mobbdev 1.0.87 → 1.0.90

package/dist/index.mjs

@@ -11,14 +11,15 @@ import Debug21 from "debug";
 import { hideBin } from "yargs/helpers";
 
 // src/args/commands/convert_to_sarif.ts
-import fs4 from "node:fs";
+import fs4 from "fs";
 
 // src/commands/convert_to_sarif.ts
-import fs3 from "node:fs";
-import path3 from "node:path";
+import fs3 from "fs";
+import path3 from "path";
 
 // src/commands/fpr_stream_parser.ts
-import fs from "node:fs";
+import fs from "fs";
+import readline from "readline";
 import sax from "sax";
 var BaseStreamParser = class {
   constructor(parser) {
@@ -134,14 +135,17 @@ var UnifiedNodePoolParser = class extends BaseStreamParser {
   }
 };
 var VulnerabilityParser = class extends BaseStreamParser {
-  constructor() {
-    super(...arguments);
-    __publicField(this, "vulnerabilities", []);
+  constructor(parser, tmpStorageFilePath) {
+    super(parser);
     __publicField(this, "isInVulnerability", false);
     __publicField(this, "codePoints", []);
     __publicField(this, "metadata", {});
     __publicField(this, "metaInfo", {});
     __publicField(this, "groupName", "");
+    __publicField(this, "tmpStorageFileWriter");
+    __publicField(this, "tmpStorageFilePath");
+    this.tmpStorageFilePath = tmpStorageFilePath;
+    this.tmpStorageFileWriter = fs.createWriteStream(tmpStorageFilePath);
   }
   onOpenTag(tag) {
     super.onOpenTag(tag);
@@ -195,25 +199,43 @@ var VulnerabilityParser = class extends BaseStreamParser {
   onCloseTag() {
     if (this.getPathString() === "FVDL > Vulnerabilities > Vulnerability") {
       this.isInVulnerability = false;
-      this.vulnerabilities.push({
-        nodes: this.codePoints,
-        instanceID: this.metadata["InstanceID"] ?? "",
-        instanceSeverity: this.metadata["InstanceSeverity"] ?? "",
-        confidence: this.metadata["Confidence"] ?? "",
-        classID: this.metadata["ClassID"] ?? "",
-        type: this.metadata["Type"] ?? "",
-        subtype: this.metadata["Subtype"] ?? "",
-        metaInfo: this.metaInfo
-      });
+      this.tmpStorageFileWriter.write(
+        JSON.stringify({
+          nodes: this.codePoints,
+          instanceID: this.metadata["InstanceID"] ?? "",
+          instanceSeverity: this.metadata["InstanceSeverity"] ?? "",
+          confidence: this.metadata["Confidence"] ?? "",
+          classID: this.metadata["ClassID"] ?? "",
+          type: this.metadata["Type"] ?? "",
+          subtype: this.metadata["Subtype"] ?? "",
+          metaInfo: this.metaInfo
+        }) + "\n"
+      );
     }
     super.onCloseTag();
   }
-  getVulnerabilities() {
-    return this.vulnerabilities;
+  async *getVulnerabilities() {
+    await new Promise((r) => this.tmpStorageFileWriter.end(r));
+    const rl = readline.createInterface({
+      input: fs.createReadStream(this.tmpStorageFilePath),
+      crlfDelay: Infinity
+    });
+    for await (const line of rl) {
+      if (line) {
+        yield JSON.parse(line);
+      }
+    }
   }
 };
 function initSaxParser(filepath) {
-  const parser = sax.createStream(true);
+  const parser = sax.createStream(true, {
+    // All these flags help to improve parsing speed a lot.
+    trim: false,
+    normalize: false,
+    lowercase: false,
+    xmlns: false,
+    position: false
+  });
   const awaiter = new Promise((resolve, reject) => {
     parser.on("end", () => resolve(true));
     parser.on("error", (e) => reject(e));
@@ -221,7 +243,10 @@ function initSaxParser(filepath) {
   return {
     parser,
     parse: async () => {
-      fs.createReadStream(filepath).pipe(parser);
+      fs.createReadStream(filepath, {
+        // Set chunk size to 100 MB. The default is 16 KB, which makes the process too slow.
+        highWaterMark: 100 * 1024 * 1024
+      }).pipe(parser);
       await awaiter;
     }
   };
@@ -409,6 +434,7 @@ var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
   IssueType_Enum2["SystemExitShouldReraise"] = "SYSTEM_EXIT_SHOULD_RERAISE";
   IssueType_Enum2["SystemInformationLeak"] = "SYSTEM_INFORMATION_LEAK";
   IssueType_Enum2["SystemInformationLeakExternal"] = "SYSTEM_INFORMATION_LEAK_EXTERNAL";
+  IssueType_Enum2["TarSlip"] = "TAR_SLIP";
   IssueType_Enum2["TrustBoundaryViolation"] = "TRUST_BOUNDARY_VIOLATION";
   IssueType_Enum2["TypeConfusion"] = "TYPE_CONFUSION";
   IssueType_Enum2["UncheckedLoopCondition"] = "UNCHECKED_LOOP_CONDITION";
@@ -947,71 +973,71 @@ var GetMcpFixesDocument = `
 var defaultWrapper = (action, _operationName, _operationType, _variables) => action();
 function getSdk(client, withWrapper = defaultWrapper) {
   return {
-    Me(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(MeDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "Me", "query", variables);
+    Me(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: MeDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "Me", "query", variables);
     },
-    getOrgAndProjectId(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(GetOrgAndProjectIdDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "getOrgAndProjectId", "query", variables);
+    getOrgAndProjectId(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetOrgAndProjectIdDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "getOrgAndProjectId", "query", variables);
     },
-    GetEncryptedApiToken(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(GetEncryptedApiTokenDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "GetEncryptedApiToken", "query", variables);
+    GetEncryptedApiToken(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetEncryptedApiTokenDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetEncryptedApiToken", "query", variables);
     },
-    FixReportState(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(FixReportStateDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "FixReportState", "query", variables);
+    FixReportState(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: FixReportStateDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "FixReportState", "query", variables);
     },
-    GetVulnerabilityReportPaths(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(GetVulnerabilityReportPathsDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "GetVulnerabilityReportPaths", "query", variables);
+    GetVulnerabilityReportPaths(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetVulnerabilityReportPathsDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetVulnerabilityReportPaths", "query", variables);
     },
-    getAnalysisSubscription(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(GetAnalysisSubscriptionDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "getAnalysisSubscription", "subscription", variables);
+    getAnalysisSubscription(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetAnalysisSubscriptionDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "getAnalysisSubscription", "subscription", variables);
     },
-    getAnalysis(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(GetAnalysisDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "getAnalysis", "query", variables);
+    getAnalysis(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetAnalysisDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "getAnalysis", "query", variables);
     },
-    getFixes(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(GetFixesDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "getFixes", "query", variables);
+    getFixes(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetFixesDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "getFixes", "query", variables);
     },
-    getVulByNodesMetadata(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(GetVulByNodesMetadataDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "getVulByNodesMetadata", "query", variables);
+    getVulByNodesMetadata(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetVulByNodesMetadataDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "getVulByNodesMetadata", "query", variables);
     },
-    getFalsePositive(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(GetFalsePositiveDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "getFalsePositive", "query", variables);
+    getFalsePositive(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetFalsePositiveDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "getFalsePositive", "query", variables);
     },
-    updateScmToken(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(UpdateScmTokenDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "updateScmToken", "mutation", variables);
+    updateScmToken(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: UpdateScmTokenDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "updateScmToken", "mutation", variables);
     },
-    uploadS3BucketInfo(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(UploadS3BucketInfoDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "uploadS3BucketInfo", "mutation", variables);
+    uploadS3BucketInfo(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: UploadS3BucketInfoDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "uploadS3BucketInfo", "mutation", variables);
     },
-    DigestVulnerabilityReport(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(DigestVulnerabilityReportDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "DigestVulnerabilityReport", "mutation", variables);
+    DigestVulnerabilityReport(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: DigestVulnerabilityReportDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "DigestVulnerabilityReport", "mutation", variables);
     },
-    SubmitVulnerabilityReport(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(SubmitVulnerabilityReportDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "SubmitVulnerabilityReport", "mutation", variables);
+    SubmitVulnerabilityReport(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: SubmitVulnerabilityReportDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "SubmitVulnerabilityReport", "mutation", variables);
     },
-    CreateCommunityUser(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(CreateCommunityUserDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "CreateCommunityUser", "mutation", variables);
+    CreateCommunityUser(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: CreateCommunityUserDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "CreateCommunityUser", "mutation", variables);
     },
-    CreateCliLogin(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(CreateCliLoginDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "CreateCliLogin", "mutation", variables);
+    CreateCliLogin(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: CreateCliLoginDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "CreateCliLogin", "mutation", variables);
     },
-    performCliLogin(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(PerformCliLoginDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "performCliLogin", "mutation", variables);
+    performCliLogin(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: PerformCliLoginDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "performCliLogin", "mutation", variables);
     },
-    CreateProject(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(CreateProjectDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "CreateProject", "mutation", variables);
+    CreateProject(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: CreateProjectDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "CreateProject", "mutation", variables);
     },
-    validateRepoUrl(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(ValidateRepoUrlDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "validateRepoUrl", "query", variables);
+    validateRepoUrl(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: ValidateRepoUrlDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "validateRepoUrl", "query", variables);
     },
-    gitReference(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(GitReferenceDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "gitReference", "query", variables);
+    gitReference(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GitReferenceDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "gitReference", "query", variables);
     },
-    autoPrAnalysis(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(AutoPrAnalysisDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "autoPrAnalysis", "mutation", variables);
+    autoPrAnalysis(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: AutoPrAnalysisDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "autoPrAnalysis", "mutation", variables);
     },
-    GetMCPFixes(variables, requestHeaders) {
-      return withWrapper((wrappedRequestHeaders) => client.request(GetMcpFixesDocument, variables, { ...requestHeaders, ...wrappedRequestHeaders }), "GetMCPFixes", "query", variables);
+    GetMCPFixes(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: GetMcpFixesDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetMCPFixes", "query", variables);
     }
   };
 }
@@ -1445,7 +1471,8 @@ var issueTypeMap = {
   ["WILDCARD_IMPORTS" /* WildcardImports */]: "Wildcard Imports should not be used",
   ["AVOID_IDENTITY_COMPARISON_CACHED_TYPES" /* AvoidIdentityComparisonCachedTypes */]: "Avoid Identity Comparison of Cached Types",
   ["AVOID_BUILTIN_SHADOWING" /* AvoidBuiltinShadowing */]: "Avoid Builtin Shadowing",
-  ["IMPROPER_STRING_FORMATTING" /* ImproperStringFormatting */]: "Improper String Formatting"
+  ["IMPROPER_STRING_FORMATTING" /* ImproperStringFormatting */]: "Improper String Formatting",
+  ["TAR_SLIP" /* TarSlip */]: "Tar Slip"
 };
 var issueTypeZ = z5.nativeEnum(IssueType_Enum);
 var getIssueTypeFriendlyString = (issueType) => {
@@ -1908,7 +1935,7 @@ var ConvertToSarifInputFileFormat = /* @__PURE__ */ ((ConvertToSarifInputFileFor
 var DEFUALT_ADO_ORIGIN = scmCloudUrl.Ado;
 
 // src/features/analysis/scm/ado/utils.ts
-import querystring from "node:querystring";
+import querystring from "querystring";
 import * as api from "azure-devops-node-api";
 import Debug from "debug";
 import { z as z17 } from "zod";
@@ -2178,7 +2205,8 @@ var fixDetailsData = {
   ["AVOID_IDENTITY_COMPARISON_CACHED_TYPES" /* AvoidIdentityComparisonCachedTypes */]: void 0,
   ["AVOID_BUILTIN_SHADOWING" /* AvoidBuiltinShadowing */]: void 0,
   ["IMPROPER_STRING_FORMATTING" /* ImproperStringFormatting */]: void 0,
-  ["WILDCARD_IMPORTS" /* WildcardImports */]: void 0
+  ["WILDCARD_IMPORTS" /* WildcardImports */]: void 0,
+  ["TAR_SLIP" /* TarSlip */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -4862,7 +4890,7 @@ async function getAdoRepoList({
 }
 
 // src/features/analysis/scm/ado/AdoSCMLib.ts
-import { setTimeout as setTimeout2 } from "node:timers/promises";
+import { setTimeout as setTimeout2 } from "timers/promises";
 
 // src/features/analysis/scm/scmSubmit/index.ts
 import { simpleGit } from "simple-git";
@@ -5143,7 +5171,7 @@ var AdoSCMLib = class extends SCMLib {
 };
 
 // src/features/analysis/scm/bitbucket/bitbucket.ts
-import querystring2 from "node:querystring";
+import querystring2 from "querystring";
 import * as bitbucketPkgNode from "bitbucket";
 import bitbucketPkg from "bitbucket";
 import Debug2 from "debug";
@@ -5463,7 +5491,7 @@ async function getRepositoriesByWorkspace(bitbucketClient, { workspaceSlug }) {
 }
 
 // src/features/analysis/scm/bitbucket/BitbucketSCMLib.ts
-import { setTimeout as setTimeout3 } from "node:timers/promises";
+import { setTimeout as setTimeout3 } from "timers/promises";
 import { z as z20 } from "zod";
 function getUserAndPassword(token) {
   const [username, password] = token.split(":");
@@ -6500,7 +6528,7 @@ var GithubSCMLib = class extends SCMLib {
 };
 
 // src/features/analysis/scm/gitlab/gitlab.ts
-import querystring3 from "node:querystring";
+import querystring3 from "querystring";
 import {
   createRequesterFn
 } from "@gitbeaker/requester-utils";
@@ -7206,8 +7234,8 @@ __export(utils_exports, {
 });
 
 // src/utils/dirname.ts
-import path from "node:path";
-import { fileURLToPath } from "node:url";
+import path from "path";
+import { fileURLToPath } from "url";
 function getDirName() {
   return path.dirname(fileURLToPath(import.meta.url));
 }
@@ -7216,9 +7244,9 @@ function getTopLevelDirName(fullPath) {
 }
 
 // src/utils/keypress.ts
-import readline from "node:readline";
+import readline2 from "readline";
 async function keypress() {
-  const rl = readline.createInterface({
+  const rl = readline2.createInterface({
     input: process.stdin,
     output: process.stdout
   });
@@ -7275,8 +7303,8 @@ function Spinner({ ci = false } = {}) {
 }
 
 // src/utils/check_node_version.ts
-import fs2 from "node:fs";
-import path2 from "node:path";
+import fs2 from "fs";
+import path2 from "path";
 import semver from "semver";
 function getPackageJson() {
   let manifestPath = path2.join(getDirName(), "../package.json");
@@ -7300,8 +7328,8 @@ var CliError = class extends Error {
 };
 
 // src/commands/convert_to_sarif.ts
-import AdmZip from "adm-zip";
 import multimatch from "multimatch";
+import StreamZip from "node-stream-zip";
 import tmp from "tmp";
 async function convertToSarif(options) {
   switch (options.inputFileFormat) {
@@ -7315,8 +7343,9 @@ async function convertToSarif(options) {
   }
 }
 async function convertFprToSarif(inputFilePath, outputFilePath, codePathPatterns) {
-  const zipIn = new AdmZip(inputFilePath);
-  if (!zipIn.getEntry("audit.fvdl")) {
+  const zipIn = new StreamZip.async({ file: inputFilePath });
+  const zipInEntries = await zipIn.entries();
+  if (!("audit.fvdl" in zipInEntries)) {
     throw new CliError(
       "\nError: the input file should be in a valid Fortify FPR format."
     );
@@ -7325,12 +7354,12 @@ async function convertFprToSarif(inputFilePath, outputFilePath, codePathPatterns
     unsafeCleanup: true
   });
   try {
-    zipIn.extractEntryTo("audit.fvdl", tmpObj.name);
-    const auditFvdlSaxParser = initSaxParser(
-      path3.join(tmpObj.name, "audit.fvdl")
-    );
+    const auditFvdlPath = path3.join(tmpObj.name, "audit.fvdl");
+    await zipIn.extract("audit.fvdl", auditFvdlPath);
+    const auditFvdlSaxParser = initSaxParser(auditFvdlPath);
     const vulnerabilityParser = new VulnerabilityParser(
-      auditFvdlSaxParser.parser
+      auditFvdlSaxParser.parser,
+      path3.join(tmpObj.name, "vulns.json")
     );
     const unifiedNodePoolParser = new UnifiedNodePoolParser(
       auditFvdlSaxParser.parser
@@ -7340,17 +7369,16 @@ async function convertFprToSarif(inputFilePath, outputFilePath, codePathPatterns
     );
     let auditMetadataParser = null;
     await auditFvdlSaxParser.parse();
-    if (zipIn.getEntry("audit.xml")) {
-      zipIn.extractEntryTo("audit.xml", tmpObj.name);
-      const auditXmlSaxParser = initSaxParser(
-        path3.join(tmpObj.name, "audit.xml")
-      );
+    if ("audit.xml" in zipInEntries) {
+      const auditXmlPath = path3.join(tmpObj.name, "audit.xml");
+      await zipIn.extract("audit.xml", auditXmlPath);
+      const auditXmlSaxParser = initSaxParser(auditXmlPath);
       auditMetadataParser = new AuditMetadataParser(auditXmlSaxParser.parser);
       await auditXmlSaxParser.parse();
     }
-    fs3.writeFileSync(
-      outputFilePath,
-      `{
+    await zipIn.close();
+    const writer = fs3.createWriteStream(outputFilePath);
+    writer.write(`{
   "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
   "version": "2.1.0",
   "runs": [
@@ -7361,23 +7389,26 @@ async function convertFprToSarif(inputFilePath, outputFilePath, codePathPatterns
       }
     },
     "results": [
-`
-    );
-    const filteredVulns = vulnerabilityParser.getVulnerabilities().map(
-      (vulnerability) => fortifyVulnerabilityToSarifResult(
+`);
+    let isFirstVuln = true;
+    for await (const vulnerability of vulnerabilityParser.getVulnerabilities()) {
+      const sarifResult = fortifyVulnerabilityToSarifResult(
         vulnerability,
         auditMetadataParser,
         reportMetadataParser,
         unifiedNodePoolParser
-      )
-    ).filter((sarifResult) => filterSarifResult(sarifResult, codePathPatterns));
-    filteredVulns.forEach((sarifResult, index) => {
-      fs3.appendFileSync(outputFilePath, JSON.stringify(sarifResult, null, 2));
-      if (index !== filteredVulns.length - 1) {
-        fs3.appendFileSync(outputFilePath, ",\n");
+      );
+      if (filterSarifResult(sarifResult, codePathPatterns)) {
+        if (isFirstVuln) {
+          isFirstVuln = false;
+        } else {
+          writer.write(",\n");
+        }
+        writer.write(JSON.stringify(sarifResult, null, 2));
       }
-    });
-    fs3.appendFileSync(outputFilePath, "\n]}]}");
+    }
+    writer.write("\n]}]}");
+    await new Promise((r) => writer.end(r));
   } finally {
     tmpObj.removeCallback();
   }
@@ -7451,8 +7482,8 @@ function fortifyNodesToSarifLocations(nodes, unifiedNodePoolParser) {
 import chalk2 from "chalk";
 
 // src/constants.ts
-import path4 from "node:path";
-import { fileURLToPath as fileURLToPath2 } from "node:url";
+import path4 from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
 import chalk from "chalk";
 import Debug4 from "debug";
 import * as dotenv from "dotenv";
@@ -7706,18 +7737,18 @@ import chalk10 from "chalk";
 import yargs from "yargs/yargs";
 
 // src/args/commands/analyze.ts
-import fs7 from "node:fs";
+import fs7 from "fs";
 
 // src/commands/index.ts
-import crypto from "node:crypto";
-import os from "node:os";
+import crypto from "crypto";
+import os from "os";
 
 // src/features/analysis/index.ts
-import fs6 from "node:fs";
-import fsPromises from "node:fs/promises";
-import path7 from "node:path";
-import { env as env2 } from "node:process";
-import { pipeline } from "node:stream/promises";
+import fs6 from "fs";
+import fsPromises from "fs/promises";
+import path7 from "path";
+import { env as env2 } from "process";
+import { pipeline } from "stream/promises";
 import chalk5 from "chalk";
 import Configstore from "configstore";
 import Debug18 from "debug";
@@ -8905,9 +8936,9 @@ var GQLClient = class {
 };
 
 // src/features/analysis/pack.ts
-import fs5 from "node:fs";
-import path5 from "node:path";
-import AdmZip2 from "adm-zip";
+import fs5 from "fs";
+import path5 from "path";
+import AdmZip from "adm-zip";
 import Debug13 from "debug";
 import { globby } from "globby";
 import { isBinary } from "istextorbinary";
@@ -8969,7 +9000,7 @@ async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
     dot: true
   });
   debug13("files found %d", filepaths.length);
-  const zip = new AdmZip2();
+  const zip = new AdmZip();
   debug13("compressing files");
   for (const filepath of filepaths) {
     const absFilepath = path5.join(srcDirPath, filepath.toString());
@@ -8999,8 +9030,8 @@ async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
 }
 async function repackFpr(fprPath) {
   debug13("repack fpr file %s", fprPath);
-  const zipIn = new AdmZip2(fprPath);
-  const zipOut = new AdmZip2();
+  const zipIn = new AdmZip(fprPath);
+  const zipOut = new AdmZip();
   const mappingXML = zipIn.readAsText("src-archive/index.xml", "utf-8");
   const filesMapping = FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA.parse(
     await parseStringPromise(mappingXML)
@@ -9082,14 +9113,14 @@ async function snykArticlePrompt() {
 }
 
 // src/features/analysis/scanners/checkmarx.ts
-import { createRequire } from "node:module";
+import { createRequire } from "module";
 
 // src/post_install/constants.mjs
 var cxOperatingSystemSupportMessage = `Your operating system does not support checkmarx.
   You can see the list of supported operating systems here: https://github.com/Checkmarx/ast-cli#releases`;
 
 // src/utils/child_process.ts
-import cp from "node:child_process";
+import cp from "child_process";
 import Debug14 from "debug";
 import * as process2 from "process";
 function createFork({ args, processPath, name }, options) {
@@ -9258,7 +9289,7 @@ async function validateCheckamxCredentials() {
 }
 
 // src/features/analysis/scanners/snyk.ts
-import { createRequire as createRequire2 } from "node:module";
+import { createRequire as createRequire2 } from "module";
 import chalk4 from "chalk";
 import Debug16 from "debug";
 import { createSpinner as createSpinner3 } from "nanospinner";
@@ -10662,8 +10693,8 @@ var GitService = class {
 };
 
 // src/mcp/services/PathValidation.ts
-import fs8 from "node:fs";
-import path10 from "node:path";
+import fs8 from "fs";
+import path10 from "path";
 var PathValidation = class {
   /**
    * Validates a path for MCP usage - combines security and existence checks
@@ -10707,9 +10738,9 @@ var PathValidation = class {
 };
 
 // src/mcp/services/FilePacking.ts
-import fs9 from "node:fs";
-import path11 from "node:path";
-import AdmZip3 from "adm-zip";
+import fs9 from "fs";
+import path11 from "path";
+import AdmZip2 from "adm-zip";
 import { isBinary as isBinary2 } from "istextorbinary";
 var MAX_FILE_SIZE2 = 1024 * 1024 * 5;
 var EXCLUDED_FILE_PATTERNS = [
@@ -10895,7 +10926,7 @@ var FilePacking = class {
   }
   async packFiles(sourceDirectoryPath, filesToPack) {
     logInfo(`FilePacking: packing files from ${sourceDirectoryPath}`);
-    const zip = new AdmZip3();
+    const zip = new AdmZip2();
     let packedFilesCount = 0;
     logInfo("FilePacking: compressing files");
     for (const filepath of filesToPack) {
@@ -11739,7 +11770,7 @@ var mcpHandler = async (_args) => {
 };
 
 // src/args/commands/review.ts
-import fs10 from "node:fs";
+import fs10 from "fs";
 import chalk9 from "chalk";
 function reviewBuilder(yargs2) {
   return yargs2.option("f", {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.0.87",
+  "version": "1.0.90",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.js",
@@ -55,7 +55,7 @@
     "chalk-animation": "2.0.3",
     "configstore": "6.0.0",
     "cross-fetch": "4.1.0",
-    "debug": "4.4.0",
+    "debug": "4.4.1",
     "dotenv": "16.5.0",
     "extract-zip": "2.0.1",
     "globby": "14.1.0",
@@ -71,26 +71,27 @@
     "multimatch": "7.0.0",
     "nanospinner": "1.1.0",
     "node-fetch": "3.3.2",
+    "node-stream-zip": "1.15.0",
     "octokit": "3.2.1",
     "open": "8.4.2",
     "parse-diff": "0.11.1",
     "sax": "1.4.1",
-    "semver": "7.7.1",
+    "semver": "7.7.2",
     "simple-git": "3.27.0",
-    "snyk": "1.1296.2",
+    "snyk": "1.1297.1",
     "tar": "6.2.1",
     "tmp": "0.2.3",
-    "undici": "6.21.1",
+    "undici": "6.21.3",
     "uuid": "11.1.0",
     "ws": "8.18.2",
     "xml2js": "0.6.2",
     "yargs": "17.7.2",
-    "zod": "3.24.4"
+    "zod": "3.25.36"
   },
   "devDependencies": {
     "@graphql-codegen/cli": "5.0.6",
     "@graphql-codegen/typescript": "4.1.6",
-    "@graphql-codegen/typescript-graphql-request": "6.2.0",
+    "@graphql-codegen/typescript-graphql-request": "6.3.0",
     "@graphql-codegen/typescript-operations": "4.6.1",
     "@octokit/types": "13.10.0",
     "@types/adm-zip": "0.5.7",
@@ -108,18 +109,19 @@
     "@types/yargs": "17.0.33",
     "@typescript-eslint/eslint-plugin": "7.17.0",
     "@typescript-eslint/parser": "7.17.0",
-    "@vitest/coverage-istanbul": "3.1.3",
-    "@vitest/ui": "3.1.3",
+    "@vitest/coverage-istanbul": "3.1.4",
+    "@vitest/ui": "3.1.4",
     "eslint": "8.57.0",
     "eslint-plugin-import": "2.31.0",
     "eslint-plugin-prettier": "5.4.0",
     "eslint-plugin-simple-import-sort": "10.0.0",
-    "msw": "2.7.6",
+    "msw": "2.8.5",
     "nock": "14.0.4",
+    "pino-pretty": "13.0.0",
     "prettier": "3.5.3",
-    "tsup": "8.4.0",
+    "tsup": "8.5.0",
     "typescript": "4.9.5",
-    "vitest": "3.1.3"
+    "vitest": "3.1.4"
   },
   "engines": {
     "node": ">=18.20.4"