fix: race condition where artifacts from late resolving flights could be silently dropped

Author: billxinli

bun.lock

@@ -12,7 +12,7 @@ export default function (apiKey: string): ScannerImplementation {
   return createScanner({
     maxSending: 30,
     maxBatchLength: 1,
-    fetchStrategy: async (purls, artifacts) => {
+    fetchStrategy: async (purls) => {
       const body = JSON.stringify({
         components: purls.map(purl => ({ purl }))
       } satisfies SocketBatchEndpointBody)
@@ -33,7 +33,7 @@ export default function (apiKey: string): ScannerImplementation {
 
       const data = await res.text()
 
-      artifacts.push(...data.split('\n').filter(Boolean).map(line => JSON.parse(line)))
+      return data.split('\n').filter(Boolean).map(line => JSON.parse(line))
     }
   })
 }

src/modes/authenticated.ts

@@ -1,13 +1,14 @@
-import type { ScannerImplementation } from '../types'
+import type { ScannerImplementation, SocketArtifact } from '../types'
 import { createScanner } from '../scanner-factory'
 import { userAgent } from './user-agent'
 
 export default function (): ScannerImplementation {
   return createScanner({
     maxSending: 20,
     maxBatchLength: 50,
-    fetchStrategy: async (purls, artifacts) => {
+    fetchStrategy: async (purls) => {
       const urls = purls.map(purl => `https://firewall-api.socket.dev/purl/${encodeURIComponent(purl)}`)
+      const results: SocketArtifact[] = []
       await Promise.all(urls.map(async url => {
         const res = await fetch(url, {
           headers: {
@@ -18,8 +19,9 @@ export default function (): ScannerImplementation {
           throw new Error(`Socket Security Scanner: Received ${res.status} from server`)
         }
         const data = await res.text()
-        artifacts.push(...data.split('\n').filter(Boolean).map(line => JSON.parse(line)))
+        results.push(...data.split('\n').filter(Boolean).map(line => JSON.parse(line)))
       }))
+      return results
     }
   })
 }

src/modes/unauthenticated.ts

@@ -3,36 +3,38 @@ import type { SocketArtifact, ScannerImplementation } from './types'
 type ScannerConfig = {
   maxSending: number
   maxBatchLength: number
-  fetchStrategy: (purls: string[], artifacts: SocketArtifact[]) => Promise<void>
+  fetchStrategy: (purls: string[]) => Promise<SocketArtifact[]>
 }
 
 export function createScanner({ maxSending, maxBatchLength, fetchStrategy }: ScannerConfig): ScannerImplementation {
   return async function*(packages) {
     let artifacts: SocketArtifact[] = []
     let batch: Bun.Security.Package[] = []
-    let in_flight = 0
+    let inFlight = 0
 
     const pending: Set<Promise<void>> = new Set()
 
     async function startFlight() {
       const purls = batch.map(p => `pkg:npm/${p.name}@${p.version}`)
       batch = []
-      in_flight += purls.length
+      inFlight += purls.length
 
-      if (in_flight >= maxSending) {
+      if (inFlight >= maxSending) {
         if (pending.size !== 0) {
           await Promise.race([...pending])
         } else {
           // bug if we get here
         }
       }
 
-      const flight = fetchStrategy(purls, artifacts)
+      const flight = fetchStrategy(purls).then(results => {
+        artifacts.push(...results)
+      })
 
       pending.add(flight)
 
       flight.finally(() => {
-        in_flight -= purls.length
+        inFlight -= purls.length
         pending.delete(flight)
       })
     }