npm - muaddib-scanner - Versions diffs - 2.10.18 → 2.10.19 - Mend

muaddib-scanner 2.10.18 → 2.10.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/src/scanner/npm-registry.js +17 -3
package/src/temporal-analysis.js +59 -6

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.18",
+  "version": "2.10.19",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/scanner/npm-registry.js CHANGED Viewed

@@ -79,9 +79,23 @@ async function getPackageMetadata(packageName) {
   // Validate package name before building URL
   if (!NPM_PACKAGE_REGEX.test(packageName)) return null;
-  // 1. Registry metadata
-  const registryUrl = REGISTRY_URL + '/' + encodeURIComponent(packageName);
-  const meta = await fetchWithRetry(registryUrl);
+  // 1. Registry metadata — read from temporal-analysis cache if warm (monitor pipeline
+  // pre-fetches metadata for temporal checks). Only reads the Map, never fires HTTP.
+  // Falls back to own fetchWithRetry (with retries + 429 handling) on cache miss.
+  let meta = null;
+  try {
+    const { _metadataCache, METADATA_CACHE_TTL } = require('../temporal-analysis.js');
+    const cached = _metadataCache.get(packageName);
+    if (cached && (Date.now() - cached.fetchedAt) < METADATA_CACHE_TTL) {
+      meta = cached.data;
+    }
+  } catch {
+    // temporal-analysis not available — fall through to fetchWithRetry
+  }
+  if (!meta) {
+    const registryUrl = REGISTRY_URL + '/' + encodeURIComponent(packageName);
+    meta = await fetchWithRetry(registryUrl);
+  }
   if (!meta) return null;
   const createdAt = meta.time?.created || null;

package/src/temporal-analysis.js CHANGED Viewed

@@ -4,6 +4,13 @@ const REGISTRY_URL = 'https://registry.npmjs.org';
 const TIMEOUT_MS = 10_000;
 const MAX_RESPONSE_SIZE = 50 * 1024 * 1024; // 50MB (some packages have lots of versions)
+// Metadata cache: avoids duplicate HTTP requests when multiple temporal modules
+// fetch the same package metadata within a short window (monitor pipeline).
+const _metadataCache = new Map(); // packageName → { data, fetchedAt }
+const _inflightRequests = new Map(); // packageName → Promise
+const METADATA_CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+const METADATA_CACHE_MAX = 200;
 const LIFECYCLE_SCRIPTS = [
   'preinstall',
   'install',
@@ -16,11 +23,10 @@ const LIFECYCLE_SCRIPTS = [
 ];
 /**
- * Fetch full package metadata from the npm registry.
- * @param {string} packageName - npm package name (scoped or unscoped)
- * @returns {Promise<object>} Full registry metadata (versions, time, maintainers, etc.)
+ * Raw HTTP fetch — always hits the npm registry. Use fetchPackageMetadata() instead,
+ * which adds caching and inflight dedup.
  */
-function fetchPackageMetadata(packageName) {
+function _fetchPackageMetadataImpl(packageName) {
   const encodedName = encodeURIComponent(packageName).replace('%40', '@');
   const url = `${REGISTRY_URL}/${encodedName}`;
   const urlObj = new URL(url);
@@ -68,7 +74,15 @@ function fetchPackageMetadata(packageName) {
       res.on('end', () => {
         if (destroyed) return;
         try {
-          resolve(JSON.parse(data));
+          const parsed = JSON.parse(data);
+          // Store in cache on successful fetch
+          if (_metadataCache.size >= METADATA_CACHE_MAX) {
+            // Evict oldest entry
+            const oldestKey = _metadataCache.keys().next().value;
+            _metadataCache.delete(oldestKey);
+          }
+          _metadataCache.set(packageName, { data: parsed, fetchedAt: Date.now() });
+          resolve(parsed);
         } catch (e) {
           reject(new Error(`Invalid JSON from registry for ${packageName}: ${e.message}`));
         }
@@ -88,6 +102,39 @@ function fetchPackageMetadata(packageName) {
   });
 }
+/**
+ * Fetch full package metadata from the npm registry with caching and inflight dedup.
+ * Multiple callers requesting the same package within 5 minutes share one HTTP request.
+ * @param {string} packageName - npm package name (scoped or unscoped)
+ * @returns {Promise<object>} Full registry metadata (versions, time, maintainers, etc.)
+ */
+function fetchPackageMetadata(packageName) {
+  // Check cache first (TTL-based)
+  const cached = _metadataCache.get(packageName);
+  if (cached && (Date.now() - cached.fetchedAt) < METADATA_CACHE_TTL) {
+    return Promise.resolve(cached.data);
+  }
+  // Dedup inflight requests — if the same package is already being fetched, reuse that Promise
+  if (_inflightRequests.has(packageName)) {
+    return _inflightRequests.get(packageName);
+  }
+  const promise = _fetchPackageMetadataImpl(packageName).finally(() => {
+    _inflightRequests.delete(packageName);
+  });
+  _inflightRequests.set(packageName, promise);
+  return promise;
+}
+/**
+ * Clear the metadata cache. Exported for tests and monitor reset.
+ */
+function clearMetadataCache() {
+  _metadataCache.clear();
+  _inflightRequests.clear();
+}
 /**
  * Extract lifecycle scripts from a package.json object.
  * @param {object} packageJson - A package.json object (or a version entry from registry metadata)
@@ -253,8 +300,14 @@ async function detectSuddenLifecycleChange(packageName) {
 module.exports = {
   fetchPackageMetadata,
+  clearMetadataCache,
   getLifecycleScripts,
   compareLifecycleScripts,
   getLatestVersions,
-  detectSuddenLifecycleChange
+  detectSuddenLifecycleChange,
+  // Exposed for tests only
+  _metadataCache,
+  _inflightRequests,
+  METADATA_CACHE_TTL,
+  METADATA_CACHE_MAX
 };