Remove buffer pool

[ije]

No description provided.

[Copilot]

Pull request overview

Removes object pooling (buffers, build tasks, and fetch clients) across the server and updates call sites accordingly, simplifying lifecycle management and eliminating recycle/defer patterns.

Changes:

• Replaced newBuffer() (pooled bytes.Buffer) usages with direct &bytes.Buffer{} / bytes.NewBufferString(...) allocations.
• Removed BuildTask pooling in BuildQueue and switched to allocating tasks per request.
• Simplified internal/fetch.NewClient by removing client pooling and changing its signature (and removing the optional host allowlist logic).

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
server/server.go	Updates custom landing page fetch client creation to new fetch.NewClient signature.
server/router.go	Replaces pooled buffers with direct bytes.Buffer allocations and updates fetch client creation.
server/path.go	Updates PR version resolver to new fetch.NewClient signature (removes recycle defer).
server/npmrc.go	Updates registry fetch client creation to new fetch.NewClient signature.
server/legacy_router.go	Updates legacy fetch client creation to new fetch.NewClient signature.
server/git.go	Replaces pooled buffers used for exec.Cmd output capture; updates fetch client creation.
server/dts_transform.go	Switches DTS transform buffer creation to direct bytes.Buffer.
server/dts_lexer.go	Switches temporary buffer creation to direct bytes.Buffer.
server/cjs_module_lexer.go	Replaces pooled stdout/stderr buffers with direct bytes.Buffer allocations.
server/cache.go	Removes the global bufferPool and newBuffer() helper entirely.
server/build_queue.go	Removes BuildTask pooling and task recycling logic; allocates tasks directly.
server/build.go	Replaces pooled buffers with direct bytes.Buffer allocations when assembling output.
internal/fetch/fetch.go	Removes FetchClient pooling, changes NewClient signature, and removes host allowlist logic.

Comments suppressed due to low confidence (1)

server/build_queue.go:181

• These comments still refer to "recycling" the task and to task.ctx potentially being nil due to recycling, but the pooling/recycle logic was removed. Please update or remove the comments to reflect the new lifecycle so future readers aren't misled.

	// store wait channels before recycling the task
	waitChans := task.waitChans

	// send the build output
	output := BuildOutput{meta, err}
	for _, ch := range waitChans {
		if ch != nil {
			select {
			case ch <- output:
				// successfully sent
			default:
				// channel is full or closed, log the drop
				// Note: task.ctx might be nil here due to recycling, so we can't log the path
			}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

PR title indicates buffer pool removal, but this hunk also changes the internal/fetch API and removes the (optional) host allowlist/redirect restrictions. If this is intentional, it should be called out explicitly in the PR description/title since it changes security-related behavior and the fetch package surface area.

[Copilot]

NewClient no longer accepts/records an allowedHosts allowlist, and the host checks in both CheckRedirect and Fetch were removed. This drops the only built-in host restriction mechanism in internal/fetch (previously used as an SSRF mitigation); if host allowlisting is still desired anywhere, consider restoring this option (or adding an explicit host validation layer at call sites / a separate "restricted" client constructor).