Testing cgo-free jsluice

[Mzack9999]

Proposed changes

Closes #1367

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Summary by CodeRabbit

• Chores

  • Updated Go toolchain version and refreshed package dependencies for compatibility and performance improvements.

• Refactor

  • Optimized internal string formatting operations to reduce memory allocations.

[neo-by-projectdiscovery-dev]

Neo - PR Security Review

No security issues found

Highlights

• Consolidates goreleaser configuration from separate platform files into single .goreleaser.yml with CGO_ENABLED=0
• Adds SetBaseURL() function to capsolver package for test mocking (not exposed to user input)
• Refactors healthcheck and type formatting to use fmt.Fprintf with strings.Builder
• Updates jsluice dependency to Mzack9999 fork (CGO-free version)

Hardening Notes

• The SetBaseURL function in pkg/engine/headless/captcha/capsolver/capsolver.go is exported but only used in tests. Consider making it unexported (setBaseURL) or adding a build tag to restrict it to test builds only
• MD5 is used for DOM element hashing in pkg/engine/headless/types/types.go (lines 166, 209). While acceptable for fingerprinting, consider documenting that this is intentionally non-cryptographic to prevent future confusion

_{Comment @neo help for available commands. · Open in Neo}

[coderabbitai]

Walkthrough

Go module updated from 1.24.1 to 1.25.0. Dependencies refactored: jsluice replaced from BishopFox to Mzack9999 fork, and go-tree-sitter library swapped from smacker's CGO-dependent implementation to odvcencio's pure Go alternative. Multiple files optimized to use fmt.Fprintf directly instead of fmt.Sprintf intermediate allocations.

Changes

Cohort / File(s)	Summary
Dependency Management go.mod, pkg/utils/jsluice.go	Go toolchain upgraded to 1.25.0. Replaced github.com/smacker/go-tree-sitter (indirect) with pure-Go github.com/odvcencio/gotreesitter v0.6.1. Swapped jsluice dependency from BishopFox fork to Mzack9999 fork. Updated multiple indirect dependencies including golang.org/x modules.
String Building Optimizations internal/runner/healthcheck.go, pkg/engine/headless/types/types.go, pkg/engine/headless/captcha/helpers_test.go	Refactored string formatting from fmt.Sprintf() + WriteString() pattern to direct fmt.Fprintf() writes into strings.Builder objects, eliminating intermediate string allocations while preserving output identically.
HTTP Response Handling pkg/engine/headless/captcha/capsolver/capsolver.go	Refactored defer closure for response body close to explicitly ignore errors using blank identifiers in createTask and getTaskResult paths. Minor type declaration formatting alignment with no semantic changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hop-hop through dependencies so fine,
Pure Go solutions now align,
No CGO chains to bind us tight,
And Fprintf makes strings dance just right!
Cross-platform builds take lighter flight. ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Testing cgo-free jsluice' is vague and lacks context about the broader scope of changes, including Go version upgrades and dependency replacements beyond just jsluice testing.	Consider a more descriptive title such as 'Replace jsluice dependency and upgrade Go to support cgo-free builds' to better reflect all significant changes in this PR.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	The PR addresses the core requirement from issue #1367 by replacing the CGO-dependent go-tree-sitter with github.com/odvcencio/gotreesitter (pure-Go alternative) and updating related dependencies to enable CGO-free builds.
Out of Scope Changes check	✅ Passed	While the PR includes Go version bumps and other dependency updates beyond jsluice replacement, these appear to be necessary supporting changes for the CGO-free migration rather than unrelated modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat-tmp

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/runner/healthcheck.go (1)

72-80: ⚠️ Potential issue | 🟡 Minor

Fix the UDP/IPv4 port in the healthcheck output.

Line 72 probes scanme.sh:53, but Line 80 reports scanme.sh:80. That makes failures point users at the wrong endpoint.

Suggested fix

-	_, _ = fmt.Fprintf(&test, "UDP IPv4 connectivity to scanme.sh:80 => %s\n", testResult)
+	_, _ = fmt.Fprintf(&test, "UDP IPv4 connectivity to scanme.sh:53 => %s\n", testResult)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/runner/healthcheck.go` around lines 72 - 80, The healthcheck dials
UDP IPv4 to "scanme.sh:53" (net.Dial and u4), but the fmt.Fprintf line reports
":80"; update the healthcheck output string so it matches the actual probe
port—change the message in fmt.Fprintf that writes "UDP IPv4 connectivity to
scanme.sh:80" to report "scanme.sh:53" (leaving the probe logic using net.Dial
and variables u4/testResult unchanged).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@internal/runner/healthcheck.go`:
- Around line 72-80: The healthcheck dials UDP IPv4 to "scanme.sh:53" (net.Dial
and u4), but the fmt.Fprintf line reports ":80"; update the healthcheck output
string so it matches the actual probe port—change the message in fmt.Fprintf
that writes "UDP IPv4 connectivity to scanme.sh:80" to report "scanme.sh:53"
(leaving the probe logic using net.Dial and variables u4/testResult unchanged).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bceedeb5-11a3-4495-ad76-da944dbf3222

📥 Commits

Reviewing files that changed from the base of the PR and between 41299e4 and 52ec1b0.

⛔ Files ignored due to path filters (9)

• .github/workflows/build-test.yml is excluded by !**/*.yml
• .github/workflows/functional-test.yml is excluded by !**/*.yml
• .github/workflows/release-binary.yml is excluded by !**/*.yml
• .github/workflows/release-test.yml is excluded by !**/*.yml
• .github/workflows/security-crawl-maze-score.yaml is excluded by !**/*.yaml
• .goreleaser.yml is excluded by !**/*.yml
• .goreleaser/mac.yml is excluded by !**/*.yml
• .goreleaser/windows.yml is excluded by !**/*.yml
• go.sum is excluded by !**/*.sum

📒 Files selected for processing (6)

• go.mod
• internal/runner/healthcheck.go
• pkg/engine/headless/captcha/capsolver/capsolver.go
• pkg/engine/headless/captcha/helpers_test.go
• pkg/engine/headless/types/types.go
• pkg/utils/jsluice.go