fix: comprehensive quality scan fixes across codebase (#111)

Critical fixes:
- process-lock: atomic mkdir without recursive to prevent TOCTOU race
- http-request: add res.on('error') handler to prevent hanging promises
- dlx/manifest: atomic writes via renameSync in all write paths
- promise-queue: clear() rejects pending tasks, event-driven onIdle()

Security fixes:
- json-parser: deep prototype pollution check via JSON.parse reviver
- esbuild-config: bundle shared deps inline (no extraneous devDeps in dist)

Bug fixes:
- abort: use AbortSignal.timeout() to prevent timer leaks
- cache-with-ttl: guard JSON.parse for corrupted cache entries
- isolation: wrap JSON.parse with file-path context in error
- memoization: fix expired entry cleanup, implement clearAllCaches,
  prevent thundering herd in memoizeAsync, fix memoizeWeak undefined
- ansi: fix ST pattern to correctly separate BEL|ESC\|0x9C
- argv/parse: remove ambiguous short-flag inference from hasFlag
- progress: guard division by zero when total=0
- promise-queue: maxQueueLength check uses !== undefined
- promises: pRetry captures latest error instead of first
- github: remove double JSON.stringify/parse in cacheFetchGhsa
- ipc: unref waitForIpc timer to prevent blocking exit

Script fixes:
- fix/commonjs-exports, fix/path-aliases, test/filter: fix parent
  directory traversal (off-by-one in __dirname resolution)
- test/main: deduplicate NODE_OPTIONS in runIsolatedTests
- test/cover: clean exit on build failure
- validate/no-extraneous-deps: add .catch() on main()
- orchestrator: use logger instead of console.log
- esbuild-config: remove console from drop list, add node18 comment

Author: jdalton

scripts/build-externals/esbuild-config.mjs

@@ -177,21 +177,6 @@ function createStubPlugin(stubMap = STUB_MAP) {
   }
 }
 
-// Shared dependencies that exist as standalone bundle files in dist/external/.
-// These must be marked external in bundles that would otherwise inline them,
-// so that at runtime they resolve to the existing bundle wrappers.
-const SHARED_EXTERNAL_DEPS = [
-  'debug',
-  'has-flag',
-  'p-map',
-  'signal-exit',
-  'spdx-correct',
-  'spdx-expression-parse',
-  'supports-color',
-  'which',
-  'yoctocolors-cjs',
-]
-
 /**
  * Get package-specific esbuild options.
  *
@@ -209,12 +194,6 @@ export function getPackageSpecificOptions(packageName) {
   } else if (packageName === 'zod') {
     // Zod has localization files we don't need.
     opts.external = [...(opts.external || []), './locales/*']
-  } else if (packageName === 'debug') {
-    // Mark supports-color as external - it exists as a standalone bundle wrapper.
-    opts.external = [...(opts.external || []), 'supports-color']
-  } else if (packageName === 'pico-pack') {
-    // Mark p-map as external - it has its own standalone bundle.
-    opts.external = [...(opts.external || []), 'p-map']
   } else if (packageName === 'external-pack') {
     // Inquirer packages have heavy dependencies we can exclude.
     opts.external = [...(opts.external || []), 'rxjs/operators']
@@ -223,10 +202,6 @@ export function getPackageSpecificOptions(packageName) {
     opts.footer = {
       js: 'if (module.exports && module.exports.default && Object.keys(module.exports).length === 1) { module.exports = module.exports.default; }',
     }
-  } else if (packageName === 'npm-pack') {
-    // Mark shared deps as external - they exist as standalone bundle wrappers.
-    // This eliminates ~100KB of duplication in the npm-pack bundle.
-    opts.external = [...(opts.external || []), ...SHARED_EXTERNAL_DEPS]
   } else if (packageName === '@socketregistry/packageurl-js') {
     // packageurl-js imports from socket-lib, creating a circular dependency.
     // Mark socket-lib imports as external to avoid bundling issues.
@@ -256,6 +231,8 @@ export function getEsbuildConfig(entryPoint, outfile, packageOpts = {}) {
     entryPoints: [entryPoint],
     bundle: true,
     platform: 'node',
+    // Intentionally conservative: node18 ensures maximum compatibility
+    // for bundled externals consumed by downstream packages.
     target: 'node18',
     format: 'cjs',
     outfile,
@@ -296,7 +273,7 @@ export function getEsbuildConfig(entryPoint, outfile, packageOpts = {}) {
     keepNames: true,
     // Additional optimizations:
     pure: ['console.log', 'console.debug', 'console.warn'],
-    drop: ['debugger', 'console'],
+    drop: ['debugger'],
     ignoreAnnotations: false,
     // Define compile-time constants for dead code elimination.
     define: {

scripts/build-externals/orchestrator.mjs

@@ -7,10 +7,14 @@ import { promises as fs } from 'node:fs'
 import path from 'node:path'
 import { fileURLToPath } from 'node:url'
 
+import { getDefaultLogger } from '@socketsecurity/lib-stable/logger'
+
 import { bundlePackage } from './bundler.mjs'
 import { externalPackages, scopedPackages } from './config.mjs'
 import { ensureDir } from './copy-files.mjs'
 
+const logger = getDefaultLogger()
+
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
 const rootDir = path.resolve(__dirname, '..', '..')
 const distExternalDir = path.join(rootDir, 'dist', 'external')
@@ -84,7 +88,7 @@ async function bundleAllPackages(options = {}) {
           }
         } catch {
           if (!quiet) {
-            console.log(`  Skipping optional package ${scope}/${name}`)
+            logger.log(`  Skipping optional package ${scope}/${name}`)
           }
         }
       } else {
@@ -123,7 +127,7 @@ async function bundleAllPackages(options = {}) {
             }
           } catch {
             if (!quiet) {
-              console.log(`  Skipping optional package ${scope}/${pkg}`)
+              logger.log(`  Skipping optional package ${scope}/${pkg}`)
             }
           }
         } else {
@@ -226,7 +230,7 @@ async function fixNodeGypStrings(dir, options = {}) {
         await fs.writeFile(filePath, fixed, 'utf8')
 
         if (!quiet) {
-          console.log(
+          logger.log(
             `  Fixed node-gyp string in ${path.relative(path.join(dir, '..', '..'), filePath)}`,
           )
         }

scripts/fix/commonjs-exports.mjs

@@ -17,7 +17,7 @@ import { getDefaultLogger } from '@socketsecurity/lib-stable/logger'
 const logger = getDefaultLogger()
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
-const distDir = path.resolve(__dirname, '..', 'dist')
+const distDir = path.resolve(__dirname, '..', '..', 'dist')
 
 /**
  * Process files in a directory and fix CommonJS exports.

scripts/fix/path-aliases.mjs

@@ -14,8 +14,8 @@ import { getDefaultLogger } from '@socketsecurity/lib-stable/logger'
 const logger = getDefaultLogger()
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
-const distDir = path.resolve(__dirname, '..', 'dist')
-const _srcDir = path.resolve(__dirname, '..', 'src')
+const distDir = path.resolve(__dirname, '..', '..', 'dist')
+const _srcDir = path.resolve(__dirname, '..', '..', 'src')
 
 // Map of path aliases to their actual directories
 const pathAliases = {

scripts/test/cover.mjs

@@ -43,7 +43,10 @@ const buildResult = await spawn('node', ['scripts/build/main.mjs'], {
   },
 })
 if (buildResult.code !== 0) {
-  throw new Error('Build with source maps failed')
+  logger.error('Build with source maps failed')
+  process.exitCode = 1
+  // eslint-disable-next-line unicorn/no-process-exit
+  process.exit()
 }
 
 // Run vitest with coverage enabled, capturing output

scripts/test/filter.mjs

@@ -15,7 +15,7 @@ import { getDefaultLogger } from '@socketsecurity/lib-stable/logger'
 
 const logger = getDefaultLogger()
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
-const projectRoot = path.resolve(__dirname, '..')
+const projectRoot = path.resolve(__dirname, '..', '..')
 
 // Find all coverage JSON files
 const coverageDir = path.join(projectRoot, 'coverage')

scripts/test/main.mjs

@@ -324,8 +324,13 @@ async function runIsolatedTests(options) {
     cwd: rootPath,
     env: {
       ...process.env,
-      NODE_OPTIONS:
-        `${process.env.NODE_OPTIONS || ''} --max-old-space-size=${process.env.CI ? 8192 : 4096} --unhandled-rejections=warn`.trim(),
+      NODE_OPTIONS: [
+        ...(process.env.NODE_OPTIONS || '')
+          .split(/\s+/)
+          .filter(opt => opt && !opt.startsWith('--max-old-space-size')),
+        `--max-old-space-size=${process.env.CI ? 8192 : 4096}`,
+        '--unhandled-rejections=warn',
+      ].join(' '),
       VITEST: '1',
     },
     stdio: 'inherit',

scripts/validate/no-extraneous-dependencies.mjs

@@ -328,4 +328,7 @@ async function main() {
   }
 }
 
-main()
+main().catch(error => {
+  logger.fail(`Validation failed: ${error.message}`)
+  process.exitCode = 1
+})

src/abort.ts

@@ -44,7 +44,5 @@ export function createTimeoutSignal(ms: number): AbortSignal {
   if (ms <= 0) {
     throw new TypeError('timeout must be a positive number')
   }
-  const controller = new AbortController()
-  setTimeout(() => controller.abort(), ms)
-  return controller.signal
+  return AbortSignal.timeout(Math.ceil(ms))
 }

src/ansi.ts

@@ -27,7 +27,7 @@ const ANSI_REGEX = /\x1b\[[0-9;]*m/g
 export function ansiRegex(options?: { onlyFirst?: boolean }): RegExp {
   const { onlyFirst } = options ?? {}
   // Valid string terminator sequences are BEL, ESC\, and 0x9c.
-  const ST = '(?:\\u0007\\u001B\\u005C|\\u009C)'
+  const ST = '(?:\\u0007|\\u001B\\u005C|\\u009C)'
   // OSC sequences only: ESC ] ... ST (non-greedy until the first ST).
   const osc = `(?:\\u001B\\][\\s\\S]*?${ST})`
   // CSI and related: ESC/C1, optional intermediates, optional params (supports ; and :) then final byte.