Nodejs Best Practices

1---2name: nodejs-best-practices3description: "Node.js development principles and decision-making. Framework selection, async patterns, security, and architecture. Teaches thinking, not copying."4risk: unknown5source: community6date_added: "2026-02-27"7---8 9# Node.js Best Practices10 11> Principles and decision-making for Node.js development in 2025.12> **Learn to THINK, not memorize code patterns.**13 14## When to Use15Use this skill when making Node.js architecture decisions, choosing frameworks, designing async patterns, or applying security and deployment best practices.16 17---18 19## ⚠️ How to Use This Skill20 21This skill teaches **decision-making principles**, not fixed code to copy.22 23- ASK user for preferences when unclear24- Choose framework/pattern based on CONTEXT25- Don't default to same solution every time26 27---28 29## 1. Framework Selection (2025)30 31### Decision Tree32 33```34What are you building?35│36├── Edge/Serverless (Cloudflare, Vercel)37│   └── Hono (zero-dependency, ultra-fast cold starts)38│39├── High Performance API40│   └── Fastify (2-3x faster than Express)41│42├── Enterprise/Team familiarity43│   └── NestJS (structured, DI, decorators)44│45├── Legacy/Stable/Maximum ecosystem46│   └── Express (mature, most middleware)47│48└── Full-stack with frontend49    └── Next.js API Routes or tRPC50```51 52### Comparison Principles53 54| Factor | Hono | Fastify | Express |55|--------|------|---------|---------|56| **Best for** | Edge, serverless | Performance | Legacy, learning |57| **Cold start** | Fastest | Fast | Moderate |58| **Ecosystem** | Growing | Good | Largest |59| **TypeScript** | Native | Excellent | Good |60| **Learning curve** | Low | Medium | Low |61 62### Selection Questions to Ask:631. What's the deployment target?642. Is cold start time critical?653. Does team have existing experience?664. Is there legacy code to maintain?67 68---69 70## 2. Runtime Considerations (2025)71 72### Native TypeScript73 74```75Node.js 22+: --experimental-strip-types76├── Run .ts files directly77├── No build step needed for simple projects78└── Consider for: scripts, simple APIs79```80 81### Module System Decision82 83```84ESM (import/export)85├── Modern standard86├── Better tree-shaking87├── Async module loading88└── Use for: new projects89 90CommonJS (require)91├── Legacy compatibility92├── More npm packages support93└── Use for: existing codebases, some edge cases94```95 96### Runtime Selection97 98| Runtime | Best For |99|---------|----------|100| **Node.js** | General purpose, largest ecosystem |101| **Bun** | Performance, built-in bundler |102| **Deno** | Security-first, built-in TypeScript |103 104---105 106## 3. Architecture Principles107 108### Layered Structure Concept109 110```111Request Flow:112│113├── Controller/Route Layer114│   ├── Handles HTTP specifics115│   ├── Input validation at boundary116│   └── Calls service layer117│118├── Service Layer119│   ├── Business logic120│   ├── Framework-agnostic121│   └── Calls repository layer122│123└── Repository Layer124    ├── Data access only125    ├── Database queries126    └── ORM interactions127```128 129### Why This Matters:130- **Testability**: Mock layers independently131- **Flexibility**: Swap database without touching business logic132- **Clarity**: Each layer has single responsibility133 134### When to Simplify:135- Small scripts → Single file OK136- Prototypes → Less structure acceptable137- Always ask: "Will this grow?"138 139---140 141## 4. Error Handling Principles142 143### Centralized Error Handling144 145```146Pattern:147├── Create custom error classes148├── Throw from any layer149├── Catch at top level (middleware)150└── Format consistent response151```152 153### Error Response Philosophy154 155```156Client gets:157├── Appropriate HTTP status158├── Error code for programmatic handling159├── User-friendly message160└── NO internal details (security!)161 162Logs get:163├── Full stack trace164├── Request context165├── User ID (if applicable)166└── Timestamp167```168 169### Status Code Selection170 171| Situation | Status | When |172|-----------|--------|------|173| Bad input | 400 | Client sent invalid data |174| No auth | 401 | Missing or invalid credentials |175| No permission | 403 | Valid auth, but not allowed |176| Not found | 404 | Resource doesn't exist |177| Conflict | 409 | Duplicate or state conflict |178| Validation | 422 | Schema valid but business rules fail |179| Server error | 500 | Our fault, log everything |180 181---182 183## 5. Async Patterns Principles184 185### When to Use Each186 187| Pattern | Use When |188|---------|----------|189| `async/await` | Sequential async operations |190| `Promise.all` | Parallel independent operations |191| `Promise.allSettled` | Parallel where some can fail |192| `Promise.race` | Timeout or first response wins |193 194### Event Loop Awareness195 196```197I/O-bound (async helps):198├── Database queries199├── HTTP requests200├── File system201└── Network operations202 203CPU-bound (async doesn't help):204├── Crypto operations205├── Image processing206├── Complex calculations207└── → Use worker threads or offload208```209 210### Avoiding Event Loop Blocking211 212- Never use sync methods in production (fs.readFileSync, etc.)213- Offload CPU-intensive work214- Use streaming for large data215 216---217 218## 6. Validation Principles219 220### Validate at Boundaries221 222```223Where to validate:224├── API entry point (request body/params)225├── Before database operations226├── External data (API responses, file uploads)227└── Environment variables (startup)228```229 230### Validation Library Selection231 232| Library | Best For |233|---------|----------|234| **Zod** | TypeScript first, inference |235| **Valibot** | Smaller bundle (tree-shakeable) |236| **ArkType** | Performance critical |237| **Yup** | Existing React Form usage |238 239### Validation Philosophy240 241- Fail fast: Validate early242- Be specific: Clear error messages243- Don't trust: Even "internal" data244 245---246 247## 7. Security Principles248 249### Security Checklist (Not Code)250 251- [ ] **Input validation**: All inputs validated252- [ ] **Parameterized queries**: No string concatenation for SQL253- [ ] **Password hashing**: bcrypt or argon2254- [ ] **JWT verification**: Always verify signature and expiry255- [ ] **Rate limiting**: Protect from abuse256- [ ] **Security headers**: Helmet.js or equivalent257- [ ] **HTTPS**: Everywhere in production258- [ ] **CORS**: Properly configured259- [ ] **Secrets**: Environment variables only260- [ ] **Dependencies**: Regularly audited261 262### Security Mindset263 264```265Trust nothing:266├── Query params → validate267├── Request body → validate268├── Headers → verify269├── Cookies → validate270├── File uploads → scan271└── External APIs → validate response272```273 274---275 276## 8. Testing Principles277 278### Test Strategy Selection279 280| Type | Purpose | Tools |281|------|---------|-------|282| **Unit** | Business logic | node:test, Vitest |283| **Integration** | API endpoints | Supertest |284| **E2E** | Full flows | Playwright |285 286### What to Test (Priorities)287 2881. **Critical paths**: Auth, payments, core business2892. **Edge cases**: Empty inputs, boundaries2903. **Error handling**: What happens when things fail?2914. **Not worth testing**: Framework code, trivial getters292 293### Built-in Test Runner (Node.js 22+)294 295```296node --test src/**/*.test.ts297├── No external dependency298├── Good coverage reporting299└── Watch mode available300```301 302---303 304## 10. Anti-Patterns to Avoid305 306### ❌ DON'T:307- Use Express for new edge projects (use Hono)308- Use sync methods in production code309- Put business logic in controllers310- Skip input validation311- Hardcode secrets312- Trust external data without validation313- Block event loop with CPU work314 315### ✅ DO:316- Choose framework based on context317- Ask user for preferences when unclear318- Use layered architecture for growing projects319- Validate all inputs320- Use environment variables for secrets321- Profile before optimizing322 323---324 325## 11. Decision Checklist326 327Before implementing:328 329- [ ] **Asked user about stack preference?**330- [ ] **Chosen framework for THIS context?** (not just default)331- [ ] **Considered deployment target?**332- [ ] **Planned error handling strategy?**333- [ ] **Identified validation points?**334- [ ] **Considered security requirements?**335 336---337 338> **Remember**: Node.js best practices are about decision-making, not memorizing patterns. Every project deserves fresh consideration based on its requirements.339 340## Limitations341- Use this skill only when the task clearly matches the scope described above.342- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.343- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.