fix: limit concurrent requests

Author: danielroe

app/composables/useNpmRegistry.ts

@@ -9,6 +9,7 @@ import type {
   PackageVersionInfo,
 } from '#shared/types'
 import type { ReleaseType } from 'semver'
+import { mapWithConcurrency } from '#shared/utils/async'
 import { maxSatisfying, prerelease, major, minor, diff, gt, compare } from 'semver'
 import { isExactVersion } from '~/utils/versions'
 import { extractInstallScriptsInfo } from '~/utils/install-scripts'
@@ -546,34 +547,28 @@ export function useOrgPackages(orgName: MaybeRefOrGetter<string>) {
 
       // Fetch packuments and downloads in parallel
       const [packuments, downloads] = await Promise.all([
-        // Fetch packuments in parallel (with concurrency limit)
+        // Fetch packuments with concurrency limit
         (async () => {
-          const concurrency = 10
-          const results: MinimalPackument[] = []
-          for (let i = 0; i < packageNames.length; i += concurrency) {
-            const batch = packageNames.slice(i, i + concurrency)
-            const batchResults = await Promise.all(
-              batch.map(async name => {
-                try {
-                  const encoded = encodePackageName(name)
-                  const { data: pkg } = await cachedFetch<MinimalPackument>(
-                    `${NPM_REGISTRY}/${encoded}`,
-                    { signal },
-                  )
-                  return pkg
-                } catch {
-                  return null
-                }
-              }),
-            )
-            for (const pkg of batchResults) {
-              // Filter out any unpublished packages (missing dist-tags)
-              if (pkg && pkg['dist-tags']) {
-                results.push(pkg)
+          const results = await mapWithConcurrency(
+            packageNames,
+            async name => {
+              try {
+                const encoded = encodePackageName(name)
+                const { data: pkg } = await cachedFetch<MinimalPackument>(
+                  `${NPM_REGISTRY}/${encoded}`,
+                  { signal },
+                )
+                return pkg
+              } catch {
+                return null
               }
-            }
-          }
-          return results
+            },
+            10,
+          )
+          // Filter out any unpublished packages (missing dist-tags)
+          return results.filter(
+            (pkg): pkg is MinimalPackument => pkg !== null && !!pkg['dist-tags'],
+          )
         })(),
         // Fetch downloads in bulk
         fetchBulkDownloads(packageNames, { signal }),
@@ -772,23 +767,20 @@ export function useOutdatedDependencies(
       return
     }
 
-    const results: Record<string, OutdatedDependencyInfo> = {}
     const entries = Object.entries(deps)
-    const batchSize = 5
-
-    for (let i = 0; i < entries.length; i += batchSize) {
-      const batch = entries.slice(i, i + batchSize)
-      const batchResults = await Promise.all(
-        batch.map(async ([name, constraint]) => {
-          const info = await checkDependencyOutdated(cachedFetch, name, constraint)
-          return [name, info] as const
-        }),
-      )
+    const batchResults = await mapWithConcurrency(
+      entries,
+      async ([name, constraint]) => {
+        const info = await checkDependencyOutdated(cachedFetch, name, constraint)
+        return [name, info] as const
+      },
+      5,
+    )
 
-      for (const [name, info] of batchResults) {
-        if (info) {
-          results[name] = info
-        }
+    const results: Record<string, OutdatedDependencyInfo> = {}
+    for (const [name, info] of batchResults) {
+      if (info) {
+        results[name] = info
       }
     }
 

server/utils/dependency-analysis.ts

@@ -9,8 +9,12 @@ import type {
   VulnerabilityTreeResult,
   DeprecatedPackageInfo,
 } from '#shared/types/dependency-analysis'
+import { mapWithConcurrency } from '#shared/utils/async'
 import { resolveDependencyTree } from './dependency-resolver'
 
+/** Maximum concurrent requests for fetching vulnerability details */
+const OSV_DETAIL_CONCURRENCY = 25
+
 /** Package info needed for OSV queries */
 interface PackageQueryInfo {
   name: string
@@ -47,6 +51,15 @@ async function queryOsvBatch(
       if (result?.vulns && result.vulns.length > 0) {
         vulnerableIndices.push(i)
       }
+      // Warn if pagination token present (>1000 vulns for single query or >3000 total)
+      // This is extremely unlikely for npm packages but log for visibility
+      if (result?.next_page_token) {
+        // oxlint-disable-next-line no-console -- warn about paginated results
+        console.warn(
+          `[dep-analysis] OSV batch result has pagination token for package index ${i} ` +
+            `(${packages[i]?.name}@${packages[i]?.version}) - some vulnerabilities may be missing`,
+        )
+      }
     }
 
     return { vulnerableIndices, failed: false }
@@ -199,10 +212,10 @@ export const analyzeDependencyTree = defineCachedFunction(
     if (!batchFailed && vulnerableIndices.length > 0) {
       // Step 2: Fetch full vulnerability details only for packages with vulns
       // This is typically a small fraction of total packages
-      const vulnerablePackageInfos = vulnerableIndices.map(i => packages[i]!)
-
-      const detailResults = await Promise.all(
-        vulnerablePackageInfos.map(pkg => queryOsvDetails(pkg)),
+      const detailResults = await mapWithConcurrency(
+        vulnerableIndices,
+        i => queryOsvDetails(packages[i]!),
+        OSV_DETAIL_CONCURRENCY,
       )
 
       for (const result of detailResults) {

server/utils/dependency-resolver.ts

@@ -1,6 +1,10 @@
 import type { Packument, PackumentVersion, DependencyDepth } from '#shared/types'
+import { mapWithConcurrency } from '#shared/utils/async'
 import { maxSatisfying } from 'semver'
 
+/** Concurrency limit for fetching packuments during dependency resolution */
+const PACKUMENT_FETCH_CONCURRENCY = 20
+
 /**
  * Target platform for dependency resolution.
  * We resolve for linux-x64 with glibc as a representative platform.
@@ -142,63 +146,61 @@ export async function resolveDependencyTree(
       seen.add(name)
     }
 
-    // Process current level in batches
+    // Process current level with concurrency limit
     const entries = [...currentLevel.entries()]
-    for (let i = 0; i < entries.length; i += 20) {
-      const batch = entries.slice(i, i + 20)
-
-      await Promise.all(
-        batch.map(async ([name, { range, optional, path }]) => {
-          const packument = await fetchPackument(name)
-          if (!packument) return
+    await mapWithConcurrency(
+      entries,
+      async ([name, { range, optional, path }]) => {
+        const packument = await fetchPackument(name)
+        if (!packument) return
 
-          const versions = Object.keys(packument.versions)
-          const version = resolveVersion(range, versions)
-          if (!version) return
+        const versions = Object.keys(packument.versions)
+        const version = resolveVersion(range, versions)
+        if (!version) return
 
-          const versionData = packument.versions[version]
-          if (!versionData) return
+        const versionData = packument.versions[version]
+        if (!versionData) return
 
-          if (!matchesPlatform(versionData)) return
+        if (!matchesPlatform(versionData)) return
 
-          const size = (versionData.dist as { unpackedSize?: number })?.unpackedSize ?? 0
-          const key = `${name}@${version}`
+        const size = (versionData.dist as { unpackedSize?: number })?.unpackedSize ?? 0
+        const key = `${name}@${version}`
 
-          // Build path for this package (path to parent + this package with version)
-          const currentPath = [...path, `${name}@${version}`]
+        // Build path for this package (path to parent + this package with version)
+        const currentPath = [...path, `${name}@${version}`]
 
-          if (!resolved.has(key)) {
-            const pkg: ResolvedPackage = { name, version, size, optional }
-            if (options.trackDepth) {
-              pkg.depth = level === 0 ? 'root' : level === 1 ? 'direct' : 'transitive'
-              pkg.path = currentPath
-            }
-            if (versionData.deprecated) {
-              pkg.deprecated = versionData.deprecated
-            }
-            resolved.set(key, pkg)
+        if (!resolved.has(key)) {
+          const pkg: ResolvedPackage = { name, version, size, optional }
+          if (options.trackDepth) {
+            pkg.depth = level === 0 ? 'root' : level === 1 ? 'direct' : 'transitive'
+            pkg.path = currentPath
           }
-
-          // Collect dependencies for next level
-          if (versionData.dependencies) {
-            for (const [depName, depRange] of Object.entries(versionData.dependencies)) {
-              if (!seen.has(depName) && !nextLevel.has(depName)) {
-                nextLevel.set(depName, { range: depRange, optional: false, path: currentPath })
-              }
+          if (versionData.deprecated) {
+            pkg.deprecated = versionData.deprecated
+          }
+          resolved.set(key, pkg)
+        }
+
+        // Collect dependencies for next level
+        if (versionData.dependencies) {
+          for (const [depName, depRange] of Object.entries(versionData.dependencies)) {
+            if (!seen.has(depName) && !nextLevel.has(depName)) {
+              nextLevel.set(depName, { range: depRange, optional: false, path: currentPath })
             }
           }
+        }
 
-          // Collect optional dependencies
-          if (versionData.optionalDependencies) {
-            for (const [depName, depRange] of Object.entries(versionData.optionalDependencies)) {
-              if (!seen.has(depName) && !nextLevel.has(depName)) {
-                nextLevel.set(depName, { range: depRange, optional: true, path: currentPath })
-              }
+        // Collect optional dependencies
+        if (versionData.optionalDependencies) {
+          for (const [depName, depRange] of Object.entries(versionData.optionalDependencies)) {
+            if (!seen.has(depName) && !nextLevel.has(depName)) {
+              nextLevel.set(depName, { range: depRange, optional: true, path: currentPath })
             }
           }
-        }),
-      )
-    }
+        }
+      },
+      PACKUMENT_FETCH_CONCURRENCY,
+    )
 
     currentLevel = nextLevel
     level++

shared/utils/async.ts

@@ -0,0 +1,37 @@
+/**
+ * Async utilities for controlled concurrency and parallel execution.
+ */
+
+/**
+ * Map over an array with limited concurrency.
+ * Similar to Promise.all but limits how many promises run simultaneously.
+ *
+ * @param items - Array of items to process
+ * @param fn - Async function to apply to each item
+ * @param concurrency - Maximum number of concurrent operations (default: 10)
+ * @returns Array of results in the same order as input
+ *
+ * @example
+ * const results = await mapWithConcurrency(urls, fetchUrl, 5)
+ */
+export async function mapWithConcurrency<T, R>(
+  items: T[],
+  fn: (item: T, index: number) => Promise<R>,
+  concurrency = 10,
+): Promise<R[]> {
+  const results: R[] = Array.from({ length: items.length }) as R[]
+  let currentIndex = 0
+
+  async function worker(): Promise<void> {
+    while (currentIndex < items.length) {
+      const index = currentIndex++
+      results[index] = await fn(items[index]!, index)
+    }
+  }
+
+  // Start workers up to concurrency limit
+  const workers = Array.from({ length: Math.min(concurrency, items.length) }, () => worker())
+  await Promise.all(workers)
+
+  return results
+}

test/unit/shared/utils/async.spec.ts

@@ -0,0 +1,95 @@
+import { describe, expect, it, vi } from 'vitest'
+import { mapWithConcurrency } from '../../../../shared/utils/async'
+
+describe('mapWithConcurrency', () => {
+  it('processes all items and returns results in order', async () => {
+    const items = [1, 2, 3, 4, 5]
+    const results = await mapWithConcurrency(items, async x => x * 2)
+
+    expect(results).toEqual([2, 4, 6, 8, 10])
+  })
+
+  it('respects concurrency limit', async () => {
+    let concurrent = 0
+    let maxConcurrent = 0
+
+    const items = Array.from({ length: 10 }, (_, i) => i)
+
+    await mapWithConcurrency(
+      items,
+      async () => {
+        concurrent++
+        maxConcurrent = Math.max(maxConcurrent, concurrent)
+        await new Promise(resolve => setTimeout(resolve, 10))
+        concurrent--
+      },
+      3,
+    )
+
+    expect(maxConcurrent).toBe(3)
+  })
+
+  it('handles empty array', async () => {
+    const results = await mapWithConcurrency([], async x => x)
+    expect(results).toEqual([])
+  })
+
+  it('handles single item', async () => {
+    const results = await mapWithConcurrency([42], async x => x * 2)
+    expect(results).toEqual([84])
+  })
+
+  it('passes index to callback', async () => {
+    const items = ['a', 'b', 'c']
+    const results = await mapWithConcurrency(items, async (item, index) => `${item}${index}`)
+
+    expect(results).toEqual(['a0', 'b1', 'c2'])
+  })
+
+  it('propagates errors', async () => {
+    const items = [1, 2, 3]
+    const fn = vi.fn(async (x: number) => {
+      if (x === 2) throw new Error('test error')
+      return x
+    })
+
+    await expect(mapWithConcurrency(items, fn)).rejects.toThrow('test error')
+  })
+
+  it('uses default concurrency of 10', async () => {
+    let concurrent = 0
+    let maxConcurrent = 0
+
+    const items = Array.from({ length: 20 }, (_, i) => i)
+
+    await mapWithConcurrency(items, async () => {
+      concurrent++
+      maxConcurrent = Math.max(maxConcurrent, concurrent)
+      await new Promise(resolve => setTimeout(resolve, 5))
+      concurrent--
+    })
+
+    expect(maxConcurrent).toBe(10)
+  })
+
+  it('handles fewer items than concurrency limit', async () => {
+    let concurrent = 0
+    let maxConcurrent = 0
+
+    const items = [1, 2, 3]
+
+    await mapWithConcurrency(
+      items,
+      async () => {
+        concurrent++
+        maxConcurrent = Math.max(maxConcurrent, concurrent)
+        await new Promise(resolve => setTimeout(resolve, 10))
+        concurrent--
+      },
+      10,
+    )
+
+    // Should only have 3 concurrent since we only have 3 items
+    expect(maxConcurrent).toBe(3)
+  })
+})