fix(osv): ensure singleton database instance (#41512)

* fix(osv): ensure singleton database instance

* Update lib/workers/repository/process/vulnerabilities.spec.ts

Co-authored-by: Jamie Tanna <jamie.tanna@mend.io>

---------

Co-authored-by: Jamie Tanna <jamie.tanna@mend.io>

Author: viceice

lib/workers/repository/process/vulnerabilities.spec.ts

@@ -24,8 +24,15 @@ vi.mock('@renovatebot/osv-offline', () => {
 
 describe('workers/repository/process/vulnerabilities', () => {
   describe('create()', () => {
-    it('works', async () => {
+    beforeEach(resetOsv);
+
+    it('works, and is a singleton', async () => {
+      createMock.mockResolvedValue({
+        getVulnerabilities: getVulnerabilitiesMock,
+      });
+      await expect(Vulnerabilities.create()).resolves.not.toThrow();
       await expect(Vulnerabilities.create()).resolves.not.toThrow();
+      expect(createMock).toHaveBeenCalledTimes(1);
     });
 
     it('throws when osv-offline error', async () => {
@@ -40,6 +47,7 @@ describe('workers/repository/process/vulnerabilities', () => {
     let vulnerabilities: Vulnerabilities;
 
     beforeAll(async () => {
+      resetOsv();
       createMock.mockResolvedValue({
         getVulnerabilities: getVulnerabilitiesMock,
       });
@@ -144,6 +152,7 @@ describe('workers/repository/process/vulnerabilities', () => {
     };
 
     beforeAll(async () => {
+      resetOsv();
       createMock.mockResolvedValue({
         getVulnerabilities: getVulnerabilitiesMock,
       });
@@ -1551,3 +1560,8 @@ describe('workers/repository/process/vulnerabilities', () => {
     });
   });
 });
+
+function resetOsv() {
+  // @ts-expect-error - reset the cached OSV client to avoid state leak between tests
+  Vulnerabilities.osvOffline = undefined;
+}

lib/workers/repository/process/vulnerabilities.ts

@@ -35,7 +35,9 @@ const { fromVector } = (_aeCvss as unknown as { default: typeof _aeCvss })
   .default;
 
 export class Vulnerabilities {
-  private osvOffline: OsvOffline | undefined;
+  private static osvOffline: Promise<OsvOffline> | undefined;
+
+  private osvOffline: OsvOffline;
 
   private static readonly datasourceEcosystemMap: Record<
     string,
@@ -53,17 +55,21 @@ export class Vulnerabilities {
     rubygems: 'RubyGems',
   };
 
-  private constructor() {
-    // private constructor
+  private constructor(osvOffline: OsvOffline) {
+    this.osvOffline = osvOffline;
   }
 
-  private async initialize(): Promise<void> {
-    this.osvOffline = await OsvOffline.create();
+  private static initialize(): Promise<OsvOffline> {
+    // no async here, so osv promise will only be created once
+    Vulnerabilities.osvOffline ??= OsvOffline.create();
+    return Vulnerabilities.osvOffline;
   }
 
   static async create(): Promise<Vulnerabilities> {
-    const instance = new Vulnerabilities();
-    await instance.initialize();
+    // intialize osv only once
+    const osvOffline = await Vulnerabilities.initialize();
+
+    const instance = new Vulnerabilities(osvOffline);
     return instance;
   }
 
@@ -180,7 +186,7 @@ export class Vulnerabilities {
     try {
       const osvVulnerabilities = await instrument(
         'get OSV vulnerabilities',
-        () => this.osvOffline?.getVulnerabilities(ecosystem, packageName),
+        () => this.osvOffline.getVulnerabilities(ecosystem, packageName),
         {
           attributes: {
             packageName,