@ceon-oy/monitor-sdk 1.1.1 → 1.1.2

package/dist/index.d.mts

@@ -198,8 +198,8 @@ declare class MonitorClient {
      */
     private sanitizePath;
     /**
-     * Execute a promise with a timeout. Properly cleans up the timer to prevent leaks.
-     * @param promise The promise to execute
+     * Execute a promise with a timeout. Properly cleans up the timer and supports cancellation.
+     * @param promiseFactory Factory function that receives an AbortSignal and returns a promise
      * @param timeoutMs Timeout in milliseconds
      * @param message Error message if timeout occurs
      */
@@ -249,6 +249,8 @@ declare class MonitorClient {
     /**
      * Enrich technologies with latest version information from npm registry.
      * Only runs if versionCheckEnabled is true.
+     * @param technologies List of technologies to enrich
+     * @param signal Optional AbortSignal to cancel the operation
      */
     private enrichWithLatestVersions;
     syncTechnologies(technologies: TechnologyItem[]): Promise<void>;
@@ -259,10 +261,14 @@ declare class MonitorClient {
      * Fetch the latest version of a package from npm registry.
      * Returns null if the package cannot be found or the request fails.
      * Uses npmRegistryUrl config option if provided.
+     * @param packageName The package name to fetch
+     * @param signal Optional AbortSignal to cancel the request
      */
     private fetchLatestVersion;
     /**
      * Fetch latest versions for multiple packages in parallel with concurrency limit.
+     * @param packageNames List of package names to fetch versions for
+     * @param signal Optional AbortSignal to cancel the operation
      */
     private fetchLatestVersions;
     private sendTechnologies;
@@ -332,6 +338,11 @@ declare class MonitorClient {
      * Handle exec errors from audit commands. Returns stdout if available, null if timed out, or rethrows.
      */
     private handleAuditExecError;
+    /**
+     * Run a command with a reliable timeout using spawn.
+     * More reliable than execSync timeout in containerized environments.
+     */
+    private runCommandWithTimeout;
     /**
      * Run npm audit and send results to the monitoring server.
      * This scans the project for known vulnerabilities in dependencies.

package/dist/index.d.ts

@@ -198,8 +198,8 @@ declare class MonitorClient {
      */
     private sanitizePath;
     /**
-     * Execute a promise with a timeout. Properly cleans up the timer to prevent leaks.
-     * @param promise The promise to execute
+     * Execute a promise with a timeout. Properly cleans up the timer and supports cancellation.
+     * @param promiseFactory Factory function that receives an AbortSignal and returns a promise
      * @param timeoutMs Timeout in milliseconds
      * @param message Error message if timeout occurs
      */
@@ -249,6 +249,8 @@ declare class MonitorClient {
     /**
      * Enrich technologies with latest version information from npm registry.
      * Only runs if versionCheckEnabled is true.
+     * @param technologies List of technologies to enrich
+     * @param signal Optional AbortSignal to cancel the operation
      */
     private enrichWithLatestVersions;
     syncTechnologies(technologies: TechnologyItem[]): Promise<void>;
@@ -259,10 +261,14 @@ declare class MonitorClient {
      * Fetch the latest version of a package from npm registry.
      * Returns null if the package cannot be found or the request fails.
      * Uses npmRegistryUrl config option if provided.
+     * @param packageName The package name to fetch
+     * @param signal Optional AbortSignal to cancel the request
      */
     private fetchLatestVersion;
     /**
      * Fetch latest versions for multiple packages in parallel with concurrency limit.
+     * @param packageNames List of package names to fetch versions for
+     * @param signal Optional AbortSignal to cancel the operation
      */
     private fetchLatestVersions;
     private sendTechnologies;
@@ -332,6 +338,11 @@ declare class MonitorClient {
      * Handle exec errors from audit commands. Returns stdout if available, null if timed out, or rethrows.
      */
     private handleAuditExecError;
+    /**
+     * Run a command with a reliable timeout using spawn.
+     * More reliable than execSync timeout in containerized environments.
+     */
+    private runCommandWithTimeout;
     /**
      * Run npm audit and send results to the monitoring server.
      * This scans the project for known vulnerabilities in dependencies.

package/dist/index.js

@@ -199,17 +199,21 @@ var MonitorClient = class {
     return ".../" + segments.slice(-maxSegments).join("/");
   }
   /**
-   * Execute a promise with a timeout. Properly cleans up the timer to prevent leaks.
-   * @param promise The promise to execute
+   * Execute a promise with a timeout. Properly cleans up the timer and supports cancellation.
+   * @param promiseFactory Factory function that receives an AbortSignal and returns a promise
    * @param timeoutMs Timeout in milliseconds
    * @param message Error message if timeout occurs
    */
-  withTimeout(promise, timeoutMs, message) {
+  withTimeout(promiseFactory, timeoutMs, message) {
+    const controller = new AbortController();
     let timeoutId;
     const timeoutPromise = new Promise((_, reject) => {
-      timeoutId = setTimeout(() => reject(new Error(message)), timeoutMs);
+      timeoutId = setTimeout(() => {
+        controller.abort();
+        reject(new Error(message));
+      }, timeoutMs);
     });
-    return Promise.race([promise, timeoutPromise]).finally(() => {
+    return Promise.race([promiseFactory(controller.signal), timeoutPromise]).finally(() => {
       clearTimeout(timeoutId);
     });
   }
@@ -493,7 +497,7 @@ var MonitorClient = class {
     console.log("[MonitorClient] Starting technology sync...");
     try {
       await this.withTimeout(
-        this.performDependencySync(),
+        (signal) => this.performDependencySync(signal),
         CONFIG_LIMITS.SYNC_DEPENDENCIES_TIMEOUT_MS,
         "Technology sync timed out"
       );
@@ -502,19 +506,23 @@ var MonitorClient = class {
       console.error("[MonitorClient] Technology sync failed:", err instanceof Error ? err.message : String(err));
     }
   }
-  async performDependencySync() {
+  async performDependencySync(signal) {
     if (this.dependencySources && this.dependencySources.length > 0) {
       for (const source of this.dependencySources) {
+        if (signal?.aborted) {
+          console.log("[MonitorClient] Technology sync cancelled");
+          return;
+        }
         const technologies = await this.readPackageJsonFromPath(source.path);
         if (technologies.length === 0) continue;
-        const enrichedTechnologies = await this.enrichWithLatestVersions(technologies);
+        const enrichedTechnologies = await this.enrichWithLatestVersions(technologies, signal);
         await this.sendTechnologiesWithEnvironment(enrichedTechnologies, source.environment);
         console.log(`[MonitorClient] Technology sync completed for ${source.environment}`);
       }
     } else {
       const technologies = await this.readPackageJson();
       if (technologies.length === 0) return;
-      const enrichedTechnologies = await this.enrichWithLatestVersions(technologies);
+      const enrichedTechnologies = await this.enrichWithLatestVersions(technologies, signal);
       await this.sendTechnologies(enrichedTechnologies);
       console.log(`[MonitorClient] Technology sync completed for ${this.environment}`);
     }
@@ -522,19 +530,20 @@ var MonitorClient = class {
   /**
    * Enrich technologies with latest version information from npm registry.
    * Only runs if versionCheckEnabled is true.
+   * @param technologies List of technologies to enrich
+   * @param signal Optional AbortSignal to cancel the operation
    */
-  async enrichWithLatestVersions(technologies) {
+  async enrichWithLatestVersions(technologies, signal) {
     if (!this.versionCheckEnabled) {
       return technologies;
     }
+    if (signal?.aborted) {
+      return technologies;
+    }
     try {
       console.log(`[MonitorClient] Fetching latest versions for ${technologies.length} packages...`);
       const packageNames = technologies.map((t) => t.name);
-      const latestVersions = await this.withTimeout(
-        this.fetchLatestVersions(packageNames),
-        CONFIG_LIMITS.TECH_VERSION_FETCH_TIMEOUT_MS,
-        "Version fetch timed out after 30 seconds"
-      );
+      const latestVersions = await this.fetchLatestVersions(packageNames, signal);
       const foundCount = [...latestVersions.values()].filter((v) => v !== null).length;
       console.log(`[MonitorClient] Fetched latest versions: ${foundCount}/${technologies.length} packages`);
       return technologies.map((tech) => ({
@@ -616,13 +625,16 @@ var MonitorClient = class {
    * Fetch the latest version of a package from npm registry.
    * Returns null if the package cannot be found or the request fails.
    * Uses npmRegistryUrl config option if provided.
+   * @param packageName The package name to fetch
+   * @param signal Optional AbortSignal to cancel the request
    */
-  async fetchLatestVersion(packageName) {
+  async fetchLatestVersion(packageName, signal) {
     try {
+      if (signal?.aborted) return null;
       const encodedName = encodeURIComponent(packageName).replace("%40", "@");
       const response = await fetch(`${this.npmRegistryUrl}/${encodedName}`, {
         headers: { "Accept": "application/json" },
-        signal: AbortSignal.timeout(this.registryTimeoutMs)
+        signal: signal ?? AbortSignal.timeout(this.registryTimeoutMs)
       });
       if (!response.ok) return null;
       const data = await response.json();
@@ -633,19 +645,25 @@ var MonitorClient = class {
   }
   /**
    * Fetch latest versions for multiple packages in parallel with concurrency limit.
+   * @param packageNames List of package names to fetch versions for
+   * @param signal Optional AbortSignal to cancel the operation
    */
-  async fetchLatestVersions(packageNames) {
+  async fetchLatestVersions(packageNames, signal) {
     const results = /* @__PURE__ */ new Map();
     const concurrencyLimit = CONFIG_LIMITS.REGISTRY_CONCURRENCY_LIMIT;
     const totalBatches = Math.ceil(packageNames.length / concurrencyLimit);
     for (let i = 0; i < packageNames.length; i += concurrencyLimit) {
+      if (signal?.aborted) {
+        console.log("[MonitorClient] Version fetch cancelled");
+        break;
+      }
       const batchNumber = Math.floor(i / concurrencyLimit) + 1;
       console.log(`[MonitorClient] Fetching versions batch ${batchNumber}/${totalBatches}...`);
       const batch = packageNames.slice(i, i + concurrencyLimit);
       const batchResults = await Promise.all(
         batch.map(async (name) => ({
           name,
-          version: await this.fetchLatestVersion(name)
+          version: await this.fetchLatestVersion(name, signal)
         }))
       );
       for (const { name, version } of batchResults) {
@@ -793,6 +811,53 @@ var MonitorClient = class {
     }
     throw err;
   }
+  /**
+   * Run a command with a reliable timeout using spawn.
+   * More reliable than execSync timeout in containerized environments.
+   */
+  async runCommandWithTimeout(command, args, options) {
+    const childProcess = await import("child_process");
+    const { spawn } = childProcess;
+    return new Promise((resolve) => {
+      const proc = spawn(command, args, {
+        cwd: options.cwd,
+        stdio: ["pipe", "pipe", "pipe"],
+        shell: false
+      });
+      let stdout = "";
+      let stderr = "";
+      let timedOut = false;
+      let killed = false;
+      const timeoutId = setTimeout(() => {
+        timedOut = true;
+        killed = true;
+        proc.kill("SIGTERM");
+        setTimeout(() => {
+          if (!proc.killed) {
+            proc.kill("SIGKILL");
+          }
+        }, 1e3);
+      }, options.timeout);
+      proc.stdout?.on("data", (data) => {
+        if (stdout.length < options.maxBuffer) {
+          stdout += data.toString();
+        }
+      });
+      proc.stderr?.on("data", (data) => {
+        if (stderr.length < options.maxBuffer) {
+          stderr += data.toString();
+        }
+      });
+      proc.on("close", () => {
+        clearTimeout(timeoutId);
+        resolve({ stdout, timedOut });
+      });
+      proc.on("error", () => {
+        clearTimeout(timeoutId);
+        resolve({ stdout, timedOut: killed });
+      });
+    });
+  }
   /**
    * Run npm audit and send results to the monitoring server.
    * This scans the project for known vulnerabilities in dependencies.
@@ -806,14 +871,11 @@ var MonitorClient = class {
       console.warn("[MonitorClient] auditDependencies only works in Node.js server environment");
       return null;
     }
-    let execSync;
     let path;
     let fs;
     try {
-      const childProcess = await import("child_process");
       const pathModule = await import("path");
       const fsModule = await import("fs");
-      execSync = childProcess.execSync;
       path = pathModule;
       fs = fsModule;
     } catch {
@@ -851,24 +913,21 @@ var MonitorClient = class {
         return null;
       }
       const packageManager = this.detectPackageManager(projectPath, fs, path);
-      console.log(`[MonitorClient] Auditing ${this.sanitizePath(projectPath)} using ${packageManager}`);
+      console.log(`[MonitorClient] Auditing ${this.sanitizePath(projectPath)} using ${packageManager} (timeout: ${this.auditTimeoutMs}ms)`);
       let auditOutput;
       let vulnerabilities;
       let totalDeps = 0;
       if (packageManager === "yarn") {
-        try {
-          auditOutput = execSync("yarn audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const output = this.handleAuditExecError(err, "yarn");
-          if (output === null) return null;
-          auditOutput = output;
+        const result2 = await this.runCommandWithTimeout("yarn", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] yarn audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         vulnerabilities = this.parseYarnAuditOutput(auditOutput);
         const lines = auditOutput.trim().split("\n");
         for (const line of lines) {
@@ -883,36 +942,30 @@ var MonitorClient = class {
         }
       } else if (packageManager === "pnpm") {
         console.log("[MonitorClient] pnpm detected, using npm audit (pnpm compatible)");
-        try {
-          auditOutput = execSync("npm audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const output = this.handleAuditExecError(err, "npm");
-          if (output === null) return null;
-          auditOutput = output;
+        const result2 = await this.runCommandWithTimeout("npm", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] npm audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         const auditData = JSON.parse(auditOutput);
         vulnerabilities = this.parseNpmAuditOutput(auditData);
         totalDeps = auditData.metadata?.dependencies?.total || 0;
       } else {
-        try {
-          auditOutput = execSync("npm audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const output = this.handleAuditExecError(err, "npm");
-          if (output === null) return null;
-          auditOutput = output;
+        const result2 = await this.runCommandWithTimeout("npm", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] npm audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         const auditData = JSON.parse(auditOutput);
         vulnerabilities = this.parseNpmAuditOutput(auditData);
         totalDeps = auditData.metadata?.dependencies?.total || 0;
@@ -959,7 +1012,7 @@ var MonitorClient = class {
     console.log(`[MonitorClient] Starting multi-path audit (${this.auditPaths.length} paths)...`);
     try {
       const result = await this.withTimeout(
-        this.performMultiPathAudit(),
+        () => this.performMultiPathAudit(),
         CONFIG_LIMITS.AUDIT_MULTI_PATH_TIMEOUT_MS,
         "Multi-path audit timed out"
       );

package/dist/index.mjs

@@ -163,17 +163,21 @@ var MonitorClient = class {
     return ".../" + segments.slice(-maxSegments).join("/");
   }
   /**
-   * Execute a promise with a timeout. Properly cleans up the timer to prevent leaks.
-   * @param promise The promise to execute
+   * Execute a promise with a timeout. Properly cleans up the timer and supports cancellation.
+   * @param promiseFactory Factory function that receives an AbortSignal and returns a promise
    * @param timeoutMs Timeout in milliseconds
    * @param message Error message if timeout occurs
    */
-  withTimeout(promise, timeoutMs, message) {
+  withTimeout(promiseFactory, timeoutMs, message) {
+    const controller = new AbortController();
     let timeoutId;
     const timeoutPromise = new Promise((_, reject) => {
-      timeoutId = setTimeout(() => reject(new Error(message)), timeoutMs);
+      timeoutId = setTimeout(() => {
+        controller.abort();
+        reject(new Error(message));
+      }, timeoutMs);
     });
-    return Promise.race([promise, timeoutPromise]).finally(() => {
+    return Promise.race([promiseFactory(controller.signal), timeoutPromise]).finally(() => {
       clearTimeout(timeoutId);
     });
   }
@@ -457,7 +461,7 @@ var MonitorClient = class {
     console.log("[MonitorClient] Starting technology sync...");
     try {
       await this.withTimeout(
-        this.performDependencySync(),
+        (signal) => this.performDependencySync(signal),
         CONFIG_LIMITS.SYNC_DEPENDENCIES_TIMEOUT_MS,
         "Technology sync timed out"
       );
@@ -466,19 +470,23 @@ var MonitorClient = class {
       console.error("[MonitorClient] Technology sync failed:", err instanceof Error ? err.message : String(err));
     }
   }
-  async performDependencySync() {
+  async performDependencySync(signal) {
     if (this.dependencySources && this.dependencySources.length > 0) {
       for (const source of this.dependencySources) {
+        if (signal?.aborted) {
+          console.log("[MonitorClient] Technology sync cancelled");
+          return;
+        }
         const technologies = await this.readPackageJsonFromPath(source.path);
         if (technologies.length === 0) continue;
-        const enrichedTechnologies = await this.enrichWithLatestVersions(technologies);
+        const enrichedTechnologies = await this.enrichWithLatestVersions(technologies, signal);
         await this.sendTechnologiesWithEnvironment(enrichedTechnologies, source.environment);
         console.log(`[MonitorClient] Technology sync completed for ${source.environment}`);
       }
     } else {
       const technologies = await this.readPackageJson();
       if (technologies.length === 0) return;
-      const enrichedTechnologies = await this.enrichWithLatestVersions(technologies);
+      const enrichedTechnologies = await this.enrichWithLatestVersions(technologies, signal);
       await this.sendTechnologies(enrichedTechnologies);
       console.log(`[MonitorClient] Technology sync completed for ${this.environment}`);
     }
@@ -486,19 +494,20 @@ var MonitorClient = class {
   /**
    * Enrich technologies with latest version information from npm registry.
    * Only runs if versionCheckEnabled is true.
+   * @param technologies List of technologies to enrich
+   * @param signal Optional AbortSignal to cancel the operation
    */
-  async enrichWithLatestVersions(technologies) {
+  async enrichWithLatestVersions(technologies, signal) {
     if (!this.versionCheckEnabled) {
       return technologies;
     }
+    if (signal?.aborted) {
+      return technologies;
+    }
     try {
       console.log(`[MonitorClient] Fetching latest versions for ${technologies.length} packages...`);
       const packageNames = technologies.map((t) => t.name);
-      const latestVersions = await this.withTimeout(
-        this.fetchLatestVersions(packageNames),
-        CONFIG_LIMITS.TECH_VERSION_FETCH_TIMEOUT_MS,
-        "Version fetch timed out after 30 seconds"
-      );
+      const latestVersions = await this.fetchLatestVersions(packageNames, signal);
       const foundCount = [...latestVersions.values()].filter((v) => v !== null).length;
       console.log(`[MonitorClient] Fetched latest versions: ${foundCount}/${technologies.length} packages`);
       return technologies.map((tech) => ({
@@ -580,13 +589,16 @@ var MonitorClient = class {
    * Fetch the latest version of a package from npm registry.
    * Returns null if the package cannot be found or the request fails.
    * Uses npmRegistryUrl config option if provided.
+   * @param packageName The package name to fetch
+   * @param signal Optional AbortSignal to cancel the request
    */
-  async fetchLatestVersion(packageName) {
+  async fetchLatestVersion(packageName, signal) {
     try {
+      if (signal?.aborted) return null;
       const encodedName = encodeURIComponent(packageName).replace("%40", "@");
       const response = await fetch(`${this.npmRegistryUrl}/${encodedName}`, {
         headers: { "Accept": "application/json" },
-        signal: AbortSignal.timeout(this.registryTimeoutMs)
+        signal: signal ?? AbortSignal.timeout(this.registryTimeoutMs)
       });
       if (!response.ok) return null;
       const data = await response.json();
@@ -597,19 +609,25 @@ var MonitorClient = class {
   }
   /**
    * Fetch latest versions for multiple packages in parallel with concurrency limit.
+   * @param packageNames List of package names to fetch versions for
+   * @param signal Optional AbortSignal to cancel the operation
    */
-  async fetchLatestVersions(packageNames) {
+  async fetchLatestVersions(packageNames, signal) {
     const results = /* @__PURE__ */ new Map();
     const concurrencyLimit = CONFIG_LIMITS.REGISTRY_CONCURRENCY_LIMIT;
     const totalBatches = Math.ceil(packageNames.length / concurrencyLimit);
     for (let i = 0; i < packageNames.length; i += concurrencyLimit) {
+      if (signal?.aborted) {
+        console.log("[MonitorClient] Version fetch cancelled");
+        break;
+      }
       const batchNumber = Math.floor(i / concurrencyLimit) + 1;
       console.log(`[MonitorClient] Fetching versions batch ${batchNumber}/${totalBatches}...`);
       const batch = packageNames.slice(i, i + concurrencyLimit);
       const batchResults = await Promise.all(
         batch.map(async (name) => ({
           name,
-          version: await this.fetchLatestVersion(name)
+          version: await this.fetchLatestVersion(name, signal)
         }))
       );
       for (const { name, version } of batchResults) {
@@ -757,6 +775,53 @@ var MonitorClient = class {
     }
     throw err;
   }
+  /**
+   * Run a command with a reliable timeout using spawn.
+   * More reliable than execSync timeout in containerized environments.
+   */
+  async runCommandWithTimeout(command, args, options) {
+    const childProcess = await import("child_process");
+    const { spawn } = childProcess;
+    return new Promise((resolve) => {
+      const proc = spawn(command, args, {
+        cwd: options.cwd,
+        stdio: ["pipe", "pipe", "pipe"],
+        shell: false
+      });
+      let stdout = "";
+      let stderr = "";
+      let timedOut = false;
+      let killed = false;
+      const timeoutId = setTimeout(() => {
+        timedOut = true;
+        killed = true;
+        proc.kill("SIGTERM");
+        setTimeout(() => {
+          if (!proc.killed) {
+            proc.kill("SIGKILL");
+          }
+        }, 1e3);
+      }, options.timeout);
+      proc.stdout?.on("data", (data) => {
+        if (stdout.length < options.maxBuffer) {
+          stdout += data.toString();
+        }
+      });
+      proc.stderr?.on("data", (data) => {
+        if (stderr.length < options.maxBuffer) {
+          stderr += data.toString();
+        }
+      });
+      proc.on("close", () => {
+        clearTimeout(timeoutId);
+        resolve({ stdout, timedOut });
+      });
+      proc.on("error", () => {
+        clearTimeout(timeoutId);
+        resolve({ stdout, timedOut: killed });
+      });
+    });
+  }
   /**
    * Run npm audit and send results to the monitoring server.
    * This scans the project for known vulnerabilities in dependencies.
@@ -770,14 +835,11 @@ var MonitorClient = class {
       console.warn("[MonitorClient] auditDependencies only works in Node.js server environment");
       return null;
     }
-    let execSync;
     let path;
     let fs;
     try {
-      const childProcess = await import("child_process");
       const pathModule = await import("path");
       const fsModule = await import("fs");
-      execSync = childProcess.execSync;
       path = pathModule;
       fs = fsModule;
     } catch {
@@ -815,24 +877,21 @@ var MonitorClient = class {
         return null;
       }
       const packageManager = this.detectPackageManager(projectPath, fs, path);
-      console.log(`[MonitorClient] Auditing ${this.sanitizePath(projectPath)} using ${packageManager}`);
+      console.log(`[MonitorClient] Auditing ${this.sanitizePath(projectPath)} using ${packageManager} (timeout: ${this.auditTimeoutMs}ms)`);
       let auditOutput;
       let vulnerabilities;
       let totalDeps = 0;
       if (packageManager === "yarn") {
-        try {
-          auditOutput = execSync("yarn audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const output = this.handleAuditExecError(err, "yarn");
-          if (output === null) return null;
-          auditOutput = output;
+        const result2 = await this.runCommandWithTimeout("yarn", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] yarn audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         vulnerabilities = this.parseYarnAuditOutput(auditOutput);
         const lines = auditOutput.trim().split("\n");
         for (const line of lines) {
@@ -847,36 +906,30 @@ var MonitorClient = class {
         }
       } else if (packageManager === "pnpm") {
         console.log("[MonitorClient] pnpm detected, using npm audit (pnpm compatible)");
-        try {
-          auditOutput = execSync("npm audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const output = this.handleAuditExecError(err, "npm");
-          if (output === null) return null;
-          auditOutput = output;
+        const result2 = await this.runCommandWithTimeout("npm", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] npm audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         const auditData = JSON.parse(auditOutput);
         vulnerabilities = this.parseNpmAuditOutput(auditData);
         totalDeps = auditData.metadata?.dependencies?.total || 0;
       } else {
-        try {
-          auditOutput = execSync("npm audit --json", {
-            cwd: projectPath,
-            encoding: "utf-8",
-            stdio: ["pipe", "pipe", "pipe"],
-            maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER,
-            timeout: this.auditTimeoutMs
-          });
-        } catch (err) {
-          const output = this.handleAuditExecError(err, "npm");
-          if (output === null) return null;
-          auditOutput = output;
+        const result2 = await this.runCommandWithTimeout("npm", ["audit", "--json"], {
+          cwd: projectPath,
+          timeout: this.auditTimeoutMs,
+          maxBuffer: CONFIG_LIMITS.AUDIT_MAX_BUFFER
+        });
+        if (result2.timedOut) {
+          console.error(`[MonitorClient] npm audit timed out after ${this.auditTimeoutMs}ms`);
+          return null;
         }
+        auditOutput = result2.stdout;
         const auditData = JSON.parse(auditOutput);
         vulnerabilities = this.parseNpmAuditOutput(auditData);
         totalDeps = auditData.metadata?.dependencies?.total || 0;
@@ -923,7 +976,7 @@ var MonitorClient = class {
     console.log(`[MonitorClient] Starting multi-path audit (${this.auditPaths.length} paths)...`);
     try {
       const result = await this.withTimeout(
-        this.performMultiPathAudit(),
+        () => this.performMultiPathAudit(),
         CONFIG_LIMITS.AUDIT_MULTI_PATH_TIMEOUT_MS,
         "Multi-path audit timed out"
       );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ceon-oy/monitor-sdk",
-  "version": "1.1.1",
+  "version": "1.1.2",
   "description": "Client SDK for Ceon Monitor - Error tracking, health monitoring, security events, and vulnerability scanning",
   "author": "Ceon",
   "license": "MIT",