@coana-tech/cli 14.12.159 → 14.12.160

package/cli.mjs

@@ -205220,55 +205220,34 @@ var Spinner = class _Spinner {
 
 // ../utils/src/telemetry/telemetry-collector.ts
 import { execFile } from "child_process";
-import { platform } from "os";
+import { platform } from "process";
 import { promisify } from "util";
 var execFileAsync = promisify(execFile);
-var TelemetryCollector = class {
-  /**
-   * Collect memory metrics for a child process by PID.
-   * Uses OS-specific commands to query memory usage.
-   *
-   * @param pid - The process ID to query
-   * @returns TelemetryMetrics or undefined if the process doesn't exist or query fails
-   */
-  async collectChildProcessMetrics(pid) {
-    if (!Number.isInteger(pid) || pid <= 0) {
-      return void 0;
-    }
-    try {
-      const currentPlatform = platform();
-      if (currentPlatform === "darwin" || currentPlatform === "linux") {
-        return await this.collectUnixProcessMetrics(pid);
-      }
-      return void 0;
-    } catch {
-      return void 0;
-    }
+var TelemetryCollector = class _TelemetryCollector {
+  constructor(pid) {
+    this.pid = pid;
+  }
+  static create(pid) {
+    if (!Number.isInteger(pid) || pid <= 0 || !["darwin", "linux"].includes(platform)) return void 0;
+    return new _TelemetryCollector(pid);
   }
   /**
    * Collect metrics for a Unix-like system (macOS, Linux) using ps command.
    */
-  async collectUnixProcessMetrics(pid) {
+  async collectChildProcessMetrics() {
     try {
-      const { stdout } = await execFileAsync("ps", ["-o", "rss=,pcpu=", "-p", String(pid)], {
+      const { stdout } = await execFileAsync("ps", ["-o", "rss=,pcpu=", "-p", String(this.pid)], {
         timeout: 5e3
       });
-      const trimmed = stdout.trim();
-      if (!trimmed) {
-        return void 0;
-      }
-      const parts = trimmed.split(/\s+/);
-      if (parts.length < 2) {
-        return void 0;
-      }
+      const parts = stdout.trim().split(/\s+/);
+      if (parts.length < 2) return void 0;
       const rssKb = parseInt(parts[0], 10);
       const cpuPercent = parseFloat(parts[1]);
-      if (isNaN(rssKb) || isNaN(cpuPercent)) {
-        return void 0;
-      }
-      const rssBytes = rssKb * 1024;
+      if (isNaN(rssKb) || isNaN(cpuPercent)) return void 0;
       return {
-        rss: rssBytes,
+        rss: rssKb * 1024,
+        // Convert KB to bytes
+        // Note: cpuPercent can exceed 100% on multi-core systems (e.g., 250% = 2.5 cores used)
         cpuPercent
       };
     } catch {
@@ -205376,14 +205355,14 @@ function startHeartbeat(options) {
   return () => clearInterval(timer);
 }
 var DEFAULT_TELEMETRY_INTERVAL_MS = 5e3;
-function startTelemetry(pid, handler) {
-  const collector = new TelemetryCollector();
+function startTelemetry(subprocess, handler) {
+  const collector = TelemetryCollector.create(subprocess.pid);
+  if (!collector) return;
+  handler.onInit?.(subprocess);
   const intervalMs = handler.intervalMs ?? DEFAULT_TELEMETRY_INTERVAL_MS;
   const collectAndReport = async () => {
-    const metrics = await collector.collectChildProcessMetrics(pid);
-    if (metrics) {
-      handler.onTelemetry(metrics);
-    }
+    const metrics = await collector.collectChildProcessMetrics();
+    if (metrics) handler.onTelemetry(metrics);
   };
   collectAndReport().catch((err) => {
     logger.debug("Initial telemetry collection failed:", err);
@@ -205395,6 +205374,48 @@ function startTelemetry(pid, handler) {
   timer.unref?.();
   return () => clearInterval(timer);
 }
+function wrapWithMemoryLimit(cmd, options) {
+  const memoryLimitKiB = Math.ceil(options.memoryLimitInMB * 1024);
+  if (memoryLimitKiB <= 0)
+    throw new Error(`memoryLimitInMB * 1024 must be a positive number, got: ${memoryLimitKiB}`);
+  switch (process.platform) {
+    case "darwin":
+      {
+        const prevHandler = options.telemetryHandler;
+        let subprocess;
+        options.telemetryHandler = {
+          intervalMs: prevHandler?.intervalMs ?? 2e3,
+          onInit: (sp) => {
+            subprocess = sp;
+            prevHandler?.onInit?.(sp);
+          },
+          onTelemetry(metrics) {
+            if (subprocess?.exitCode === null && metrics.rss >= memoryLimitKiB * 1024) {
+              logger.debug(
+                `Memory limit of ${options.memoryLimitInMB} MiB exceeded (RSS: ${(metrics.rss / 1024 / 1024).toFixed(
+                  2
+                )} MiB). Terminating process.`
+              );
+              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess = void 0;
+            }
+            prevHandler?.onTelemetry(metrics);
+          }
+        };
+      }
+      break;
+    case "linux":
+      return [
+        "sh",
+        ...typeof cmd === "string" ? ["-c", `ulimit -v ${memoryLimitKiB} && eval "$1"`, "_", cmd] : ["-c", `ulimit -v ${memoryLimitKiB} && exec "$@"`, "_", ...cmd]
+      ];
+    default:
+      logger.debug(
+        `Memory limit enforcement is not supported on platform: ${process.platform}. Ignoring memory limit option.`
+      );
+  }
+  return cmd;
+}
 async function execNeverFail(cmd, dir, options) {
   const stopHeartbeat = options?.heartbeat ? startHeartbeat(options.heartbeat) : void 0;
   let stopTelemetry;
@@ -205404,6 +205425,8 @@ async function execNeverFail(cmd, dir, options) {
     analyzerTelemetryServer = new AnalyzerTelemetryServer(options.analyzerTelemetryHandler);
     analyzerTelemetryFilePath = await analyzerTelemetryServer.start();
   }
+  if (options?.memoryLimitInMB !== void 0)
+    cmd = wrapWithMemoryLimit(cmd, options);
   try {
     return await new Promise((resolve45) => {
       let args2;
@@ -205418,9 +205441,8 @@ async function execNeverFail(cmd, dir, options) {
           resolve45({ error, stdout, stderr });
         }
       );
-      if (options?.telemetryHandler && childProcess.pid) {
-        stopTelemetry = startTelemetry(childProcess.pid, options.telemetryHandler);
-      }
+      if (options?.telemetryHandler && childProcess.pid)
+        stopTelemetry = startTelemetry(childProcess, options.telemetryHandler);
       if (options?.pipe) {
         childProcess.stdout?.on("data", (data2) => {
           Spinner.instance().suspend(() => {
@@ -224295,55 +224317,38 @@ var Spinner2 = class _Spinner {
 
 // ../utils/dist/telemetry/telemetry-collector.js
 import { execFile as execFile3 } from "child_process";
-import { platform as platform7 } from "os";
+import { platform as platform7 } from "process";
 import { promisify as promisify2 } from "util";
 var execFileAsync2 = promisify2(execFile3);
-var TelemetryCollector2 = class {
-  /**
-   * Collect memory metrics for a child process by PID.
-   * Uses OS-specific commands to query memory usage.
-   *
-   * @param pid - The process ID to query
-   * @returns TelemetryMetrics or undefined if the process doesn't exist or query fails
-   */
-  async collectChildProcessMetrics(pid) {
-    if (!Number.isInteger(pid) || pid <= 0) {
-      return void 0;
-    }
-    try {
-      const currentPlatform = platform7();
-      if (currentPlatform === "darwin" || currentPlatform === "linux") {
-        return await this.collectUnixProcessMetrics(pid);
-      }
-      return void 0;
-    } catch {
+var TelemetryCollector2 = class _TelemetryCollector {
+  pid;
+  constructor(pid) {
+    this.pid = pid;
+  }
+  static create(pid) {
+    if (!Number.isInteger(pid) || pid <= 0 || !["darwin", "linux"].includes(platform7))
       return void 0;
-    }
+    return new _TelemetryCollector(pid);
   }
   /**
    * Collect metrics for a Unix-like system (macOS, Linux) using ps command.
    */
-  async collectUnixProcessMetrics(pid) {
+  async collectChildProcessMetrics() {
     try {
-      const { stdout } = await execFileAsync2("ps", ["-o", "rss=,pcpu=", "-p", String(pid)], {
+      const { stdout } = await execFileAsync2("ps", ["-o", "rss=,pcpu=", "-p", String(this.pid)], {
         timeout: 5e3
       });
-      const trimmed = stdout.trim();
-      if (!trimmed) {
-        return void 0;
-      }
-      const parts = trimmed.split(/\s+/);
-      if (parts.length < 2) {
+      const parts = stdout.trim().split(/\s+/);
+      if (parts.length < 2)
         return void 0;
-      }
       const rssKb = parseInt(parts[0], 10);
       const cpuPercent = parseFloat(parts[1]);
-      if (isNaN(rssKb) || isNaN(cpuPercent)) {
+      if (isNaN(rssKb) || isNaN(cpuPercent))
         return void 0;
-      }
-      const rssBytes = rssKb * 1024;
       return {
-        rss: rssBytes,
+        rss: rssKb * 1024,
+        // Convert KB to bytes
+        // Note: cpuPercent can exceed 100% on multi-core systems (e.g., 250% = 2.5 cores used)
         cpuPercent
       };
     } catch {
@@ -224452,14 +224457,16 @@ function startHeartbeat2(options) {
   return () => clearInterval(timer);
 }
 var DEFAULT_TELEMETRY_INTERVAL_MS2 = 5e3;
-function startTelemetry2(pid, handler) {
-  const collector = new TelemetryCollector2();
+function startTelemetry2(subprocess, handler) {
+  const collector = TelemetryCollector2.create(subprocess.pid);
+  if (!collector)
+    return;
+  handler.onInit?.(subprocess);
   const intervalMs = handler.intervalMs ?? DEFAULT_TELEMETRY_INTERVAL_MS2;
   const collectAndReport = async () => {
-    const metrics = await collector.collectChildProcessMetrics(pid);
-    if (metrics) {
+    const metrics = await collector.collectChildProcessMetrics();
+    if (metrics)
       handler.onTelemetry(metrics);
-    }
   };
   collectAndReport().catch((err) => {
     logger.debug("Initial telemetry collection failed:", err);
@@ -224471,6 +224478,42 @@ function startTelemetry2(pid, handler) {
   timer.unref?.();
   return () => clearInterval(timer);
 }
+function wrapWithMemoryLimit2(cmd, options) {
+  const memoryLimitKiB = Math.ceil(options.memoryLimitInMB * 1024);
+  if (memoryLimitKiB <= 0)
+    throw new Error(`memoryLimitInMB * 1024 must be a positive number, got: ${memoryLimitKiB}`);
+  switch (process.platform) {
+    case "darwin":
+      {
+        const prevHandler = options.telemetryHandler;
+        let subprocess;
+        options.telemetryHandler = {
+          intervalMs: prevHandler?.intervalMs ?? 2e3,
+          onInit: (sp) => {
+            subprocess = sp;
+            prevHandler?.onInit?.(sp);
+          },
+          onTelemetry(metrics) {
+            if (subprocess?.exitCode === null && metrics.rss >= memoryLimitKiB * 1024) {
+              logger.debug(`Memory limit of ${options.memoryLimitInMB} MiB exceeded (RSS: ${(metrics.rss / 1024 / 1024).toFixed(2)} MiB). Terminating process.`);
+              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess = void 0;
+            }
+            prevHandler?.onTelemetry(metrics);
+          }
+        };
+      }
+      break;
+    case "linux":
+      return [
+        "sh",
+        ...typeof cmd === "string" ? ["-c", `ulimit -v ${memoryLimitKiB} && eval "$1"`, "_", cmd] : ["-c", `ulimit -v ${memoryLimitKiB} && exec "$@"`, "_", ...cmd]
+      ];
+    default:
+      logger.debug(`Memory limit enforcement is not supported on platform: ${process.platform}. Ignoring memory limit option.`);
+  }
+  return cmd;
+}
 async function execNeverFail3(cmd, dir, options) {
   const stopHeartbeat = options?.heartbeat ? startHeartbeat2(options.heartbeat) : void 0;
   let stopTelemetry;
@@ -224480,6 +224523,8 @@ async function execNeverFail3(cmd, dir, options) {
     analyzerTelemetryServer = new AnalyzerTelemetryServer2(options.analyzerTelemetryHandler);
     analyzerTelemetryFilePath = await analyzerTelemetryServer.start();
   }
+  if (options?.memoryLimitInMB !== void 0)
+    cmd = wrapWithMemoryLimit2(cmd, options);
   try {
     return await new Promise((resolve45) => {
       let args2;
@@ -224490,9 +224535,8 @@ async function execNeverFail3(cmd, dir, options) {
       const childProcess = execFile4(cmd, args2, { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout }, (error, stdout, stderr) => {
         resolve45({ error, stdout, stderr });
       });
-      if (options?.telemetryHandler && childProcess.pid) {
-        stopTelemetry = startTelemetry2(childProcess.pid, options.telemetryHandler);
-      }
+      if (options?.telemetryHandler && childProcess.pid)
+        stopTelemetry = startTelemetry2(childProcess, options.telemetryHandler);
       if (options?.pipe) {
         childProcess.stdout?.on("data", (data2) => {
           Spinner2.instance().suspend(() => {
@@ -250903,7 +250947,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.159";
+var version3 = "14.12.160";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.159",
+  "version": "14.12.160",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -80900,55 +80900,34 @@ import { execFile as execFile2 } from "child_process";
 
 // ../utils/src/telemetry/telemetry-collector.ts
 import { execFile } from "child_process";
-import { platform } from "os";
+import { platform } from "process";
 import { promisify } from "util";
 var execFileAsync = promisify(execFile);
-var TelemetryCollector = class {
-  /**
-   * Collect memory metrics for a child process by PID.
-   * Uses OS-specific commands to query memory usage.
-   *
-   * @param pid - The process ID to query
-   * @returns TelemetryMetrics or undefined if the process doesn't exist or query fails
-   */
-  async collectChildProcessMetrics(pid) {
-    if (!Number.isInteger(pid) || pid <= 0) {
-      return void 0;
-    }
-    try {
-      const currentPlatform = platform();
-      if (currentPlatform === "darwin" || currentPlatform === "linux") {
-        return await this.collectUnixProcessMetrics(pid);
-      }
-      return void 0;
-    } catch {
-      return void 0;
-    }
+var TelemetryCollector = class _TelemetryCollector {
+  constructor(pid) {
+    this.pid = pid;
+  }
+  static create(pid) {
+    if (!Number.isInteger(pid) || pid <= 0 || !["darwin", "linux"].includes(platform)) return void 0;
+    return new _TelemetryCollector(pid);
   }
   /**
    * Collect metrics for a Unix-like system (macOS, Linux) using ps command.
    */
-  async collectUnixProcessMetrics(pid) {
+  async collectChildProcessMetrics() {
     try {
-      const { stdout } = await execFileAsync("ps", ["-o", "rss=,pcpu=", "-p", String(pid)], {
+      const { stdout } = await execFileAsync("ps", ["-o", "rss=,pcpu=", "-p", String(this.pid)], {
         timeout: 5e3
       });
-      const trimmed = stdout.trim();
-      if (!trimmed) {
-        return void 0;
-      }
-      const parts = trimmed.split(/\s+/);
-      if (parts.length < 2) {
-        return void 0;
-      }
+      const parts = stdout.trim().split(/\s+/);
+      if (parts.length < 2) return void 0;
       const rssKb = parseInt(parts[0], 10);
       const cpuPercent = parseFloat(parts[1]);
-      if (isNaN(rssKb) || isNaN(cpuPercent)) {
-        return void 0;
-      }
-      const rssBytes = rssKb * 1024;
+      if (isNaN(rssKb) || isNaN(cpuPercent)) return void 0;
       return {
-        rss: rssBytes,
+        rss: rssKb * 1024,
+        // Convert KB to bytes
+        // Note: cpuPercent can exceed 100% on multi-core systems (e.g., 250% = 2.5 cores used)
         cpuPercent
       };
     } catch {
@@ -81053,14 +81032,14 @@ function startHeartbeat(options) {
   return () => clearInterval(timer);
 }
 var DEFAULT_TELEMETRY_INTERVAL_MS = 5e3;
-function startTelemetry(pid, handler) {
-  const collector = new TelemetryCollector();
+function startTelemetry(subprocess, handler) {
+  const collector = TelemetryCollector.create(subprocess.pid);
+  if (!collector) return;
+  handler.onInit?.(subprocess);
   const intervalMs = handler.intervalMs ?? DEFAULT_TELEMETRY_INTERVAL_MS;
   const collectAndReport = async () => {
-    const metrics = await collector.collectChildProcessMetrics(pid);
-    if (metrics) {
-      handler.onTelemetry(metrics);
-    }
+    const metrics = await collector.collectChildProcessMetrics();
+    if (metrics) handler.onTelemetry(metrics);
   };
   collectAndReport().catch((err) => {
     logger.debug("Initial telemetry collection failed:", err);
@@ -81072,6 +81051,48 @@ function startTelemetry(pid, handler) {
   timer.unref?.();
   return () => clearInterval(timer);
 }
+function wrapWithMemoryLimit(cmd, options) {
+  const memoryLimitKiB = Math.ceil(options.memoryLimitInMB * 1024);
+  if (memoryLimitKiB <= 0)
+    throw new Error(`memoryLimitInMB * 1024 must be a positive number, got: ${memoryLimitKiB}`);
+  switch (process.platform) {
+    case "darwin":
+      {
+        const prevHandler = options.telemetryHandler;
+        let subprocess;
+        options.telemetryHandler = {
+          intervalMs: prevHandler?.intervalMs ?? 2e3,
+          onInit: (sp) => {
+            subprocess = sp;
+            prevHandler?.onInit?.(sp);
+          },
+          onTelemetry(metrics) {
+            if (subprocess?.exitCode === null && metrics.rss >= memoryLimitKiB * 1024) {
+              logger.debug(
+                `Memory limit of ${options.memoryLimitInMB} MiB exceeded (RSS: ${(metrics.rss / 1024 / 1024).toFixed(
+                  2
+                )} MiB). Terminating process.`
+              );
+              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess = void 0;
+            }
+            prevHandler?.onTelemetry(metrics);
+          }
+        };
+      }
+      break;
+    case "linux":
+      return [
+        "sh",
+        ...typeof cmd === "string" ? ["-c", `ulimit -v ${memoryLimitKiB} && eval "$1"`, "_", cmd] : ["-c", `ulimit -v ${memoryLimitKiB} && exec "$@"`, "_", ...cmd]
+      ];
+    default:
+      logger.debug(
+        `Memory limit enforcement is not supported on platform: ${process.platform}. Ignoring memory limit option.`
+      );
+  }
+  return cmd;
+}
 async function execNeverFail(cmd, dir, options) {
   const stopHeartbeat = options?.heartbeat ? startHeartbeat(options.heartbeat) : void 0;
   let stopTelemetry;
@@ -81081,6 +81102,8 @@ async function execNeverFail(cmd, dir, options) {
     analyzerTelemetryServer = new AnalyzerTelemetryServer(options.analyzerTelemetryHandler);
     analyzerTelemetryFilePath = await analyzerTelemetryServer.start();
   }
+  if (options?.memoryLimitInMB !== void 0)
+    cmd = wrapWithMemoryLimit(cmd, options);
   try {
     return await new Promise((resolve23) => {
       let args;
@@ -81095,9 +81118,8 @@ async function execNeverFail(cmd, dir, options) {
           resolve23({ error, stdout, stderr });
         }
       );
-      if (options?.telemetryHandler && childProcess.pid) {
-        stopTelemetry = startTelemetry(childProcess.pid, options.telemetryHandler);
-      }
+      if (options?.telemetryHandler && childProcess.pid)
+        stopTelemetry = startTelemetry(childProcess, options.telemetryHandler);
       if (options?.pipe) {
         childProcess.stdout?.on("data", (data2) => {
           Spinner.instance().suspend(() => {
@@ -111156,7 +111178,8 @@ var GoCodeAwareVulnerabilityScanner = class {
           ${this.projectDir} ${vulnAccPaths}`, void 0, {
         timeout: timeoutInSeconds * 1e3,
         killSignal: "SIGKILL",
-        env: memoryLimitInMB ? { ...process.env, GOMEMLIMIT: `${memoryLimitInMB}MiB` } : void 0,
+        memoryLimitInMB,
+        env: memoryLimitInMB ? { ...process.env, GOMEMLIMIT: `${Math.max(Math.ceil(memoryLimitInMB - 256), 0)}MiB` } : void 0,
         heartbeat: HEARTBEATS.go,
         telemetryHandler,
         analyzerTelemetryHandler
@@ -112033,16 +112056,6 @@ function getVersion(analysisName) {
 
 // dist/whole-program-code-aware-vulnerability-scanner/python/python-code-aware-vulnerability-scanner.js
 var { omit, once: once3, pick, sortedUniq, uniqBy } = import_lodash14.default;
-var memlimitWrapper = `import sys, runpy, resource
-if memory_limit := int(sys.argv.pop(1)):
-  try:
-    resource.setrlimit(resource.RLIMIT_AS, (memory_limit * 1024 ** 2, resource.RLIM_INFINITY))
-  except ValueError as e:
-    # If we're running on PyPy, memory is bounded by PYPY_GC_MAX env var
-    if sys.implementation.name != "pypy":
-      print("ERROR: Failed to set memory limit", e, file=sys.stderr)
-runpy.run_module("mambalade", alter_sys=True)
-`;
 var PythonCodeAwareVulnerabilityScanner = class {
   state;
   projectDir;
@@ -112071,10 +112084,10 @@ var PythonCodeAwareVulnerabilityScanner = class {
     this.mambaladeVenvPath ??= await setupMambalade();
     logger.info("Started instantiating Python code-aware analysis");
     logger.debug(`Trying to find files to analyze from projectDir: ${this.projectDir}`);
-    const { rootWorkingDir, reachabilityAnalysisOptions } = this.state;
+    const { rootWorkingDir, reachabilityAnalysisOptions: { excludeDirs, memoryLimitInMB } } = this.state;
     let filesToAnalyze = await findFilesToAnalyze(this.projectDir);
-    if (reachabilityAnalysisOptions.excludeDirs)
-      filesToAnalyze = excludeFiles(rootWorkingDir, this.projectDir, filesToAnalyze, reachabilityAnalysisOptions.excludeDirs);
+    if (excludeDirs)
+      filesToAnalyze = excludeFiles(rootWorkingDir, this.projectDir, filesToAnalyze, excludeDirs);
     logger.info(`Found ${filesToAnalyze.length} files to analyze`);
     logger.debug("%O", filesToAnalyze);
     if (filesToAnalyze.length === 0)
@@ -112097,7 +112110,7 @@ var PythonCodeAwareVulnerabilityScanner = class {
     const reachedPackagesOutputFile = join17(tmpDir, "reached-packages.json");
     const pythonExecutable = join17(this.mambaladeVenvPath, "bin", "python");
     const mambaladeArgs = cmdt`\
-      ${pythonExecutable} - ${reachabilityAnalysisOptions.memoryLimitInMB ?? 0}
+      ${pythonExecutable} -m mambalade
       --vulnerabilities ${vulnAccPaths}
       --unsound-class-decorators --context-sensitivity=heuristics
       --path ${this.virtualEnvInfo.virtualEnvPathToSitePackages}
@@ -112111,10 +112124,11 @@ var PythonCodeAwareVulnerabilityScanner = class {
       ${filesToAnalyze}`;
     try {
       const { stderr } = await exec2(mambaladeArgs, this.projectDir, {
-        stdin: memlimitWrapper,
         env: {
           ...process.env,
-          PYPY_GC_MAX: `${reachabilityAnalysisOptions.memoryLimitInMB ?? 0}MB`
+          // Set PyPy-specific the memory limit 256MiB lower than the overall memory limit
+          // to (hopefully) handle OOM gracefully within mambalade (instead of the OS killing the process).
+          PYPY_GC_MAX: `${memoryLimitInMB ? Math.max(Math.ceil(memoryLimitInMB - 256), 1) : 0}MB`
         },
         // Forcefully kill the process if the internal timeout mechanism fails.
         // Use SIGKILL to ensure termination even if the process is unresponsive.
@@ -112122,7 +112136,8 @@ var PythonCodeAwareVulnerabilityScanner = class {
         killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.python,
         telemetryHandler,
-        analyzerTelemetryHandler
+        analyzerTelemetryHandler,
+        memoryLimitInMB
       });
       logger.debug("Done running mambalade");
       const errors = stderr.split("\n").filter((line) => line.startsWith("ERROR:") && !/^ERROR: Excluded distribution/.test(line));