muaddib-scanner 2.10.84 → 2.10.85

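--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "muaddib-scanner",
-"version": "2.10.84",
+"version": "2.10.85",
 "description": "Supply-chain threat detection & response for npm & PyPI/Python",
 "main": "src/index.js",
 "bin": {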
@@ -37,11 +37,14 @@ const TIMEOUT_RATE_MIN_SAMPLES = 20;
37
37
  let _prevScanned = 0;
38
38
  let _prevTimeouts = 0;
39
39
 
40
- // Throughput plateau detection: if we scaled up but throughput didn't increase,
41
- // we've hit I/O saturation (npm registry rate limiting, disk contention).
42
- // More workers would make it worsescale back instead.
40
+ // Throughput plateau detection: if we scaled up but throughput didn't increase
41
+ // over MULTIPLE consecutive windows, we've hit I/O saturation.
42
+ // Requires 2 consecutive flat windows to trigger a single 30s window has too
43
+ // much variance from sandbox timeouts (90-270s) to be reliable.
43
44
  let _prevThroughput = 0;
44
45
  let _lastScaleDirection = 0; // +1 = scaled up, -1 = scaled down, 0 = stable
46
+ let _plateauStreak = 0; // consecutive windows where throughput didn't improve after scale-up
47
+ const PLATEAU_STREAK_REQUIRED = 2; // must see flat throughput N times before triggering
45
48
 
46
49
  /**
47
50
  * Compute new target concurrency from system signals.
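Review bot: The new header comment hard-codes "Requires 2 consecutive flat windows" while the same hunk introduces `PLATEAU_STREAK_REQUIRED` as the single source of that number, so the comment will drift the first time the constant is tuned; the line also lost its dash, so "to trigger a single 30s window" reads as one clause. I would write it as `// Requires PLATEAU_STREAK_REQUIRED consecutive flat windows to trigger — a single 30s window has too` followed by the existing variance sentence. The `_plateauStreak` counter is module-level mutable state like the other `_prev*` trackers, so the reset added to `resetDeltas` further down is the right place to clear it.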
@@ -85,16 +88,24 @@ function computeTarget(current, queueDepth, stats) {
85
88
  return { target, reason: `high_timeout_rate (${(timeoutRate * 100).toFixed(0)}%, ${timeoutDelta}/${scannedDelta})` };
86
89
  }
87
90
 
88
- // Priority 3: Throughput plateau — scaled up last tick but throughput flat/down.
89
- // This catches I/O saturation: more workers = more concurrent HTTP to npm registry
90
- // = rate limiting + contention = scan times 10s→90s = throughput drops.
91
- // Scale back instead of continuing to add workers.
91
+ // Priority 3: Throughput plateau — scaled up recently but throughput flat/down.
92
+ // Requires PLATEAU_STREAK_REQUIRED consecutive flat windows to trigger.
93
+ // A single bad window (sandbox timeout finishing in wrong 30s slot) is noise, not saturation.
92
94
  if (_lastScaleDirection > 0 && _prevThroughput > 0 && scannedDelta > 0 && scannedDelta <= _prevThroughput) {
93
- const prevTp = _prevThroughput;
95
+ _plateauStreak++;
96
+ if (_plateauStreak >= PLATEAU_STREAK_REQUIRED) {
97
+ const prevTp = _prevThroughput;
98
+ _prevThroughput = scannedDelta;
99
+ _lastScaleDirection = -1;
100
+ _plateauStreak = 0;
101
+ return { target: clamp(current - 2), reason: `throughput_plateau (${prevTp}→${scannedDelta} scans/30s × ${PLATEAU_STREAK_REQUIRED} windows)` };
102
+ }
103
+ // Not enough consecutive flat windows yet — keep current level, don't scale up further
94
104
  _prevThroughput = scannedDelta;
95
- _lastScaleDirection = -1;
96
- return { target: clamp(current - 2), reason: `throughput_plateau (${prevTp}→${scannedDelta} scans/30s, more workers didn't help)` };
105
+ return { target: current, reason: `plateau_warning (${_plateauStreak}/${PLATEAU_STREAK_REQUIRED}, ${scannedDelta} scans/30s)` };
97
106
  }
107
+ // Throughput improved or no scale-up context — reset streak
108
+ _plateauStreak = 0;
98
109
 
99
110
  // Priority 4: Queue depth — scale up for backlog, down toward base when idle
100
111
  if (queueDepth > QUEUE_BACKLOG_THRESHOLD) {
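Review bot: The `plateau_warning` branch overwrites `_prevThroughput` with the flat window's count (the `_prevThroughput = scannedDelta;` just before the `plateau_warning` return), so the second window is compared against the already-lowered value rather than the pre-scale-up throughput the comment above the block describes; with a noisy series such as 10 → 8 → 9 the streak resets on the 9 even though throughput never recovered, and 10 → 8 → 8 fires on a window-over-window tie rather than a sustained drop from 10. If the intent is "flat relative to the level before the scale-up", drop that assignment in the warning branch and let only the triggering branch (and the scale-up path, which is outside this hunk) refresh it. The streak also depends on `_lastScaleDirection` staying at +1 across a window that returned `target: current`; if the caller or the priority-4 path below resets it to 0 on a stable result, the outer condition fails on the next tick, the `_plateauStreak = 0` after the block runs, and the plateau can never reach `PLATEAU_STREAK_REQUIRED` — worth a unit test feeding two consecutive flat windows and asserting `throughput_plateau`. `computeTarget` starts before this hunk and continues after it.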
@@ -128,6 +139,7 @@ function resetDeltas() {
128
139
  _prevTimeouts = 0;
129
140
  _prevThroughput = 0;
130
141
  _lastScaleDirection = 0;
142
+ _plateauStreak = 0;
131
143
  }
132
144
 
133
145
  module.exports = {