Node.js Best Practices

<h1 align="center"> <img src="assets/images/banner-2.jpg" alt="Node.js Best Practices"/> </h1> <br/> <div align="center"> <img src="https://img.shields.io/badge/⚙%20Item%20count%20-%20102%20Best%20Practices-blue.svg" alt="102 items"/> <img id="last-update-badge" src="https://img.shields.io/badge/%F0%9F%93%85%20Last%20update%20-%20January%2024%2C%202023-green.svg" alt="Last update: January 3rd, 2024" /> <img src="https://img.shields.io/badge/ %E2%9C%94%20Updated%20For%20Version%20-%20Node%2022.0.0-brightgreen.svg" alt="Updated for Node 22.0.0"/> </div> <br/>

<img src="assets/images/twitter.svg" width="16" height="16" alt="" /> Follow us on Twitter! @nodepractices

<br/>

Read in a different language: CN, FR, BR, RU, PL, JA, EU (ES, HE, KR and TR in progress! )

<br/>

🎊 2024 edition is here!

• 🛰 Modernized to 2024: Tons of text edits, new recommended libraries, and some new best practices

• ✨ Easily focus on new content: Already visited before? Search for #new or #updated tags for new content only

• 🔖 Curious to see examples? We have a starter: Visit Practica.js, our application example and boilerplate (beta) to see some practices in action

<br/><br/>

Welcome! 3 Things You Ought To Know First

1. You are reading dozens of the best Node.js articles - this repository is a summary and curation of the top-ranked content on Node.js best practices, as well as content written here by collaborators

2. It is the largest compilation, and it is growing every week - currently, more than 80 best practices, style guides, and architectural tips are presented. New issues and pull requests are created every day to keep this live book updated. We'd love to see you contributing here, whether that is fixing code mistakes, helping with translations, or suggesting brilliant new ideas. See our writing guidelines here

3. Best practices have additional info - most bullets include a 🔗Read More link that expands on the practice with code examples, quotes from selected blogs, and more information

<br/><br/>

By Yoni Goldberg

Learn with me: As a consultant, I engage with worldwide teams on various activities like workshops and code reviews. 🎉AND... Hold on, I've just launched my beyond-the-basics testing course, which is on a 🎁 limited-time sale until August 7th

<br/><br/>

Table of Contents

<details> <summary> <a href="#1-project-architecture-practices">1. Project Architecture Practices (6)</a> </summary>

  1.1 Structure your solution by components #strategic #updated</br>   1.2 Layer your components, keep the web layer within its boundaries #strategic #updated</br>   1.3 Wrap common utilities as packages, consider publishing</br>   1.4 Use environment aware, secure and hierarchical config #updated</br>   1.5 Consider all the consequences when choosing the main framework #new</br>   1.6 Use TypeScript sparingly and thoughtfully #new</br>

</details> <details> <summary> <a href="#2-error-handling-practices">2. Error Handling Practices (12)</a> </summary>

  2.1 Use Async-Await or promises for async error handling</br>   2.2 Extend the built-in Error object #strategic #updated</br>   2.3 Distinguish operational vs programmer errors #strategic #updated</br>   2.4 Handle errors centrally, not within a middleware #strategic</br>   2.5 Document API errors using OpenAPI or GraphQL</br>   2.6 Exit the process gracefully when a stranger comes to town #strategic</br>   2.7 Use a mature logger to increase errors visibility #updated</br>   2.8 Test error flows using your favorite test framework #updated</br>   2.9 Discover errors and downtime using APM products</br>   2.10 Catch unhandled promise rejections #updated</br>   2.11 Fail fast, validate arguments using a dedicated library</br>   2.12 Always await promises before returning to avoid a partial stacktrace #new</br>   2.13 Subscribe to event emitters 'error' event #new</br>

</details> <details> <summary> <a href="#3-code-patterns-and-style-practices">3. Code Style Practices (12)</a> </summary>

  3.1 Use ESLint #strategic</br>   3.2 Use Node.js eslint extension plugins #updated</br>   3.3 Start a Codeblock's Curly Braces on the Same Line</br>   3.4 Separate your statements properly</br>   3.5 Name your functions</br>   3.6 Use naming conventions for variables, constants, functions and classes</br>   3.7 Prefer const over let. Ditch the var</br>   3.8 Require modules first, not inside functions</br>   3.9 Set an explicit entry point to a module/folder #updated</br>   3.10 Use the === operator</br>   3.11 Use Async Await, avoid callbacks #strategic</br>   3.12 Use arrow function expressions (=>)</br>   3.13 Avoid effects outside of functions #new</br>

</details> <details> <summary> <a href="#4-testing-and-overall-quality-practices">4. Testing And Overall Quality Practices (13)</a> </summary>

  4.1 At the very least, write API (component) testing #strategic</br>   4.2 Include 3 parts in each test name #new</br>   4.3 Structure tests by the AAA pattern #strategic</br>   4.4 Ensure Node version is unified #new</br>   4.5 Avoid global test fixtures and seeds, add data per-test #strategic</br>   4.6 Tag your tests #advanced</br>   4.7 Check your test coverage, it helps to identify wrong test patterns</br>   4.8 Use production-like environment for e2e testing</br>   4.9 Refactor regularly using static analysis tools</br>   4.10 Mock responses of external HTTP services #advanced #new #advanced</br>   4.11 Test your middlewares in isolation</br>   4.12 Specify a port in production, randomize in testing #new</br>   4.13 Test the five possible outcomes #strategic #new</br>

</details> <details> <summary> <a href="#5-going-to-production-practices">5. Going To Production Practices (19)</a> </summary>

  5.1. Monitoring #strategic</br>   5.2. Increase the observability using smart logging #strategic</br>   5.3. Delegate anything possible (e.g. gzip, SSL) to a reverse proxy #strategic</br>   5.4. Lock dependencies</br>   5.5. Guard process uptime using the right tool</br>   5.6. Utilize all CPU cores</br>   5.7. Create a ‘maintenance endpoint’</br>   5.8. Discover the unknowns using APM products #advanced #updated</br>   5.9. Make your code production-ready</br>   5.10. Measure and guard the memory usage #advanced</br>   5.11. Get your frontend assets out of Node</br>   5.12. Strive to be stateless #strategic</br>   5.13. Use tools that automatically detect vulnerabilities</br>   5.14. Assign a transaction id to each log statement #advanced</br>   5.15. Set NODE_ENV=production</br>   5.16. Design automated, atomic and zero-downtime deployments #advanced</br>   5.17. Use an LTS release of Node.js</br>   5.18. Log to stdout, avoid specifying log destination within the app #updated</br>   5.19. Install your packages with npm ci #new</br>

</details> <details> <summary> <a href="#6-security-best-practices">6. Security Practices (25)</a> </summary>

  6.1. Embrace linter security rules</br>   6.2. Limit concurrent requests using a middleware</br>   6.3 Extract secrets from config files or use packages to encrypt them #strategic</br>   6.4. Prevent query injection vulnerabilities with ORM/ODM libraries #strategic</br>   6.5. Collection of generic security best practices</br>   6.6. Adjust the HTTP response headers for enhanced security</br>   6.7. Constantly and automatically inspect for vulnerable dependencies #strategic</br>   6.8. Protect Users' Passwords/Secrets using bcrypt or scrypt #strategic</br>   6.9. Escape HTML, JS and CSS output</br>   6.10. Validate incoming JSON schemas #strategic</br>   6.11. Support blocklisting JWTs</br>   6.12. Prevent brute-force attacks against authorization #advanced</br>   6.13. Run Node.js as non-root user</br>   6.14. Limit payload size using a reverse-proxy or a middleware</br>   6.15. Avoid JavaScript eval statements</br>   6.16. Prevent evil RegEx from overloading your single thread execution</br>   [6.17. Avoid module loading using a