fix(api): improve CVE to GHSA conversion caching and error messaging

Author: jdalton

src/utils/cve-to-ghsa.mts

@@ -5,6 +5,7 @@ import type { CResult } from '../types.mts'
 
 /**
  * Converts CVE IDs to GHSA IDs using GitHub API.
+ * CVE to GHSA mappings are permanent, so we cache for 30 days.
  */
 export async function convertCveToGhsa(
   cveId: string,
@@ -13,11 +14,17 @@ export async function convertCveToGhsa(
     const cacheKey = `cve-to-ghsa-${cveId}`
     const octokit = getOctokit()
 
-    const response = await cacheFetch(cacheKey, () =>
-      octokit.rest.securityAdvisories.listGlobalAdvisories({
-        cve_id: cveId,
-        per_page: 1,
-      }),
+    // CVE to GHSA mappings don't change, cache for 30 days (in milliseconds).
+    const THIRTY_DAYS_MS = 2_592_000_000
+
+    const response = await cacheFetch(
+      cacheKey,
+      () =>
+        octokit.rest.securityAdvisories.listGlobalAdvisories({
+          cve_id: cveId,
+          per_page: 1,
+        }),
+      THIRTY_DAYS_MS,
     )
 
     if (!response.data.length) {
@@ -32,9 +39,19 @@ export async function convertCveToGhsa(
       data: response.data[0]!.ghsa_id,
     }
   } catch (e) {
+    const errorCause = getErrorCause(e)
+    // Detect GitHub API rate limit errors.
+    const isGitHubRateLimit =
+      errorCause.includes('rate limit') ||
+      errorCause.includes('EPIPE') ||
+      errorCause.includes('ECONNRESET') ||
+      errorCause.includes('403')
+
     return {
       ok: false,
-      message: `Failed to convert CVE to GHSA: ${getErrorCause(e)}`,
+      message: isGitHubRateLimit
+        ? 'GitHub API rate limit exceeded while converting CVE to GHSA. Wait an hour or set SOCKET_CLI_GITHUB_TOKEN environment variable with a personal access token for higher limits.'
+        : `Failed to convert CVE to GHSA: ${errorCause}`,
     }
   }
 }