fix(dsn): prevent hang during DSN auto-detection in repos with test fixtures (#445)

BYK · web-flow · commit dfc21007ef3b · 2026-03-17T12:57:11.000Z
Running `sentry issues` without explicit flags in repos containing test fixture DSNs (e.g., the CLI repo itself) caused the process to hang. PR #420 bumped scan depth from 2→3, causing `test/` directories to be scanned — finding ~86 fake DSNs that were all resolved via unbounded `Promise.all`, triggering 190+ concurrent API requests, rate limiting (429), and retry storms. ## Changes - **Skip test directories in scanner** — Add `test/`, `tests/`, `__mocks__/`, `fixtures/`, `__fixtures__/` to `ALWAYS_SKIP_DIRS`. Test directories contain fixture DSNs, not real Sentry configuration. - **Deduplicate DSNs before resolution** — Group by `(orgId, projectId)` or `publicKey`, resolving only one representative per unique pair. Reduces ~86 DSNs to ~10-20 unique API calls. - **Add concurrency limit** — `p-limit(5)` on DSN resolution API calls to prevent overwhelming the Sentry API. - **Add 15s timeout** — Race `Promise.all` against a deadline, returning partial results on timeout so the CLI never hangs indefinitely. - **In-flight dedup for `resolveOrgRegion`** — Concurrent calls for the same orgSlug share a single HTTP request via a module-level promise cache. - **Fix `getDirMtime` dynamic import** — Replace wasteful `await import("node:fs/promises")` (called 75+ times) with a static import. Relates to #420 and #414.
diff --git a/src/lib/dsn/code-scanner.ts b/src/lib/dsn/code-scanner.ts
@@ -13,7 +13,7 @@
  */
 
 import type { Dirent } from "node:fs";
-import { readdir } from "node:fs/promises";
+import { readdir, stat } from "node:fs/promises";
 import path from "node:path";
 // biome-ignore lint/performance/noNamespaceImport: Sentry SDK recommends namespace import
 import * as Sentry from "@sentry/bun";
@@ -85,6 +85,12 @@ const ALWAYS_SKIP_DIRS = [
   ".cursor",
   // Node.js
   "node_modules",
+  // Test directories (contain fixture DSNs, not real configuration)
+  "test",
+  "tests",
+  "__mocks__",
+  "fixtures",
+  "__fixtures__",
   // Python
   "__pycache__",
   ".pytest_cache",
@@ -432,7 +438,6 @@ type CollectResult = {
  */
 async function getDirMtime(dir: string): Promise<number> {
   try {
-    const { stat } = await import("node:fs/promises");
     const stats = await stat(dir);
     return Math.floor(stats.mtimeMs);
   } catch {
diff --git a/src/lib/region.ts b/src/lib/region.ts
@@ -13,21 +13,57 @@ import { withAuthGuard } from "./errors.js";
 import { getSdkConfig } from "./sentry-client.js";
 import { getSentryBaseUrl, isSentrySaasUrl } from "./sentry-urls.js";
 
+/**
+ * Promise cache for org region resolution, keyed by orgSlug.
+ *
+ * When multiple DSNs share an orgId, concurrent calls to resolveOrgRegion
+ * deduplicate into a single HTTP request. A resolved promise returns
+ * instantly on `await`, so this also serves as a warm in-memory cache.
+ *
+ * Rejected promises (e.g., AuthError) are automatically evicted so that
+ * retries after re-authentication can succeed without restarting the CLI.
+ */
+const regionCache = new Map<string, Promise<string>>();
+
 /**
  * Resolve the region URL for an organization.
  *
+ * Deduplicates concurrent calls for the same orgSlug — only one HTTP
+ * request fires per unique org, even when many DSNs trigger resolution
+ * in parallel.
+ *
  * Resolution order:
- * 1. Check SQLite cache
- * 2. Fetch organization details via SDK to get region URL
- * 3. Fall back to default URL if resolution fails
+ * 1. Return in-flight or previously resolved promise (instant)
+ * 2. Check SQLite cache
+ * 3. Fetch organization details via SDK to get region URL
+ * 4. Fall back to default URL if resolution fails
  *
  * Uses the SDK directly (not api-client) to avoid circular dependency.
  *
  * @param orgSlug - The organization slug
  * @returns The region URL for the organization
  */
-export async function resolveOrgRegion(orgSlug: string): Promise<string> {
-  // 1. Check cache first
+export function resolveOrgRegion(orgSlug: string): Promise<string> {
+  const existing = regionCache.get(orgSlug);
+  if (existing) {
+    return existing;
+  }
+
+  const promise = resolveOrgRegionUncached(orgSlug);
+  regionCache.set(orgSlug, promise);
+  // Evict on rejection (AuthError) so retries after re-login work.
+  // Non-auth errors already resolve to baseUrl fallback, so only
+  // AuthError re-throws can leave a rejected promise in the cache.
+  promise.catch(() => regionCache.delete(orgSlug));
+  return promise;
+}
+
+/**
+ * Resolve org region from SQLite cache or API.
+ * Called at most once per orgSlug per process lifetime.
+ */
+async function resolveOrgRegionUncached(orgSlug: string): Promise<string> {
+  // 1. Check SQLite cache first
   const cached = await getOrgRegion(orgSlug);
   if (cached) {
     return cached;
diff --git a/src/lib/resolve-target.ts b/src/lib/resolve-target.ts
@@ -14,6 +14,7 @@
  */
 
 import { basename } from "node:path";
+import pLimit from "p-limit";
 import {
   findProjectByDsnKey,
   findProjectsByPattern,
@@ -29,7 +30,7 @@ import {
   setCachedProject,
   setCachedProjectByDsnKey,
 } from "./db/project-cache.js";
-import type { DetectedDsn } from "./dsn/index.js";
+import type { DetectedDsn, DsnDetectionResult } from "./dsn/index.js";
 import {
   detectAllDsns,
   detectDsn,
@@ -578,11 +579,79 @@ export async function fetchProjectId(
   return toNumericId(projectResult.value.id);
 }
 
+/**
+ * Maximum concurrent DSN resolution API calls.
+ * Prevents overwhelming the Sentry API with parallel requests when
+ * many DSNs are detected (e.g., monorepos or repos with test fixtures).
+ */
+const DSN_RESOLVE_CONCURRENCY = 5;
+
+/**
+ * Maximum time (ms) to spend resolving DSNs before returning partial results.
+ * Prevents indefinite hangs when the API is slow or rate-limiting.
+ */
+const DSN_RESOLVE_TIMEOUT_MS = 15_000;
+
+/**
+ * Resolve DSNs with a concurrency limit and overall timeout.
+ *
+ * Uses p-limit's `map` helper for concurrency control and races it
+ * against `AbortSignal.timeout` so the CLI never hangs indefinitely.
+ * Queued tasks check the abort signal before doing work (same pattern
+ * as code-scanner's earlyExit flag from PR #414). In-flight tasks that
+ * already started are abandoned on timeout — their individual HTTP
+ * timeouts (30s in sentry-client.ts) bound them independently.
+ *
+ * Results are written to a shared array so that tasks completing before
+ * the deadline are captured even when the overall operation times out.
+ *
+ * @param dsns - Deduplicated DSNs to resolve
+ * @returns Array of resolved targets (null for failures/timeouts)
+ */
+async function resolveDsnsWithTimeout(
+  dsns: DetectedDsn[]
+): Promise<(ResolvedTarget | null)[]> {
+  const limit = pLimit(DSN_RESOLVE_CONCURRENCY);
+  const signal = AbortSignal.timeout(DSN_RESOLVE_TIMEOUT_MS);
+
+  // Shared results array — tasks write their result as they complete,
+  // so partial results survive timeout.
+  const results: (ResolvedTarget | null)[] = new Array(dsns.length).fill(null);
+
+  const mapDone = limit.map(dsns, (dsn, i) => {
+    if (signal.aborted) {
+      return Promise.resolve(null);
+    }
+    return resolveDsnToTarget(dsn).then((target) => {
+      results[i] = target;
+      return target;
+    });
+  });
+
+  // Race limit.map against the abort signal so in-flight tasks
+  // don't block the timeout.
+  const aborted = new Promise<"timeout">((resolve) => {
+    signal.addEventListener("abort", () => resolve("timeout"), { once: true });
+  });
+  const raceResult = await Promise.race([
+    mapDone.then(() => "done" as const),
+    aborted,
+  ]);
+
+  if (raceResult === "timeout") {
+    log.warn(
+      `DSN resolution timed out after ${DSN_RESOLVE_TIMEOUT_MS / 1000}s, returning partial results`
+    );
+  }
+
+  return results;
+}
+
 /**
  * Resolve all targets for monorepo-aware commands.
  *
  * When multiple DSNs are detected, resolves all of them in parallel
- * and returns a footer message for display.
+ * (with concurrency limiting) and returns a footer message for display.
  *
  * Resolution priority:
  * 1. Explicit org and project - returns single target
@@ -662,13 +731,46 @@ export async function resolveAllTargets(
     return inferFromDirectoryName(cwd);
   }
 
-  // Resolve all DSNs in parallel
-  const resolvedTargets = await Promise.all(
-    detection.all.map((dsn) => resolveDsnToTarget(dsn))
+  return resolveDetectedDsns(detection);
+}
+
+/**
+ * Deduplicate detected DSNs and resolve them with concurrency limiting.
+ *
+ * Groups DSNs by (orgId, projectId) or publicKey, resolves one per unique
+ * combination, then deduplicates resolved targets by org+project slug.
+ *
+ * @param detection - DSN detection result with all found DSNs
+ * @returns Resolved targets with optional footer message
+ */
+async function resolveDetectedDsns(
+  detection: DsnDetectionResult
+): Promise<ResolvedTargets> {
+  // Deduplicate DSNs by (orgId, projectId) or publicKey before resolution.
+  // Multiple DSNs in test fixtures or monorepos can share the same org+project
+  // — resolving each unique pair once avoids redundant API calls.
+  const uniqueDsnMap = new Map<string, DetectedDsn>();
+  for (const dsn of detection.all) {
+    const dedupeKey = dsn.orgId
+      ? `${dsn.orgId}:${dsn.projectId}`
+      : `key:${dsn.publicKey}`;
+    if (!uniqueDsnMap.has(dedupeKey)) {
+      uniqueDsnMap.set(dedupeKey, dsn);
+    }
+  }
+  const uniqueDsns = [...uniqueDsnMap.values()];
+
+  log.debug(
+    `Resolving ${uniqueDsns.length} unique DSN targets (${detection.all.length} total detected)`
   );
 
+  // Resolve with concurrency limit to avoid overwhelming the Sentry API.
+  // Without this, large repos can fire 100+ concurrent HTTP requests,
+  // triggering rate limiting (429) and retry storms.
+  const resolvedTargets = await resolveDsnsWithTimeout(uniqueDsns);
+
   // Filter out failed resolutions and deduplicate by org+project
-  // (multiple DSNs with different keys can point to same project)
+  // (different orgId forms can resolve to the same org slug)
   const seen = new Set<string>();
   const targets = resolvedTargets.filter((t): t is ResolvedTarget => {
     if (t === null) {
diff --git a/test/lib/dsn/code-scanner.test.ts b/test/lib/dsn/code-scanner.test.ts
@@ -299,6 +299,64 @@ describe("Code Scanner", () => {
       expect(result).toBeNull();
     });
 
+    test("skips test directories", async () => {
+      // DSNs in test/ should be ignored (they contain test fixtures, not real config)
+      mkdirSync(join(testDir, "test/lib"), { recursive: true });
+      writeFileSync(
+        join(testDir, "test/lib/scanner.test.ts"),
+        'const DSN = "https://testkey@o123.ingest.sentry.io/456";'
+      );
+
+      const result = await scanCodeForFirstDsn(testDir);
+      expect(result).toBeNull();
+
+      // Also test tests/ directory
+      mkdirSync(join(testDir, "tests/unit"), { recursive: true });
+      writeFileSync(
+        join(testDir, "tests/unit/app.test.ts"),
+        'const DSN = "https://testkey@o999.ingest.sentry.io/789";'
+      );
+
+      const allResult = await scanCodeForDsns(testDir);
+      expect(allResult.dsns).toHaveLength(0);
+    });
+
+    test("skips __mocks__ and fixtures directories", async () => {
+      mkdirSync(join(testDir, "__mocks__"), { recursive: true });
+      writeFileSync(
+        join(testDir, "__mocks__/sentry.ts"),
+        'export const DSN = "https://mock@o123.ingest.sentry.io/111";'
+      );
+      mkdirSync(join(testDir, "fixtures"), { recursive: true });
+      writeFileSync(
+        join(testDir, "fixtures/config.ts"),
+        'export const DSN = "https://fixture@o123.ingest.sentry.io/222";'
+      );
+
+      const result = await scanCodeForDsns(testDir);
+      expect(result.dsns).toHaveLength(0);
+    });
+
+    test("still finds DSNs in src/ when test/ is skipped", async () => {
+      // Ensure test/ skipping doesn't affect real source directories
+      mkdirSync(join(testDir, "src"), { recursive: true });
+      writeFileSync(
+        join(testDir, "src/config.ts"),
+        'const DSN = "https://realkey@o123.ingest.sentry.io/456";'
+      );
+      mkdirSync(join(testDir, "test"), { recursive: true });
+      writeFileSync(
+        join(testDir, "test/fixture.ts"),
+        'const DSN = "https://fakekey@o999.ingest.sentry.io/999";'
+      );
+
+      const result = await scanCodeForDsns(testDir);
+      expect(result.dsns).toHaveLength(1);
+      expect(result.dsns[0].raw).toBe(
+        "https://realkey@o123.ingest.sentry.io/456"
+      );
+    });
+
     test("respects gitignore", async () => {
       writeFileSync(join(testDir, ".gitignore"), "ignored/");
       mkdirSync(join(testDir, "ignored"), { recursive: true });
diff --git a/test/lib/region.test.ts b/test/lib/region.test.ts
@@ -258,4 +258,58 @@ describe("resolveOrgRegion", () => {
     expect(await resolveOrgRegion("org-a")).toBe("https://us.sentry.io");
     expect(await resolveOrgRegion("org-b")).toBe("https://de.sentry.io");
   });
+
+  test("deduplicates concurrent API calls for the same org", async () => {
+    let fetchCount = 0;
+
+    // Mock fetch to track call count
+    const originalFetch = globalThis.fetch;
+    globalThis.fetch = async (input: RequestInfo | URL, init?: RequestInit) => {
+      const req = new Request(input, init);
+      if (req.url.includes("/organizations/dedup-org/")) {
+        fetchCount += 1;
+        // Small delay to ensure concurrency overlap
+        await Bun.sleep(50);
+        return new Response(
+          JSON.stringify({
+            id: "789",
+            slug: "dedup-org",
+            name: "Dedup Organization",
+            links: {
+              organizationUrl: "https://us.sentry.io/organizations/dedup-org/",
+              regionUrl: "https://us.sentry.io",
+            },
+          }),
+          {
+            status: 200,
+            headers: { "Content-Type": "application/json" },
+          }
+        );
+      }
+      return new Response(JSON.stringify({ detail: "Not found" }), {
+        status: 404,
+      });
+    };
+
+    try {
+      // Fire 5 concurrent calls for the same org
+      const results = await Promise.all([
+        resolveOrgRegion("dedup-org"),
+        resolveOrgRegion("dedup-org"),
+        resolveOrgRegion("dedup-org"),
+        resolveOrgRegion("dedup-org"),
+        resolveOrgRegion("dedup-org"),
+      ]);
+
+      // All should return the same result
+      for (const result of results) {
+        expect(result).toBe("https://us.sentry.io");
+      }
+
+      // Only one fetch should have been made (in-flight dedup)
+      expect(fetchCount).toBe(1);
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
 });
