pipe", "pipe"],
+        shell: false
+      });
+      let stdout = "";
+      let stderr = "";
+      let timedOut = false;
+      let killed = false;
+      const timeoutId = setTimeout(() => {
+        timedOut = true;
+        killed = true;
+        proc.kill("SIGTERM");
+        setTimeout(() => {
+          if (!proc.killed) {
+            proc.kill("SIGKILL");
+          }
+        }, 1e3);
+      }, options.timeout);
+      proc.stdout?.on("data", (data) => {
+        if (stdout.length < options.maxBuffer) {
+          stdout += data.toString();
+        }
+      });
+      proc.stderr?.on("data", (data) => {
+        if (stderr.length < options.maxBuffer) {
+          stderr += data.toString();
+        }
+      });
+      proc.on("close", () => {
+        clearTimeout(timeoutId);
+        resolve({ stdout, timedOut });
+      });
+      proc.on("error", () => {
+        clearTimeout(timeoutId);
+        resolve({ stdout, timedOut: killed });
+      });
+    });
+  }
   /**
    * Run npm audit and send results to the monitoring server.
    * This scans the project for known vulnerabilities in dependencies.
@@ -690,14 +835,11 @@ var MonitorClient = class {
       console.warn("[MonitorClient] auditDependencies only works in Node.js server environment");
       return null;
     }
-    let execSync;
     let path;
     let fs;
     try {
-      const childProcess = await import("child_process");
       const pathModule = await import("path");
       const fsModule = await import("fs");
-      execSync = childProcess.execSync;
       path = pathModule;
       fs = fsModule;
     } catch {
@@ -708,7 +850,7 @@ var MonitorClient = class {
     const environment = options.environment || this.environment;
     try {
       let projectPath = options.projectPath || process.cwd();
-      if (projectPath.includes("\0") || /[;&|`$(){}[\]<>]/.test(projectPath)) {
+      if (projectPath.includes("\0") || /[;&|`$(){}[\]<>\n\r]/.test(projectPath)) {
         console.error("[MonitorClient] Invalid projectPath: contains forbidden characters");
         return null;
       }
@@ -735,31 +877,21 @@ var MonitorClient = class {
         return null;
       }
       const packageManager = this.detectPackageManager(projectPath, fs, path);
-      console.log(`[MonitorClient] Auditing ${projectPath} using ${packageManager}`);
+      console.log(`[MonitorClient] Auditing ${this.sanitizePath(projectPath)} using ${packageManager} (timeout: ${this.auditTimeoutMs}ms)`);
       let auditOutput;
       let vulnerabilities;
       let totalDeps = 0;
       if (packageManager === "yarn") {
-        try {
-          auditOutput = execSync("yarn audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const execError = err;
-          if (execError.killed) {
-            console.error("[MonitorClient] yarn audit timed out");
-            return null;
-          }
-          if (execError.stdout) {
-            auditOutput = execError.stdout;
-          } else {
-            throw err;
-          }
+        const result2 = await this.runCommandWithTimeout("yarn", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] yarn audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         vulnerabilities = this.parseYarnAuditOutput(auditOutput);
         const lines = auditOutput.trim().split("\n");
         for (const line of lines) {
@@ -774,50 +906,30 @@ var MonitorClient = class {
         }
       } else if (packageManager === "pnpm") {
         console.log("[MonitorClient] pnpm detected, using npm audit (pnpm compatible)");
-        try {
-          auditOutput = execSync("npm audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const execError = err;
-          if (execError.killed) {
-            console.error("[MonitorClient] npm audit timed out");
-            return null;
-          }
-          if (execError.stdout) {
-            auditOutput = execError.stdout;
-          } else {
-            throw err;
-          }
+        const result2 = await this.runCommandWithTimeout("npm", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] npm audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         const auditData = JSON.parse(auditOutput);
         vulnerabilities = this.parseNpmAuditOutput(auditData);
         totalDeps = auditData.metadata?.dependencies?.total || 0;
       } else {
-        try {
-          auditOutput = execSync("npm audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const execError = err;
-          if (execError.killed) {
-            console.error("[MonitorClient] npm audit timed out");
-            return null;
-          }
-          if (execError.stdout) {
-            auditOutput = execError.stdout;
-          } else {
-            throw err;
-          }
+        const result2 = await this.runCommandWithTimeout("npm", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] npm audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         const auditData = JSON.parse(auditOutput);
         vulnerabilities = this.parseNpmAuditOutput(auditData);
         totalDeps = auditData.metadata?.dependencies?.total || 0;
@@ -861,6 +973,24 @@ var MonitorClient = class {
       console.warn("[MonitorClient] No auditPaths configured");
       return null;
     }
+    console.log(`[MonitorClient] Starting multi-path audit (${this.auditPaths.length} paths)...`);
+    try {
+      const result = await this.withTimeout(
+        () => this.performMultiPathAudit(),
+        CONFIG_LIMITS.AUDIT_MULTI_PATH_TIMEOUT_MS,
+        "Multi-path audit timed out"
+      );
+      if (result) {
+        console.log(`[MonitorClient] Multi-path audit complete: ${result.results.length} paths scanned`);
+      }
+      return result;
+    } catch (err) {
+      console.error("[MonitorClient] Multi-path audit failed:", err instanceof Error ? err.message : String(err));
+      return null;
+    }
+  }
+  async performMultiPathAudit() {
+    if (!this.auditPaths) return null;
     const results = [];
     const totalSummary = {
       critical: 0,
@@ -870,7 +1000,7 @@ var MonitorClient = class {
       info: 0
     };
     for (const auditPath of this.auditPaths) {
-      console.log(`[MonitorClient] Auditing ${auditPath.environment} at ${auditPath.path}`);
+      console.log(`[MonitorClient] Auditing ${auditPath.environment} at ${this.sanitizePath(auditPath.path)}`);
       try {
         const summary = await this.auditDependencies({
           projectPath: auditPath.path,
@@ -898,7 +1028,6 @@ var MonitorClient = class {
       console.warn("[MonitorClient] No audit results collected from any path");
       return null;
     }
-    console.log(`[MonitorClient] Multi-path audit complete: ${results.length} paths scanned`);
     return {
       results,
       totalSummary

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ceon-oy/monitor-sdk",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "Client SDK for Ceon Monitor - Error tracking, health monitoring, security events, and vulnerability scanning",
   "author": "Ceon",
   "license": "MIT",