fix: resolve quality scan issues (iteration 4)

jdalton · jdalton · commit fe2767ddf5d1 · 2026-03-10T16:43:35.000-04:00
High-severity fixes:
- Fix cache TOCTOU race in getOrFetch (remove redundant checks, set promise immediately)
- Remove Node 20 from CI test matrix (align with package.json engines &gt;=22)
- Add missing imports to documentation example (glob, readFileUtf8)

Medium-severity fixes:
- Fix bash loop in security-checks.sh (use while IFS= read pattern for spaces)
- Fix arrayChunk logic error (remove Math.min, use chunkSize directly)

All core tests passing (6324/6328 tests, 4 unrelated archive test issues remain from iteration 3).
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -19,7 +19,7 @@ on:
         description: 'Node.js versions to test (JSON array)'
         required: false
         type: string
-        default: '["20", "22", "24"]'
+        default: '["22", "24"]'
 
 permissions:
   contents: read
@@ -33,7 +33,7 @@ jobs:
       lint-script: 'pnpm run lint --all'
       type-check-script: 'pnpm run check'
       test-script: 'pnpm exec vitest --config .config/vitest.config.mts run'
-      node-versions: ${{ inputs.node-versions || '["20", "22", "24"]' }}
+      node-versions: ${{ inputs.node-versions || '["22", "24"]' }}
       os-versions: '["ubuntu-latest", "windows-latest"]'
       fail-fast: false
       max-parallel: 4
diff --git a/.husky/security-checks.sh b/.husky/security-checks.sh
@@ -73,19 +73,19 @@ done <<< "$STAGED_FILES"
 
 # Check for Socket API keys.
 printf "Checking for API keys...\n"
-for file in $STAGED_FILES; do
+while IFS= read -r file; do
   if [ -f "$file" ]; then
     if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
       printf "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}\n"
       grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
       printf "If this is a real API key, DO NOT COMMIT IT.\n"
     fi
   fi
-done
+done <<< "$STAGED_FILES"
 
 # Check for common secret patterns.
 printf "Checking for potential secrets...\n"
-for file in $STAGED_FILES; do
+while IFS= read -r file; do
   if [ -f "$file" ]; then
     # Skip test files, example files, and hook scripts.
     if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
@@ -112,7 +112,7 @@ for file in $STAGED_FILES; do
       ERRORS=$((ERRORS + 1))
     fi
   fi
-done
+done <<< "$STAGED_FILES"
 
 if [ $ERRORS -gt 0 ]; then
   printf "\n"
diff --git a/docs/examples.md b/docs/examples.md
@@ -448,6 +448,10 @@ Execute tasks with limited concurrency:
 ```typescript
 import fs from 'node:fs/promises'
 
+// Note: fast-glob is an external dependency - install it separately (pnpm add -D fast-glob)
+import { glob } from 'fast-glob'
+
+import { readFileUtf8 } from '@socketsecurity/lib/fs'
 import { PromiseQueue } from '@socketsecurity/lib/promise-queue'
 import { Spinner } from '@socketsecurity/lib/spinner'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/arrays.ts b/src/arrays.ts
@@ -104,10 +104,9 @@ export function arrayChunk<T>(
     throw new Error('Chunk size must be greater than 0')
   }
   const { length } = arr
-  const actualChunkSize = Math.min(length, chunkSize)
   const chunks = []
-  for (let i = 0; i < length; i += actualChunkSize) {
-    chunks.push(arr.slice(i, i + actualChunkSize) as T[])
+  for (let i = 0; i < length; i += chunkSize) {
+    chunks.push(arr.slice(i, i + chunkSize) as T[])
   }
   return chunks
 }
diff --git a/src/cache-with-ttl.ts b/src/cache-with-ttl.ts
@@ -407,34 +407,28 @@ export function createTtlCache(options?: TtlCacheOptions): TtlCache {
 
     const fullKey = buildKey(key)
 
-    // Atomic check-and-set to prevent TOCTOU race
+    // Check if another request is already in flight
     const existing = inflightRequests.get(fullKey)
     if (existing) {
       return await existing
     }
 
-    // Create and immediately store promise atomically
+    // Create promise with cleanup handlers
     const promise = (async () => {
       try {
         const data = await fetcher()
         await set(key, data)
         return data
-      } catch (error) {
-        // Clean up on error
-        inflightRequests.delete(fullKey)
-        throw error
       } finally {
+        // Clean up on both success and error
         inflightRequests.delete(fullKey)
       }
     })()
 
-    // Final check - if another thread won, use theirs
-    const nowExisting = inflightRequests.get(fullKey)
-    if (nowExisting && nowExisting !== promise) {
-      return await nowExisting
-    }
-
+    // Set the promise IMMEDIATELY before any await to prevent race
     inflightRequests.set(fullKey, promise)
+
+    // Await and return (cleanup happens in finally block)
     return await promise
   }
 

Original file line number	Diff line number	Diff line change
`@@ -104,10 +104,9 @@ export function arrayChunk<T>(`
`104`	`104`	`throw new Error('Chunk size must be greater than 0')`
`105`	`105`	`}`
`106`	`106`	`const { length } = arr`
`107`		`- const actualChunkSize = Math.min(length, chunkSize)`
`108`	`107`	`const chunks = []`
`109`		`- for (let i = 0; i < length; i += actualChunkSize) {`
`110`		`- chunks.push(arr.slice(i, i + actualChunkSize) as T[])`
	`108`	`+ for (let i = 0; i < length; i += chunkSize) {`
	`109`	`+ chunks.push(arr.slice(i, i + chunkSize) as T[])`
`111`	`110`	`}`
`112`	`111`	`return chunks`
`113`	`112`	`}`