Nodejs Best Practices

1---
2name: nodejs-best-practices
3description: Node.js development principles and decision-making. Framework selection, async patterns, security, and architecture. Teaches thinking, not copying.
4allowed-tools: Read, Write, Edit, Glob, Grep
5---
6 
7# Node.js Best Practices
8 
9> Principles and decision-making for Node.js development in 2025.
10> **Learn to THINK, not memorize code patterns.**
11 
12---
13 
14## ⚠️ How to Use This Skill
15 
16This skill teaches **decision-making principles**, not fixed code to copy.
17 
18- ASK user for preferences when unclear
19- Choose framework/pattern based on CONTEXT
20- Don't default to same solution every time
21 
22---
23 
24## 1. Framework Selection (2025)
25 
26### Decision Tree
27 
28```
29What are you building?
30│
31├── Edge/Serverless (Cloudflare, Vercel)
32│   └── Hono (zero-dependency, ultra-fast cold starts)
33│
34├── High Performance API
35│   └── Fastify (2-3x faster than Express)
36│
37├── Enterprise/Team familiarity
38│   └── NestJS (structured, DI, decorators)
39│
40├── Legacy/Stable/Maximum ecosystem
41│   └── Express (mature, most middleware)
42│
43└── Full-stack with frontend
44    └── Next.js API Routes or tRPC
45```
46 
47### Comparison Principles
48 
49| Factor | Hono | Fastify | Express |
50|--------|------|---------|---------|
51| **Best for** | Edge, serverless | Performance | Legacy, learning |
52| **Cold start** | Fastest | Fast | Moderate |
53| **Ecosystem** | Growing | Good | Largest |
54| **TypeScript** | Native | Excellent | Good |
55| **Learning curve** | Low | Medium | Low |
56 
57### Selection Questions to Ask:
581. What's the deployment target?
592. Is cold start time critical?
603. Does team have existing experience?
614. Is there legacy code to maintain?
62 
63---
64 
65## 2. Runtime Considerations (2025)
66 
67### Native TypeScript
68 
69```
70Node.js 22+: --experimental-strip-types
71├── Run .ts files directly
72├── No build step needed for simple projects
73└── Consider for: scripts, simple APIs
74```
75 
76### Module System Decision
77 
78```
79ESM (import/export)
80├── Modern standard
81├── Better tree-shaking
82├── Async module loading
83└── Use for: new projects
84 
85CommonJS (require)
86├── Legacy compatibility
87├── More npm packages support
88└── Use for: existing codebases, some edge cases
89```
90 
91### Runtime Selection
92 
93| Runtime | Best For |
94|---------|----------|
95| **Node.js** | General purpose, largest ecosystem |
96| **Bun** | Performance, built-in bundler |
97| **Deno** | Security-first, built-in TypeScript |
98 
99---
100 
101## 3. Architecture Principles
102 
103### Layered Structure Concept
104 
105```
106Request Flow:
107│
108├── Controller/Route Layer
109│   ├── Handles HTTP specifics
110│   ├── Input validation at boundary
111│   └── Calls service layer
112│
113├── Service Layer
114│   ├── Business logic
115│   ├── Framework-agnostic
116│   └── Calls repository layer
117│
118└── Repository Layer
119    ├── Data access only
120    ├── Database queries
121    └── ORM interactions
122```
123 
124### Why This Matters:
125- **Testability**: Mock layers independently
126- **Flexibility**: Swap database without touching business logic
127- **Clarity**: Each layer has single responsibility
128 
129### When to Simplify:
130- Small scripts → Single file OK
131- Prototypes → Less structure acceptable
132- Always ask: "Will this grow?"
133 
134---
135 
136## 4. Error Handling Principles
137 
138### Centralized Error Handling
139 
140```
141Pattern:
142├── Create custom error classes
143├── Throw from any layer
144├── Catch at top level (middleware)
145└── Format consistent response
146```
147 
148### Error Response Philosophy
149 
150```
151Client gets:
152├── Appropriate HTTP status
153├── Error code for programmatic handling
154├── User-friendly message
155└── NO internal details (security!)
156 
157Logs get:
158├── Full stack trace
159├── Request context
160├── User ID (if applicable)
161└── Timestamp
162```
163 
164### Status Code Selection
165 
166| Situation | Status | When |
167|-----------|--------|------|
168| Bad input | 400 | Client sent invalid data |
169| No auth | 401 | Missing or invalid credentials |
170| No permission | 403 | Valid auth, but not allowed |
171| Not found | 404 | Resource doesn't exist |
172| Conflict | 409 | Duplicate or state conflict |
173| Validation | 422 | Schema valid but business rules fail |
174| Server error | 500 | Our fault, log everything |
175 
176---
177 
178## 5. Async Patterns Principles
179 
180### When to Use Each
181 
182| Pattern | Use When |
183|---------|----------|
184| `async/await` | Sequential async operations |
185| `Promise.all` | Parallel independent operations |
186| `Promise.allSettled` | Parallel where some can fail |
187| `Promise.race` | Timeout or first response wins |
188 
189### Event Loop Awareness
190 
191```
192I/O-bound (async helps):
193├── Database queries
194├── HTTP requests
195├── File system
196└── Network operations
197 
198CPU-bound (async doesn't help):
199├── Crypto operations
200├── Image processing
201├── Complex calculations
202└── → Use worker threads or offload
203```
204 
205### Avoiding Event Loop Blocking
206 
207- Never use sync methods in production (fs.readFileSync, etc.)
208- Offload CPU-intensive work
209- Use streaming for large data
210 
211---
212 
213## 6. Validation Principles
214 
215### Validate at Boundaries
216 
217```
218Where to validate:
219├── API entry point (request body/params)
220├── Before database operations
221├── External data (API responses, file uploads)
222└── Environment variables (startup)
223```
224 
225### Validation Library Selection
226 
227| Library | Best For |
228|---------|----------|
229| **Zod** | TypeScript first, inference |
230| **Valibot** | Smaller bundle (tree-shakeable) |
231| **ArkType** | Performance critical |
232| **Yup** | Existing React Form usage |
233 
234### Validation Philosophy
235 
236- Fail fast: Validate early
237- Be specific: Clear error messages
238- Don't trust: Even "internal" data
239 
240---
241 
242## 7. Security Principles
243 
244### Security Checklist (Not Code)
245 
246- [ ] **Input validation**: All inputs validated
247- [ ] **Parameterized queries**: No string concatenation for SQL
248- [ ] **Password hashing**: bcrypt or argon2
249- [ ] **JWT verification**: Always verify signature and expiry
250- [ ] **Rate limiting**: Protect from abuse
251- [ ] **Security headers**: Helmet.js or equivalent
252- [ ] **HTTPS**: Everywhere in production
253- [ ] **CORS**: Properly configured
254- [ ] **Secrets**: Environment variables only
255- [ ] **Dependencies**: Regularly audited
256 
257### Security Mindset
258 
259```
260Trust nothing:
261├── Query params → validate
262├── Request body → validate
263├── Headers → verify
264├── Cookies → validate
265├── File uploads → scan
266└── External APIs → validate response
267```
268 
269---
270 
271## 8. Testing Principles
272 
273### Test Strategy Selection
274 
275| Type | Purpose | Tools |
276|------|---------|-------|
277| **Unit** | Business logic | node:test, Vitest |
278| **Integration** | API endpoints | Supertest |
279| **E2E** | Full flows | Playwright |
280 
281### What to Test (Priorities)
282 
2831. **Critical paths**: Auth, payments, core business
2842. **Edge cases**: Empty inputs, boundaries
2853. **Error handling**: What happens when things fail?
2864. **Not worth testing**: Framework code, trivial getters
287 
288### Built-in Test Runner (Node.js 22+)
289 
290```
291node --test src/**/*.test.ts
292├── No external dependency
293├── Good coverage reporting
294└── Watch mode available
295```
296 
297---
298 
299## 10. Anti-Patterns to Avoid
300 
301### ❌ DON'T:
302- Use Express for new edge projects (use Hono)
303- Use sync methods in production code
304- Put business logic in controllers
305- Skip input validation
306- Hardcode secrets
307- Trust external data without validation
308- Block event loop with CPU work
309 
310### ✅ DO:
311- Choose framework based on context
312- Ask user for preferences when unclear
313- Use layered architecture for growing projects
314- Validate all inputs
315- Use environment variables for secrets
316- Profile before optimizing
317 
318---
319 
320## 11. Decision Checklist
321 
322Before implementing:
323 
324- [ ] **Asked user about stack preference?**
325- [ ] **Chosen framework for THIS context?** (not just default)
326- [ ] **Considered deployment target?**
327- [ ] **Planned error handling strategy?**
328- [ ] **Identified validation points?**
329- [ ] **Considered security requirements?**
330 
331---
332 
333> **Remember**: Node.js best practices are about decision-making, not memorizing patterns. Every project deserves fresh consideration based on its requirements.
334