Analysis failing because of resources hoard when node_modules/ is present with lots of dependencies

[ilia-kebets-sonarsource]

It seems that our current implementation of dependencies inspection is quite resource hungry and could be optimized. When there are many of them, the analysis can timeout and fail as reported in this community ticket.

The current workaround is to analyze the code without its dependencies by simply deleting the node_modules/ folder before running the analysis.

However, we must optimize the dependencies inspection element. Some fixes can be:

• respect the sonar.exclusions for the dependencies folder traversal
• limit the dependencies search:
  • by depth: hardcoded or parametrizable
  • by some heuristic: ignore transitive ones

[vdiez]

package.json lookup already respects exclusions. Format to make it work should have been sonar.exclusions=**/node_modules/**, but it's already in the default exclusions

[vdiez]

reopen because minimatch was not matching against hidden folders (ie. .scannerwork). Most of the listed package.json files in the logs where from the bridge. In some cases from .pnpm.