From cc4f1d5947335c961d5c4dad2e15614234647ddd Mon Sep 17 00:00:00 2001
From: mesutoezdil <mesudozdil@gmail.com>
Date: Sat, 13 Jun 2026 12:00:26 +0200
Subject: [PATCH] fix(sbom): release lock before sleeping in _rate_limit

time.sleep was called inside the _rate_lock block, blocking all threads
from checking their own domain rate limit while one thread slept.
With _MAX_WORKERS=12 querying crates.io, npm, and pypi concurrently,
this made the thread pool effectively serial.

Move the sleep outside the lock so threads for different domains
can proceed concurrently.
---
 deploy/sbom/resolve_licenses.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/deploy/sbom/resolve_licenses.py b/deploy/sbom/resolve_licenses.py
index fbdfc5fa5..56d76ff2f 100644
--- a/deploy/sbom/resolve_licenses.py
+++ b/deploy/sbom/resolve_licenses.py
@@ -211,9 +211,9 @@ def _rate_limit(domain: str, interval: float = 0.15) -> None:
         now = time.time()
         last = _last_request.get(domain, 0)
         wait = interval - (now - last)
-        if wait > 0:
-            time.sleep(wait)
-        _last_request[domain] = time.time()
+        _last_request[domain] = now
+    if wait > 0:
+        time.sleep(wait)
 
 
 def _get_json(url: str, domain: str) -> dict | None: