fix: prevent temp directory leak in node-modules-utils

[parker-snyk]

What does this PR do?

• Fixes a variable shadowing bug that caused temporary directories to leak when node_modules persistence failed
• Adds type annotations to the createFile function

Problem

persistNodeModules() creates a temporary directory to write extracted node_modules files for dependency resolution. The function had a scoping bug:

async function persistNodeModules(...): Promise<ScanPaths> {
  const tmpDir: string = "";           // outer scope — always empty
  const tempProjectRoot: string = "";  // outer scope — always empty

  if (!modules || modules.size === 0) {
    return { tempDir: tmpDir, tempProjectPath: tempProjectRoot };  // OK, legitimately empty
  }

  try {
    // BUG: This creates NEW block-scoped variables that shadow the outer ones
    const { tmpDir, tempProjectRoot } = await createTempProjectDir(project);
    //     ^^^^^^  ^^^^^^^^^^^^^^^^^ — these are different variables!

    await saveOnDisk(tmpDir, modules, filePathToContent);  // uses inner vars ✓
    // ... more work with inner vars ...
    return result;  // uses inner vars ✓
  } catch (error) {
    return {
      tempDir: tmpDir,            // uses OUTER empty string ✗
      tempProjectPath: tempProjectRoot,  // uses OUTER empty string ✗
    };
  }
}

If createTempProjectDir succeeds (creating a real directory on disk) but saveOnDisk or any later step throws, the catch block returns the outer empty strings instead of the actual temp directory path. The caller checks:

if (!tempDir) {   // "" is falsy → skips cleanup
  continue;
}

This skips cleanup, leaving the temp directory orphaned on disk. Over many scans (especially in CI), these leaked directories accumulate.

Fix

Changed from const destructuring (which creates new block-scoped variables) to assigning to let variables declared in the function scope:

let tmpDir = "";
let tempProjectRoot = "";

try {
  const created = await createTempProjectDir(project);
  tmpDir = created.tmpDir;              // updates outer scope
  tempProjectRoot = created.tempProjectRoot;  // updates outer scope
  // ...
} catch (error) {
  return {
    tempDir: tmpDir,            // now has real path if dir was created
    tempProjectPath: tempProjectRoot,
  };
}

Also

Added string type annotations to createFile(filePath, fileContent) parameters (were implicit any).

Risk

Low. The fix changes variable scoping to prevent shadowing. The happy path behavior is identical. The error path now correctly returns the temp directory path so the caller can clean it up.

How should this be manually tested?

• Verify node_modules scanning works for images with package.json + node_modules
• Verify temp directories are cleaned up after scanning
• Verify empty module directories are handled gracefully

Any background context you want to provide?

What are the relevant tickets?

https://snyksec.atlassian.net/browse/CN-1040

Additional questions

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

🔒 No security concerns identified

⚡ No major issues detected

📚 Repository Context Analyzed This review considered 8 relevant code sections from 7 files (average relevance: 0.92) lib/analyzer/applications/node.ts (2 segments, lines 271-522) lib/analyzer/applications/php.ts (lines 1-116) lib/analyzer/applications/python/pip.ts (lines 1-178) lib/analyzer/applications/python/poetry.ts (lines 1-93) lib/go-parser/index.ts (lines 1-221) lib/go-parser/go-binary.ts (lines 1-207) lib/analyzer/applications/node-modules-utils.ts (lines 1-253)