fix(guided remediation): reduce memory footprint by computing dependency subgraphs instead of chains #1538

Merged
merged 7 commits on Jan 30, 2025

Conversation

michaelkedar (Member)

Guided remediation had been using DependencyChains to track paths to a vulnerable package (for computing things like depth and which direct dependencies to relax). It was computing every possible path in the graph to a dependency, which grows roughly exponentially with depth / connectivity. This was using an unreasonable amount of memory on some particularly large/complex projects.

I've changed the logic to instead compute one DependencySubgraph - the set of nodes and edges that would contain every path to a dependency. This should significantly reduce memory usage (and cpu usage from allocs) when running on larger projects.

This change has touched quite a few places in the code, and the logic is a bit complex. I've tried my best to check that everything still behaves as expected.
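The two strategies described above, as an added example in Go that is not osv-scanner's code (the PR's ComputeChains, ComputeSubgraphs and DependencySubgraph are not reproduced; AllChains, ComputeSubgraph, bfs and the layered sample graph below are this example's own assumptions): it enumerates every root-to-vulnerable-package path the way chain tracking does, then builds the subgraph as the intersection of "reachable from root" and "can reach the target", so the amount of state is bounded by the graph size rather than by the number of paths.

```go
package main

import "fmt"

// Graph maps a package to the packages it depends on (constructed sample data,
// not derived from any real lockfile).
type Graph map[string][]string

// Edge is one directed dependency edge parent -> child.
type Edge struct{ From, To string }

// Subgraph is the set of nodes and edges lying on at least one root->target path.
// Root's children that appear in Nodes are the direct dependencies to relax.
type Subgraph struct {
	Nodes map[string]bool
	Edges []Edge
}

// AllChains enumerates every simple root->target path (the old approach). The
// count multiplies by the fan-out at each level, so memory is exponential in depth.
func AllChains(g Graph, root, target string) [][]string {
	var chains [][]string
	onPath := map[string]bool{root: true}
	var walk func(n string, path []string)
	walk = func(n string, path []string) {
		if n == target {
			chains = append(chains, append([]string(nil), path...)) // copy; path is reused
			return
		}
		for _, c := range g[n] {
			if !onPath[c] { // cycle guard: never revisit a node on the current path
				onPath[c] = true
				walk(c, append(path, c))
				delete(onPath, c)
			}
		}
	}
	walk(root, []string{root})
	return chains
}

// bfs returns the distance in edges from start to every node reachable from it;
// bfs(g, root)[target] is therefore the minimum depth of the vulnerable package.
func bfs(g Graph, start string) map[string]int {
	dist := map[string]int{start: 0}
	for queue := []string{start}; len(queue) > 0; queue = queue[1:] {
		for _, c := range g[queue[0]] {
			if _, seen := dist[c]; !seen {
				dist[c] = dist[queue[0]] + 1
				queue = append(queue, c)
			}
		}
	}
	return dist
}

// ComputeSubgraph keeps a node when it is reachable from root AND can reach
// target (BFS over reversed edges), and an edge when both endpoints are kept:
// two linear traversals instead of an exponential enumeration. On a DAG this is
// exactly the union of all root->target paths; with cycles it may also admit a
// node that reaches target only through a cycle, a safe over-approximation.
func ComputeSubgraph(g Graph, root, target string) Subgraph {
	rev := Graph{}
	for p, cs := range g {
		for _, c := range cs {
			rev[c] = append(rev[c], p)
		}
	}
	down, up := bfs(g, root), bfs(rev, target)
	sg := Subgraph{Nodes: map[string]bool{}}
	for n := range down {
		if _, ok := up[n]; ok {
			sg.Nodes[n] = true
		}
	}
	for p, cs := range g {
		for _, c := range cs {
			if sg.Nodes[p] && sg.Nodes[c] {
				sg.Edges = append(sg.Edges, Edge{p, c})
			}
		}
	}
	return sg
}

// sampleGraph is constructed: three fully connected layers of width 2 between
// root and vuln (2^3 = 8 chains, but only 8 nodes / 12 edges), plus a side
// branch root -> util -> leaf that never reaches vuln.
func sampleGraph() Graph {
	return Graph{
		"root": {"a1", "a2", "util"},
		"a1": {"b1", "b2"}, "a2": {"b1", "b2"},
		"b1": {"c1", "c2"}, "b2": {"c1", "c2"},
		"c1": {"vuln"}, "c2": {"vuln"},
		"util": {"leaf"},
	}
}

func main() {
	g := sampleGraph()
	sg := ComputeSubgraph(g, "root", "vuln")
	fmt.Printf("chains=%d nodes=%d edges=%d depth=%d util-kept=%v\n", len(AllChains(g, "root", "vuln")),
		len(sg.Nodes), len(sg.Edges), bfs(g, "root")["vuln"], sg.Nodes["util"])
}
```

Each additional fully connected layer of width w multiplies the chain count by w but adds only w nodes and w² edges to the subgraph, which is the asymmetry the PR is exploiting. On the constructed graph the direct dependencies to relax are root's children in sg.Nodes (a1 and a2; util is excluded because nothing under it reaches vuln).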

codecov-commenter commented Jan 28, 2025

Codecov Report

Attention: Patch coverage is 72.61905% with 69 lines in your changes missing coverage. Please review.

Project coverage is 69.31%. Comparing base (2821e79) to head (99cb285).

Files with missing lines Patch % Lines
internal/tui/dependency-graph.go 0.00% 49 Missing ⚠️
internal/resolution/dependency_subgraph.go 90.90% 10 Missing and 4 partials ⚠️
internal/resolution/resolve.go 50.00% 5 Missing ⚠️
internal/tui/vuln-info.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1538      +/-   ##
==========================================
+ Coverage   69.18%   69.31%   +0.12%     
==========================================
  Files         200      200              
  Lines       18989    19038      +49     
==========================================
+ Hits        13138    13196      +58     
+ Misses       5141     5135       -6     
+ Partials      710      707       -3     


cuixq (Contributor) commented Jan 28, 2025

Any statistics about how much memory usage improves?

michaelkedar (Member, Author)

> Any statistics about how much memory usage improves?

For a particularly gnarly package-lock.json (with almost 6000 packages), the old ComputeChains was allocating 130 GB (!!) vs the new ComputeSubgraphs allocating 4.5 MB, around 1/30000th. Total allocations are 137 GB vs 5 GB, mostly from writing the lockfile in-place.
(Not sure about how much was in use at any given time, just total allocations.)

cuixq (Contributor) left a review comment:

LGTM

oliverchang (Collaborator) left a review comment:

awesome optimization!

Review threads on internal/resolution/dependency_subgraph.go (resolved)

michaelkedar merged commit d8d794b into google:main on Jan 30, 2025
13 checks passed
4 participants