npm - @prodcycle/prodcycle - Versions diffs - 0.6.2 → 0.6.3 - Mend

@prodcycle/prodcycle 0.6.2 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/api-client.js +16 -4
package/package.json +1 -1

package/dist/api-client.js CHANGED Viewed

@@ -322,6 +322,7 @@ class ComplianceApiClient {
         let lastError = null;
         for (let attempt = 0; attempt < MAX_RETRY_ATTEMPTS; attempt++) {
             let response;
+            let responseText;
             try {
                 response = await fetch(url, {
                     method,
@@ -332,11 +333,23 @@ class ComplianceApiClient {
                     ...(data !== null ? { body: JSON.stringify(data) } : {}),
                     signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
                 });
+                // Body read inside the same try/catch as fetch() because undici can
+                // throw mid-stream (ALB drops the connection, abort signal fires
+                // during body read, server sends a partial response). Pre-fix this
+                // leaked out of `request()` as an unhandled error instead of being
+                // retried — long chunked-session scans were especially exposed,
+                // since every `appendChunk` call is its own request and any one
+                // mid-stream drop torpedoed the whole scan. The chunk write is
+                // idempotent on the server (unique `(scan_id, fingerprint)` index),
+                // so retry is safe. Mirror of the Python client's catch over
+                // `OSError, http.client.HTTPException` — keep both in lockstep.
+                responseText = await response.text();
             }
             catch (networkErr) {
-                // Connection-level failures (DNS, TCP, TLS). Treat as retryable up
-                // to the same cap as 503 — the server may be momentarily down or
-                // the network blip may resolve.
+                // Connection-level failures (DNS, TCP, TLS) OR body-read-level
+                // failures (abort, RST mid-stream). Treat as retryable up to the
+                // same cap as 503 — the server may be momentarily down or the
+                // network blip may resolve.
                 lastError =
                     networkErr instanceof Error ? networkErr : new Error(String(networkErr));
                 if (attempt < MAX_RETRY_ATTEMPTS - 1) {
@@ -345,7 +358,6 @@ class ComplianceApiClient {
                 }
                 throw new Error(`Failed to connect to ProdCycle API: ${lastError.message}`);
             }
-            const responseText = await response.text();
             let parsed = null;
             try {
                 parsed = responseText ? JSON.parse(responseText) : null;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@prodcycle/prodcycle",
-  "version": "0.6.2",
+  "version": "0.6.3",
   "description": "Multi-framework policy-as-code compliance scanner for infrastructure and application code.",
   "homepage": "https://docs.prodcycle.com",
   "repository": {