clean up pools after 24hours inactivity

[Mzack9999]

Proposed changes

Closes #6329

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Summary by CodeRabbit

• Chores
  • Updated multiple third-party dependencies to newer patch/minor versions for compatibility and security.
• Performance / Stability
  • Improved HTTP client resource management by introducing an eviction-aware client pool to reduce leakage and improve stability and performance.
• Compatibility
  • No changes to public APIs or exported signatures.

[coderabbitai]

Walkthrough

Replaced a plain HTTP client map with an eviction-aware sync-lock map (24‑hour TTL) for retryablehttp.Client instances and updated dependency pins in go.mod. No public API signatures changed.

Changes

Cohort / File(s)	Summary
Dependency updates go.mod	Updated multiple direct and indirect dependency versions (examples: mholt/archives v0.1.3→v0.1.5, projectdiscovery/utils v0.6.0→v0.6.1-..., nwaples/rardecode/v2 v2.1.0→v2.2.1). Added/removed several indirect requirements; no public API signature changes.
HTTP client pool (eviction-aware) pkg/protocols/common/protocolstate/state.go	Added time import and replaced the previous HTTP client map with mapsutil.NewSyncLockMap, initialized with a 24‑hour inactivity TTL and a 12‑hour eviction interval; assigned to HTTPClientPool used by Dialers to allow automatic eviction of unused retryablehttp.Client instances.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Engine as Engine / Runner
    participant Pool as mapsutil.SyncLockMap\n(24h TTL, 12h interval)
    participant Client as retryablehttp.Client
    rect rgba(0,128,96,0.06)
    Note over Pool: Eviction operates asynchronously\nidle entries removed after 24h
    end
    Engine->>Pool: Get client by config key
    alt client exists
        Pool-->>Engine: return existing Client
    else client missing
        Pool->>Client: create new Client
        Pool-->>Engine: return new Client
    end
    Engine->>Client: perform HTTP requests
    Note right of Pool: Evicted entries are cleaned up\nand can be recreated on demand

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰
I swapped the old map for a cozy bed,
Twenty-four hours, then out it’s shed.
Clients nap, then wake when called,
No more clutter in the hall.
Hop on — the pool stays light and fed.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Linked Issues Check	⚠️ Warning	The linked issue #6329 specifies two requirements: include ExecutionId in configuration hashing for per-execution client cleanup, and implement an LRU policy to evict unused clients after inactivity. The code changes implement the LRU eviction policy requirement through the httpClientPool with 24-hour inactivity and 12-hour eviction intervals. However, there is no evidence in the changeset that ExecutionId has been incorporated into the configuration hashing mechanism as required. The PR only addresses one of the two stated objectives from the linked issue, leaving the execution-specific cleanup requirement unaddressed.	To fully resolve issue #6329, the PR should also incorporate ExecutionId into the configuration hashing mechanism alongside the implemented eviction policy. The current implementation addresses only the LRU policy aspect, not the per-execution client association and cleanup aspect specified in the issue's expected behavior.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "clean up pools after 24hours inactivity" is concise, clear, and directly describes the main change implemented in this pull request. The code changes show the addition of an httpClientPool with a 24-hour inactivity eviction policy and 12-hour eviction interval, which precisely matches what the title conveys. The title is specific enough for teammates to understand the primary change when scanning the commit history.
Out of Scope Changes Check	✅ Passed	The code changes consist of dependency updates in go.mod and modifications to pkg/protocols/common/protocolstate/state.go to implement the httpClientPool eviction mechanism. Both types of changes are directly related to implementing the 24-hour inactivity cleanup policy described in the linked issue. The dependency updates appear to be supporting dependencies (archives utilities, compression libraries) that likely enable the eviction policy functionality, and the state.go changes directly implement the core feature.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix-6329-clientpool

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between da316df and b9ce0c2.

📒 Files selected for processing (1)

• pkg/protocols/common/protocolstate/state.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Format Go code using go fmt
Run static analysis with go vet

Files:

• pkg/protocols/common/protocolstate/state.go

pkg/protocols/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Each protocol implementation must provide a Request interface with methods Compile(), ExecuteWithResults(), Match(), and Extract()

Files:

• pkg/protocols/common/protocolstate/state.go

🧬 Code graph analysis (1)

pkg/protocols/common/protocolstate/state.go (1)

pkg/protocols/common/protocolstate/dialers.go (1)

• Dialers (13-23)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Lint

🔇 Additional comments (2)

pkg/protocols/common/protocolstate/state.go (2)

8-8: LGTM! Import is necessary for eviction timing.

The time import is correctly added to support the time.Hour constants used in the eviction policy configuration.

---

187-187: Assignment is correct.

The httpClientPool is properly assigned to the HTTPClientPool field in the Dialers struct, matching the expected type from the struct definition.

Note: The resource cleanup issue with the pool itself is flagged separately above.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2db03a9 and 5557f4e.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod (2 hunks)
• pkg/protocols/common/protocolstate/state.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Format Go code using go fmt
Run static analysis with go vet

Files:

• pkg/protocols/common/protocolstate/state.go

pkg/protocols/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Each protocol implementation must provide a Request interface with methods Compile(), ExecuteWithResults(), Match(), and Extract()

Files:

• pkg/protocols/common/protocolstate/state.go

🧬 Code graph analysis (1)

pkg/protocols/common/protocolstate/state.go (1)

pkg/protocols/common/protocolstate/dialers.go (1)

• Dialers (13-23)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Tests (ubuntu-latest)
• GitHub Check: Tests (macOS-latest)
• GitHub Check: Tests (windows-latest)

🔇 Additional comments (3)

pkg/protocols/common/protocolstate/state.go (1)

8-8: LGTM!

The time import is necessary for the 24-hour eviction duration constant.

go.mod (2)

112-112: No issues found with the pseudo-version dependency.

The commit 27dede511f26 exists in the projectdiscovery/utils repository and corresponds to PR #686 ("Adding Evict Functionality"). No security advisories were detected. The dependency update is valid.

---

306-306: No action required—update fixes a moderate security vulnerability.

The version v2.2.1 exists and the update from v2.1.0 is beneficial. A moderate severity DoS vulnerability ("unrestricted RAR dictionary sizes") affected versions < 2.2.0 and was fixed in v2.2.0. The PR updates to v2.2.1, which includes this security patch.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify that evicted HTTP clients are properly cleaned up.

The implementation correctly creates a SyncLockMap with 24-hour eviction for HTTP client pooling. However, retryablehttp.Client instances may hold underlying resources (connections, goroutines) that require explicit cleanup.

Verify whether the eviction automatically closes the client's resources or if an eviction callback is needed:

If retryablehttp.Client requires explicit cleanup, consider adding an eviction callback:

httpClientPool := mapsutil.NewSyncLockMap(
	mapsutil.WithEviction[string, *retryablehttp.Client](24 * time.Hour),
	mapsutil.WithOnEviction[string, *retryablehttp.Client](func(key string, client *retryablehttp.Client) {
		if client != nil {
			client.HTTPClient.CloseIdleConnections()
		}
	}),
)

---

🏁 Script executed:

#!/bin/bash
# Search for Close methods and resource management in retryablehttp.Client

echo "Checking retryablehttp.Client for cleanup methods..."
ast-grep --pattern $'type Client struct {
  $$$
}'

echo -e "\nSearching for Close or cleanup methods..."
rg -nP --type=go -C3 'func.*Close|func.*Shutdown' -g 'retryablehttp*'

echo -e "\nChecking mapsutil.SyncLockMap eviction callback support..."
ast-grep --pattern $'func NewSyncLockMap($$$) {
  $$$
}'

rg -nP --type=go -C5 'eviction.*callback|OnEvict' -g '**/mapsutil/**' -g '**/utils/maps/**'

Length of output: 2638

---