From edac74d0ad526e09292c060fd148c559e3afc8ca Mon Sep 17 00:00:00 2001 From: GENTILHOMME Thomas Date: Sat, 21 Mar 2026 16:07:17 +0100 Subject: [PATCH] feat(scanner/depWalker): configure locker.concurrency with new maxConcurrency options --- .changeset/orange-teeth-appear.md | 5 +++++ README.md | 8 +++++++- workspaces/scanner/src/depWalker.ts | 5 +++-- workspaces/scanner/src/types.ts | 6 ++++++ 4 files changed, 21 insertions(+), 3 deletions(-) create mode 100644 .changeset/orange-teeth-appear.md diff --git a/.changeset/orange-teeth-appear.md b/.changeset/orange-teeth-appear.md new file mode 100644 index 00000000..8b89e930 --- /dev/null +++ b/.changeset/orange-teeth-appear.md @@ -0,0 +1,5 @@ +--- +"@nodesecure/scanner": minor +--- + +Implement a new maxConcurrency options to configure how much NPM tarballs we scan/limit in depWalker diff --git a/README.md b/README.md index 612bcc1a..7b15ed73 100644 --- a/README.md +++ b/README.md @@ -99,7 +99,13 @@ interface Options { * * @default Infinity */ - maxDepth?: number; + readonly maxDepth?: number; + + /** + * Maximum concurrency to fetch and scan NPM tarballs + * @default 8 + */ + readonly maxConcurrency?: number; /** * Includes development dependencies in the walk. diff --git a/workspaces/scanner/src/depWalker.ts b/workspaces/scanner/src/depWalker.ts index 2874d963..5ad92c9e 100644 --- a/workspaces/scanner/src/depWalker.ts +++ b/workspaces/scanner/src/depWalker.ts @@ -121,7 +121,8 @@ export async function depWalker( location, vulnerabilityStrategy = Vulnera.strategies.NONE, registry, - npmRcConfig + npmRcConfig, + maxConcurrency = 8 } = options; const statsCollector = new StatsCollector({ logger }, { isVerbose }); 
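Review bot: `maxConcurrency` is destructured with a default of 8 and used without validation, so a caller-supplied `0`, negative number, `NaN` or `Infinity` flows straight into `new Mutex({ concurrency: maxConcurrency })` in the second depWalker.ts hunk. Depending on how Mutex treats such values, the walk could stall or fetch and extract tarballs with no effective limit, which is an availability concern when scanning large or untrusted dependency trees. I would add a guard right after the destructuring, e.g. `if (!Number.isInteger(maxConcurrency) || maxConcurrency < 1) { throw new TypeError("maxConcurrency must be a positive integer"); }`. The body of depWalker starts and continues outside this hunk, so any validation done elsewhere is not visible here.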
@@ -205,7 +206,7 @@ export async function depWalker( const fetchedMetadataPackages = new Set(); const operationsQueue: Promise[] = []; - const locker = new Mutex({ concurrency: 5 }); + const locker = new Mutex({ concurrency: maxConcurrency }); locker.on( MutexRelease, () => logger.tick(ScannerLoggerEvents.analysis.tarball) diff --git a/workspaces/scanner/src/types.ts b/workspaces/scanner/src/types.ts index 7db79cf3..e0b85588 100644 --- a/workspaces/scanner/src/types.ts +++ b/workspaces/scanner/src/types.ts @@ -282,6 +282,12 @@ export interface Options { */ readonly maxDepth?: number; + /** + * Maximum concurrency to fetch and scan NPM tarballs + * @default 8 + */ + readonly maxConcurrency?: number; + readonly registry?: string | URL; /**
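Review bot: The effective default for the tarball lock changes from the hard-coded `5` to `8` at `new Mutex({ concurrency: maxConcurrency })`, but the changeset text does not mention that existing callers get higher parallelism after upgrading. If the increase is intended, state it in the changeset (for example `Default concurrency is raised from 5 to 8`); if not, keep the previous behaviour with `maxConcurrency = 5` in the destructuring. The rest of depWalker, including how `locker` is acquired and released, lies outside this hunk.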
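Review bot: The doc comment added for `maxConcurrency` in `Options` gives the default but not the accepted range, so a consumer has no indication that `0`, a negative or a fractional value is not meaningful. I would add a line such as `* Must be a positive integer; higher values mean more tarballs fetched and scanned in parallel.` and mirror the same sentence in the README copy of the interface. The `Options` interface starts and ends outside this hunk.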