fix: 修复CodeQL检测到的代码问题

scripts/update-module-sizes.mjs

@@ -36,25 +36,33 @@ function updateModuleSizes() {
         }
 
         try {
-            // Read module.json first
+            // Get actual file size first (independent of module.json)
-            const content = fs.readFileSync(moduleJsonPath, 'utf-8');
-            const moduleJson = JSON.parse(content);
-            const oldSize = moduleJson.estimatedSize;
-
-            // Get actual file size
             const stat = fs.statSync(distIndexPath);
             const actualSize = stat.size;
 
+            // Use file descriptor to atomically read and write module.json
+            // This prevents TOCTOU race condition
+            const fd = fs.openSync(moduleJsonPath, 'r+');
+            try {
+                const content = fs.readFileSync(fd, 'utf-8');
+                const moduleJson = JSON.parse(content);
+                const oldSize = moduleJson.estimatedSize;
+
                 // Update if different
                 if (oldSize !== actualSize) {
                     moduleJson.estimatedSize = actualSize;
                     const newContent = JSON.stringify(moduleJson, null, 2) + '\n';
-                fs.writeFileSync(moduleJsonPath, newContent, 'utf-8');
+                    // Truncate and write using the same file descriptor
+                    fs.ftruncateSync(fd, 0);
+                    fs.writeSync(fd, newContent, 0, 'utf-8');
                     const oldKB = oldSize ? (oldSize / 1024).toFixed(1) : 'N/A';
                     const newKB = (actualSize / 1024).toFixed(1);
                     console.log(`  ${pkg}: ${oldKB} KB -> ${newKB} KB`);
                     updated++;
                 }
+            } finally {
+                fs.closeSync(fd);
+            }
         } catch (err) {
             console.error(`  Error processing ${pkg}:`, err.message);
         }