feat: parallel test-dep-graph requests

[dantarian]

• Follows CONTRIBUTING rules

What does this PR do?

Allows up to five requests to the /test-dep-graph endpoint to be run at a time, reducing snyk test wall-clock run times.

There should be no change to outputs or the running order of operations.

Where should the reviewer start?

There's only one changed file - src/lib/snyk-test/run-test.ts.

How should this be manually tested?

On a sample repository with multiple Open Source projects within it (ideally ones for which the /test-dep-graph API call takes non-trivial amount of time to complete - nuget projects seem to be good for this), run snyk test --all-projects for this version of the CLI and compare with snyk test --all-projects for another version. The outputs should be identical, but this version should run significantly quicker - specifically in the phase where the spinner displays "Querying vulnerabilities database...".

Any background context you want to provide?

We've had support requests (linked below) where customers are complaining about the amount of time taken to scan large monorepos using the --all-projects argument while using the Azure Pipelines Snyk task. While there is a separate focus on speeding up the underlying requests (which in the linked example are taking 30-90s each), this approach seemed to be a simple way to reduce the wall-clock duration of the overall task. I've picked 5 for the concurrency level arbitrarily - it can be adjusted as needed.

What are the relevant tickets?

https://snyk.zendesk.com/agent/tickets/35462

[github-actions]

	Warnings
⚠️	You've modified files in src/ directory, but haven't updated anything in test folder. Is there something that could be tested?

Generated by 🚫 dangerJS against e985a76

[dotkas]

I am not very familiar with this, but does this handle "bubbling" up errors to the user if some of the requests fail?

[dantarian]

Yes - in this case, the first error thrown will bubble back up to the user. Any requests that are still in flight will continue to be processed at the Snyk Platform end, but the responses to those will be ignored.

[gitphill]

how about when --json is used? do we collect all that info and return it as we did when it was all synchronous?

[dantarian]

It should do - this is essentially just an order of operations change. Where before we were taking each request, executing the request then processing the response, then moving onto the next request, here we perform all of the requests and gather the responses, then process the responses one-by-one (in the same order as before). The actual data and how it is processed are unchanged.

[dantarian]

Confirmed this running locally, with a CLI built from master and a CLI built from this branch - both produce identical output on the java-goof project when running snyk test --all-projects --json.

[dantarian]

To address a couple of comments that have been raised here and on Slack:

• No additional tests because I haven't really changed how this works, just the order of operations inside a function boundary.
• I've manually implemented the concurrency rather than using p-map because (a) it means no additional dependencies, and (b) when I tried to add p-map as a dependency, a lot of things broke.
• I've chosen 5 as the number of concurrent requests in order to provide a reasonable amount of concurrency without spamming Snyk with requests (for example, if this gets run against a monorepo with a ton of sub-projects). The number is otherwise plucked from thin air.