@socketsecurity/cli-with-sentry 1.1.96 → 1.1.98

package/dist/utils.js

@@ -16,10 +16,14 @@ var path = require('node:path');
 var regexps = require('../external/@socketsecurity/registry/lib/regexps');
 var prompts = require('../external/@socketsecurity/registry/lib/prompts');
 var spawn = require('../external/@socketsecurity/registry/lib/spawn');
+var fs = require('node:fs');
+var fs$2 = require('node:fs/promises');
+var promises$1 = require('node:stream/promises');
+var node_zlib = require('node:zlib');
 var fs$1 = require('../external/@socketsecurity/registry/lib/fs');
 var require$$5 = require('node:module');
 var require$$3 = require('node:https');
-var fs = require('node:fs');
+var web = require('node:stream/web');
 var require$$13 = require('../external/@socketsecurity/registry/lib/url');
 var agent = require('../external/@socketsecurity/registry/lib/agent');
 var bin = require('../external/@socketsecurity/registry/lib/bin');
@@ -2051,9 +2055,11 @@ function getHttpsAgent() {
   return _httpsAgent;
 }
 
-// Wrapper around fetch that supports extra CA certificates via SSL_CERT_FILE.
-// Uses node:https.request with a custom agent when extra CA certs are needed,
-// falling back to regular fetch() otherwise. Follows redirects like fetch().
+// All outbound API requests use node:https.request rather than global fetch.
+// This ensures no body timeout is applied — large streaming ND-JSON responses
+// (e.g. full scan results) can transfer without a hard deadline. When
+// SSL_CERT_FILE is configured, a custom HttpsAgent carrying the extra CA
+// certificates is passed; otherwise the default agent is used.
 
 // Internal httpsRequest-based fetch with redirect support.
 function _httpsRequestFetch(url, init, agent, redirectCount) {
@@ -2109,27 +2115,42 @@ function _httpsRequestFetch(url, init, agent, redirectCount) {
         }, agent, redirectCount + 1));
         return;
       }
-      const chunks = [];
-      res.on('data', chunk => chunks.push(chunk));
-      res.on('end', () => {
-        const body = Buffer.concat(chunks);
-        const responseHeaders = new Headers();
-        for (const [key, value] of Object.entries(res.headers)) {
-          if (typeof value === 'string') {
-            responseHeaders.set(key, value);
-          } else if (Array.isArray(value)) {
-            for (const v of value) {
-              responseHeaders.append(key, v);
-            }
+      // Build response headers immediately on receipt.
+      const responseHeaders = new Headers();
+      for (const [key, value] of Object.entries(res.headers)) {
+        if (typeof value === 'string') {
+          responseHeaders.set(key, value);
+        } else if (Array.isArray(value)) {
+          for (const v of value) {
+            responseHeaders.append(key, v);
           }
         }
-        resolve(new Response(body, {
-          status: statusCode ?? 0,
-          statusText: res.statusMessage ?? '',
-          headers: responseHeaders
-        }));
+      }
+      // Resolve with a streaming body as soon as headers are available,
+      // matching fetch() semantics. Callers that pipe response.body (e.g.
+      // streamDownloadWithFetch) receive a live ReadableStream rather than
+      // a fully-buffered Buffer.
+      const body = new web.ReadableStream({
+        start(controller) {
+          res.on('data', chunk => {
+            controller.enqueue(chunk);
+          });
+          res.on('end', () => {
+            controller.close();
+          });
+          res.on('error', err => {
+            controller.error(err);
+          });
+        },
+        cancel() {
+          res.destroy();
+        }
       });
-      res.on('error', reject);
+      resolve(new Response(body, {
+        status: statusCode ?? 0,
+        statusText: res.statusMessage ?? '',
+        headers: responseHeaders
+      }));
     });
     if (init.body) {
       req.write(init.body);
@@ -2139,11 +2160,7 @@ function _httpsRequestFetch(url, init, agent, redirectCount) {
   });
 }
 async function apiFetch(url, init = {}) {
-  const agent = getHttpsAgent();
-  if (!agent) {
-    return await fetch(url, init);
-  }
-  return await _httpsRequestFetch(url, init, agent, 0);
+  return await _httpsRequestFetch(url, init, getHttpsAgent(), 0);
 }
 /**
  * Get command requirements from requirements.json based on command path.
@@ -4724,6 +4741,11 @@ function* walkNestedMap(map, keys = []) {
  * Manages reachability analysis via Coana tech CLI.
  *
  * Key Functions:
+ * - compressSocketFactsForUpload: Brotli-compress any .socket.facts.json
+ *   entries in scanPaths just before upload, returning swapped paths plus a
+ *   cleanup callback. Coana keeps writing plain JSON; the on-the-wire form
+ *   to depscan is brotli (api-v0 decodes at the multipart boundary).
+ * - extractReachabilityErrors: Extract per-component reachability errors
  * - extractTier1ReachabilityScanId: Extract scan ID from socket facts file
  *
  * Integration:
@@ -4732,6 +4754,86 @@ function* walkNestedMap(map, keys = []) {
  * - Extracts tier 1 reachability scan identifiers
  */
 
+const {
+  DOT_SOCKET_DOT_FACTS_JSON
+} = constants.default;
+/**
+ * For each `.socket.facts.json` in `scanPaths`, stream-brotli-compress a
+ * sibling `.socket.facts.json.br` next to the original file and swap its
+ * path in. Other paths pass through unchanged. Missing files also pass
+ * through unchanged (the upload will fail downstream with the same error
+ * it would have).
+ *
+ * Streaming + worker-thread compression keeps the event loop responsive:
+ * default brotli quality (11) on a 60+MB facts file takes multiple seconds
+ * of CPU, which would otherwise freeze the spinner / signal handlers /
+ * any concurrent work.
+ *
+ * The `.br` lives next to the source rather than under the OS temp dir
+ * because depscan's multipart ingest (`addStreamEntry`) rejects entries
+ * whose names contain `..` traversal segments. The SDK computes the
+ * multipart entry name via `path.relative(cwd, brPath)`, so an OS-tmpdir
+ * temp path turns into `../../../var/folders/...` and gets dropped as
+ * `unmatchedFiles`. Sibling-write keeps the relative path inside cwd, and
+ * keeps the directory shape symmetric with the plain `.socket.facts.json`
+ * upload (depscan strips only the `.br` suffix at ingest, so
+ * `<dir>/.socket.facts.json.br` and `<dir>/.socket.facts.json` resolve to
+ * the same storage path).
+ *
+ * Concurrent scans against the same source directory are already racy on
+ * `.socket.facts.json` itself (coana writes to a single path), so the
+ * sibling `.br` doesn't introduce a new race.
+ *
+ * Caller MUST `await cleanup()` (typically in a `finally` block) once the
+ * upload completes — successful or not — to remove the sibling files.
+ */
+async function compressSocketFactsForUpload(scanPaths) {
+  const brPaths = [];
+  const cleanup = async () => {
+    const targets = brPaths.splice(0);
+    // `recursive: true` defends against the (defensive) case where a sibling
+    // path was somehow created as a directory — `rm` would otherwise throw
+    // on the first such entry and skip the rest. `force: true` no-ops on
+    // missing paths so the function stays idempotent.
+    await Promise.all(targets.map(t => fs$2.rm(t, {
+      recursive: true,
+      force: true
+    })));
+  };
+  // Use `allSettled` (not `all`) so a failure in one entry doesn't leak the
+  // others' in-flight pipelines past our `catch`. If we used `all`, the
+  // first rejection would bubble out while sibling pipelines were still
+  // writing bytes — `cleanup()` would race with those writes and could
+  // remove a `.br` only to have it re-created after we returned.
+  const results = await Promise.allSettled(scanPaths.map(async p => {
+    if (path.basename(p) !== DOT_SOCKET_DOT_FACTS_JSON) {
+      return p;
+    }
+    if (!fs.existsSync(p)) {
+      return p;
+    }
+    const brPath = `${p}.br`;
+    // Track the sibling path BEFORE the pipeline starts so a
+    // partially-written `.br` is removed even if the pipeline rejects.
+    // `rm({ force: true })` no-ops on missing files, so tracking before
+    // creation is safe.
+    brPaths.push(brPath);
+    await promises$1.pipeline(fs.createReadStream(p), node_zlib.createBrotliCompress(), fs.createWriteStream(brPath));
+    return brPath;
+  }));
+  const failure = results.find(r => r.status === 'rejected');
+  if (failure) {
+    // All pipelines have settled, so cleanup() can safely remove every
+    // `.br` we tracked (succeeded or partial) without racing live writes.
+    await cleanup();
+    throw failure.reason;
+  }
+  const paths = results.map(r => r.value);
+  return {
+    paths,
+    cleanup
+  };
+}
 function extractReachabilityErrors(socketFactsFile) {
   const json = fs$1.readJsonSync(socketFactsFile, {
     throws: false
@@ -7822,6 +7924,7 @@ exports.checkCommandInput = checkCommandInput;
 exports.cmdFlagValueToArray = cmdFlagValueToArray;
 exports.cmdFlagsToString = cmdFlagsToString;
 exports.cmdPrefixMessage = cmdPrefixMessage;
+exports.compressSocketFactsForUpload = compressSocketFactsForUpload;
 exports.convertCveToGhsa = convertCveToGhsa;
 exports.convertPurlToGhsas = convertPurlToGhsas;
 exports.createEnum = createEnum;
@@ -7946,5 +8049,5 @@ exports.updateConfigValue = updateConfigValue;
 exports.walkNestedMap = walkNestedMap;
 exports.webLink = webLink;
 exports.writeSocketJson = writeSocketJson;
-//# debugId=2070e850-060e-4077-8aaa-c4564f5f74e5
+//# debugId=e3aec7ef-9385-4b5c-be2e-ba11a8c6f580
 //# sourceMappingURL=utils.js.map