Migrate to registry's downloadWithLock for binary downloads

Replace custom download logic with @socketsecurity/registry/lib/download-lock:

Benefits:
- Cross-process download locking prevents race conditions
- Automatic retry logic with exponential backoff (3 retries)
- Configurable timeouts for large files
- Stale lock detection and cleanup
- Better reliability in CI/CD environments with parallel builds

Files updated:
- src/utils/dlx-binary.mts: Binary downloads now use downloadWithLock
- src/utils/python-standalone.mts: Python runtime downloads use downloadWithLock

Configuration:
- dlx-binary: 2min lock timeout, 5min download timeout
- python-standalone: 3min lock timeout, 10min download timeout (larger files)

Note: Requires @socketsecurity/registry@1.4.0+ for download-lock module

Author: jdalton

src/utils/dlx-binary.mts

@@ -26,13 +26,13 @@ import { existsSync, promises as fs } from 'node:fs'
 import os from 'node:os'
 import path from 'node:path'
 
+import { downloadWithLock } from '@socketsecurity/registry/lib/download-lock'
 import { readJson, remove } from '@socketsecurity/registry/lib/fs'
 import { getSocketDlxDir } from '@socketsecurity/registry/lib/paths'
 import { spawn } from '@socketsecurity/registry/lib/spawn'
 
 import constants from '../constants.mts'
 import { InputError } from './errors.mts'
-import { httpRequest } from './http.mts'
 
 import type {
   SpawnExtra,
@@ -111,39 +111,33 @@ async function isCacheValid(
 }
 
 /**
- * Download a file from a URL with integrity checking.
+ * Download a file from a URL with integrity checking and download locking.
+ * Uses registry's downloadWithLock to prevent concurrent downloads.
  */
 async function downloadBinary(
   url: string,
   destPath: string,
   checksum?: string,
 ): Promise<string> {
-  const result = await httpRequest(url)
-
-  if (!result.ok) {
-    throw new InputError(`Failed to download binary: ${result.message}`)
-  }
-
-  const response = result.data!
-
-  if (!response.ok) {
-    throw new InputError(
-      `Failed to download binary: ${response.status} ${response.statusText}`,
-    )
-  }
-
-  // Create a temporary file first.
+  // Create a temporary file first for integrity checking.
   const tempPath = `${destPath}.download`
-  const hasher = createHash('sha256')
 
   try {
     // Ensure directory exists.
     await fs.mkdir(path.dirname(destPath), { recursive: true })
 
-    // Get the response as a buffer and compute hash.
-    const buffer = response.body
-
-    // Compute hash.
+    // Download with locking and automatic retries.
+    // This prevents concurrent downloads and provides retry logic.
+    await downloadWithLock(url, tempPath, {
+      lockTimeout: 120_000, // Wait up to 2 minutes for concurrent downloads
+      retries: 3, // Retry up to 3 times with exponential backoff
+      retryDelay: 1000, // Start with 1 second delay
+      timeout: 300_000, // 5 minute timeout per attempt
+    })
+
+    // Read file for checksum verification.
+    const buffer = await fs.readFile(tempPath)
+    const hasher = createHash('sha256')
     hasher.update(buffer)
     const actualChecksum = hasher.digest('hex')
 
@@ -154,9 +148,6 @@ async function downloadBinary(
       )
     }
 
-    // Write to temp file.
-    await fs.writeFile(tempPath, buffer)
-
     // Make executable on POSIX systems.
     if (os.platform() !== 'win32') {
       await fs.chmod(tempPath, 0o755)
@@ -173,7 +164,9 @@ async function downloadBinary(
     } catch {
       // Ignore cleanup errors.
     }
-    throw error
+    throw error instanceof Error
+      ? error
+      : new InputError(`Failed to download binary: ${String(error)}`)
   }
 }
 

src/utils/python-standalone.mts

@@ -46,13 +46,13 @@ import path from 'node:path'
 import semver from 'semver'
 
 import { whichBin } from '@socketsecurity/registry/lib/bin'
+import { downloadWithLock } from '@socketsecurity/registry/lib/download-lock'
 import { remove } from '@socketsecurity/registry/lib/fs'
 import { spawn } from '@socketsecurity/registry/lib/spawn'
 
 import constants from '../constants.mts'
 import { getDlxCachePath } from './dlx-binary.mts'
 import { InputError, getErrorCause } from './errors.mts'
-import { httpDownload } from './http.mts'
 
 import type { CResult } from '../types.mts'
 
@@ -188,6 +188,7 @@ export async function checkSystemPython(): Promise<string | null> {
 
 /**
  * Download and extract Python from python-build-standalone.
+ * Uses downloadWithLock to prevent concurrent downloads.
  */
 async function downloadPython(pythonDir: string): Promise<void> {
   const url = getPythonStandaloneUrl()
@@ -196,10 +197,19 @@ async function downloadPython(pythonDir: string): Promise<void> {
   // Ensure directory exists
   await fs.mkdir(pythonDir, { recursive: true })
 
-  // Download with Node's native http module
-  const result = await httpDownload(url, tarballPath)
-  if (!result.ok) {
-    throw new InputError(`Failed to download Python: ${result.message}`)
+  // Download with locking and automatic retries
+  // This prevents concurrent downloads and provides retry logic
+  try {
+    await downloadWithLock(url, tarballPath, {
+      lockTimeout: 180_000, // Wait up to 3 minutes for concurrent downloads
+      retries: 3, // Retry up to 3 times with exponential backoff
+      retryDelay: 1000, // Start with 1 second delay
+      timeout: 600_000, // 10 minute timeout per attempt (large file)
+    })
+  } catch (error) {
+    throw new InputError(
+      `Failed to download Python: ${error instanceof Error ? error.message : String(error)}`,
+    )
   }
 
   // Extract using system tar command