@prodcycle/prodcycle 0.6.3 → 0.6.4

package/dist/utils/fs.js

@@ -38,6 +38,12 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const minimatch_1 = require("minimatch");
 const MAX_FILE_SIZE = 256 * 1024; // 256 KB
+// Reusable strict UTF-8 decoder. `TextDecoder` is stateless on the same
+// instance (encoding + fatal are fixed at construction), so we allocate
+// once at module load instead of once per file in the walk loop —
+// repos with thousands of files would otherwise produce thousands of
+// short-lived decoder objects per scan.
+const UTF8_DECODER = new TextDecoder('utf-8', { fatal: true });
 /**
  * Total file ceiling per scan. Hit on the OSS-CLI benchmark scanning
  * `hapifhir/hapi-fhir` (~13k files) — the CLI silently dropped ~3k files
@@ -397,18 +403,31 @@ function walk(dir, repoRoot, gitignores, prodcycleIgnores, includePatterns, user
         }
         if (isBinary(buffer))
             continue;
-        const content = buffer.toString('utf8');
-        // Post-decode filter: the service enforces the 256 KB per-file limit
-        // on the UTF-8 byte length of the decoded string content, which can
-        // differ from the file's on-disk byte count. `buffer.toString('utf8')`
-        // silently replaces invalid UTF-8 byte sequences with U+FFFD (3 UTF-8
-        // bytes each), so a file with invalid bytes that's under 256 KB on
-        // disk can balloon over the limit after the round trip. The cheap
-        // `stats.size` check above would let it through; the service then
-        // rejects the entire chunk with 413 and torpedoes the scan.
-        // Re-measuring here keeps the CLI's filter aligned with the service
-        // enforcement. Concrete case from the GA-validation sweep:
-        // `web/pnpm-lock.yaml` with stray non-UTF-8 bytes.
+        // Strict UTF-8 decode: throw (and skip the file) on invalid byte
+        // sequences. Pre-fix this was `buffer.toString('utf8')`, which
+        // silently replaces invalid bytes with U+FFFD and includes the file
+        // anyway. Python's `open(encoding='utf-8')` raises UnicodeDecodeError
+        // on the same input and skips the file via its except clause, so
+        // Node ended up sending files Python wouldn't. Those files were
+        // overwhelmingly garbage (U+FFFD soup with no real content), but
+        // the inflated payload pushed many scans over the sync /validate
+        // limit and into the chunked-session fallback — Node ran 5–75x
+        // slower than Python on the same repos (dexidp-dex: npm=525s vs
+        // py=7s, frappe-erpnext: 1448s vs 42s, both 0 finding differences)
+        // during the 2026-05-12 GA-validation sweep. Catch the decode
+        // error and treat exactly like Python.
+        let content;
+        try {
+            content = UTF8_DECODER.decode(buffer);
+        }
+        catch {
+            continue;
+        }
+        // Post-decode size filter mirrors the service's 256 KB per-file
+        // enforcement. Without invalid-UTF-8 inflation (now skipped above),
+        // post-decode byte length usually matches `stats.size`, but a BOM
+        // or rare normalization edge case can still differ — keep the
+        // re-measure as defense-in-depth.
         if (Buffer.byteLength(content, 'utf8') > MAX_FILE_SIZE)
             continue;
         files[relPath] = content;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prodcycle/prodcycle",
-  "version": "0.6.3",
+  "version": "0.6.4",
   "description": "Multi-framework policy-as-code compliance scanner for infrastructure and application code.",
   "homepage": "https://docs.prodcycle.com",
   "repository": {