":j.tabReplace?n.replace(/\t/g,j.tabReplace):""}):e}function d(e,n,t){var r=n?y[n]:t,a=[e.trim()];return e.match(/\bhljs\b/)||a.push("hljs"),-1===e.indexOf(r)&&a.push(r),a.join(" ").trim()}function h(e){var n,t,r,o,s,l=i(e);a(l)||(j.useBR?(n=document.createElementNS("http://www.w3.org/1999/xhtml","div"),n.innerHTML=e.innerHTML.replace(/\n/g,"").replace(/
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/README.hebrew.md b/README.hebrew.md
new file mode 100644
index 000000000..22d5ce0ba
--- /dev/null
+++ b/README.hebrew.md
@@ -0,0 +1,1927 @@
+[โ]: assets/images/checkbox-small-blue.png
+
+# ืฉืืืืช ืขืืืื ืืืืืฆืืช ื Node.js
+
+
+ 
+
+
++ +
+ 
+
+
+
++ +[
](https://twitter.com/nodepractices/) **ืขืืงืื ืืืจืื ื ืืืืืืืจ!** [**@nodepractices**](https://twitter.com/nodepractices/)
++**:writing_hand: ืชืืจืื ืขื ืืื [ืืื ืืืืจ](https://github.com/hodbauer)** +
+ +ืืงืจืืื ืืฉืคืืช ื ืืกืคืืช: [**ืกืื ืืช**](./README.chinese.md), [**ืฆืจืคืชืืช**](./README.french.md), [**ืคืืจืืืืืืช**](./README.brazilian-portuguese.md), [**ืจืืกืืช**](./README.russian.md), [**ืคืืื ืืช**](./README.polish.md), [**ืืคื ืืช**](./README.japanese.md), [**ืืืกืงืืช**](./README.basque.md) [(**ืกืคืจืืืช**, **ืขืืจืืช**, **ืงืืจืืื ืืช** ื **ืืืจืงืืช** ืืชืืืื! )](#translations) + +
+ +# Latest Best Practices and News + +- **๐ฐ 2023 edition is released soon**: We're now writing the next edition, stay tuned? + +- **โจ 89,000 stars**: Blushing, surprised and proud! + +- **๐ New menu and tags**: Our menu is collapsible now and includes `#tags`. New visitors can read `#strategic` items first. Returning visitors can focus on `#new` content. Seniors can filter for `#advanced` items. Courtesy of the one and only [Rubek Joshi](https://github.com/rubek-joshi) + +- ** French translation!1! :** The latest translation that joins our international guide is French. Bienvenue + +
+ +# ืืจืืืื ืืืืื! ืฉืืืฉื ืืืจืื ืฉืืืื ืืืขืช ืืคื ื ืฉืืืืืื ืืื + +**1. ืื ืื ืงืืจืืื ืขืฉืจืืช ืืืืจืื ืฉื ืฉืืืืช ืืขืืืื ืืืืืืฆืืช ื Node.js -** ืืืืืจ ืืื ืืื ืกืืืื ืื ืืกืืื ืืคื ืฉื ืฉืืืืช ืืขืืืื ืืืืืืฆืืช ื Node.js , ืืื ืื ืืื ื ืขืฉื ืขื ืืฉืืชืืฃ ืคืขืืื. + +**2. ืืื ืืืืกืฃ ืืืืื ืืืืชืจ, ืืืื ืืืฉืื ืืืืื ืื ืฉืืืข -** ื ืืื ืืจืืข ืื, ืืฉ ืืืขืื ื 100 ืฉืืืืช ืขืืืื ืืืืืฆืืช, ืืืืฆืืช ืืจืืืืงืืืจื ืืืืืฆืืช ืกืื ืื ืืชืืื. ื ืืฉืืื ืืืฉืื ืืืงืฉืืช ืืืฉืืช (PR's) ืืชืืืกืคืื ืื ืืื ืืืืจื ืืฉืืืจ ืืช ืืชืืื ืืขืืืื. ืื ืื ื ื ืฉืื ืืจืืืชืื ืชืืจืืื ืืคื, ืืื ืื ืืชืงื ืฉืืืืืช ืงืื, ืขืืจื ืืชืจืืื, ืื ืืืฆืืข ืจืขืืื ืืช ืืืจืืงืื ืืืฉืื. ืจืื ืืช [ืืืืจืื ืืืชืืืช ืื ืืืืช](./.operations/writing-guidelines.md). + +**3. ืฉืืืืช ืืขืืืื ืืืืืืช ืืืืข ื ืืกืฃ -** ืจืื ืื ืงืืืืช ืืืืืืช ืงืืฉืืจ **๐ืืงืจืืื ื ืืกืคืช** ืฉืืจืืื ืขื ืืื ืืืืืืืช ืงืื, ืฆืืืืืื ืืืืืืื ื ืืืจืื ืืืืืข ื ืืกืฃ. + +
+ +# ืืืช ืืื ื ืืืืืืจื + +### ืืืืื ืืืชื: ืืืืขืฅ, ืื ื ื ืคืืฉ ืขื ืงืืืฆืืช ืืื ืืขืืื ืืืืืื ืคืขืืืืช ืืื ืกืื ืืืช ืืืขืืจ ืขื ืงืื. ๐ ืืืืจืื ื ืคืจืกืืชื ืืช [ืืงืืจืก ืืืชืงืื ืืืชืืืช ืืืืงืืช](https://testjavascript.com/) + +
+## ืชืืื ืืขื ืืื ืื + +
+
+
++ 1. ืืื ื ืืคืจืืืืงื (6) +
+ + [1.1 ืื ื ืืช ืืคืจืืืืงื ืืคื ืจืืืืื ืขืกืงืืื `#strategic` `#updated`](#-11-structure-your-solution-by-business-components) + [1.2 ืืืืงืช ืืจืืืืื ื3 ืฉืืืืช, ืฉืืืจื ืขื ืฉืืืช ืืืื ืืืืืืืชืื `#strategic` `#updated`](#-12-layer-your-components-with-3-tiers-keep-the-web-layer-within-its-boundaries) + [1.3 ืขืืคื ืืืื ืืฉืืชืคืื ืืืืืืืช, ืฉืงืื ืืช ืืคืฆืชื](#-13-wrap-common-utilities-as-packages-consider-publishing) + [1.4 ืืฉืชืืฉื ืืงืื ืคืืืืจืฆืื ืขื ืืฉืชื ื ืกืืืื ืืืืคื ืืืืข, ืืืืืื ืืืืจืจืื `#updated`](#-14-use-environment-aware-secure-and-hierarchical-config) + [1.5 ืฉืงืื ืืช ืื ืืืฉืืืืช ืืขืช ืืืืจืช ืืกืืจืช `#new`](#-15-consider-all-the-consequences-when-choosing-the-main-framework) + [1.6 ืืฉืชืืฉื ื-TypeScript ืืืืืชืืืช ืืืฆืืจื ืืืฉืืืช `#new`](#-16-use-typescript-sparingly-and-thoughtfully) + +
+
+
++ 2. ื ืืืื ืฉืืืืืช (12) +
+ + [2.1 ืืฉืชืืฉื ื Async-Await ืื ืืืืืืช ืื ืืืื ืฉืืืืืช ืืกืื ืืจืื ืืืช](#-21-use-async-await-or-promises-for-async-error-handling) + [2.2 ืืจืืืื ืืช ืืื ื ืืืืืงื ืืฉืืืื ืืืืื ื Error `#strategic` `#updated`](#-22-extend-the-built-in-error-object) + [2.3 ืืืืื ื ืืื ืฉืืืืืช ืงืืกืืจืืคืืืืช ืืืื ืฉืืืืืช ืชืคืขืืืืืช `#strategic` `#updated`](#-23-distinguish-catastrophic-errors-from-operational-errors) + [2.4 ื ืืื ืืช ืืฉืืืืืช ืืืจืืื ืืื ืืืืฆืขืืช ืืื ืืื ืืื `#strategic`](#-24-handle-errors-centrally-not-within-a-middleware) + [2.5 ืชืขืื ืืช ืฉืืืืืช ื-API ืืืืฆืขืืช OpenAPI ืื GraphQL](#-25-document-api-errors-using-openapi-or-graphql) + [2.6 ืืืจืืื ืืช ืืชืืืื ืืฆืืจื ืืกืืืจืช ืืืฉืจ ืืจ ืื ืืืงืจ `#strategic`](#-26-exit-the-process-gracefully-when-a-stranger-comes-to-town) + [2.7 ืืฉืชืืฉื ื-Logger ืืืืจ ืืืืื ืืื ืืืืืื ืืช ืืงึฐืจึดืืืึผืช ืฉื ืืฉืืืืืช `#updated`](#-27-use-a-mature-logger-to-increase-errors-visibility) + [2.8 ืืืืงื ืืช ืชืืืืช ืืืขืจืืช ืืฉืืืืืช ืขื ืืื ืฉืืืืฉ ืืืื ืืืืืงืืช ืืืืื ืขืืืื `#updated`](#-28-test-error-flows-using-your-favorite-test-framework) + [2.9 ืืื ืฉืืืืืช ืืืื ื ืืฉืืชื ืขื ืืื ืฉืืืืฉ ืืืื APM](#-29-discover-errors-and-downtime-using-apm-products) + [2.10 ืชืคืกื ืืงืจืื ืื ืืืืคืืื ืฉื ืืืืืช ืฉื ืืืืืืช `#updated`](#-210-catch-unhandled-promise-rejections) + [2.11 ืืืืฉืื ืืืจ, ืืืื ืืช ืืฉืชื ื ืืงืื ืืืืฆืขืืช ืกืคืจืื ืืขืืืืช](#-211-fail-fast-validate-arguments-using-a-dedicated-library) + [2.12 ืชืืื ืืืชืื ื ืืชืฉืืื ืืืืืืืืช ืืคื ื ืฉืืชื ืืขืืืจืื ืืช ืืชืฉืืื ืืืื ืืื ืืืืื ืข ืืืขืงื ืืืงื `#new`](#-212-always-await-promises-before-returning-to-avoid-a-partial-stacktrace) + +
+
+
++ 3. ืชืื ืืืช ืงืื ืืกืื ืื ืขืืฆืื (13) +
+ + [3.1 ืืฉืชืืฉื ื-ESLint `#strategic`](#-31-use-eslint) + [3.2 ืืฉืชืืฉื ืืชืืกืคืื ืฉื Node.js ืฉืืจืืืืื ืืช ESLint `#updated`](#-32-use-nodejs-eslint-extension-plugins) + [3.3 ืืชืืืื ืืืืง ืฉื ืงืื ืขื ืกืืืจืืื ืืกืืืกืืื ืืืืชื ืืฉืืจื](#-33-start-a-codeblocks-curly-braces-on-the-same-line) + [3.4 ืืคืจืืื ืืื ืืืฆืืจืืช ืืฉืื ืืช ืืฆืืจื ืชืงื ืืช](#-34-separate-your-statements-properly) + [3.5 ืชื ื ืืคืื ืงืฆืื ืฉื](#-35-name-your-functions) + [3.6 ืืฉืชืืฉื ืืืืกืืืืช ืงืืืขืืช ืืืชื ืฉืืืช ืืืฉืชื ืื, ืืงืืืขืื, ืืคืื ืงืฆืืืช ืืืืืืงืืช](#-36-use-naming-conventions-for-variables-constants-functions-and-classes) + [3.7 ืืขืืืคื const ืขื ืคื ื let. ื ืืืฉื ืืช var](#-37-prefer-const-over-let-ditch-the-var) + [3.8 ืืขื ื ืืืืืืื ืืชืืืื, ืืื ืืงืจืืื ืืคืื ืงืฆืืืช](#-38-require-modules-first-not-inside-functions) + [3.9 ืืืืืจื ืื ืืกื ืืกืืืจืช ืืกืคืจืื ืฉืืื `#updated`](#-39-set-an-explicit-entry-point-to-a-modulefolder) + [3.10 ืืฉืชืืฉื ืืืืคืจืืืจ `===`](#-310-use-the--operator) + [3.11 ืืฉืชืืฉื ื-Async Await, ืืื ืขื ื-callbacks `#strategic`](#-311-use-async-await-avoid-callbacks) + [3.12 ืืฉืชืืฉื ืืคืื ืงืฆืืืช ืืฅ (=>)](#-312-use-arrow-function-expressions-) + [3.13 ืืืื ืขื ืืืฉืคืขืืช ืฆืืืืืช ืืืืฅ ืืคืื ืงืฆืืืช `#new`](#-313-avoid-effects-outside-of-functions) + +
+
+
++ 4. ืืืืงืืช ืืืงืจืช ืืืืืช (13) +
+ + [4.1 ืืคืืืช, ืืืชืื ืืืืงืืช API ืืจืืืืื ืืฉืื ืื `#strategic`](#-41-at-the-very-least-write-api-component-testing) + [4.2 ืกืืืื 3 ืืืงืื ืืืชื ืฉื ืืื ืืืืงื `#new`](#-42-include-3-parts-in-each-test-name) + [4.3 ืืืงื ืืช ืืืืืงืืช ืืคื ืชืื ืืช ื-AAA `#strategic`](#-43-structure-tests-by-the-aaa-pattern) + [4.4 ืืืืื ืื ืืจืกืช ื-Node ืืืืื `#new`](#-44-ensure-node-version-is-unified) + [4.5 ืืืื ืขื ืืืชืืื ืืืืข ืืจืขืื ื ืืฉืืชืฃ, ืืืืืจื ืืคื ืฆืืจื ืฉื ืืืืงื `#strategic`](#-45-avoid-global-test-fixtures-and-seeds-add-data-per-test) + [4.6 ืชืืืื ืืช ืืืืืงืืช `#advanced`](#-46-tag-your-tests) + [4.7 ืืืืงื ืืช ืจืืช ืืืกืื ืืืืืงืืช ืฉืืื, ืื ืืขืืืจ ืืืืืช ืืคืืกื ืืืืงืืช ืฉืืืืื](#-47-check-your-test-coverage-it-helps-to-identify-wrong-test-patterns) + [4.8 Use production-like environment for e2e testing](#-48-use-production-like-environment-for-e2e-testing) + [4.9 ืฉืืชืื ืืช ืืงืื ืืืืคื ืงืืืข ืืขืืจืช ืืื ื ืืชืื ืกืืื](#-49-refactor-regularly-using-static-analysis-tools) + [4.10 ืืืืืืช ืชืฉืืืืช ืฉื ืฉืจืชื HTTP ืืืฆืื ืืื `#new` `#advanced`](#-410-mock-responses-of-external-http-services) + [4.11 ืืืงื ืืช ืคืื ืงืฆืืืช ืืืื ืืื ืื ืคืจื](#-411-test-your-middlewares-in-isolation) + [4.12 ืงืืขื ืืช ืืคืืจื ืืืืฆืืจ, ืืืืืจื ืืงืจืื ืืืืืงืืช `#new`](#-412-specify-a-port-in-production-randomize-in-testing) + [4.13 ืืืืงื ืืช ืืืฉืช ืืชืืฆืืืช ืืืคืฉืจืืืช `#strategic` `#new`](#-413-test-the-five-possible-outcomes) + +
+
+
++ 5. ืขืืืื ืืืืืืจ (19) +
+ + [5.1. ื ืืืืจ `#strategic`](#-51-monitoring) + [5.2. ืืืืืื ืืช ืืืืืช ืืฆืคืืื ืืขืืจืช ืืืืื ืืืืืชืืื `#strategic`](#-52-increase-the-observability-using-smart-logging) + [5.3. ืืืฆืืื ืื ืื ืฉืืคืฉืจ (ืืืืืื gzip, SSL) ืืฉืืจืืช ื ืคืจื `#strategic`](#-53-delegate-anything-possible-eg-gzip-ssl-to-a-reverse-proxy) + [5.4. ืงืืืืข ืชืืืืืช](#-54-lock-dependencies) + [5.5. ืืืืืื ืืช ืืืื ืืช ืืืขืจืืช ืืขืืจืช ืืืื ืืืชืืื](#-55-guard-process-uptime-using-the-right-tool) + [5.6. ืืฉืชืืฉื ืืื ืืขืืื ื-CPU](#-56-utilize-all-cpu-cores) + [5.7. ืชืืฆืจื โmaintenance endpointโ](#-57-create-a-maintenance-endpoint) + [5.8. ืืื ืืช ืืื ืืืืข ืืขืืจืช ืืืฆืจื APM `#advanced` `#updated`](#-58-discover-the-unknowns-using-apm-products) + [5.9. ืืชืื ืืช ืืงืื ืืืชืื ืืืชืงื ื](#-59-make-your-code-production-ready) + [5.10. ืืืื ืืฉืืืจื ืืช ื ืืฆืื ืืืืืจืื `#advanced`](#-510-measure-and-guard-the-memory-usage) + [5.11. Get your frontend assets out of Node](#-511-get-your-frontend-assets-out-of-node) + [5.12. Strive to be stateless `#strategic`](#-512-strive-to-be-stateless) + [5.13. Use tools that automatically detect vulnerabilities](#-513-use-tools-that-automatically-detect-vulnerabilities) + [5.14. Assign a transaction id to each log statement `#advanced`](#-514-assign-a-transaction-id-to-each-log-statement) + [5.15. Set NODE_ENV=production](#-515-set-node_envproduction) + [5.16. Design automated, atomic and zero-downtime deployments `#advanced`](#-516-design-automated-atomic-and-zero-downtime-deployments) + [5.17. Use an LTS release of Node.js](#-517-use-an-lts-release-of-nodejs) + [5.18. Log to stdout, avoid specifying log destination within the app](#-518-log-to-stdout-avoid-specifying-log-destination-within-the-app) + [5.19. Install your packages with npm ci `#new`](#-519-install-your-packages-with-npm-ci) + +
+
+
++ 6. ืืืืื (27) +
+ + [6.1. Embrace linter security rules](#-61-embrace-linter-security-rules) + [6.2. Limit concurrent requests using a middleware](#-62-limit-concurrent-requests-using-a-middleware) + [6.3 Extract secrets from config files or use packages to encrypt them `#strategic`](#-63-extract-secrets-from-config-files-or-use-packages-to-encrypt-them) + [6.4. Prevent query injection vulnerabilities with ORM/ODM libraries `#strategic`](#-64-prevent-query-injection-vulnerabilities-with-ormodm-libraries) + [6.5. Collection of generic security best practices](#-65-collection-of-generic-security-best-practices) + [6.6. Adjust the HTTP response headers for enhanced security](#-66-adjust-the-http-response-headers-for-enhanced-security) + [6.7. Constantly and automatically inspect for vulnerable dependencies `#strategic`](#-67-constantly-and-automatically-inspect-for-vulnerable-dependencies) + [6.8. Protect Users' Passwords/Secrets using bcrypt or scrypt `#strategic`](#-68-protect-users-passwordssecrets-using-bcrypt-or-scrypt) + [6.9. Escape HTML, JS and CSS output](#-69-escape-html-js-and-css-output) + [6.10. Validate incoming JSON schemas `#strategic`](#-610-validate-incoming-json-schemas) + [6.11. Support blocklisting JWTs](#-611-support-blocklisting-jwts) + [6.12. Prevent brute-force attacks against authorization `#advanced`](#-612-prevent-brute-force-attacks-against-authorization) + [6.13. Run Node.js as non-root user](#-613-run-nodejs-as-non-root-user) + [6.14. Limit payload size using a reverse-proxy or a middleware](#-614-limit-payload-size-using-a-reverse-proxy-or-a-middleware) + [6.15. Avoid JavaScript eval statements](#-615-avoid-javascript-eval-statements) + [6.16. Prevent evil RegEx from overloading your single thread execution](#-616-prevent-evil-regex-from-overloading-your-single-thread-execution) + [6.17. Avoid module loading using a variable](#-617-avoid-module-loading-using-a-variable) + [6.18. Run unsafe code in a sandbox](#-618-run-unsafe-code-in-a-sandbox) + [6.19. Take extra care when working with child processes `#advanced`](#-619-take-extra-care-when-working-with-child-processes) + [6.20. Hide error details from clients](#-620-hide-error-details-from-clients) + [6.21. Configure 2FA for npm or Yarn `#strategic`](#-621-configure-2fa-for-npm-or-yarn) + [6.22. Modify session middleware settings](#-622-modify-session-middleware-settings) + [6.23. Avoid DOS attacks by explicitly setting when a process should crash `#advanced`](#-623-avoid-dos-attacks-by-explicitly-setting-when-a-process-should-crash) + [6.24. Prevent unsafe redirects](#-624-prevent-unsafe-redirects) + [6.25. Avoid publishing secrets to the npm registry](#-625-avoid-publishing-secrets-to-the-npm-registry) + [6.26. 6.26 Inspect for outdated packages](#-626-inspect-for-outdated-packages) + [6.27. Import built-in modules using the 'node:' protocol `#new`](#-627-import-built-in-modules-using-the-node-protocol) + +
+
+
++ 7. ืืืฆืืขืื (2) (ืืชืืืื โ๏ธ) +
+ + [7.1. Don't block the event loop](#-71-dont-block-the-event-loop) + [7.2. Prefer native JS methods over user-land utils like Lodash](#-72-prefer-native-js-methods-over-user-land-utils-like-lodash) + +
+
+
++ 8. ืืืงืจ (15) +
+ + [8.1 Use multi-stage builds for leaner and more secure Docker images `#strategic`](#-81-use-multi-stage-builds-for-leaner-and-more-secure-docker-images) + [8.2. Bootstrap using node command, avoid npm start](#-82-bootstrap-using-node-command-avoid-npm-start) + [8.3. Let the Docker runtime handle replication and uptime `#strategic`](#-83-let-the-docker-runtime-handle-replication-and-uptime) + [8.4. Use .dockerignore to prevent leaking secrets](#-84-use-dockerignore-to-prevent-leaking-secrets) + [8.5. Clean-up dependencies before production](#-85-clean-up-dependencies-before-production) + [8.6. Shutdown smartly and gracefully `#advanced`](#-86-shutdown-smartly-and-gracefully) + [8.7. Set memory limits using both Docker and v8 `#advanced` `#strategic`](#-87-set-memory-limits-using-both-docker-and-v8) + [8.8. Plan for efficient caching](#-88-plan-for-efficient-caching) + [8.9. Use explicit image reference, avoid latest tag](#-89-use-explicit-image-reference-avoid-latest-tag) + [8.10. Prefer smaller Docker base images](#-810-prefer-smaller-docker-base-images) + [8.11. Clean-out build-time secrets, avoid secrets in args `#strategic #new`](#-811-clean-out-build-time-secrets-avoid-secrets-in-args) + [8.12. Scan images for multi layers of vulnerabilities `#advanced`](#-812-scan-images-for-multi-layers-of-vulnerabilities) + [8.13 Clean NODE_MODULE cache](#-813-clean-node_module-cache) + [8.14. Generic Docker practices](#-814-generic-docker-practices) + [8.15. Lint your Dockerfile `#new`](#-815-lint-your-dockerfile) + ++ +# `1. ืืื ื ืืคืจืืืืงื` + +## ![โ] 1.1 ืื ื ืืช ืืคืจืืืืงื ืืคื ืจืืืืื ืขืกืงืืื + +**ืื;ืืง:** ืืกืืก ืืืขืจืืช ืฆืจืื ืืืืื ืชืืงืืืช ืื ืืืืจืื ืฉืืืืฆื ืืฆืืจื ืืืืื ืืช ืืช ืืืืืื ืืขืกืงื. ืื ืจืืื ืืืืฆื ืชืืื ืืืฆืจ (ืืืืืจ ืืงืฉืจ ืืืืื), ืืืฉื 'ืืฉืชืืฉืื', 'ืืืื ืืช', ืืืืื... ืื ืจืืื ืืืื ืืช ื API, ืืืืืงื ืืืกื ืื ืชืื ืื ืฉืื. ืื ืืืืจื ืฉื ืื? ืืืฉืจ ืืฉ ืกืืืื ืขืฆืืืืช ืื ืฉืื ืื ืืฉืคืืข ืื ืืจืง ืขื ืืืืง ืืจืืืื ืื - ืืขืืืก ืื ืคืฉื, ืกืืืืืืืช ืืคืืชืื ืืืืฉืฉ ืืคืจืืกื ืืืฉื ืฉื ืืจืืื ืืจืื ืืืชืจ ืงืื. ืืชืืฆืื ืืื, ืืชืื ืชืื ืืืืืื ืืคืชื ืืจืื ืืืชืจ ืืืจ. ืื ืื ืืืจืฉ ืืืืจื ืืคืจืื ืคืืืืช ืืืืื ืืืืืช ืืืฉื ืื ืMonorepo ืื multi-repo. + +```bash +my-system +โโ apps (components) +โ โโ orders +โ โโ users +โ โโ payments +โโ libraries (generic cross-component functionality) +โ โโ logger +โ โโ authenticator +``` + +**ืืืจืช:** ืืืฉืจ ืืืฆืจืื ืฉื ืืืืืืื ืื ื ืืฉืืื ืฉืื ืื ืืขืืจืืืื ืืื, ืืฉื ื ืกืืืื ืืืื ืฉืชืืืืฆืจ ืืขืจืืช ืกืคืืื ืืขืืช ืฆืืืื ืืืื. ืืืืืื, ืืืจืืืืงืืืจื ืฉืื 'ืืืืื ื`' ืงืืจื ืืฉืืจืืช ื'ืืืืื ื;', ืืื ืืคืจืื ืืจืืจืืืื ืืืืืืืื ืืฉืื ืื - ืื ืฉืื ืื ืืงืื ืขืืื ืืืฉืคืืข ืขื ืืฉืื ืืืจ. ืขื ืืืืฉื ืืืืช , ืืชืื ืชืื ืฉืฆืจืืืื ืืืืกืืฃ ืืืฆืจ ืืืฉ ืืืขืจืืช ืืืืงื ืื ืืืื ื ืขื ืื ืืฉืื ืื ืฉืืื ืืืื ืืืฉืคืืข. ืืชืืฆืื ืืื, ืื ืืฉืฉื ืืฉืืืจ ืืืืืืื ืืืจืื, ืืื ืคืจืืกื ื ืืืืชื ืืืืืช ืืืชืจ ืืืกืืื ืช ืืืชืจ. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืื ืืื ืืคื ืจืืืืื**](./sections/projectstructre/breakintcomponents.md) + +
+ +## ![โ] 1.2 ืืืืงืช ืืจืืืืื ื3 ืฉืืืืช, ืฉืืืจื ืขื ืฉืืืช ืืืื ืืืืืืืชืื + +**ืื;ืืง:** ืื ืจืืื ืฆืจืื ืืืืื 'ืฉืืืืช' - ืชืืงืืื ืืขืืืืช ืขื ืืืจืืืช ืืฉืืชืคืช: 'entry-point' ืืืคื ืฉืืืงื ืืฉืืืื ื ืืฆืืื, 'domain' ืืืคื ืฉืืืืืืงื ื ืืฆืืช ื 'data-access'. ืืขืืงืจืื ืืื ืื ืฉื ืืืจืืืืงืืืจืืช ืืืืืืืืช ืืฉืืง ืืื ืืืคืจืื ืืช ืืืืจืืืช ืืืื ืืช (ืืืฉื: HTTP, DB ืืขืื) ืืืืืืืงื ืืืขืืืืช ืฉื ืืืืฆืจ ืื ืฉืืืชืื ืชืื ืืืืื ืืงืืื ืืืชืจ ืชืืืืืช ืืื ืืืืื ืืืื ื ืืืื ืชืฉืชืืืช. ืืฉืื ืฉื ืื ืฉืืื ืืชืืงืืื ืืขืืืืช, ืฉืืืืขื ืื ื-[ืืืื 3 ืืฉืืืืช](https://he.wikipedia.org/wiki/%D7%90%D7%A8%D7%9B%D7%99%D7%98%D7%A7%D7%98%D7%95%D7%A8%D7%94_%D7%A8%D7%91-%D7%A9%D7%9B%D7%91%D7%AA%D7%99%D7%AA#%D7%90%D7%A8%D7%9B%D7%99%D7%98%D7%A7%D7%98%D7%95%D7%A8%D7%AA_%D7%A9%D7%9C%D7%95%D7%A9_%D7%A9%D7%9B%D7%91%D7%95%D7%AA) ([ืืื ืืืืช](https://en.wikipedia.org/wiki/Multitier_architecture#Three-tier_architecture)) ืืืช ืืืจื _ืืคืฉืืื_ ืืืฉืื ืืช ืืืืจื. + +```bash +my-system +โโ apps (components) +โ โโ component-a + โ โโ entry-points + โ โ โโ api # controller comes here + โ โ โโ message-queue # message consumer comes here + โ โโ domain # features and flows: DTO, services, logic + โ โโ data-access # DB calls w/o ORM +``` + +**ืืืจืช:** ืืขืชืื ืืืืคืืช ื ืชืงืืื ืืื ืฉืืืชืื ืชืื ืืขืืืจืื ืืืืืืงืื ืชืงืฉืืจืช ืืืืืืช request/reqponse ืืคืื ืงืฆืืืช ืืฉืืืืช ืฉื ืืืืืืงื ืื ื ืืืื ืืืืืข - ืืืจ ืื ืคืืืข ืืขืืงืจืื ืืืคืจืื ืืืืจื ืืื ืฉืืขืชืื ืืืื ืงืฉื ืืืชืจ ืืื ืืืฉ ืืช ืืืืืืงื ืืกืืื ืงืืื ืืื ืืืจืื ืืืืืืช: ืืืืงืืช ืืืืื, ืืฉืืืืช ืืชืืืื ืืช ืmessage queues. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืง ืืช ืืืืฆืจ ืืฉืืืืช**](./sections/projectstructre/createlayers.md) + +
+ +## ![โ] 1.3 ืขืืคื ืืืื ืืฉืืชืคืื ืืืืืืืช, ืฉืงืื ืืช ืืคืฆืชื + +**ืื;ืืง:** ืืงืื ืืช ืื ืืืืื ืฉืืคืฉืจ ืืฉืชืฃ ืืืชื ืืชืืงืืื ืืืขืืืืช, ืืืฉื 'libraries' ืืื ืืื ืืชืืงืืื ืคื ืืืืช ื ืคืจืืช, ืืืฉื '/libraries/logger'. ืืคืื ืืช ืืืื ืืืืืื ืืืชื ืชืืืื ืขื ืงืืืฅ ื package.json ืฉืื ืืืืช ืืื ืืืืืื ืืช ืืืืืืก (encapsulation), ืืืคืฉืจื ืืคืฆื ืขืชืืืืช ืืืืืจ. ืืืฉืจ ืืคืจืืืืงื ืฉืืื ืื ืื ืืชืฆืืจืช monorepo, ืืืื ืืื ืืืืืื ืืืืืช ืืืืืจืื ืขื ืืื ืฉืืืืฉ ื 'npm linking' ืืืชืืืช ืืคืืืืช ืฉืืื ืขื ืืื ืฉืืืืฉ ื ts-paths ืื ืขื ืืื ืืคืฆื ืืืชืงื ื ืขื ืืืืื ืื ืืืืืืช ืืืืืืช 'npm registry'. + +```bash +my-system +โโ apps (components) + โ โโ component-a +โโ libraries (generic cross-component functionality) +โ โโ logger +โ โ โโ package.json +โ โ โโ src +โ โ โ โโ index.js + +``` + +**ืืืจืช:** ืฆืจืื ืื ืฉื ืืื ืืืื ืฆืืืืื ืืคืื ืงืฆืืื ืืืืช ืืคื ืืืืช ืฉืื. ืขื ืืื ืืืืจื ืฉื package.json ืืฉืืจืฉ ืืืื ืืืฉืื ืืืื ืืืืืืจ ืงืืืฅ package.json.main ืื package.json.exports ืืื ืืืฆืืืจ ืืืคืืจืฉ ืืืื ืงืืฆืื ืืคืื ืงืฆืืืื ืืืช ืืื ืืืง ืืืืืงืื ืื ืืืฉืื ืฉื ืืืื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืื ืืื ืืคื ืชืืื ื**](./sections/projectstructre/wraputilities.md) + +
+ +## ![โ] 1.4 ืืฉืชืืฉื ืืงืื ืคืืืืจืฆืื ืขื ืืฉืชื ื ืกืืืื ืืืืคื ืืืืข, ืืืืืื ืืืืจืจืื + +**ืื;ืืง:** ืืืืจืช ืกืืืื ืืืฉืืืช ืฆืจืืื ืืืืืื ืื (ื) ืฉืืืช ืืฉืชื ืื ืืืืืื ืืืืงืจื ืืงืืฆืื ืืื ืื ืืืฉืชื ื ืกืืืื (ื) ืกืืืืช ื ืฉืืจืื ืืืืฅ ืืงืื ืฉืฉืืื ืืืืืจ (ื) ืืงืื ืคืืืืจืฆืื ืืื ืืืจืจืืืช ืืฆืืจื ืืืคืืฉ ืงื ืืืชืจ (ื) ืชืืืื ืืกืืืื ืฉืื ืื ืฉื ืืฉืชื ืื (ื) ืืืืื ืืืงืื ืฉื ืืฉืชื ืื ืื ืชืงืื ืื (ื) ืืืืจืช ืืจืืจืช ืืืื ืืื ืฉืื. ืืฉื ื ืืกืคืจ ืกืคืจืืืช ืฉืขืื ืืช ืขื ืจืื ืืืจืืฉืืช ืืืื ืืื [convict](https://www.npmjs.com/package/convict), [env-var](env-var), [zod](https://github.com/colinhacks/zod), ืืขืื... + +**ืืืจืช:** ื ื ืื ืืืฉื ื ืืฉืชื ื ืกืืืื ืืืจืื ืฉืื ืืืืืจ, ืืืขืจืืช ืชืชืืื ืืจืืฅ ืืืฆืืื, ืชืขื ื ืืืงืฉืืช, ืืืง ืืืืืืข ืืขืืืื ืืืกื ืื ืชืื ืื, ืืืคืชืข ืืืื ืืกืจ ืื ืฉืื ืืืจืื ืืืืฉื ืืชืืืื ืืฉืืืขืืื ืืื ืื ืืืืื ืืกืืื ืืช ืืคืขืืื, ืื ืฉืืืฆืืจ ืืขืจืืช ืืืฆื "ืืืืืื". + +๐ [**ืืงืจืืื ื ืืกืคืช: ืฉืืืืช ืขืืืื ืฉื ืงืื ืคืืืืจืฆืื**](./sections/projectstructre/configguide.md) + +
+ +## ![โ] 1.5 ืฉืงืื ืืช ืื ืืืฉืืืืช ืืขืช ืืืืจืช ืืกืืจืช + +**ืื;ืืง:** ืืืฉืจ ืืื ืื ืืคืืืงืฆืืืช ื API-ืื, ืฉืืืืฉ ืืคืจืืืืืืจืง ืืื ืืืื. ืงื ืืืชืขืื ืืืืคืฉืจืืืืช ืืฉืื ืืช ืฉืงืืืืืช ืืืฉืืงืืืื ืืฉืืืื ืืืกืืคื ืฉื ืืืจ ืืืฉืชืืฉ ืืืคืฉืจืืช ืฉืคืืืช ืชืืืืช ืืืจืืฉืืช ืฉื ืืืืฆืจ. ื ืืื ื2023/2024 ืื ื ืืืืื ืื ืื ืืจืืขืช ืืคืจืืืืืืจืงืื ืืืื ืื ืืืืืืื ืืืืชืจ ืืืฉืืืื: [Nest.js](https://nestjs.com/), [Fastify](https://www.fastify.io/), [express](https://expressjs.com/), ื [Koa](https://koajs.com/). ืืืฆื ืขื ืืงืจืืื ื ืืกืคืช ืืืืฉื ืืื ืืงืจืื ืคืจืืื ื ืืกืคืื ืืขื ืื ืื ืื ืืืช ืืืืคืฉืจืืืืช. ืืืืคื ืคืฉืื ื, ืื ื ืืืืื ืื ืื Node.js ืืืช ืืืชืืื ืืื ืืืื ืืฆืืืชืื ืฉืจืืฆืื ืืขืืื ืืฉืืืช OOP ืื ืืื ืืช ืืืฆืจืื ืฉืืืืขืืื ืืืืื ืืฆืืจื ื ืืืจืช ืืื ืืคืฉืจ ืืืืง ืืืชื ืืจืืืืื ืงืื ืื _ืืขืฆืืืืื_. ืืืืืฆื ืฉืื ื ืืื Fastify ืขืืืจ ืืขืจืืืช ืืืืื ืกืืืจents (ืืื Microservices) ืฉืืืฉืชืชืื ืขื ืขืงืจืื ืืช ืคืฉืืืื ืฉื Node.js. + +**ืืืจืช:** ืืฉื ืืืืืช ืืขืฆืืื ืฉื ืืฉืืงืืืื, ืงื ืืงืื ืืืืื ืขื ืืกืืก ืืืืข ืืืงื ืืืืฉืืืช ืชืคืืืื ืืชืคืืืื. ืืืฉื, ืืฉื ื ืื ืื ืจืืืืช ืฉFastify ืืื web-server ืืื ืืืื ืฉืจืืื ืืืฉืืืช ืexpress ืืืื. ืืคืืขื, ืืื ืคืจืืืืืืจืง ืขืฉืืจ ืขื ืืจืื ืืจืืืืช ืจืฉืืืืช ืฉืืืกืืช ืืจืื ืฆืจืืื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืจืช ืืคืจืืืืืืจืง ืื ืืื**](./sections/projectstructre/choose-framework.md) + +## ![โ] 1.6 ืืฉืชืืฉื ื-TypeScript ืืืืืชืืืช ืืืฆืืจื ืืืฉืืืช + +**ืื;ืืง:** ืงืืืื ืืื ืืงืืื ืืืืืืช ืฉื ืกืืืื ืืฉืชื ืื ืืื ืืืจ ืื ืืคืฉืจืืช ืืช ืงืืืื, TypeScript ืืืืื ืืช ืืืคืฉืจืืช ืืคืืคืืืจืืช ืืืืชืจ ืืืฉืืื ืื. ืืฉืชืืฉืื ืื ืืืืืจืช ืกืืื ืืฉืชื ืื ืืขืจืื ืืืืจื ืฉื ืคืื ืงืฆืืืช. ืขื ืืืช, ืืืื ืืจื ืคืืคืืืช ืฉืืืืื ืืงืืืช ืืืฆืืจ ืืืจืืืืช ืืฉื ืืกืืืืืช 50 ืืืืืช ืืคืชื ื ืืกืคืืช ืฉืืฉ ืื ืืชืืื ืืช ืืชืืืืืืช ืฉืฆืจืื ืืืขืช ืืืฉืชืืฉ ืืื. ืฉืืืืฉ ืื ืฆืจืื ืืืืขืฉืืช ืืืืื, ืืขืืืคืืช ืืืืืจืืช ืคืฉืืืืช ืฉื ืืฉืชื ืื, ืืฉืืืืฉ ืืืืืืืช ืืชืงืืืืช ืจืง ืืืฉืจ ืฆืืจื ืืืจืื ืืืคืืข. + +**ืืืจืช:** [ืืืงืจืื](https://earlbarr.com/publications/typestudy.pdf) ืืจืืื ืื ืฉืืืืฉ ื-TypeScript ืืืื ืืขืืืจ ืืืืืื ื20% ืืืืืืื ืืฉืืืื ืืืงืืืื ืืืชืจ. ืืื TypeScript ืืืืืช ืืคืืชืื ื IDE ื ืืืืช ืืืชื ื ืกืืืช. ืืืฆื ืืฉื ื, 80% ืืืืืืื ืืื ืื ืขืืืจืช ืืืืืช. ืืชืืฆืื ืืื, ืฉืืืืฉ ืTypeScript ืืืกืืฃ ืขืจื ืืืืื. ืจืง ืืืกืคื ืฉื ืืืืงืืช ืืืืืชืืืช ืืืืื ืืขืืืจ ืืืืืช ืืช ืืืืื ืืืืืื ืืจืื, ืืืื ืืืื ืฉื ืืจืืื ืืืคืืื ืื ืชืงืื ืฉื ืกืื ืืืฉืชื ื. ืฉืืืืฉ ืื ืืื ืื ืขืืื ืืืจืื ืืช ืืืืจื, ืชืืื ืืช ืืืจืืืืช ืฉื ืงืื ืืขืืืช ืืชืืืจืืืืช ืืงืื ืื ืฉืืืืคื ืืฉืืจ ืืขืื ืืช ืืกืคืจ ืืืืืื ืืืื ืืชืืงืื ืฉื ืื ืืื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืฉืืงืืืื ืืฉืืืืฉ ื-TypeScript**](./sections/projectstructre/typescript-considerations.md) + +
+ + + +# `2. ื ืืืื ืฉืืืืืช` + +## ![โ] 2.1 ืืฉืชืืฉื ื Async-Await ืื ืืืืืืช ืื ืืืื ืฉืืืืืช ืืกืื ืืจืื ืืืช + +**ืื;ืืง:** ื ืืืื ืฉืืืืืช ืืกืื ืืจืื ืืืช ืขื ืืื ืฉืืืืฉ ื-callbacks ืื ืืืจื ืืืืืจื ืืืืื ืื (ืืืืืขื ืืฉื [ืคืืจืืืืช ืืื](https://en.wikipedia.org/wiki/Pyramid_of_doom_(programming))). ืืืชื ื ืืืืื ืืืืชืจ ืฉืืคืฉืจ ืืชืช ืืงืื ืืื ืฉืืืืฉ ื-promises ืืกืื ืื async-await ืืืจ ืฉืืืคืฉืจ ืงืื ืืจืื ืืืชืจ ื ืงื ืืืกืืืจ ืืกืื ืืงืก ืืืื ื try-catch. + +**ืืืจืช:** ืกืื ืื ืืืชืืื `function(err, response)` ืืืืื ืฉืืืืฉ ื-callbacks ืฉื Node.js, ืกืืื ืืจื ืืืืื ืืงืื ืฉืื ืืคืฉืจ ืืชืืืง ืืฉื ืืขืจืืื ืืื ื ืืืื ืฉืืืืืช ืื ืืืื ืืชืืืื ืืชืงื ื ืฉื ืืืขืจืืช, ืขื ืงืื ืื ืืืืื ืืกืื ืื ืงืื ืืืืจ. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืื ืขืืช ื-callbacks**](./sections/errorhandling/asyncerrorhandling.md) + +
+ +## ![โ] 2.2 ืืจืืืื ืืช ืืื ื ืืืืืงื ืืฉืืืื ืืืืื ื `Error` + +**ืื;ืืง:** ืืฉื ื ืกืคืจืืืช ืฉืืืจืงืืช ืฉืืืื ืืืืจืืืช ืื ืืืืืืืงื ืคืจื ืืืฉืืช ืืืชืื ืืงืื ืฉื ืืกืคืจืื - ืืืจ ืฉืืืฆืจ ืืืจืืืืช ืื ืืืื ืืฉืืืืืช ืืืืฆืืจืช ืืื ื ืืฉืืชืฃ ืืื ืืืืืืื ืฉืื ืื. ืืืงืื ืืืช, ืืฉืงืืขื ืืืฆืืจืช ืืืืืืงื ืื ืืืืงืช (class) ืฉืืืื ืฉืืืจืฉืช ืืืืืืืงื ืืฉืืืื ืืืืื ื ืฉื ืืฉืคื ืืืฉืชืืฉื ืืื ืืื ืคืขื ืฉืฆืจืื ืืืืืช ืืช ืืืฆื, ืืืจืืง ืฉืืืื ืื ืืืคืืฅ ืฉืืืื. ืืฉืืืื ืืืคืืืงืืืืืช ืฆืจืืื ืืืืกืืฃ ืฉืืืช ื ืืกืคืื ืืืืืืช ืฉื ืืฉืืืื ืืจืืช ืืืืืจื ืฉืื. ืขื ืืื ืื, ืืื ืืฉืืืืืช ืืฉื ื ืืื ื ืืืื ืืื ืืืคืฉืจืืช ืชืืืื ืืืื ืืืชืจ ืื ืืืื ืฉืืืืืช. ืืฉื ื ืืื ืฉื `no-throw-literal` ESLint ืฉืืืืง ืืฆืืจื ืืืืืืช ืืช ืืฉืืืืฉ ืืื (ืขื ืืฃ ืฉืืฉ ืืื ืงืฆืช [ืืืืืืช](https://eslint.org/docs/rules/no-throw-literal) ืฉืืืืืืช ืืืกืชืืจ ืขื ืืื ืฉืืืืฉ ื-TypeScript ืืืืืจืช ืืืืง `@typescript-eslint/no-throw-literal`) + +**ืืืจืช:** ืืืฉืจ ืืคืขืืืื ืจืืื ืืืฉืื, ืื ืืฉื ื ืื ืืืืืืช ืืืื ืกืื ืฉื ืฉืืืื ืืืืข - ืื ืืืจื ืืื ืฉื ืืืื ืืฉืืืืืช ืืืื ืืจืื ืืืชืจ ืืืจืื. ืืจืืข ืืื, ืฉืืืืฉ ืืืืืืืงืืื ืืืืฆืืื ืืชืืืืจ ืฉืืืืืช ืขืืื ืืืืืื ืืืืืื ืฉื ืฉืืืืืช ืงืจืืืืืช ืืขืืืช ืืืืข ืืฉืื ืืื ืืขืงื ืืืจ ืืงืืจ ืืฉืืืื! + +๐ [**ืืงืจืืื ื ืืกืคืช: ืฉืืืืฉ ืืืืืืืงื ืืฉืืืื ืืืืื ื**](./sections/errorhandling/useonlythebuiltinerror.md) + +
+ +## ![โ] 2.3 ืืืืื ื ืืื ืฉืืืืืช ืงืืกืืจืืคืืืืช ืืืื ืฉืืืืืช ืชืคืขืืืืืช + +**ืื;ืืง:** ืฉืืืืืช ืชืคืขืืืืืช (ืืืฉื ืงืื ืื ืชืงืื ืืคื ืืื ื-API) ืืชืืืืกืืช ืืืงืจืื ืืืืขืื ืืื ืืืฉืคืขื ืฉื ืืฉืืืื ืืืื ืช ืืืืืืื ืืืืืื ืืืืืช ืื ืืืืช ืืฆืืจื ืืืืฉืืช. ืืฆื ืฉื ื, ืฉืืืืืช ืงืืกืืจืืคืืืืช (ืืืืขืืช ืื ืืฉืืืืืช ืชืื ืืช) ืืชืืืืกืืช ืืฉืืืืืช ืื ืฆืคืืืืช ืืืขืจืืช ืฉืืืจืฉืืช ืืชืืื ืืืื ืฉืื. + +**ืืืจืช:** ืืชื ืขืืืืื ืืืชืื ืืช ืืืขืจืืช ืืขืงืืืช ืื ืฉืืืื. ืืื ืืื ืืืจืื ืื-5000 ืืฉืชืืฉืื ืืืืืช ืืชื ืชืงืืช ืืืื ืฉืืืื ืชืคืขืืืืช ืฆืคืืื ืืฉืืืืช? ืืืืคื ืืื ืื ืื ืืืืืืื - ืืืฉืืืจ ืืช ืืืขืจืืช ืขืืืืช ืืืฉืจ ืงืืกืืจืืคื ืื ืฆืคืืื ืงืจืชื ืื ืืืื ืขืืืื ืืืจืืจ ืืชื ืืืืช ืืืชื ืฆืคืืื. ืืืืื ืืื ืฉื ื ืืืงืจืื ืืืคืฉืจืช ืืชืืืืืืช ืืืฉืืืช ืืืืืื ืช ืืืชืื ืืืงืฉืจ. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืฉืืืืืช ืชืคืขืืืืืช ืืื ืฉืืืืืช ืชืื ืืช**](./sections/errorhandling/operationalvsprogrammererror.md) + +
+ +## ![โ] 2.4 ื ืืื ืืช ืืฉืืืืืช ืืืจืืื ืืื ืืืืฆืขืืช ืืื ืืื ืืื + +**ืื;ืืง:** ืืืืืฉ ืื ืืืื ืฉื ืืฉืืืืืช ืืื ืืืฉื ืชืขืื ืืฉืืืื, ืืืืื ืื ืืงืจืืก ืืืืื ืืืืื ืื ืืจ ืฆืจืื ืืืืืช ืืจืืื ืืืงืื ืืื ืฉืื ืืื ืืกืืช ืืืขืจืืช (ืืืฉื APIs, cron jobs, scheduled jobs) ืืฉืชืืฉืืช ืื ืืืฉืจ ืืื ืืื ืฉืืืื. + +**ืืืจืช:** ืื ืื ืื ืืืื ืืช ืืฉืืืืืช ืืืงืื ืืื ืื ืืืืจื ืืืื ืฉืืคืื ืงืื ืืื ืจืื ื ืืืื ืื ืชืงืื ืฉื ืืืง ืืืฉืืืืืช. + +๐ [**ืืงืจืืื ื ืืกืคืช: ื ืืืื ืืฉืืืืืช ืืืงืื ืืจืืื**](./sections/errorhandling/centralizedhandling.md) + +
+ +## ![โ] 2.5 ืชืขืื ืืช ืฉืืืืืช ื-API ืืืืฆืขืืช OpenAPI ืื GraphQL + +**ืื;ืืง:** ืืคืฉืจื ืืืฉืชืืฉื ื-API ืฉืืื ืืืขืช ืืืื ืฉืืืืืช ืขืืืืืช ืืืืืข ืืชืฉืืื, ืื ืฉืื ืืืืื ืืืชืืืื ืืืชื ืืฆืืจื ืืืฉืืืช ืืืงืื ืืงืจืืก. ื-API ืืืืกืก REST ืื ื ืขืฉื ืืืจื ืืื ืืืืฆืขืืช ืืื ืชืขืื ืืื OpenAPI. ืื ืืชื ืืฉืชืืฉืื ื-GraphQL, ืืชื ืืืืืื ืืืฉืชืืฉ ืืกืืื ืืืืขืจืืช ืืฉืืื ืืืฉืื ืืช ืืืืจื. + +**ืืืจืช:** ืื ืฉืืฉืชืืฉ ื-API ืฉืื ื ืขืืื ืืืืืื ืืืจืื ืืืขืจืืช ืฉืื ืืงืจืืก ืืืืชืื ืืช ืขืฆืื ืจืง ืืืื ืฉืืื ืงืืื ืฉืืืื ืฉืืื ืื ืืฆืืื ืืืืื. ืฉืืื ืื: ืืืฉืชืืฉ ืฉื ื-API ืฉืืื ืืืื ืืืืืช ืืชื (ืื ืฉืงืืจื ืืจืื ืืฉืืฉืชืืฉืื ืืืืงืจืืกืจืืืืกืื). + +๐ [**ืืงืจืืื ื ืืกืคืช: ืชืืขืื ืฉืืืืืช ื-API ืืืืฆืขืืช OpenAPI ืื GraphQL**](./sections/errorhandling/documentingusingswagger.md) + +
+ +## ![โ] 2.6 ืืืจืืื ืืช ืืชืืืื ืืฆืืจื ืืกืืืจืช ืืืฉืจ ืืจ ืื ืืืงืจ + +**ืื;ืืง:** ืืืฉืจ ืฉืืืื ืื ืืืืขื ืืื (ืฉืืืื ืงืืกืืจืืคืืืช, ืจืื ืชืืื ื 2.3) - ืืฉื ื ืืืกืจ ืืืืืช ืืืื ืืืจืืืืช ืืืืฆืืืืช ืฉื ืืืขืจืืช. ืืืงืจื ืืื, ืืื ืืจื ืืืจืื ืืืืจืื ืืฉืืืื ืืืืืช ืืจืช ืฆืคืืื, ืกืืืจืช ืืืืืจืืืช ืืจืืืืื ื ืืกืคืื ืืืืจืื ืฉื ืืชืืืื. ืื ืกืืืืช ืจืืฆื ืืืืื ื ืืืืืืช ืฉืืจืืชื Docker ืื ืฉืืจืืชื ืขื ื ืฉืืกืคืงืื ืคืชืจืื ืืช ืืื ืฉืจืช (serverless) ืืืืืื ืฉืืชืืืื ืืขืื ืืืืฉ ืขืืืจืื. + +**ืืืจืช:** ืืืฉืจ ืฉืืืื ืื ืฆืคืืื ืงืืจืืช, ืจืืื ืืืฉืื ืขืืื ืืืืืช ืืืฆื ืื ืชืงืื (ืืืฉื event emitter ืืืืืืื ืฉืืคืกืืง ืืืคืืฅ ืืืจืืขืื ืืฉื ืืฉืืื ืคื ืืื) ืืืื ืืขืืฉืื ืฉืืจ ืืืงืฉืืช ืฉืืฉืชืืฉืืช ืืจืืื ืื ืขืืืืืช ืืืืืฉื ืื ืืืชื ืื ืืืืคื ืืืฉ ืื ืฆืคืื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืจืืช ืืชืืืื**](./sections/errorhandling/shuttingtheprocess.md) + +
+ +## ![โ] 2.7 ืืฉืชืืฉื ื-Logger ืืืืจ ืืืืื ืืื ืืืืืื ืืช ืืงึฐืจึดืืืึผืช ืฉื ืืฉืืืืืช + +**ืื;ืืง:** ืืื ืืืืื ืืืืืชื ืืืืืืช [Pino](https://github.com/pinojs/pino) ืื [Winston](https://github.com/winstonjs/winston) ืืืืื ืืช ืืงืจืืืืช ืืืืื ื ืฉื ืืืืืื ืขื ืืื ืฉืืืืฉ ืืจืืช ืืืืจื, ืขืืืื, ืขืืฆืื, ืฆืืขืื ืืขืื. ื-`console.log` ืืื ืืช ืืืืืืืช ืืืื ืืจืืื ืืืืื ืข ืืฉืืืืฉ ืื. ืืขืืคืจืื ืืื ืืืืชืจ ืืชืืื ืืืคืฉืจ ืืืกืคื ืฉื ืฉืืืช ืฉืืืืฉืืื ื ืืกืคืื ืืื ืชืงืืจื ืืืืื ืฉื ืืืฆืืขืื. ืืคืชืืื ืฆืจืืืื ืืืชืื ืืช ืืืืืื ื-`stdout` ืืืชืช ืืชืฉืชืืช ืืืขืืืจ ืืช ืืืืืข ืืืื ืืืชืืื ืขืืืจ ืื ืืงืจื. + +**ืืืจืช:** ืจืคืจืืฃ ืขื ืฉืืจืืช console.log ืื ืืฆืืจื ืืื ืืช ืขื ืงืืฆื ืืงืกื ืขืืืกืื ืืขืืืคื ืืื ืืื ืืืคืืฉ ืืชืฆืืื ืืืชืืืื ืขืืืืื ืืืฉืืืจ ืืชืื ืืขืืื ืขื ืืฉืขืืช ืืงืื ืืช ืฉื ืืืืื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืฉืืืืฉ ื-Logger ืืืื**](./sections/errorhandling/usematurelogger.md) + +
+ +## ![โ] 2.8 ืืืืงื ืืช ืชืืืืช ืืืขืจืืช ืืฉืืืืืช ืขื ืืื ืฉืืืืฉ ืืืื ืืืืืงืืช ืืืืื ืขืืืื + +**ืื;ืืง:** ืืื ืื ืืฉ ืืื ืืื QA ืืืืืืื ืืืงืฆืืขื ืืืื ืื ืืื ืืืคืชืืื ืืืฆืข ืืช ืืืืืงืืช - ืืืื ืื ืื ืจืง ืืืกืืื ืืืืื ืฉื ืืงืื ืืืืกื, ืืื ืื ื ืืืื ืืฉืืืืืช ืืฉืืืืจืืช ืืฉืืืืืช ืฉืืืืจืืช ืืืืืจ ืืืงืจื ืฉื ืชืงืื. ื ืืกืฃ ืขื ืื, ืืืืงื ืืงืจืื ืืืจืืืื ืืืชืจ ืฉื ืฉืืืืืช, ืืื ืืืฉื ืฉืืืืืช ืืืชื ืฆืคืืืืช, ืืื ืืืืื ืฉืืจืืื ืฉืืืคื ืืฉืืืืืช ืืืฆืข ืืืช ืืจืืื (ืจืื ืืืืืืืช ืงืื ืืงืืฉืืจ "ืืงืจืืื ื ืืกืคืช") + +**ืืืจืช:** ืืื ืืืืงืืช ืืื, ืื ืืื ืืืช ืืื ืืืืืืืืืช, ืื ืชืืืื ืืกืืื ืขื ืืงืื ืฉืืื ืฉืืืืืจ ืืช ืืฉืืืื ืื ืืื ื. ืืื ืฉืืืืืช ืืฉืืขืืชืืืช ืื ืชืืืื ืืืคื ืืฉืืืืืช. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืงืช ืืชื ืืืืช ืืขืช ืฉืืืื**](./sections/errorhandling/testingerrorflows.md) + +
+ +## ![โ] 2.9 ืืื ืฉืืืืืช ืืืื ื ืืฉืืชื ืขื ืืื ืฉืืืืฉ ืืืื APM + +**ืื;ืืง:** ืืื ื ืืืืจ ืืืืืงืช ืืืฆืืขืื (ืืืืจืื ื-APM) ืืืืืื ืืืืคื ืืืื ืืช ืืงืื ืื ื-API ืื ืฉืืืืคื ืงืกืื ืื ืืฆืืืื ืฉืืืืืช, ืืชืจืกืงืืืืช ืืืืงืื ืฉืขืืืืื ืืื ืืืฆืคืื ืืืชื ืื ืฉืืื ืื ืืืืื. + +**ืืืจืช:** ืืชื ืขืืืืื ืืืชืืืฅ ืจืืืช ืืืืืื ืฉื ืืขืืืช ืืืฆืืขืื ืืืื ื ืืฉืืชื ืฉื ืืืขืจืืช, ืื ืจืื ืฉืืขืืื ืื ืชืืื ืืืืขืื ืืืืื ืืืงืื ืืืขืจืืช ืื ืืืืืืื ืืืืชืจ ืืืื ืื ืืฉืคืืข ืขื ืืืืืช ืืืฉืชืืฉ. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืฉืืืืฉ ื-APM**](./sections/errorhandling/apmproducts.md) + +
+ +## ![โ] 2.10 ืชืคืกื ืืงืจืื ืื ืืืืคืืื ืฉื ืืืืืช ืฉื ืืืืืืช + +**ืื;ืืง:** ืื ืฉืืืื ืื ืืืืื ืฉืืืืจืช ืืืืืื ืชืืืืข, ืืื ืื ืื ืืฉืื ืืคืืชืื ืืืคืื ืื ืืื ืฉืฆืจืื. ืืคืืื ืื ืืฉ ืืงืื ืืืื ื ื `process.uncaughtException`! ืืื ืืืชืืืจ ืขื ืื ืฆืจืื ืืืืืื ืื ื `process.unhandledRejection`. + +**ืืืจืช:** ืืฉืืืืืช ืืืขืจืืช ืืืืขื ืืืขืืื ืืื ืขืงืืืช. ืื ืืฉืื ืฉืฆืจืื ืืืืื ืืื ื... + +๐ [**ืืงืจืืื ื ืืกืคืช: ืชืคืืกื ืฉื ืืืืืช ืฉื ืืืืืืช**](./sections/errorhandling/catchunhandledpromiserejection.md) + +
+ +## ![โ] 2.11 ืืืืฉืื ืืืจ, ืืืื ืืช ืืฉืชื ื ืืงืื ืืืืฆืขืืช ืกืคืจืื ืืขืืืืช + +**ืื;ืืง:** ืืืืืจื ืชืื ืืช ืงืื ืงืฉืืื ื-API ืืื ืืืืื ืข ืืืืืื ืืืืืืืื ืฉืงืฉื ืืจืื ืืืชืจ ืืขืงืื ืืืจืืื. ืืชืืืช ืงืื ืืืืืืช ืืื ืชืืืื ืืืืืข, ืืื ืื ืื ืชืฉืชืืฉื ืืืืช ืืกืคืจืืืช ืืืืืจืืช ืืืื ืืื [ajv](https://www.npmjs.com/package/ajv), [zod](https://github.com/colinhacks/zod), ืื [typebox](https://github.com/sinclairzx81/typebox). + +**ืืืจืช:** ืืฉืื ืขื ืื - ืืคืื ืงืฆืื ืฉืืื ืืฆืคื ืืงืื ืืงืื ืืฉืชื ื `discount` ืืกืคืจื ืฉืื ืฉืงืจื ืืคืื ืงืฆืื ืฉืื ืืืขืืืจ. ืืืืฉื, ืืงืื ืืืืง ืื `discount != 0` (ืืืืช ืืื ืื ืฉืืคืฉืจ ืืงืื ืืืืื ืืืคืก), ืืื ืื ืื ืืืฉืชืืฉ ืืื ื ืืืื ืื. ืืืื, ืื ืืื ืืืืืื, ืจืืืชื??? + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืฉืืื ืืืืจ**](./sections/errorhandling/failfast.md) + +
+ +## ![โ] 2.12 ืชืืื ืืืชืื ื ืืชืฉืืื ืืืืืืืืช ืืคื ื ืฉืืชื ืืขืืืจืื ืืช ืืชืฉืืื ืืืื ืืื ืืืืื ืข ืืืขืงื ืืืงื + +**ืื;ืืง:** ืชืืื ืืชืื `return await` ืืืฉืจ ืืืืืจืื ืชืืฆืื ืฉื ืืืืื ืืืืช ืืื ืืืฉืื ืขืจื ืืื ืฉื ืืขืงื ืืืจ ืืงืืจ ืืฉืืืื (stacktrace). ืื ืคืื ืงืฆืื ืืืืืจื ืืืืื ืืื ืืืืืช ืืืืืช ืืืืืจืช ืืคืื ืงืฆืื ืืกืื ืืจืื ืืช ืืืืคืืจืฉ ืืืืืช ืืืืืื ืฉืืื ืืืืืจื. + +```js +async function promisifyFunction() { + // some logic + return await new Promise(...); +} +``` + +**ืืืจืช:** ืืคืื ืงืฆืื ืฉืืืืืจื ืืืืื ืืื ืืืชื ื ืื ืชืืคืืข ืื ืชืื ืืืขืงื ืืืจื ืืฉืืืื (stacktrace). ืืืกืจืื ืืืื ืขืืืืื ืืกืื ืืช ืืืื ื ืฉื ืืจืืืช ืืืขืจืืช ืฉืืจืื ืืฉืืืื, ืืืืืื ืื ืืืืจื ืืืชื ืืืืช ืืื ืฆืคืืื ืงืจื ืืคืื ืงืฆืื ืืืกืจื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืจืช ืืืืืืช**](./sections/errorhandling/returningpromises.md) + +
+ + + +# `3. ืชืื ืืืช ืงืื ืืกืื ืื ืขืืฆืื` + +## ![โ] 3.1 ืืฉืชืืฉื ื-ESLint + +**ืื;ืืง:** [ESLint](https://eslint.org) ืืื ืืกืื ืืจื ืื-ืคืงืื ืืืฆืืืช ืฉืืืืืช ืืงืื ืืชืืงืื ืฉื ืกืื ืื ืืช ืงืื, ืื ืจืง ืืืืื ืฉื ืจืืื ืกืืจืจ ืฉืขืืื ืืืฆืืจ ืชืงืื ืืื ืื ืืืืื ืฉื ืงืื ืฉืื ืขืืื ืืกืื ืืจืืื (anti-pattern) ืืื ืืจืืงืช ืฉืืืืืช ืืื ืกืืืื. ืืื ื ESLint ืืืื ืืชืงื ืืืืคื ืืืืืืื ืกืื ืื ืืช ืงืื, ืื ืืืื ืืืจืื ืืืืืืช [prettier](https://www.npmjs.com/package/prettier) ืืืืื ืืืชืจ ืืขืืฆืื ืืกืื ืื ืืงืื ืืขืืืืื ืืฉืืืื ืขื ESLint. + +**ืืืจืช:** ืืคืชืืื ืืฉืชืขืืื ืชืื ืืื ืืฉืงืขืช ืืื ื ืืืฆืืืช ืจืืืืื ืกืืจืจืื ืืืืืื ืืืืจื ืืฉืืจื ืืืืื ืืืงืจ ืฉืืื ืืืืืื ืขื ืืื ืืฉืืืจ ืขื ืกืื ืื ืืงืื ืฉื ืืคืจืืืืงื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืฉืืืืฉ ื-ESLint ื-Prettier**](./sections/codestylepractices/eslint_prettier.md) + +
+ +## ![โ] 3.2 ืืฉืชืืฉื ืืชืืกืคืื ืฉื Node.js ืฉืืจืืืืื ืืช ESLint + +**ืื;ืืง:** ืขื ืืื ืืกืื ืืจื ืฉื ืืืงื ESLint ืฉืืืกืื ืืช ืฉืคืช JavaScript, ืืืกืืคื ืืช ืืชืืกืคืื ืืืขืืืืื ืฉื Node.js ืืื [eslint-plugin-node](https://www.npmjs.com/package/eslint-plugin-node), [eslint-plugin-mocha](https://www.npmjs.com/package/eslint-plugin-mocha), [eslint-plugin-node-security](https://www.npmjs.com/package/eslint-plugin-security), [eslint-plugin-require](https://www.npmjs.com/package/eslint-plugin-require), [eslint-plugin-jest](https://www.npmjs.com/package/eslint-plugin-jest) ืืขืื ืชืืกืคืื ืฉืืืืฉืื ืืืงืื ื ืืกืคืื ืืืืขืืืื. + +**ืืืจืช:** ืืจืื ืชืื ืืืช ืงืื ืื ืชืงืื ืืช ืฉืืฉืืืืฉ ื-Node.js ื ืขืืืืช ืืชืืช ืืจืืื. ืืืืืื, ืืคืชืืื ืืืชืื `require(variableAsPath)` ืขื ืืฉืชื ื ืฉืืืคืฉืจ ืืืฉื ืืชืืงืื ืืงืื, ืืืจ ืฉืืืคืฉืจ ืืชืืงืคืื ืืืจืืฅ ืื ืงืื JS. ืื ืชืฉืชืืฉื ืืืืงื Node.js ืชืืืื ืืืืืช ืืช ืืืขืืช ืืืืช ืืืงืื ืขืืื ืืชืจืื ืืืขืื ืืืขื. + +
+ +## ![โ] 3.3 ืืชืืืื ืืืืง ืฉื ืงืื ืขื ืกืืืจืืื ืืกืืืกืืื ืืืืชื ืืฉืืจื + +**ืื;ืืง:** ืืืืืฅ ืฉืืกืืืจืืื ืืืกืืืกืืื ืืคืืชืืื ืฉื ืืืืง ืฉื ืงืื ืืืื ืืืืชื ืืฉืืจื ืืื ืขื ืืงืื. + +### ืืืืื + +```javascript +// Do +function someFunction() { + // code block +} + +// Avoid +function someFunction() +{ + // code block +} +``` + +**ืืืจืช:** ืืชืขืืืืช ืืฉืืืช ืขืืืื ืื ืขืืืื ืืืืืื ืืชืืฆืืืช ืื ืฆืคืืืืช, ืืื ืฉื ืืชื ืืจืืืช ืืฉืจืฉืืจ ืืงืืฉืืจ ื StackOverflow: + +๐ [**ืืงืจืืื ื ืืกืคืช:** "ืืื ืืชืืฆืืืช ืืฉืชื ืืช ืืืชืื ืืืืงืื ืืกืืืจ ืืืกืืืกื?" (StackOverflow)](https://stackoverflow.com/questions/3641519/why-does-a-results-vary-based-on-curly-brace-placement) + +
+ +## ![โ] 3.4 ืืคืจืืื ืืื ืืืฆืืจืืช ืืฉืื ืืช ืืฆืืจื ืชืงื ืืช + +ืืื ืื ืืชื ืืฉืชืืฉืื ืื ืงืืื-ืคืกืืง (;) ืืฉืืื ืืืคืจืื ืืื ืืืฆืืจืืช ืขื ืืืฉืชื ืื ืืืื ืื ืื, ืขืฆื ืืืืืขื ืขื ืืืฉืืืืช ืฉื ืืจืืืช ืฉืืจื ืืืงืื ืืื ืืชืืื ืื ืฉื ืืืกืคื ืืืืืืืืช ืฉื ื ืงืืื-ืคืกืืง, ืืขืืจื ืืื ืืืืืช ืฉืืืืืช ืกืื ืืงืก ืจืืืืืช. + +**ืื;ืืง:** ืฉืืืืฉ ื-ESLint ืืื ืืืขืืืช ืืช ืืืืืขืืช ืืืื ืืกืืืื ืืืจืื ืืื. ืืืื ืืื [Prettier](https://prettier.io/) ืื [Standardjs](https://standardjs.com/) ืืืืืื ืืืืคื ืืืืืืื ืืคืชืืจ ืืช ืืืขืืืช ืืืื. + +**ืืืจืช:** ืืื ืฉืจืืื ื ืืกืขืืฃ ืืงืืื, "ืืืชืืจืืื" (interpreter) ืฉื JavaScript ืืืกืืฃ ืืืืืืืืช ื ืงืืื-ืคืกืืง ืืกืืฃ ืื ืืฆืืจื ืืืืื ืืืื, ืื ืฉืืื ืืืืื ืื ืืืฆืืจื ืืกืชืืืืช ืืืงืื ืืืจ ืืืืชืืื ื ืขื ืืืื ื, ืืืจ ืฉืขืืื ืืืืืื ืืชืืฆืืืช ืืืชื ืฆืคืืืืช. ืืคืฉืจ ืืืฉืชืืฉ ืืืฉืืืช ืืืืืื ืข ื [IIFE](https://developer.mozilla.org/en-US/docs/Glossary/IIFE) ืืื ืืืืื ืข ืืจืื ืืืชื ืืืืืืช ืืืืชื ืฆืคืืืืช. + +### ืืืืื + +```javascript +// Do +function doThing() { + // ... +} + +doThing() + +// Do + +const items = [1, 2, 3] +items.forEach(console.log) + +// Avoid โ throws exception +const m = new Map() +const a = [1,2,3] +[...m.values()].forEach(console.log) +> [...m.values()].forEach(console.log) +> ^^^ +> SyntaxError: Unexpected token ... + +// Avoid โ throws exception +const count = 2 // it tries to run 2(), but 2 is not a function +(function doSomething() { + // do something amazing +}()) +// put a semicolon before the immediate invoked function, after the const definition, save the return value of the anonymous function to a variable or avoid IIFEs altogether +``` + +๐ [**ืืงืจืืื ื ืืกืคืช:** "Semi ESLint rule"](https://eslint.org/docs/rules/semi) +
+๐ [**ืืงืจืืื ื ืืกืคืช:** "No unexpected multiline ESLint rule"](https://eslint.org/docs/rules/no-unexpected-multiline) + +
+ +## ![โ] 3.5 ืชื ื ืืคืื ืงืฆืื ืฉื + +**ืื;ืืง:** ืชื ื ืฉืืืช ืืื ืืคืื ืงืฆืืืช, ืืืื closures ื-callbacks. ืืืื ืขื ืืคืื ืงืฆืืืช ืื ืื ืืืืืช. ืื ืืืื ืฉืืืืฉื ืืฉืืืืงืื ืืคืืืงืฆืืืช Node.js. ืืชื ืฉืืืช ืืื ืืคืื ืงืฆืืืช ืืืคืฉืจ ืืื ืืืืื ืืงืืืช ืขื ืื ืืชื ืืกืชืืืื ืืฉืืชื ืฆืืคืื ืืชืืื ืช ืืฆื ืฉื ืืืืืจืื ืฉื ืืืคืืืงืฆืื. + +**ืืืจืช:** ืืืื ืืช ืืจืกืช ืืืฆืืจ (production) ืขื ืืกืืก ืชืืื ืช ืืฆื ืฉื ืืืืืจืื (core dump) ืขืืื ืืืืืช ืืืชืืจ ืืฉืืืขืืืช ืฉื ืืืืืจืื ืงืืจืืช ืืื ืืื ื ืคืื ืงืฆืืืช ืื ืื ืืืืืช. + +
+ +## ![โ] 3.6 ืืฉืชืืฉื ืืืืกืืืืช ืงืืืขืืช ืืืชื ืฉืืืช ืืืฉืชื ืื, ืืงืืืขืื, ืืคืื ืงืฆืืืช ืืืืืืงืืช + +**ืื;ืืง:** ืืฉืชืืฉื ื-**_lowerCamelCase_** ืืืฉืจ ืืชื ื ืืชื ืื ืฉืืืช ืืงืืืขืื, ืืฉืชื ืื ืืคืื ืงืฆืืืช, **_UpperCamelCase_** (ืื ืืืืช ืืจืืฉืื ื ืืืืื) ืืืฉืจ ืืชื ื ืืชื ืื ืฉืืืช ืืืืืงืืช ื-**_UPPER_SNAKE_CASE_** ืืืฉืจ ืืชื ื ืืชื ืื ืฉืืืช ืืืฉืชื ืื ืืืืืืืื ืื ืกืืืืื. ืกืืจ ืื ืืืคืฉืจ ืืื ืืืืืื ืืงืืืช ืืื ืืฉืชื ืื ืจืืืืื ืืคืื ืงืฆืืืช ืืืื ืืืืงืืช ืฉืืืจืฉืืช ืืชืืื ืืืืื ืืฉืชื ืื ืืืืืืืื. ืืฉืชืืฉื ืืฉืืืช ืฉืืชืืจืื ืืืื ืืช ืืฉืืขืืช ืืืฉืชื ื, ืื ืฉืืืื ืงืฆืจ. + +**ืืืจืช:** JavaScript ืืื ืืฉืคื ืืืืืื ืืขืืื ืฉืชืืคืฉืจ ืืื ืืงืจืื ื-constructor ("Class") ืืฉืืจืืช ืืื ืืชืืื. ืืื, ืืฉืื ืืืื ืืืืืื ืืื ืฉืืืช ืืืืงืืช ืืฉืืืช ืคืื ืงืฆืืืช ืขื ืืื ืฉืืืืฉ ื-UpperCamelCase. + +### ืืืืืืืช + +```javascript +// for global variables names we use the const/let keyword and UPPER_SNAKE_CASE +let MUTABLE_GLOBAL = "mutable value"; +const GLOBAL_CONSTANT = "immutable value"; +const CONFIG = { + key: "value", +}; + +// examples of UPPER_SNAKE_CASE convention in nodejs/javascript ecosystem +// in javascript Math.PI module +const PI = 3.141592653589793; + +// https://github.com/nodejs/node/blob/b9f36062d7b5c5039498e98d2f2c180dca2a7065/lib/internal/http2/core.js#L303 +// in nodejs http2 module +const HTTP_STATUS_OK = 200; +const HTTP_STATUS_CREATED = 201; + +// for class name we use UpperCamelCase +class SomeClassExample { + // for static class properties we use UPPER_SNAKE_CASE + static STATIC_PROPERTY = "value"; +} + +// for functions names we use lowerCamelCase +function doSomething() { + // for scoped variable names we use the const/let keyword and lowerCamelCase + const someConstExample = "immutable value"; + let someMutableExample = "mutable value"; +} +``` + +
+ +## ![โ] 3.7 ืืขืืืคื const ืขื ืคื ื let. ื ืืืฉื ืืช var + +**ืื;ืืง:** ืฉืืืืฉ ื-`const` ืืฉืืขืืชื ืืื ืฉืืืืจ ืฉืืืฉืชื ื ืืืืชืื ืืจืืฉืื ื ืืื ืื ืืืื ืืืืืช ืืืืชืื ืฉืื. ืืขืืคืช ืฉืืืืฉ ื-`const` ืชืขืืืจ ืืื ืื ืืืชืคืชืืช ืืืืฉืชืืฉ ืฉืื ืืืืชื ืืฉืชื ื ืืฆืจืืื ืฉืื ืื ืืชืืคืื ืืช ืืงืื ืฉืืื ืืงืจืื ืืืชืจ. ืื ืืฉืชื ื ืฆืจืื ืืืืืช ืืืืชืื ืืืืฉ, ืืืฉื ืืชืื ืืืืืช for, ืื ืืฉืชืืฉื ื-`let` ืืฆืืจื ืื. ื ืงืืื ื ืืกืคืช ืฉืืฉืื ืืฆืืื ืืื ืฉืฉืืืืฉ ื-`let` ืืคืฉืจืืช ืจืง ืืชืื ืืืชื ืืืืืง ืฉืืื ืืืืืจื ืื. `var` ื ืฆืื ืscope ืฉื ืืคืื ืงืฆืื ืฉืืื ืืืืืจ ืื ืืื ืืืืืง ืกืคืฆืืคื ืืืื [ืฆืจืื ืื ืืืฉืชืืฉ ืื ื-ES6](https://hackernoon.com/why-you-shouldnt-use-var-anymore-f109a58b9b70) ืืฉืืคืฉืจ ืืืฉืชืืฉ ื-`const` ืื-`let`. + +**ืืืจืช:** ืืืืื ืืืคื ืืืืืช ืืืื ืืกืืจืื ืืืฉืจ ืืฉืชื ื ืืฉืชื ื ืืขืืชืื ืืืืคืืช. + +๐ [**ืืงืจืืื ื ืืกืคืช: JavaScript ES6+: var, let, or const?** ](https://medium.com/javascript-scene/javascript-es6-var-let-or-const-ba58b8dcde75) + +
+ +## ![โ] 3.8 ืืขื ื ืืืืืืื ืืชืืืื, ืืื ืืงืจืืื ืืคืื ืงืฆืืืช + +**ืื;ืืง:** ืืขื ื ืืช ืืืืืืืื (require...) ืืชืืืืช ืื ืงืืืฅ, ืืคื ื ืื ืืคืื ืงืฆืืืช. ืฉืืืช ืขืืืื ืคืฉืืื ืื ืื ืจืง ืฉืชืขืืืจ ืืื ืืงืืืช ืืืืืืจืืช ืืืืืช ืืช ืืชืืืืืช ืฉื ืงืืืฅ ืืกืืื, ืืื ืื ืชืื ืข ืืกืคืจ ืืขืืืช ืืคืฉืจืืืช. + +**ืืืจืช:** ืืขืื ืช ืืืืืืื ืืื ืชืืืื ืกืื ืืจืื ื ื-Node.js. ืื ืืืขืื ื ืชืชืืฆืข ืืชืื ืคืื ืงืฆืื ืืื ืขืืืื ืืืกืื ืืืคืื ืืืงืฉืืช ืืืจืืช ืืืื ืงืจืืื. ืื ืืกืฃ ืืื, ืื ืืืืื ืืืื ื ืื ืืืฉืื ืฉืืื ืชืืื ืื ืืืจืงื ืฉืืืื ืืืคืืื ืืช ืืฉืจืช, ืืืืืฅ ืฉืื ืืืืืข ืืื ืฉืืืชืจ ืืืงืื, ืื ืฉืื ืืืื ืืงืจื ืืืงืจื ืฉืืืืืื ื ืืขื ืืชืื ืคืื ืงืฆืื. + +
+ +## ![โ] 3.9 ืืืืืจื ืื ืืกื ืืกืืืจืช ืืกืคืจืื ืฉืืื + +**ืื;ืืง:** ืืขืช ืคืืชืื ืืืืื ืื ืกืคืจืื, ืืืืืจื ืงืืืฅ ืืกืืก ืฉืืืืฆื ืืช ืืงืื ืืืืืขื ืืฉืืืืฉ ืืืฆืื ื. ืื ืขื ืืืืฉืชืืฉืื ืฉื ืืงืื ืฉืืื ืืช ืืฆืืจื ืืืืื ืงืืฆืื ืฉืืืฉืืื ืขืืืง ืืฆืืื ืืืช ืืฆืืจื ืฉืืื ืืืืื ืืช ืืื ื ืืงืืฆืื ืฉืืื. ืืืฉืจ ืขืืืืื ืืฉืืืช commonjs (require), ืื ืืืื ืืืืขืฉืืช ืขื ืืื ืฉืืืืฉ ืืงืืืฅ index.js ืฉืืืฉื ืืชืืงืื ืืจืืฉืืช ืื ืืืืืจืช ืืฉืื main ืืงืืืฅ package.json. ืืืฉืจ ืขืืืืื ืืฉืืืช ESM (import), ืื ืงืืืฅ package.json ืงืืื ืืชืืงืื ืืจืืฉืืช, ืื ืืฉืื "exports" ืืืคืฉืจ ืืช ืืืืจืช ืืงืืืฅ ืืจืืฉื. ืื ืื ืืื ืงืืืฅ package.json, ืื ืฉืืืืฉ ืืงืืืฅ index.js ืืชืืงืื ืืจืืฉืืช ืืืฆื ืืช ืื ืืคืื ืงืฆืืื ืืืืช ืฉืืืืขืืช ืืฉืืืืฉ ืืืฆืื ื. + +**ืืืจืช:** ืงืืืื ืฉื ืงืืืฅ ืจืืฉื ืจืฉืื ืืฉืืฉ ืืืืฉืง ืืืฆืื ื ืฉืืกืชืืจ ืืช ืืืืงืื ืืคื ืืืืื ืฉื ืืกืคืจืื, ืืงืฉืจ ืืช ืืืฉืชืืฉ ืืฉืืจืืช ืืงืื ืืืืื ืืืืคืฉืจ ืฉืื ืืืื ืขืชืืืืื ืืื ืฆืืจื ืืฉืืืจืืช ืืืืื. + +### ืืืืื + +```javascript +// Avoid: client has deep familiarity with the internals + +// Client code +const SMSWithMedia = require("./SMSProvider/providers/media/media-provider.js"); + +// Better: explicitly export the public functions + +//index.js, module code +module.exports.SMSWithMedia = require("./SMSProvider/providers/media/media-provider.js"); + +// Client code +const { SMSWithMedia } = require("./SMSProvider"); +``` + +
+ +## ![โ] 3.10 ืืฉืชืืฉื ืืืืคืจืืืจ `===` + +**ืื;ืืง:** ืืขืืืคื ืืช ืืืฉืืืื ืืงืคืื ืืช ืืืืฆืขืืช ืืืืคืจืืืจ `===` ืขื ืคื ื ืืืฉืืืื ืืืืฉื ืืืชืจ ืืืืฆืขืืช ืืืืคืจืืืจ `==`. `==` ืืฉืืื ืฉื ื ืืฉืชื ืื ืืืจื ืืืจื ืฉื ืฉื ืืื ืืกืื ืืฉืชื ื ืืื. ืืื ืืืจืช ืกืืื ืืฉืชื ืื ืืืืคืจืืืจ `===`, ืืฉื ื ืืืฉืชื ืื ืืืืืื ืืืืืช ืืืืชื ืกืื ืืื ืฉืืืืื ืืืืืช ืฉืืืื. + +**ืืืจืช:** ืืฉืชื ืื ืืขืื ืขืจืืื ืฉืื ืื ืขืืืืื ืืืืืืจ `true` ืืืฉืจ ืืฉืืืื ืืื ืืื ืืขืืจืช ืืืืคืจืืืจ `==`. + +### ืืืืืืืช + +```javascript +"" == "0"; // false +0 == ""; // true +0 == "0"; // true + +false == "false"; // false +false == "0"; // true + +false == undefined; // false +false == null; // false +null == undefined; // true + +" \t\r\n " == 0; // true +``` + +ืื ืืืฉืืืืืช ืืขืื ืืืืืจื `false` ืืขืช ืืฉืืืื ืขื `===`. + +
+ +## ![โ] 3.11 ืืฉืชืืฉื ื-Async Await, ืืื ืขื ื-callbacks + +**ืื;ืืง:** async-await ืื ืืืจื ืืคืฉืืื ืืืืชืจ ืืืชืื ืงืื ืืกืื ืืจืื ื ืฉืืจืืืฉ ืืื ืงืื ืกืื ืืจืื ื. ืืงืื ืฉืืืชื ืืฉืืืช async-await ืืื ืื ืืจืื ืืืชืจ ืคืฉืื ืืชืืื ืืื ืื ืื ื-try-catch. ืฉืืื ืื ืืืืืคื ืืช ืืฆืืจื ื-callbacks ื-promises ืืจืื ืืืงืจืื. ืฉืืืืฉ ืืฉืืื ืื ืืงืื ืืื ืื ืจืื ืืืช ืืืชื ืืช ืืืืืืช ืืืชืจ ืฉืืคืฉืจ ืืชืช ืืื ืฉืืงืจื ืืช ืืงืื. + +**ืืืจืช:** ืืืคืื ืืฉืืืืืช ืืกืื ืืจืื ืืืช ืืฉืืืช callback ืืื ืื ืจืื ืืืจื ืืืืืจื ืืืื ืื - ืืืืืื ืฉืฉืืื ืื ืืืืืืช ืืืืงืช ืฉืืืืืช ืืื ืฉืื, ืืืฆืจืช ืงืื ืื ืืืืจ ืืงืื ืืืงืฉื ืขื ืืื ืช ืชืืืื ืืืจืืื ืฉื ืืงืื. + +๐[**ืืงืจืืื ื ืืกืคืช:** ืืืจืื ื-async-await](https://github.com/yortus/asyncawait) + +
+ +## ![โ] 3.12 ืืฉืชืืฉื ืืคืื ืงืฆืืืช ืืฅ (=>) + +**ืื;ืืง:** ืืื ื ืืืืืฅ ืืืฉืชืืฉ ื async-await ืืืืืื ืข ืืืืืจืช ืคืจืืืจืื ืืคืื ืงืฆืืืช ืืืฉืจ ืืชืขืกืงืื ืขื API ืืฉื ืฉืชืืื ื-callbacks ืื ืืืืืืช - ืคืื ืงืฆืืืช ืืฅ ืืืคืฉืจืืช ืืืจืื ืืช ืืงืื ืงืืืคืงืื ืืืชืจ ืืืืืื ืฉืฉืืืจืืช ืขื ืืงืื ืืงืกื ืฉื ืคืื ืงืฆืืช ืืืขืืคืช (`this`). + +**ืืืจืช:** ืงืื ืืจืื ืืืชืจ (ืขื ืืกืืก ืคืื ืงืฆืืืช ืฉื ES5) ืืฉืืฃ ืืืืชืจ ืืืืื ืืงืฉื ืืืชืจ ืืงืจืืื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืข ืืืื ืืืืฅ ืืช ืคืื ืงืฆืืืช ืืืฅ**](https://medium.com/javascript-scene/familiarity-bias-is-holding-you-back-its-time-to-embrace-arrow-functions-3d37e1a9bb75) + +
+ +## ![โ] 3.13 ืืืื ืขื ืืืฉืคืขืืช ืฆืืืืืช ืืืืฅ ืืคืื ืงืฆืืืช + +**ืื;ืืง:** ืืืื ืขื ืืืชืืืช ืงืื ืขื ืืฉืคืขืืช ืฆืืืืืช ืืื ืคืขืืืช ืจืฉืช ืื ืคื ืื ืืืกื ื ืชืื ืื ืืืืฅ ืืคืื ืงืฆืื. ืื ืื ืชืืชืื ืงืื ืืื ืืื ืืจืืฅ ืืื ืืืฉืจ ืงืืืฅ ืืืจ ืคืื ื ืืงืืืฅ ืืื. ืืงืื 'ืืฆืฃ' ืืื ืขืืื ืืจืืฅ ืืืฉืจ ืืชืฉืชืืช ืืืชื ืืื ืืืงืฉ ืขืื ืื ืืืื ื ืขืืืจื. ืื ืื ืคืืืข ืืืืฆืืขืื ืืคืืื ืื ืืื ืฆืืจื ืืคืื ืงืฆืื ืฉืขืืืจื ืืชืืฆืขืช ืืคืขืืื ืืืื ืืจืืฆื. ืืืจ ืืืจืื, ืืชืืืช ืืืกืื ืืคืขืืื ืื ืืฉืืื ืืืืงืืช ืืจืื ืืืชืจ ืืืจืืืช ืืฉืืื ืื ื ืขืฉืืช ืืคืื ืงืฆืื. ืืืงืื ืืืช, ืฉืืื ืืช ืืงืื ืืื ืืคืื ืงืฆืื ืฉืฆืจืืื ืืืืงืจื ืืืคืืจืฉ. ืื ืืงืื ืืื ืฆืจืื ืืืืงืจื ืืฉืจ ืืขืช ืขืืืืช ืืืขืจืืช, ืฉืืงืื ืฉืืืืฉ ื-factory ืื ืืชืื ืืช ืืืจืช ืฉืืชืืืื ืืืจืืฉื ืืืืช. + +**ืืืจืช:** ืชืฉืชืืืช ืกืื ืืจืืืืช ืืขืืื ืืืื ืืืืืจืืช ื ืืืื ืฉืืืืืช, ืืฉืชื ื ืกืืืื ืื ืืืืจ ืชืงืืืช. ืื ืืคืขืืื ืชืชืืฆืข ืืคื ื ืฉืืชืฉืชืืช ืืืืชืืืช ืื ืื ืืืื ื ืืืืจ ืฉื ืืืงืจื ืื ืฉืืคืขืืื ืชืืืฉื ืืฉื ืืืกืจ ืืืืืจืืช ืฉืืจื ื ืืขื ื. + +
+ + + +# `4. ืืืืงืืช ืืืงืจืช ืืืืืช` + +> ืืฉ ืื ื ืืืจืืืื ืืขืืืืื ืืืชืืืช ืืืืงืืช. ืจืฉืืืช ืฉืืืืช ืืขืืืื ืืืืืืฆืืช ืคื ืืื ืกืืืื ืืืื ืฉื ืืืืจืืืื ืืืื. +> +> ื. [ืฉืืืืช ืขืืืื ืืืืืฆืืช ืืืชืืืช ืืืืงืืช ื-JavaScript](https://github.com/goldbergyoni/javascript-testing-best-practices)
+> ื. [ืืืืงืืช ื-Node.js - ืืขืืจ ืืืกืืืืช](https://github.com/testjavascript/nodejs-integration-tests-best-practices) + + +## ![โ] 4.1 ืืคืืืช, ืืืชืื ืืืืงืืช API ืืจืืืืื ืืฉืื ืื + +**ืื;ืืง:** ืืจืื ืืคืจืืืงืืื ืืื ืืืืงืืช ืืืืืืืืืช ืืื ืืฉื ืืื ืืื ืื ืงืฆืจ, ืื ืฉืืชืืืื ืื ืกืืช ืืืืกืืฃ ืืืืงืืช ืืคืจืืืงื ื ืืกืฃ ืื ืื ืืฆื ืืฉืืืื ืื ื ืืฉ ืขื ืืืื. ืืื, ืืชืขืืฃ ืืืืชืืื ืืืืงืืช API ืฉืืืช ืืืจื ืืงืื ืืืชืื ืืืืงืืช ืืืกืคืง ืืืกืื (ืืืืงืืช) ืฉื ืืงืื ืืืฉืจ ืืืืืงืืช ืืืืื ืฉื ืคืื ืงืฆืืืช ืืืืืืช (ืืคืฉืจ ืืืฉืชืืฉ ืืฉืืื ืื ืื ืืืืื ืืืฆืื ืืื ืืื ืืชืืืช ืงืื, ืืืฉื ืฉืืืืฉ ื-[Postman](https://www.getpostman.com/)). ืืืืจ ืืื, ืื ืืฉ ืืื ืืืชืจ ืืฉืืืื ืืืื ืชืืฉืืื ืขื ืืืืงืืช ืืชืงืืืืช ืืืชืจ ืืืื ืืืืงืืช ืืืืื, ืืืืงืืช ืืื ืืกืื ืื ืชืื ืื ืืืืงืืช ืืืฆืืขืื ืืขืื. + +**ืืืจืช:** ืืชื ืขืืืืื ืืืืื ืืืื ืฉืืืื ืขื ืืชืืืช ืืืืงืืช ืืืืื ืืืื ืืืืืืช ืืกืืคื ืฉื ืืืจ ืฉืืืกืืชื ืจืง 20% ืืืืขืจืืช. + +
+ +## ![โ] 4.2 ืกืืืื 3 ืืืงืื ืืืชื ืฉื ืืื ืืืืงื + +**ืื;ืืง:** ืืืจืื ืืืืืงื ืืชืืจ ืืช ืฉืื ืืืจืืฉืืช ืื ืฉืืื ืชืกืืืจ ืืช ืขืฆืื ืื ืQA ืื ืืืืจืื (ืืืื ืืชืื ืืขืชืื ืืื ืจืืืง) ืฉืื ืืงืืืื ืืืืงืื ืืคื ืืืืื ืฉื ืืงืื. ืฆืืื ื ืืืืืงื (1) ืืืื ืืืง ื ืืืง, (2) ืืืืื ืชื ืืื (3) ืืื ืืชืืฆืื ืฉืืฆืคืื ืฉืชืืื. + +**ืืืจืช:** ืืืชืงื ื ืืืืืง ื ืืฉืื, ืืืืงื ืืฉื โAdd productโ ื ืืฉืื. ืืื ืื ืืชืืจ ืื ืืืืืง ืื ืชืืคืงื? + +๐ [**ืืงืจืืื ื ืืกืคืช: ืกืืืื 3 ืืืงืื ืืืชื ืฉื ืืื ืืืืงื**](./sections/testingandquality/3-parts-in-name.md) + +
+ +## ![โ] 4.3 ืืืงื ืืช ืืืืืงืืช ืืคื ืชืื ืืช ื-AAA + +**ืื;ืืง:** ืืืงื ืืช ืืืืืงืืช ืืฉืืืฉื ืืืงืื ื ืคืจืืื: Arrange (ืืจืื), Act (ืคืขื) & Assert (ืืื) (AAA). ืืืืง ืืจืืฉืื ืืืื ืืช ืืืื ื ืฉื ืืกืืืื ืืืืืงื, ืืืืง ืืฉื ื ืืช ืืืจืฆื ืืืฆื ืืืืงืืช, ืืืืกืืฃ ืืืืง ืฉืืืืื ืฉืืชืงืืื ืืชืืฆืื ืืจืฆืืื. ืฉืืืืฉ ืืืื ื ืื ืืขืงืืืืช ืืืืื ืฉืืงืืจื ืื ืืืืื ืืื ืืืฉืื ืฉื ืืื ืช ืืืืืงื. + +**ืืืจืช:** ืื ืืกืคืืง ืฉืืชืืืื ืืื ื ืจืื ืืืืื ืขื ืืื ืช ืืงืื, ืขืืฉืื ืื ืืืืง ืืงื ืืืื (ืืื ืช ืืืืืงืืช) ืืฉืจืืฃ ืืช ืืืื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืงื ืืช ืืืืืงืืช ืืคื ืชืื ืืช ื-AAA**](./sections/testingandquality/aaa.md) + +
+ +## ![โ] 4.4 ืืืืื ืื ืืจืกืช ื-Node ืืืืื + +**ืื;ืืง:** ืืฉืชืืฉื ืืืืื ืืืขืืืืื ืื ืืืืคืื ืฉืืืืฉ ืืืืชื ืืจืกืช Node.js ืืกืืืืืช ืืฉืื ืืช ืืขื ืืื ืฉืืจ ืืืคืชืืื. ืืืื ืืื [nvm](https://github.com/nvm-sh/nvm), ื-[Volta](https://volta.sh/) ืืืคืฉืจืื ืืืืืืจ ืืืคืืจืฉ ืืช ืืืจืกื ืื ืืจืฉืช ืืคืจืืืงื ืืงืืืฅ ืื ืฉืื ืืืจื ืืฆืืืช ืืืืืื ืขื ืืื ืืจืฆืช ืคืงืืื ืืืช ืืืืฉืจ ืงื ืขื ืืจืกืช ืืคืจืืืงื. ืืฉื ื ืืคืฉืจืืช ืฉืืจืกื ืื ืื ืชืฉืชืงืฃ ืืชืืืื ื-CI ืืกืืืืช ืืืฆืืจ/ืืงืืืืช (ืืืืืื ืขื ืืื ืืขืชืงืช ืืกืคืจ ืืืจืกื ืืืืืงืฉ ื-`.Dockerfile` ืืืงืืฆื ืืืืืจืืช ืฉื ืชืืืื ื-CI). + +**ืืืจืช:** ืืคืชืืช ืขืืืื ืืืืชืงื ืื ืืคืกืคืก ืฉืืืื ืืืืืื ืฉืืื ืืฉืชืืฉืช ืืืจืกืช Node.js ืฉืื ื ืืฉืืจ ืืฆืืืช. ืื ืืจืืข ืืื, ืกืืืืช ืืืฆืืจ ืจืฆื ืืืืฆืขืืช ืืจืกื ืฉืื ื ืืื ืฉืืืจืฆื ืขืืื ืืืืืงืืช. + +
+ +## ![โ] 4.5 ืืืื ืขื ืืืชืืื ืืืืข ืืจืขืื ื ืืฉืืชืฃ, ืืืืืจื ืืคื ืฆืืจื ืฉื ืืืืงื + +**ืื;ืืง:** ืืื ืืืืื ืข ืืฆืืืืืช ืืชืืืช ืืื ืืืืงืืช ืฉืื ืืช ืืืื ืฉืืืื ืืจืืจ ืืืชืจ ืืื ืืืกืืืจ ืื ืงืืจื ืืฉืืืื ืืฉืื ืื ืฉื ืืืืืงื, ืจืืื ืฉืื ืืืืงื ืชืืกืืฃ ืืชื ืื ืืช ืืืืืข ืืขืืืฃ ืฉืื (ืืืฉื ืฉืืจืืช ืืืืื). ืืืงืจื ืืืืืงื ืฆืจืืื ืืฆืจืื ืืืืข ืืืืื ืื ืืื ืื ืฉืืื ืงืืื ืฉื - ืืื ืฆืจืืื ืงืืื ืืื ืืืืกืืฃ ืืช ืืืืืข ืืืคืืจืฉ ืืืืืื ืข ืืฉืื ืื ืืืืข ืฉื ืืืืงื ืืืจืช. + +**ืืืจืช:** ืชืืจื ืืื ืืงืจื ืื ืืคืฆืช ืืจืกื ื ืืฉืื ืืฉื ืฉืืืื ืืืืืงืืช, ืืฆืืืช ืืฉื ืก ืืืชื ืืื ืืืงืืจ ืืช ืืกืืื ืืืืืข ืื ืืชืืื ื ืืขืฆืืื ืฉืืืขืจืืช ืขืืืืช ืชืงืื ืืื ืืืืืงืืช ืืืจืกืืช ืืืืข ืืืช ืืฉื ืื ืืืื ื ืืฉืื ืืขืฆืจื ืืช ืชืืืื ืืืคืฆื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืื ืขื ืืืชืืื ืืืืข ืืจืขืื ื ืืฉืืชืฃ**](./sections/testingandquality/avoid-global-test-fixture.md) + +
+ +## ![โ] 4.6 ืชืืืื ืืช ืืืืืงืืช + +**ืื;ืืง:** ืืืืงืืช ืฉืื ืืช ืฆืจืืืืช ืืจืืฅ ืืชืจืืืฉืื ืฉืื ืื: ืืืืงืืช ืฉืคืืืช (quick smoke/sanity), IO-less, ืืืืงืืช ืืขืช ืฉืืืจืช ืงืืืฅ ืื commit, ืืืืงืืช ืืืืืช ืืงืฆื ืืงืฆื (e2e) ืืืฉืจ ื ืคืชื PR ืืืืื... ืืชืจืืืฉืื ืืฉืื ืื ืืืืืื ืืืืืช ืืืืืจืื ืืขืืจืช ืชืืื ืืืืงืืช ืฉืื ืืช ืขื ืืืืืช ืืคืชื ืืื #cold #api #sanity ืืืจ ืืืืคืฉืจ ืืืืืืจ ืงืืืฆืช ืืืืงืืช ืืืชืื ืืฆืืจื ืืืืจืืฅ ืจืง ืืืชื. ืืืฉื, ืืืช ืืฉืืื ืืืจืืฅ ืจืง ืืช ืงืืืฆืช ืืืืงืืช ืืฉืคืืืช ืืืืฆืขืืช [Mocha](https://mochajs.org/): `mocha --grep 'sanity'`. + +**ืืืจืช:** ืืจืฆื ืฉื ืื ืืืืืงืืช ืืืื ืืืื ืฉืืืฆืขืืช ืขืฉืจืืช ืคื ืืืช ืืืกื ื ืชืื ืื ืืื ืคืขื ืฉืืคืชื ืขืืฉื ืฉืื ืื ืงืื ืืื ืืช ืงืฆื ืืคืืชืื ืืฆืืจื ื ืืืจืช ืืชืื ืข ืืฆืืืช ืืคืืชืื ืืืจืืฅ ืืืืงืืช. + +
+ +## ![โ] 4.7 ืืืืงื ืืช ืจืืช ืืืกืื ืืืืืงืืช ืฉืืื, ืื ืืขืืืจ ืืืืืช ืืคืืกื ืืืืงืืช ืฉืืืืื + +**ืื;ืืง:** ืืืื ืืืืืงืช ืืืกืื ืืงืื ืขื ืืื ืืืืงืืช ืืื [Istanbul](https://github.com/istanbuljs/istanbuljs)/[NYC](https://github.com/istanbuljs/nyc) ืืฆืืื ืื ืืฉื ืฉืืืฉ ืกืืืืช: ืื ืืืื ื (ืืื ืขืืืช ืืื"ืืืช ืฉืื ืืกืคืงืื), ืื ืขืืืจืื ืืืืืช ืืจืืื ืืืืืื ืืืืกืื, ืืืืจืื ืืืื ืื ืืืืืฉืื ืืงืจืื ืฉื ืื ืืชืืื ืืืืืงืืช: ืขื ืืื ืฆืคืืื ืืฆืืขืื ืฉืืืืืืช ืืืื ืืกืคืงืื ืืคืฉืจ ืืืืืช ืืืฉื ืฉืืฉ ืงืืขื ืงืื ืฉืื ื ืืืงืื ืืขืืื ืืื ืืกืชืขืคืืืืช ืฉื `catch` (ืื ืฉืืืืจ ืฉืืฉ ืืืืงืืช ืจืง ืืืกืืื ืืืฆืืื ืืื ืืืงืจืื ืฉื ืืฉืืืืืช). ืจืฆืื ืืืืืืจ ืืช ืื ืื ืฉืื ืืคืื ืืช ืชืืืืื ืืฆืืจืช ืืืจืกืืืช ืืืืื ืืืืืกืื ืื ืขืืืจ ืกืฃ ืืกืืื. + +**ืืืจืช:** ืื ืืืื ืฉืื ืืืฆืขื ืืืืื ืฉืืืืื ืฉืงืืขืื ื ืจืืืื ืืืงืื ืื ื ืืืงืื ืืื. + +
+ +## ![โ] 4.8 Use production-like environment for e2e testing + +**ืื;ืืง:** End to end (e2e) testing which includes live data used to be the weakest link of the CI process as it depends on multiple heavy services like DB. Use an environment which is as close to your real production environment as possible like a-continue (Missed -continue here, needs content. Judging by the **Otherwise** clause, this should mention docker-compose) + +**ืืืจืช:** Without docker-compose, teams must maintain a testing DB for each testing environment including developers' machines, keep all those DBs in sync so test results won't vary across environments + +
+ +## ![โ] 4.9 ืฉืืชืื ืืช ืืงืื ืืืืคื ืงืืืข ืืขืืจืช ืืื ื ืืชืื ืกืืื + +**ืื;ืืง:** ืฉืืืืฉ ืืืื ื ืืชืื ืกืืื (static analysis tools) ืขืืืจ ืืื ืฉืืื ื ืืชื ืืจืืื ืืชืืืืืช ืืฉืคืจ ืืช ืืืืืช ืืงืื ืืืฉืืืจ ืขื ืืงืื ืืชืืืืง. ืืคืฉืจ ืืืืกืืฃ ืืืื ืืืื ืืฉืืื ืืื ืืื ื-CI ืื ืฉืืคืืื ืืช ืืชืืืื ืืืืื ืืื ืืืืื ื ืืืืืืช ืืงืื. ืืื ืืืชืจืื ืืช ืืขืืงืจืืื ืฉืืื ืขื ืคื ื ืืืื ืคืฉืืืื ืืืชืจ ืืื ืืืืืืช ืืืืืช ืคืืืื ืืืืืืช ืืงืื ืขื ืคื ื ืืกืคืจ ืงืืฆืื (ืืื ืืคื ืงืื), ืืืจืืืืช ืืืืื ืฉื ืงืื ืืืขืงื ืืืจื ืืืืกืืืจืื ืืืืชืงืืืืช ืฉื ืืงืื. ืฉื ื ืืืื ืืืืืฆืื ืืฉืืืืฉ ืื [Sonarqube](https://www.sonarqube.org/) (7,900+ [stars](https://github.com/SonarSource/sonarqube)) ื [Code Climate](https://codeclimate.com/) (2,400+ [stars](https://github.com/codeclimate/codeclimate)). + +**ืืืจืช:** ืื ืืงืื ืืืืืืช ื ืืืื, ืชืงืืืช ืืืขืืืช ืืืฆืืขืื ืชืืื ืืืื ืืชืืจ ืฉืืฃ ืกืคืจืื ืืืฉื ืื ืืฆืฆืช ืื ืคืชืจืื ืืื ืืืืื ืืืืฉ ืืืืื ืืคืชืืจ. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืฉืืชืื!**](./sections/testingandquality/refactoring.md) + +
+ +## ![โ] 4.10 ืืืืืืช ืชืฉืืืืช ืฉื ืฉืจืชื HTTP ืืืฆืื ืืื + +**ืื;ืืง:** ืืฉืชืืฉื ืืืื ืืืืื ืฉื ืืืืืข ืฉืืืืข ืืืจืฉืช ืขืืืจ ืชืฉืืืืช ืฉืืืืขืืช ืืฉืืจืืชืื ืืืฆืื ืืื (ืืื ืืงืฉืืช REST ื GraphQL). ืื ืืืจืื ืื ืจืง ืืื ืืืืื ืืช ืืจืืื ืฉื ืืืง ืืื ืืขืืงืจ ืืื ืืืืืง ืืฆืืื ืื ืฆืคืืืื. ืืืื ืืื [nock](https://github.com/nock/nock) ืื [Mock-Server](https://www.mock-server.com/) ืืืคืฉืจืื ืืืืืืจ ืชืฉืืื ืืกืืืืช ืืืงืฉื ืืฉืืจืืช ืืืฆืื ื ืืฉืืจืช ืงืื ืืืืื. ืืฉืื ืื ืืฉืืื ืืืืืช ืื ืฉืืืืืช, ืขืืืืืื, timeouts, ืืื ืืืจืืข ืืืจ ืฉืื ืจืื ืืงืจื ืืกืืืืช ืืืืฆืืจ. + +**ืืืจืช:** ืืืคืฉืจ ืืจืืื ืืืฉืช ืืืืืข ืืืืชื ืืฉืืจืืชืื ืืืฆืื ืืื ืืืจื ืืื ืืกืชืืื ืืืืืงืืช ืคืฉืืืืช ืฉืืืกืืช ืืขืืงืจ ืืช ืืืงืจืื ืฉืืื ืืื. ืื ืืกืฃ ืืื ืืืืืงืืช ืืคืขืืื ืืืฉืื ืืืืื ืืืืืืช ืืืชืจ. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืืืช ืฉืืจืืชืื ืืืฆืื ืืื**](./sections/testingandquality/mock-external-services.md) + +
+ +## ![โ] 4.11 ืืืืงื ืืช ืคืื ืงืฆืืืช ืืืื ืืื ืื ืคืจื + +**ืื;ืืง:** ืืืฉืจ ืคืื ืงืฆืืืช ืืื ืืื (middleware) ืืืืืช ื ืชื ืืฉืืขืืชื ืฉื ืืืืืงื ืฉืืฉืชืจืขืช ืขื ืคื ื ืืกืคืจ ืขืฆืื ืฉื ืืงืฉืืช, ืืืื ืืืืืง ืืืชื ืืฆืืจื ืืืืืืช ืืื ืฆืืจื ืืืขืื ืืช ืื ืชืฉืชืืช ืืคืจืืืืืืจืง. ืืคืฉืจ ืืืฉืื ืืช ืืคืขืืื ืืืืช ืืงืืืช ืขื ืืื ืขืืืคื ืื ืืืืื ืฉื `{req, res, next}`. + +**ืืืจืช:** ืืื ืืคืื ืงืฆืืืช ืืื ืืื ื-`express` === ืืื ืืจืื ืืงืจืืื ืฉื ืืืงืฉืืช. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืืง ืคืื ืงืฆืืืช ืืื ืืื ืื ืคืจื**](./sections/testingandquality/test-middlewares.md) + +
+ +## ![โ] 4.12 ืงืืขื ืืช ืืคืืจื ืืืืฆืืจ, ืืืืืจื ืืงืจืื ืืืืืงืืช + +**ืื;ืืง:** ืืืฉืจ ืืืฆืขืื ืืืืงืืช ืืื API, ืื ืจืฆืื ืืืฃ ื ืืื ืืืชืื ืืช ืืฉืจืช ืืชืื ืืืืืงืืช. ืชื ื ืืฉืจืช ืืืืืจ ืคืืจื ืืืืคื ืืงืจืื ืืืฉืจ ืืจืืฆืื ืืืืงืืช ืืื ืืื ืืข ืืชื ืืฉืืืืช. ืื ืืชื ืืฉืชืืฉืื ืืฉืจืช HTTP ืฉื Node.js (ืืฉืืืืฉ ืขื ืืื ืจืื ืกืคืจืืืช ืืชืฉืชืืช), ืืื ืืืฉืื ืืช ืืืืืืช ืืืืช ืืื ืฆืืจื ืืขืฉืืช ืืืื ืืืื ืืืขืืืจ port=0 - ืื ืืืจ ืืืจืื ืืืงืฆืื ืืื ืืืืช ืฉื ืคืืจื. + +**ืืืจืช:** ืืืืจื ืฉื ืคืืจื ืกืคืฆืืคื ืืื ืข ืืช ืืืคืฉืจืืช ืืืจืืฅ ืฉื ื ืืกืืื ืืืงืืื. ืจืื ืืืืื ืฉืืจืืฆืื ืืืื ืืกืืื - ืืจืืฆืื ืืืงืืื ืืืจืืจืช ืืืื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืืจื ืคืืจื ืืงืจืื ืืืืืงืืช**](./sections/testingandquality/randomize-port.md) + +
+ +## ![โ] 4.13 ืืืืงื ืืช ืืืฉืช ืืชืืฆืืืช ืืืคืฉืจืืืช + +**ืื;ืืง:** ืืขืช ืืืืงืช ืืงืจื, ืืืื ืฉืืชื ืืืกืื ืืช ืืืฉืช ืืงืืืืจืืืช ืืืคืฉืจืืืช. ืืื ืคืขื ืฉืคืขืืื ืืื (ืืืฉื ืงืจืืืช API), ืืชืืืื ืชืืืื, **ืชืืฆืื** ืืฉืืขืืชืืช ื ืืฆืจืช ืืืชืืฆืขืช ืงืจืืื ืืืืืงื. ืืฉื ื ืืืฉ ืกืืื ืชืืฆืืืช ืืื ืืงืจื: ืชืืืื, ืฉืื ืื ื ืจืื ืืขืื (ืืื ืขืืืื ืืืกื ืื ืชืื ืื), ืฉืืืืช ืงืจืืื ื- +API, ืืืืขื ืืืฉื ื ืจืฉืืช ืืชืืจ, ืืงืจืืื ืืืื ืฆืคืื ืืืืืข (ืืื ืืืืจ ืืื ืืืืืงืืช). [ืจืฉืืืช ืืืืงืืช ืืกืืกืืืช](https://testjavascript.com/wp-content/uploads/2021/10/the-backend-checklist.pdf). ืื ืกืื ืฉื ืชืืฆืื ืืืืข ืื ืืชืืจืื ืืืืืืื ืืฉืืืืช ืืืืชืืง ืืช ืืืชืืจืื ืืืื - ืืชืื ื ืืืจืื ืืขืืื ืขื ื ืืฉื ืื [ืืืืงืืช ื-Node.js - ืืขืืจ ืืืกืืืืช](https://github.com/testjavascript/nodejs-integration-tests-best-practices) + +**ืืืจืช:** ืชืืจื ืืขืฆืืื ืืงืจื ืฉื ืืืืงืช ืืืกืคื ืฉื ืืืฆืจ ืืืฉ ืืืขืจืืช. ื ืคืืฅ ืืจืืืช ืืืืงืืช ืฉืืืกืืช ืื ืืจืง ืืช ืืืงืจืื ืฉื ืชืฉืืื ืชืงืื ื. ืื ืืงืจื ืื ืืืืฆืจ ืื ืืชืืืกืฃ ืขื ืืฃ ืืชืฉืืื ืืืืืืืช? ืื ืฆืจืื ืืืืขืฉืืช ืืืืื ืืืขืช ืืืกืคืช ืืืฆืจ ืืฉ ืื ืงืจืืื ืืฉืืจืืช ืืืฆืื ื ืื ืืืกืคืช ืืืืขื ืืชืืจ - ืืื ืืืืืงื ืื ืฆืจืืื ืืืชืืืืก ืื ืืื? ืงื ืืืชืขืื ืืืืืื ืืงืจืื, ืืื ืงืืื ืืืช [ืจืฉืืืช ืืืืืงืืช](https://testjavascript.com/wp-content/uploads/2021/10/the-backend-checklist.pdf) ืขืืืจืช. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืงืช ืืืฉืช ืืชืืฆืืืช**](./sections/testingandquality/test-five-outcomes.md) + +
+ + + +# `5. ืขืืืื ืืืืืืจ` + +## ![โ] 5.1. ื ืืืืจ + +**ืื;ืืง:** ื ืืืืจ ืืื ืืฉืืง ืฉื ืืฆืืืช ืืขืืืช ืืคื ื ืฉืืืฉืชืืฉืื ืืืฆืืื ืืืชื - ืืืื ืืืืื ืฉืื ืฆืจืื ืืืืืช ืืจืืฉ ืกืืจ ืืขืืืคืืืืช. ืืฉืืง ืืืฆืฃ ืืืฆืขืืช ืืืืืจืืช ืื ืื ืืืืืื ืืืกืืกืืื ืฉืืืืืื ืืขืงืื ืืืจืืื (ืืืืืฆืืช ืฉืื ื ืืืืฉื), ืืืืจ ืืื ืืขืืืจ ืขื ืื ืืืืืืืช ืืืขื ืืื ืืช ืฉืื ืืืฆืจ ืืฆืืข ืืืืืืจ ืืช ืืคืชืจืื ืืืืืื ืขืืืจ ืืืจืืฉืืช ืฉืืื. ืืื ืืงืจื, ืืจืืขืช ืืฉืืืืช ืื ืืชื ืืช ืืฆืคืืื ืืืืืืช ืืืืืื: (1) Uptime - ืืฆืืื ืช ืืื ืืืขืจืืช ืืืื ื, (2) Metrics - ืืฆืืื ืช ืืื ืืืชื ืืืืช ืืืฆืืืจืช ืฉื ืืืขืจืืช (ืืื 99% ืืืืงืฉืืช ื ืขื ืืช), (3) Logging - ืืืืงืช ืื ืืงืฉื ืืกืืืืืช ืืกืชืืืืช ืืืฆืืื, (4) Distributed tracing - ืืืืงืช ืืื ืืืขืจืืช ืืฆืืื ืืื ืืจืืืืื ืืืืืืจืื ืฉืื. + +**ืืืจืช:** ืืฉืืื === ืืงืืืืช ืืืืืืืื. ืคืฉืื ืืืื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ื ืืืืจ!**](./sections/production/monitoring.md) + +
+ +## ![โ] 5.2. ืืืืืื ืืช ืืืืืช ืืฆืคืืื ืืขืืจืช ืืืืื ืืืืืชืืื + +**ืื;ืืง:** ืืืืื ืืืืืื ืืืืืช ืคื ืืืื ืฉื ืฉืื ืืฆืืื ืฉืืืคืชืืื ืจืฆื ืืืื ืื ืืืืืคืื ืืกื ืืืื ืฉืืชืืจ ืืช ืืืฆื ืฉื ืืืืฆืจ. ืชืื ื ื ืืช ืืืืืื ืฉืืื ืืืืื ืืจืืฉืื: ืืื ืื ื ืืกืคืื, ืืืคื ืื ื ืฉืืจืื ืืืื ืื ืื ืืชืืื ืืื ืืืืืื ืฉืืืืืข ืืืืจืื (ืืืื ืฉืืืืืช, ืืขืงื ืืืจ ืคืขืืื ืืื ืืกืคืจ ืฉืืจืืชืื ืืื') ืืืืช ื ืืืฉ ืืืจ ืฉืืืืฉ. + +**ืืืจืช:** ืืฉ ืืื ืงืืคืกื ืฉืืืจื ืฉืงืฉื ืืืืื ืืื ืืื ืืืืขื ืืืฆื ืื ืืืื, ืืจืง ืขืืฉืื ืืชื ืืชืืืืื ืืฉืืชื ืืช ืื ืืืืืื ืฉืืื ืืื ืฉืืืื ืืืืข ืจืืืื ืื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืืช ืืฉืงืืคืืช ืขื ืืื ืืืืื ืืืืืชืืื**](./sections/production/smartlogging.md) + +
+ +## ![โ] 5.3. ืืืฆืืื ืื ืื ืฉืืคืฉืจ (ืืืืืื gzip, SSL) ืืฉืืจืืช ื ืคืจื + +**ืื;ืืง:** Node.js ืืจืืข ืืืืฆืข ืคืขืืืืช ืฉืืืจืฉืืช ืขืืฆืืช ืืืฉืื ืืืืื ืื-CPU, ืืื ืืืฉื ืืืืกื, ืกืืื ืชืืืื SSL, ืืื'... ืืืื ืฉืชืฉืชืืฉื ืืชืฉืชืืืช ืืื nginx, HAproxy ืื ืฉืืจืืชื ืขื ื ืืืจืื ืืฉื ืื. + +**ืืืจืช:** ืืช'ืจื ืืืืื ืืืืกืื ืฉืืื ืืืฉืืจ ืขืกืืง ืืืฉืืืืช ืชืฉืชืืชืืืช ืืืงืื ืืืชืขืกืง ืืื ืืืขืจืืช ืฉืืื ืืืืืฆืืขืื ืืืฉืืงื ืืืชืื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืฆืืช ืื ืื ืฉืืคืฉืจ (ืืืืืื gzip, SSL) ืืฉืืจืืช ื ืคืจื**](./sections/production/delegatetoproxy.md) + +
+ +## ![โ] 5.4. ืงืืืืข ืชืืืืืช + +**ืื;ืืง:** ืืงืื ืฉืืื ืฆืจืื ืืืืืช ืืื ืืื ืืกืืืืืช, ืื ืืื ืงืืืฅ ืืขืืื npm ืืืคืฉืจ ืฉืืืืฉ ืืชืืืืืช ืฉืื ืืช ืืื ืกืืืื. ืืืื ืื ืืฉ ืืื `package-lock.json` ืื ืฉืื ืืกืืืืืช ืืืื ืืืืช. + +**ืืืจืช:** ืื ืฉื ืืืืืงืืช ืืืฉืจื ืืจืกื ืฉืชืชื ืื ืืืจืช ืืกืืืืช ืืืฆืืจ. ืืจืืข ืืื, ืฉืจืชืื ืฉืื ืื ืืืืชื ืกืืืื ืืจืืฆื ืงืื ืฉืื ื. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืงืืืืข ืชืืืืืช**](./sections/production/lockdependencies.md) + +
+ +## ![โ] 5.5. ืืืืืื ืืช ืืืื ืืช ืืืขืจืืช ืืขืืจืช ืืืื ืืืชืืื + +**ืื;ืืง:** ืืืขืจืืช ืฆืจืืื ืืืืฉืื ืืขืืื ืืืืชืืชืื ืืืืื ืืงืจืชื ืฉืืืื ืงืจืืืืช. ืกืืืืืช ืจืืฆื ืืืฉืืช ืืื ืืืฉื ืืืื ืืืืืกืกืืช ืืืงืจ (ืืื ืงืืืจื ืืืก), ืื Serverless ืืืคืืืช ืืื ืืฆืืจื ืืืืืืืืช. ืืืฉืจ ืืืืฆืจ ืืืชืงื ืขื ืฉืจืช ืืืืชื ืคืืื, ืืฉ ืฆืืจื ืื ืื ืืช ืืฉืืื ืืืขืจืืช ืืขืืจืช ืืื ืืื [systemd](https://systemd.io/). ืื ืืฉ ืืืืื ืข ืืืขืฉืืช ืืืช ืืืฉืจ ืืฉืชืืฉืื ืืชืฉืชืืืช ืฉืืืจ ืืืฆืขืืช ืืช ืื ืืืืจ ืืืืืื ืฉืื ืืืจืื ืืืืืขืช ืฉืืืืืช. ืืืฉืจ ืืชืฉืชืืช ืืื ืืืืขืืช ืืฉืืืืืช, ืืื ืื ืืืืืช ืฉื ืืืฆืืข ืฉืืื ืคืืืืช ืืฉืืืื ืืื ืืขืืจืช ืืืื ืกืื ืก ืฉื ืืืขืจืืช ืืืงืื ืืืจ ืืจืฉืช. + +**ืืืจืช:** ืืจืฆื ืฉื ืขืฉืจืืช ืืื ืกืื ืกืื ืืื ืกืืื ืืจืืจื ืืืืชืจ ืืืื ืืื ืชืฉืชืืช ืืื (cluster management, docker, PM2) ืขืืื ืืืจืื ืืืืืก ืขืืืจ ื-DevOps. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืืื ืืช ืืืื ืืช ืืืขืจืืช ืืขืืจืช ืืืื ืืืชืืื**](./sections/production/guardprocess.md) + +
+ +## ![โ] 5.6. ืืฉืชืืฉื ืืื ืืขืืื ื-CPU + +**ืื;ืืง:** ืืชืฆืืจื ืืืกืืกืืช ืฉืื, ืืขืจืืช ืืืืกืกืช Node.js ืชืจืืฅ ืขื ืืขืื CPU ืืื ืืฉืืจ ืืืขืืืื ืื ืืื. ืืืืืชืื ืืฉืืคื ืืช ืืชืืืื ืืื ืื ืืช ืืืขืจืืช ืืื ืฉืชืจืืฅ ืขื ืื ืืืขืืืื. ืจืื ืชืฉืชืืืช ืืจืืฆื ืืืืฉืืช (ืืื ืงืืืจื ืืืก) ืืืคืฉืจืืช ืืฉืืคื ืืช ืืชืืืืืื ืืืกืคืจ ืืขืืืื, ืื ืื ืื ืืืืืืืช ืืืฉืชืืฉ ืืื ืืืขืืืื - ืืืช ืืืืจืืืช ืฉืืื! ืื ืืืืฆืจ ืืืชืงื ืขื ืฉืจืช ืคืืื, ืื ืืืืง ืืืืจืืืชืื ืืชื ืฆืจืืืื ืื ืืืฉืชืืฉ ืืคืชืจืื ืืช ืฉืืืฆืขื ืืช ืืฉืืคืื ืฉื ืืชืืืื (ืืื systemd). + +**ืืืจืช:** ืืืืฆืจ ืฉืืื ืื ืฆื ืืื ืืืืชืจ 25% ืืืืฉืืืื ืืืืื ืื(!). ืืืจื ืฉืืฉืจืช ืจืืื ืืฉ 4 ืืขืืื CPU ืื ืืืชืจ, ืืืชืงื ื ืกืื ืืจืืืช ืฉื ืชืืืื Node.js ืืฉืชืืฉืช ืจืง ืืืขืื ืืื (ืื ืฉืืจืืชืื ืืฉืืืช PaaS ืืื AWS beanstalk!). + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืฉืชืืฉื ืืื ืืขืืื ื-CPU**](./sections/production/utilizecpu.md) + +
+ +## ![โ] 5.7. ืชืืฆืจื โmaintenance endpointโ + +**ืื;ืืง:** ืืืฉืคื ืืืืข ืจืืืื ืื ืขื ืืืขืจืืช, ืืืฉื ืืฆื ืืืืืจืื ื -[REPL](https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop), ืืืืฆืขืืช API ืืืืืื. ืขื ืืฃ ืฉืืืืืฅ ืืืืฉืขื ืขื ืืืื ืืขืืืืื ืืฉื ืื, ืืช ืืืง ืืืืืืข ืืืคืขืืืืช ืืืชืจ ืคืฉืื ืืืืืง ืืืืฆืขืืช ืืชืืืช ืงืื. + +**ืืืจืช:** ืชืืื ืฉืืชื ืืืฆืขืื ืืจืื โdiagnostic deploysโ โ ืืขืืืช ืงืื ืืกืืืืช ืืืืฆืืจ ืจืง ืืื ืืืฉืื ืขืื ืงืฆืช ืืืืข ืืืื ืชื ืขื ืืืขืจืืช. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืฆืืจืช โmaintenance endpointโ**](./sections/production/createmaintenanceendpoint.md) + +
+ +## ![โ] 5.8. ืืื ืืช ืืื ืืืืข ืืขืืจืช ืืืฆืจื APM + +**ืื;ืืง:** ืฉืืงืื ืืืกืคืช ืฉืืื ื ืืกืคืช ืฉื ืืืืืืช ืืืืฆืจ ืฉืืื - [APM](https://en.wikipedia.org/wiki/Application_performance_management) (Application monitoring and performance products). ืืื ื ืจืื ืืกืืื ืื ืืืืืจืืื ืืืืืื ืืืืืฆื ืขื ืืื ืืื ืืงืืช ื ืืืืจ ืกืื ืืจืืืืช, ืื ืืืขืจืืืช ืืืืืจืืช ืืฉ ืขืื ืจืืืื ืกืืืืื ืื ืืขืื. ื ืืืืจ ืืขืจืืืช ืืืืืงืช ืืืฆืืขืื (ืื ืืงืืฆืืจ APM) ืืืืืื ืืืืคื ืงืกืื ืืืืกืืฃ ืฉืืื ื ืืกืคืช ืฉื ืืืืืืช ืคืืชืื ืืขืืจ ืืื ืฉืืกืคืงืื ืืืืื ืืกืื ืืจืืืื. ืืืืืื, ืืฉื ื ืืื APM ืฉืืืืืื ืืืืืืฉ ืืจื ืืงืฆืื ืฉืืืขื ืช ืืื ืืืื ืืช **ืฆื ืืืงืื** ืืืืฆืืข ืื ืืกืืื ืืื. ืืืื ืืื ืื ืืกืคืงืื ืืืชืจ ืืงืฉืจ ืืฆืืืช ืืคืืชืื ืฉืื ืกืื ืืืงืืจ ืฉืืืื ืืืืช ืขื ืืื ืืฆืื ืฉื ืืขืืืกืื ืฉืืื ืืฉืจืช ืืืื ืฉืืื ืืฉืืืื. + +**ืืืจืช:** ืืชื ืืฉืงืืขืื ืืื ื ืืืจ ืืืืืืช ืืืฆืืขื API ืืื ืืืื ืืช ืฉื ืืืขืจืืช, ืื ืจืื ืฉืืขืืื ืื ืชืืื ืืืืขืื ืืืืื ืืืงืื ืืงืื ืื ืืืืืืื ืืืืชืจ ืืืื ืืืช ืืืื ืื ืืฉืคืืข ืขื ืืืืืช ืืืฉืชืืฉ. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืื ืฉืืืืืช ืืืื ื ืืฉืืชื ืืขืืจืช ืืืฆืจื APM**](./sections/production/apmproducts.md) + +
+ +## ![โ] 5.9. ืืชืื ืืช ืืงืื ืืืชืื ืืืชืงื ื + +**ืื;ืืง:** ืงืืืื ืืืฉืจ ืืชืืฆืื ืืกืืคืืช ืืืืฉืืืชืืื, ืืชืืื ื ื ืืืชืงื ื ืืกืืืืช ืืฆืืจ ืืืจ ืืืืื ืืจืืฉืื. ืื ืืื ื ื ืฉืืข ืงืฆืช ืืขืืจืคื ืืืื ืืงืืฉืืจ ืืฉื ื ืืกืคืจ ืืืืฆืืช ืืงืฉืืจืืช ืืชืืืื ืืืืฆืจ ืฉืืืจ ืืืชืงื. + +**ืืืจืช:** ืืืืคื ืืขืืื ืฉื IT/DevOps ืื ืื ืกื ืืืฆืื ืืขืจืืช ืฉืืชืืื ืืจืืข. + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืชืื ืืช ืืงืื ืืืชืื ืืืชืงื ื**](./sections/production/productioncode.md) + +
+ +## ![โ] 5.10. ืืืื ืืฉืืืจื ืืช ื ืืฆืื ืืืืืจืื + +**ืื;ืืง:** ื-Node.js ืืฉื ื ืืขืจืืช ืืืกืื ืืืจืืืช ืขื ื ืืืื ืืืืืจืื: ืืื ืืข ื-v8 ืืฉื ื ืืืืืืช ืขืืื ืื ืฉื ืฆืจืืืช ืืืืจืื (1.4GB) ืืืฉื ื ืืจืืื ืืืืขืืช ืืื ืืืจืื ืืืืืืช ืืืืจืื ืืงืื ืฉื Node.js - ืืืื ืืขืงื ืืืจ ืฆืจืืืช ืืืืืจืื ืฉื ืชืืืื Node.js ืืื ืืืื. ืืืืฆืจืื ืงืื ืื, ืืคืฉืจ ืืืืื ืืช ืฆืจืืืช ืืืืืจืื ืื ืืื ืืื ืืขืืจืช ืคืงืืืืช shell, ืืื ืืืืฆืจืื ืืื ืื ืืื-ืืืืืื ืฆืจืื ืืชืขืืฃ ืฉืืืืฉ ืืืืื ืืืงืื ืื ืืืืจ ืืฆื ืืืืืจืื. + +**ืืืจืช:** ืืืืืื ืืื ืืืืช MB ืื ืืื ืืืชืืืื ืืื ืฉืงืจื ื[ืืืืืืจื](https://www.joyent.com/blog/walmart-node-js-memory-leak) + +๐ [**ืืงืจืืื ื ืืกืคืช: ืืืืื ืืฉืืืจื ืขื ื ืืฆืื ืืืืืจืื**](./sections/production/measurememory.md) + +
+ +## ![โ] 5.11. Get your frontend assets out of Node + +**ืื;ืืง:** Serve frontend content using a specialized infrastructure (nginx, S3, CDN) because Node performance gets hurt when dealing with many static files due to its single-threaded model. One exception to this guideline is when doing server-side rendering + +**ืืืจืช:** Your single Node thread will be busy streaming hundreds of html/images/angular/react files instead of allocating all its resources for the task it was born for โ serving dynamic content + +๐ [**Read More: Get your frontend assets out of Node**](./sections/production/frontendout.md) + +
+ +## ![โ] 5.12. Strive to be stateless + +**ืื;ืืง:** Store any type of _data_ (e.g. user sessions, cache, uploaded files) within external data stores. When the app holds data in-process this adds additional layer of maintenance complexity like routing users to the same instance and higher cost of restarting a process. To enforce and encourage a stateless approach, most modern runtime platforms allows 'reapp-ing' instances periodically + +**ืืืจืช:** Failure at a given server will result in application downtime instead of just killing a faulty machine. Moreover, scaling-out elasticity will get more challenging due to the reliance on a specific server + +๐ [**Read More: Be stateless, kill your Servers almost every day**](./sections/production/bestateless.md) + +
+ +## ![โ] 5.13. Use tools that automatically detect vulnerabilities + +**ืื;ืืง:** Even the most reputable dependencies such as Express have known vulnerabilities (from time to time) that can put a system at risk. This can be easily be tamed using community and commercial tools that constantly check for vulnerabilities and warn (locally or at GitHub), some can even patch them immediately + +**ืืืจืช:** Keeping your code clean from vulnerabilities without dedicated tools will require you to constantly follow online publications about new threats. Quite tedious + +๐ [**Read More: Use tools that automatically detect vulnerabilities**](./sections/production/detectvulnerabilities.md) + +
+ +## ![โ] 5.14. Assign a transaction id to each log statement + +**ืื;ืืง:** Assign the same identifier, transaction-id: uuid(), to each log entry within a single request (also known as correlation-id/tracing-id/request-context). Then when inspecting errors in logs, easily conclude what happened before and after. Node has a built-in mechanism, [AsyncLocalStorage](https://nodejs.org/api/async_context.html), for keeping the same context across asynchronous calls. see code examples inside + +**ืืืจืช:** Looking at a production error log without the context โ what happened before โ makes it much harder and slower to reason about the issue + +๐ [**Read More: Assign โTransactionIdโ to each log statement**](./sections/production/assigntransactionid.md) + +
+ +## ![โ] 5.15. Set `NODE_ENV=production` + +**ืื;ืืง:** Set the environment variable `NODE_ENV` to โproductionโ or โdevelopmentโ to flag whether production optimizations should get activated โ some npm packages determine the current environment and optimize their code for production + +**ืืืจืช:** Omitting this simple property might greatly degrade performance when dealing with some specific libraries like Express server-side rendering + +๐ [**Read More: Set NODE_ENV=production**](./sections/production/setnodeenv.md) + +
+ +## ![โ] 5.16. Design automated, atomic and zero-downtime deployments + +**ืื;ืืง:** Research shows that teams who perform many deployments lower the probability of severe production issues. Fast and automated deployments that donโt require risky manual steps and service downtime significantly improve the deployment process. You should probably achieve this using Docker combined with CI tools as they became the industry standard for streamlined deployment + +**ืืืจืช:** Long deployments -> production downtime & human-related error -> team unconfident in making deployment -> fewer deployments and features + +
+ +## ![โ] 5.17. Use an LTS release of Node.js + +**ืื;ืืง:** Ensure you are using an LTS version of Node.js to receive critical bug fixes, security updates and performance improvements + +**ืืืจืช:** Newly discovered bugs or vulnerabilities could be used to exploit an application running in production, and your application may become unsupported by various modules and harder to maintain + +๐ [**Read More: Use an LTS release of Node.js**](./sections/production/LTSrelease.md) + +
+ +## ![โ] 5.18. Log to stdout, avoid specifying log destination within the app + +**ืื;ืืง:** Log destinations should not be hard-coded by developers within the application code, but instead should be defined by the execution environment the application runs in. Developers should write logs to `stdout` using a logger utility and then let the execution environment (container, server, etc.) pipe the `stdout` stream to the appropriate destination (i.e. Splunk, Graylog, ElasticSearch, etc.). + +**ืืืจืช:** If developers set the log routing, less flexibility is left for the ops professional who wishes to customize it. Beyond this, if the app tries to log directly to a remote location (e.g., Elastic Search), in case of panic or crash - further logs that might explain the problem won't arrive + +๐ [**Read More: Log Routing**](./sections/production/logrouting.md) + +
+ +## ![โ] 5.19. Install your packages with `npm ci` + +**ืื;ืืง:** Run `npm ci` to strictly do a clean install of your dependencies matching package.json and package-lock.json. Obviously production code must use the exact version of the packages that were used for testing. While package-lock.json file sets strict version for dependencies, in case of mismatch with the file package.json, the command 'npm install' will treat package.json as the source of truth. On the other hands, the command 'npm ci' will exit with error in case of mismatch between these files + +**ืืืจืช:** QA will thoroughly test the code and approve a version that will behave differently in production. Even worse, different servers in the same production cluster might run different code. + +๐ [**Read More: Use npm ci**](./sections/production/installpackageswithnpmci.md) + +
+ + + +# `6. ืืืืื` + +
+
+
+
+## ![โ] 6.1. Embrace linter security rules
+
+
+
+
+**ืื;ืืง:** Make use of security-related linter plugins such as [eslint-plugin-security](https://github.com/nodesecurity/eslint-plugin-security) to catch security vulnerabilities and issues as early as possible, preferably while they're being coded. This can help catching security weaknesses like using eval, invoking a child process or importing a module with a string literal (e.g. user input). Click 'Read more' below to see code examples that will get caught by a security linter
+
+**ืืืจืช:** What could have been a straightforward security weakness during development becomes a major issue in production. Also, the project may not follow consistent code security practices, leading to vulnerabilities being introduced, or sensitive secrets committed into remote repositories
+
+๐ [**Read More: Lint rules**](./sections/security/lintrules.md)
+
++ +## ![โ] 6.2. Limit concurrent requests using a middleware + +
+
+**ืื;ืืง:** DOS attacks are very popular and relatively easy to conduct. Implement rate limiting using an external service such as cloud load balancers, cloud firewalls, nginx, [rate-limiter-flexible](https://www.npmjs.com/package/rate-limiter-flexible) package, or (for smaller and less critical apps) a rate-limiting middleware (e.g. [express-rate-limit](https://www.npmjs.com/package/express-rate-limit))
+
+**ืืืจืช:** An application could be subject to an attack resulting in a denial of service where real users receive a degraded or unavailable service.
+
+๐ [**Read More: Implement rate limiting**](./sections/security/limitrequests.md)
+
++ +## ![โ] 6.3 Extract secrets from config files or use packages to encrypt them + +
+
+**ืื;ืืง:** Never store plain-text secrets in configuration files or source code. Instead, make use of secret-management systems like Vault products, Kubernetes/Docker Secrets, or using environment variables. As a last resort, secrets stored in source control must be encrypted and managed (rolling keys, expiring, auditing, etc). Make use of pre-commit/push hooks to prevent committing secrets accidentally
+
+**ืืืจืช:** Source control, even for private repositories, can mistakenly be made public, at which point all secrets are exposed. Access to source control for an external party will inadvertently provide access to related systems (databases, apis, services, etc).
+
+๐ [**Read More: Secret management**](./sections/security/secretmanagement.md)
+
++ +## ![โ] 6.4. Prevent query injection vulnerabilities with ORM/ODM libraries + +
+
+**ืื;ืืง:** To prevent SQL/NoSQL injection and other malicious attacks, always make use of an ORM/ODM or a database library that escapes data or supports named or indexed parameterized queries, and takes care of validating user input for expected types. Never just use JavaScript template strings or string concatenation to inject values into queries as this opens your application to a wide spectrum of vulnerabilities. All the reputable Node.js data access libraries (e.g. [Sequelize](https://github.com/sequelize/sequelize), [Knex](https://github.com/tgriesser/knex), [mongoose](https://github.com/Automattic/mongoose)) have built-in protection against injection attacks.
+
+**ืืืจืช:** Unvalidated or unsanitized user input could lead to operator injection when working with MongoDB for NoSQL, and not using a proper sanitization system or ORM will easily allow SQL injection attacks, creating a giant vulnerability.
+
+๐ [**Read More: Query injection prevention using ORM/ODM libraries**](./sections/security/ormodmusage.md)
+
++ +## ![โ] 6.5. Collection of generic security best practices + +**ืื;ืืง:** This is a collection of security advice that is not related directly to Node.js - the Node implementation is not much different than any other language. Click read more to skim through. + +๐ [**Read More: Common security best practices**](./sections/security/commonsecuritybestpractices.md) + +
+ +## ![โ] 6.6. Adjust the HTTP response headers for enhanced security + +
+
+**ืื;ืืง:** Your application should be using secure headers to prevent attackers from using common attacks like cross-site scripting (XSS), clickjacking and other malicious attacks. These can be configured easily using modules like [helmet](https://www.npmjs.com/package/helmet).
+
+**ืืืจืช:** Attackers could perform direct attacks on your application's users, leading to huge security vulnerabilities
+
+๐ [**Read More: Using secure headers in your application**](./sections/security/secureheaders.md)
+
++ +## ![โ] 6.7. Constantly and automatically inspect for vulnerable dependencies + +
+
+**ืื;ืืง:** With the npm ecosystem it is common to have many dependencies for a project. Dependencies should always be kept in check as new vulnerabilities are found. Use tools like [npm audit](https://docs.npmjs.com/cli/audit) or [snyk](https://snyk.io/) to track, monitor and patch vulnerable dependencies. Integrate these tools with your CI setup so you catch a vulnerable dependency before it makes it to production.
+
+**ืืืจืช:** An attacker could detect your web framework and attack all its known vulnerabilities.
+
+๐ [**Read More: Dependency security**](./sections/security/dependencysecurity.md)
+
++ +## ![โ] 6.8. Protect Users' Passwords/Secrets using bcrypt or scrypt + +
+
+**ืื;ืืง:** Passwords or secrets (e.g. API keys) should be stored using a secure hash + salt function like `bcrypt`,`scrypt`, or worst case `pbkdf2`.
+
+**ืืืจืช:** Passwords and secrets that are stored without using a secure function are vulnerable to brute forcing and dictionary attacks that will lead to their disclosure eventually.
+
+๐ [**Read More: User Passwords**](./sections/security/userpasswords.md)
+
++ +## ![โ] 6.9. Escape HTML, JS and CSS output + +
+
+**ืื;ืืง:** Untrusted data that is sent down to the browser might get executed instead of just being displayed, this is commonly referred as a cross-site-scripting (XSS) attack. Mitigate this by using dedicated libraries that explicitly mark the data as pure content that should never get executed (i.e. encoding, escaping)
+
+**ืืืจืช:** An attacker might store malicious JavaScript code in your DB which will then be sent as-is to the poor clients
+
+๐ [**Read More: Escape output**](./sections/security/escape-output.md)
+
++ +## ![โ] 6.10. Validate incoming JSON schemas + +
+
+**ืื;ืืง:** Validate the incoming requests' body payload and ensure it meets expectations, fail fast if it doesn't. To avoid tedious validation coding within each route you may use lightweight JSON-based validation schemas such as [jsonschema](https://www.npmjs.com/package/jsonschema) or [joi](https://www.npmjs.com/package/joi)
+
+**ืืืจืช:** Your generosity and permissive approach greatly increases the attack surface and encourages the attacker to try out many inputs until they find some combination to crash the application
+
+๐ [**Read More: Validate incoming JSON schemas**](./sections/security/validation.md)
+
++ +## ![โ] 6.11. Support blocklisting JWTs + +
+
+**ืื;ืืง:** When using JSON Web Tokens (for example, with [Passport.js](https://github.com/jaredhanson/passport)), by default there's no mechanism to revoke access from issued tokens. Once you discover some malicious user activity, there's no way to stop them from accessing the system as long as they hold a valid token. Mitigate this by implementing a blocklist of untrusted tokens that are validated on each request.
+
+**ืืืจืช:** Expired, or misplaced tokens could be used maliciously by a third party to access an application and impersonate the owner of the token.
+
+๐ [**Read More: Blocklist JSON Web Tokens**](./sections/security/expirejwt.md)
+
++ +## ![โ] 6.12. Prevent brute-force attacks against authorization + +
+
+**ืื;ืืง:** A simple and powerful technique is to limit authorization attempts using two metrics:
+
+1. The first is number of consecutive failed attempts by the same user unique ID/name and IP address.
+2. The second is number of failed attempts from an IP address over some long period of time. For example, block an IP address if it makes 100 failed attempts in one day.
+
+**ืืืจืช:** An attacker can issue unlimited automated password attempts to gain access to privileged accounts on an application
+
+๐ [**Read More: Login rate limiting**](./sections/security/login-rate-limit.md)
+
++ +## ![โ] 6.13. Run Node.js as non-root user + +
+
+**ืื;ืืง:** There is a common scenario where Node.js runs as a root user with unlimited permissions. For example, this is the default behaviour in Docker containers. It's recommended to create a non-root user and either bake it into the Docker image (examples given below) or run the process on this user's behalf by invoking the container with the flag "-u username"
+
+**ืืืจืช:** An attacker who manages to run a script on the server gets unlimited power over the local machine (e.g. change iptable and re-route traffic to their server)
+
+๐ [**Read More: Run Node.js as non-root user**](./sections/security/non-root-user.md)
+
++ +## ![โ] 6.14. Limit payload size using a reverse-proxy or a middleware + +
+
+**ืื;ืืง:** The bigger the body payload is, the harder your single thread works in processing it. This is an opportunity for attackers to bring servers to their knees without tremendous amount of requests (DOS/DDOS attacks). Mitigate this limiting the body size of incoming requests on the edge (e.g. firewall, ELB) or by configuring [express body parser](https://github.com/expressjs/body-parser) to accept only small-size payloads
+
+**ืืืจืช:** Your application will have to deal with large requests, unable to process the other important work it has to accomplish, leading to performance implications and vulnerability towards DOS attacks
+
+๐ [**Read More: Limit payload size**](./sections/security/requestpayloadsizelimit.md)
+
++ +## ![โ] 6.15. Avoid JavaScript eval statements + +
+
+**ืื;ืืง:** `eval` is evil as it allows executing custom JavaScript code during run time. This is not just a performance concern but also an important security concern due to malicious JavaScript code that may be sourced from user input. Another language feature that should be avoided is `new Function` constructor. `setTimeout` and `setInterval` should never be passed dynamic JavaScript code either.
+
+**ืืืจืช:** Malicious JavaScript code finds a way into text passed into `eval` or other real-time evaluating JavaScript language functions, and will gain complete access to JavaScript permissions on the page. This vulnerability is often manifested as an XSS attack.
+
+๐ [**Read More: Avoid JavaScript eval statements**](./sections/security/avoideval.md)
+
++ +## ![โ] 6.16. Prevent evil RegEx from overloading your single thread execution + +
+
+**ืื;ืืง:** Regular Expressions, while being handy, pose a real threat to JavaScript applications at large, and the Node.js platform in particular. A user input for text to match might require an outstanding amount of CPU cycles to process. RegEx processing might be inefficient to an extent that a single request that validates 10 words can block the entire event loop for 6 seconds and set the CPU on ๐ฅ. For that reason, prefer third-party validation packages like [validator.js](https://github.com/chriso/validator.js) instead of writing your own Regex patterns, or make use of [safe-regex](https://github.com/substack/safe-regex) to detect vulnerable regex patterns
+
+**ืืืจืช:** Poorly written regexes could be susceptible to Regular Expression DoS attacks that will block the event loop completely. For example, the popular `moment` package was found vulnerable with malicious RegEx usage in November of 2017
+
+๐ [**Read More: Prevent malicious RegEx**](./sections/security/regex.md)
+
++ +## ![โ] 6.17. Avoid module loading using a variable + +
+
+**ืื;ืืง:** Avoid requiring/importing another file with a path that was given as parameter due to the concern that it could have originated from user input. This rule can be extended for accessing files in general (i.e. `fs.readFile()`) or other sensitive resource access with dynamic variables originating from user input. [Eslint-plugin-security](https://www.npmjs.com/package/eslint-plugin-security) linter can catch such patterns and warn early enough
+
+**ืืืจืช:** Malicious user input could find its way to a parameter that is used to require tampered files, for example, a previously uploaded file on the file system, or access already existing system files.
+
+๐ [**Read More: Safe module loading**](./sections/security/safemoduleloading.md)
+
++ +## ![โ] 6.18. Run unsafe code in a sandbox + +
+
+**ืื;ืืง:** When tasked to run external code that is given at run-time (e.g. plugin), use any sort of 'sandbox' execution environment that isolates and guards the main code against the plugin. This can be achieved using a dedicated process (e.g. `cluster.fork()`), serverless environment or dedicated npm packages that act as a sandbox
+
+**ืืืจืช:** A plugin can attack through an endless variety of options like infinite loops, memory overloading, and access to sensitive process environment variables
+
+๐ [**Read More: Run unsafe code in a sandbox**](./sections/security/sandbox.md)
+
++ +## ![โ] 6.19. Take extra care when working with child processes + +
+
+**ืื;ืืง:** Avoid using child processes when possible and validate and sanitize input to mitigate shell injection attacks if you still have to. Prefer using `child_process.execFile` which by definition will only execute a single command with a set of attributes and will not allow shell parameter expansion.
+
+**ืืืจืช:** Naive use of child processes could result in remote command execution or shell injection attacks due to malicious user input passed to an unsanitized system command.
+
+๐ [**Read More: Be cautious when working with child processes**](./sections/security/childprocesses.md)
+
++ +## ![โ] 6.20. Hide error details from clients + +
+
+**ืื;ืืง:** An integrated express error handler hides the error details by default. However, great are the chances that you implement your own error handling logic with custom Error objects (considered by many as a best practice). If you do so, ensure not to return the entire Error object to the client, which might contain some sensitive application details
+
+**ืืืจืช:** Sensitive application details such as server file paths, third party modules in use, and other internal workflows of the application which could be exploited by an attacker, could be leaked from information found in a stack trace
+
+๐ [**Read More: Hide error details from client**](./sections/security/hideerrors.md)
+
++ +## ![โ] 6.21. Configure 2FA for npm or Yarn + +
+
+**ืื;ืืง:** Any step in the development chain should be protected with MFA (multi-factor authentication), npm/Yarn are a sweet opportunity for attackers who can get their hands on some developer's password. Using developer credentials, attackers can inject malicious code into libraries that are widely installed across projects and services. Maybe even across the web if published in public. Enabling 2-factor-authentication in npm leaves almost zero chances for attackers to alter your package code.
+
+**ืืืจืช:** [Have you heard about the eslint developer whose password was hijacked?](https://medium.com/@oprearocks/eslint-backdoor-what-it-is-and-how-to-fix-the-issue-221f58f1a8c8)
+
++ +## ![โ] 6.22. Modify session middleware settings + +
+
+**ืื;ืืง:** Each web framework and technology has its known weaknessesโ-โtelling an attacker which web framework we use is a great help for them. Using the default settings for session middlewares can expose your app to module- and framework-specific hijacking attacks in a similar way to the `X-Powered-By` header. Try hiding anything that identifies and reveals your tech stack (E.g. Node.js, express)
+
+**ืืืจืช:** Cookies could be sent over insecure connections, and an attacker might use session identification to identify the underlying framework of the web application, as well as module-specific vulnerabilities
+
+๐ [**Read More: Cookie and session security**](./sections/security/sessions.md)
+
++ +## ![โ] 6.23. Avoid DOS attacks by explicitly setting when a process should crash + +
+
+**ืื;ืืง:** The Node process will crash when errors are not handled. Many best practices even recommend to exit even though an error was caught and got handled. Express, for example, will crash on any asynchronous errorโ-โunless you wrap routes with a catch clause. This opens a very sweet attack spot for attackers who recognize what input makes the process crash and repeatedly send the same request. There's no instant remedy for this but a few techniques can mitigate the pain: Alert with critical severity anytime a process crashes due to an unhandled error, validate the input and avoid crashing the process due to invalid user input, wrap all routes with a catch and consider not to crash when an error originated within a request (as opposed to what happens globally)
+
+**ืืืจืช:** This is just an educated guess: given many Node.js applications, if we try passing an empty JSON body to all POST requestsโ-โa handful of applications will crash. At that point, we can just repeat sending the same request to take down the applications with ease
+
++ +## ![โ] 6.24. Prevent unsafe redirects + +
+
+**ืื;ืืง:** Redirects that do not validate user input can enable attackers to launch phishing scams, steal user credentials, and perform other malicious actions.
+
+**ืืืจืช:** If an attacker discovers that you are not validating external, user-supplied input, they may exploit this vulnerability by posting specially-crafted links on forums, social media, and other public places to get users to click it.
+
+๐ [**Read More: Prevent unsafe redirects**](./sections/security/saferedirects.md)
+
++ +## ![โ] 6.25. Avoid publishing secrets to the npm registry + +
+
+**ืื;ืืง:** Precautions should be taken to avoid the risk of accidentally publishing secrets to public npm registries. An `.npmignore` file can be used to ignore specific files or folders, or the `files` array in `package.json` can act as an allow list.
+
+**ืืืจืช:** Your project's API keys, passwords or other secrets are open to be abused by anyone who comes across them, which may result in financial loss, impersonation, and other risks.
+
+๐ [**Read More: Avoid publishing secrets**](./sections/security/avoid_publishing_secrets.md)
+
++ +## ![โ] 6.26 Inspect for outdated packages + +**ืื;ืืง:** Use your preferred tool (e.g. `npm outdated` or [npm-check-updates](https://www.npmjs.com/package/npm-check-updates)) to detect installed outdated packages, inject this check into your CI pipeline and even make a build fail in a severe scenario. For example, a severe scenario might be when an installed package is 5 patch commits behind (e.g. local version is 1.3.1 and repository version is 1.3.8) or it is tagged as deprecated by its author - kill the build and prevent deploying this version + +**ืืืจืช:** Your production will run packages that have been explicitly tagged by their author as risky + +
+ +## ![โ] 6.27. Import built-in modules using the 'node:' protocol + +
+
+**ืื;ืืง:** Import or require built-in Node.js modules using the 'node protocol' syntax:
+
+```javascript
+import { functionName } from "node:module"; // note that 'node:' prefix
+```
+
+For example:
+
+```javascript
+import { createServer } from "node:http";
+```
+
+This style ensures that there is no ambiguity with global npm packages and makes it clear for the reader that the code refers to a well-trusted official module. This style can be enforced with the eslint rule ['prefer-node-protocol'](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/main/docs/rules/prefer-node-protocol.md)
+
+**ืืืจืช:** Using the import syntax without 'node:' prefix opens the door for [typosquatting attacks](https://en.wikipedia.org/wiki/Typosquatting) where one could mistakenly mistype a module name (e.g., 'event' instead of 'events) and get a malicious package that was built only to trick users into installing them
+
++ + + +# `7. ืืืืื: ืืืฆืืขืื` + +## Our contributors are working on this section. [Would you like to join?](https://github.com/goldbergyoni/nodebestpractices/issues/256) + +
+ +## ![โ] 7.1. Don't block the event loop + +**ืื;ืืง:** Avoid CPU intensive tasks as they will block the mostly single-threaded Event Loop and offload those to a dedicated thread, process or even a different technology based on the context. + +**ืืืจืช:** As the Event Loop is blocked, Node.js will be unable to handle other request thus causing delays for concurrent users. **3000 users are waiting for a response, the content is ready to be served, but one single request blocks the server from dispatching the results back** + +๐ [**Read More: Do not block the event loop**](./sections/performance/block-loop.md) + +
+ +## ![โ] 7.2. Prefer native JS methods over user-land utils like Lodash + +**ืื;ืืง:** It's often more penalising to use utility libraries like `lodash` and `underscore` over native methods as it leads to unneeded dependencies and slower performance. +Bear in mind that with the introduction of the new V8 engine alongside the new ES standards, native methods were improved in such a way that it's now about 50% more performant than utility libraries. + +**ืืืจืช:** You'll have to maintain less performant projects where you could have simply used what was **already** available or dealt with a few more lines in exchange of a few more files. + +๐ [**Read More: Native over user land utils**](./sections/performance/nativeoverutil.md) + +
+ + + +# `8. ืืืงืจ` + +๐ Many thanks to [Bret Fisher](https://github.com/BretFisher) from whom we learned many of the following practices + +
+ +## ![โ] 8.1 Use multi-stage builds for leaner and more secure Docker images + +**ืื;ืืง:** Use multi-stage build to copy only necessary production artifacts. A lot of build-time dependencies and files are not needed for running your application. With multi-stage builds these resources can be used during build while the runtime environment contains only what's necessary. Multi-stage builds are an easy way to get rid of overweight and security threats. + +**ืืืจืช:** Larger images will take longer to build and ship, build-only tools might contain vulnerabilities and secrets only meant for the build phase might be leaked. + +### Example Dockerfile for multi-stage builds + +```dockerfile +FROM node:14.4.0 AS build + +COPY . . +RUN npm ci && npm run build + + +FROM node:slim-14.4.0 + +USER node +EXPOSE 8080 + +COPY --from=build /home/node/app/dist /home/node/app/package.json /home/node/app/package-lock.json ./ +RUN npm ci --production + +CMD [ "node", "dist/app.js" ] +``` + +๐ [**Read More: Use multi-stage builds**](./sections/docker/multi_stage_builds.md) + +
+ +## ![โ] 8.2. Bootstrap using `node` command, avoid `npm start` + +**ืื;ืืง:** Use `CMD ['node','server.js']` to start your app, avoid using npm scripts which don't pass OS signals to the code. This prevents problems with child-processes, signal handling, graceful shutdown and having zombie processes + +Update: [Starting from npm 7, npm claim](https://docs.npmjs.com/cli/v7/using-npm/changelog#706-2020-10-27) to pass signals. We follow and will update accordingly + +**ืืืจืช:** When no signals are passed, your code will never be notified about shutdowns. Without this, it will lose its chance to close properly possibly losing current requests and/or data + +[**Read More: Bootstrap container using node command, avoid npm start**](./sections/docker/bootstrap-using-node.md) + +
+ +## ![โ] 8.3. Let the Docker runtime handle replication and uptime + +**ืื;ืืง:** When using a Docker run time orchestrator (e.g., Kubernetes), invoke the Node.js process directly without intermediate process managers or custom code that replicate the process (e.g. PM2, Cluster module). The runtime platform has the highest amount of data and visibility for making placement decision - It knows best how many processes are needed, how to spread them and what to do in case of crashes + +**ืืืจืช:** Container keeps crashing due to lack of resources will get restarted indefinitely by the process manager. Should Kubernetes be aware of that, it could relocate it to a different roomy instance + +๐ [**Read More: Let the Docker orchestrator restart and replicate processes**](./sections/docker/restart-and-replicate-processes.md) + +
+ +## ![โ] 8.4. Use .dockerignore to prevent leaking secrets + +**TL;DR**: Include a `.dockerignore` file that filters out common secret files and development artifacts. By doing so, you might prevent secrets from leaking into the image. As a bonus the build time will significantly decrease. Also, ensure not to copy all files recursively rather explicitly choose what should be copied to Docker + +**Otherwise**: Common personal secret files like `.env`, `.aws` and `.npmrc` will be shared with anybody with access to the image (e.g. Docker repository) + +๐ [**Read More: Use .dockerignore**](./sections/docker/docker-ignore.md) + +
+ +## ![โ] 8.5. Clean-up dependencies before production + +**ืื;ืืง:** Although Dev-Dependencies are sometimes needed during the build and test life-cycle, eventually the image that is shipped to production should be minimal and clean from development dependencies. Doing so guarantees that only necessary code is shipped and the amount of potential attacks (i.e. attack surface) is minimized. When using multi-stage build (see dedicated bullet) this can be achieved by installing all dependencies first and finally running `npm ci --production` + +**ืืืจืช:** Many of the infamous npm security breaches were found within development packages (e.g. [eslint-scope](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes)) + +๐ Read More: [Remove development dependencies](./sections/docker/install-for-production.md) + +
+ +## ![โ] 8.6. Shutdown smartly and gracefully + +**ืื;ืืง:** Handle the process SIGTERM event and clean-up all existing connection and resources. This should be done while responding to ongoing requests. In Dockerized runtimes, shutting down containers is not a rare event, rather a frequent occurrence that happen as part of routine work. Achieving this demands some thoughtful code to orchestrate several moving parts: The load balancer, keep-alive connections, the HTTP server and other resources + +**ืืืจืช:** Dying immediately means not responding to thousands of disappointed users + +๐ [**Read More: Graceful shutdown**](./sections/docker/graceful-shutdown.md) + +
+ +## ![โ] 8.7. Set memory limits using both Docker and v8 + +**ืื;ืืง:** Always configure a memory limit using both Docker and the JavaScript runtime flags. The Docker limit is needed to make thoughtful container placement decision, the --v8's flag max-old-space is needed to kick off the GC on time and prevent under utilization of memory. Practically, set the v8's old space memory to be a just bit less than the container limit + +**ืืืจืช:** The docker definition is needed to perform thoughtful scaling decision and prevent starving other citizens. Without also defining the v8's limits, it will under utilize the container resources - Without explicit instructions it crashes when utilizing ~50-60% of its host resources + +๐ [**Read More: Set memory limits using Docker only**](./sections/docker/memory-limit.md) + +
+ +## ![โ] 8.8. Plan for efficient caching + +**ืื;ืืง:** Rebuilding a whole docker image from cache can be nearly instantaneous if done correctly. The less updated instructions should be at the top of your Dockerfile and the ones constantly changing (like app code) should be at the bottom. + +**ืืืจืช:** Docker build will be very long and consume lot of resources even when making tiny changes + +๐ [**Read More: Leverage caching to reduce build times**](./sections/docker/use-cache-for-shorter-build-time.md) + +
+ +## ![โ] 8.9. Use explicit image reference, avoid `latest` tag + +**ืื;ืืง:** Specify an explicit image digest or versioned label, never refer to `latest`. Developers are often led to believe that specifying the `latest` tag will provide them with the most recent image in the repository however this is not the case. Using a digest guarantees that every instance of the service is running exactly the same code. + +In addition, referring to an image tag means that the base image is subject to change, as image tags cannot be relied upon for a deterministic install. Instead, if a deterministic install is expected, a SHA256 digest can be used to reference an exact image. + +**ืืืจืช:** A new version of a base image could be deployed into production with breaking changes, causing unintended application behaviour. + +๐ [**Read More: Understand image tags and use the "latest" tag with caution**](./sections/docker/image-tags.md) + +
+ +## ![โ] 8.10. Prefer smaller Docker base images + +**ืื;ืืง:** Large images lead to higher exposure to vulnerabilities and increased resource consumption. Using leaner Docker images, such as Slim and Alpine Linux variants, mitigates this issue. + +**ืืืจืช:** Building, pushing, and pulling images will take longer, unknown attack vectors can be used by malicious actors and more resources are consumed. + +๐ [**Read More: Prefer smaller images**](./sections/docker/smaller_base_images.md) + +
+ +## ![โ] 8.11. Clean-out build-time secrets, avoid secrets in args + +**ืื;ืืง:** Avoid secrets leaking from the Docker build environment. A Docker image is typically shared in multiple environment like CI and a registry that are not as sanitized as production. A typical example is an npm token which is usually passed to a dockerfile as argument. This token stays within the image long after it is needed and allows the attacker indefinite access to a private npm registry. This can be avoided by coping a secret file like `.npmrc` and then removing it using multi-stage build (beware, build history should be deleted as well) or by using Docker build-kit secret feature which leaves zero traces + +**ืืืจืช:** Everyone with access to the CI and docker registry will also get access to some precious organization secrets as a bonus + +๐ [**Read More: Clean-out build-time secrets**](./sections/docker/avoid-build-time-secrets.md) + +
+ +## ![โ] 8.12. Scan images for multi layers of vulnerabilities + +**ืื;ืืง:** Besides checking code dependencies vulnerabilities also scan the final image that is shipped to production. Docker image scanners check the code dependencies but also the OS binaries. This E2E security scan covers more ground and verifies that no bad guy injected bad things during the build. Consequently, it is recommended running this as the last step before deployment. There are a handful of free and commercial scanners that also provide CI/CD plugins + +**ืืืจืช:** Your code might be entirely free from vulnerabilities. However it might still get hacked due to vulnerable version of OS-level binaries (e.g. OpenSSL, TarBall) that are commonly being used by applications + +๐ [**Read More: Scan the entire image before production**](./sections/docker/scan-images.md) + +
+ +## ![โ] 8.13 Clean NODE_MODULE cache + +**ืื;ืืง:** After installing dependencies in a container remove the local cache. It doesn't make any sense to duplicate the dependencies for faster future installs since there won't be any further installs - A Docker image is immutable. Using a single line of code tens of MB (typically 10-50% of the image size) are shaved off + +**ืืืจืช:** The image that will get shipped to production will weigh 30% more due to files that will never get used + +๐ [**Read More: Clean NODE_MODULE cache**](./sections/docker/clean-cache.md) + +
+ +## ![โ] 8.14. Generic Docker practices + +**ืื;ืืง:** This is a collection of Docker advice that is not related directly to Node.js - the Node implementation is not much different than any other language. Click read more to skim through. + +๐ [**Read More: Generic Docker practices**](./sections/docker/generic-tips.md) + +
+ +## ![โ] 8.15. Lint your Dockerfile + +**ืื;ืืง:** Linting your Dockerfile is an important step to identify issues in your Dockerfile which differ from best practices. By checking for potential flaws using a specialised Docker linter, performance and security improvements can be easily identified, saving countless hours of wasted time or security issues in production code. + +**ืืืจืช:** Mistakenly the Dockerfile creator left Root as the production user, and also used an image from unknown source repository. This could be avoided with with just a simple linter. + +๐ [**Read More: Lint your Dockerfile**](./sections/docker/lint-dockerfile.md) + +
+ + + +# Milestones + +To maintain this guide and keep it up to date, we are constantly updating and improving the guidelines and best practices with the help of the community. You can follow our [milestones](https://github.com/goldbergyoni/nodebestpractices/milestones) and join the working groups if you want to contribute to this project + +
+ +## Translations + +All translations are contributed by the community. We will be happy to get any help with either completed, ongoing or new translations! + +### Completed translations + +-  [Brazilian Portuguese](./README.brazilian-portuguese.md) - Courtesy of [Marcelo Melo](https://github.com/marcelosdm) +-  [Chinese](./README.chinese.md) - Courtesy of [Matt Jin](https://github.com/mattjin) +-  [Russian](./README.russian.md) - Courtesy of [Alex Ivanov](https://github.com/contributorpw) +-  [Polish](./README.polish.md) - Courtesy of [Michal Biesiada](https://github.com/mbiesiad) +-  [Japanese](./README.japanese.md) - Courtesy of [Yuki Ota](https://github.com/YukiOta), [Yuta Azumi](https://github.com/YA21) +-  [Basque](README.basque.md) - Courtesy of [Ane Diaz de Tuesta](https://github.com/anediaz) & Joxefe Diaz de Tuesta + +### Translations in progress + +-  [French](./README.french.md) ([Discussion](https://github.com/goldbergyoni/nodebestpractices/issues/129)) +-  Hebrew ([Discussion](https://github.com/goldbergyoni/nodebestpractices/issues/156)) +-  [Korean](README.korean.md) - Courtesy of [Sangbeom Han](https://github.com/uronly14me) ([Discussion](https://github.com/goldbergyoni/nodebestpractices/issues/94)) +-  [Spanish](https://github.com/goldbergyoni/nodebestpractices/blob/spanish-translation/README.spanish.md) ([Discussion](https://github.com/goldbergyoni/nodebestpractices/issues/95)) +-  Turkish ([Discussion](https://github.com/goldbergyoni/nodebestpractices/issues/139)) + +
+ +## Steering Committee + +Meet the steering committee members - the people who work together to provide guidance and future direction to the project. In addition, each member of the committee leads a project tracked under our [GitHub projects](https://github.com/goldbergyoni/nodebestpractices/projects). + +
+
+[Yoni Goldberg](https://github.com/goldbergyoni)
+
+
+
+Independent Node.js consultant who works with customers in the USA, Europe, and Israel on building large-scale Node.js applications. Many of the best practices above were first published at [goldbergyoni.com](https://goldbergyoni.com). Reach Yoni at [@goldbergyoni](https://github.com/goldbergyoni) or [me@goldbergyoni.com](mailto:me@goldbergyoni.com)
+
++ +
+
+[Josh Hemphill](https://github.com/josh-hemphill)
+
+
+
+
+Full Stack Software Engineer / Developer specializing in Security, DevOps/DevSecOps, and ERP Integrations.
+
++ +
+
+[Raz Luvaton](https://github.com/rluvaton)
+
+
+
+Full Stack Developer who knows how to exit from Vim and loves Architecture, Virtualization and Security.
+
++ +## Contributing + +If you've ever wanted to contribute to open source, now is your chance! See the [contributing docs](.operations/CONTRIBUTING.md) for more information. + +## Contributors โจ + +Thanks goes to these wonderful people who have contributed to this repository! + + + + +
+
+๐ป full-stack web engineer, Node.js & GraphQL enthusiast
+
++ +
+
+[Kyle Martin](https://github.com/js-kyle)
+
+
+
+Full Stack Developer & Site Reliability Engineer based in New Zealand, interested in web application security, and architecting and building Node.js applications to perform at global scale.
+
++ +
+
+[Kevyn Bruyere](https://github.com/kevynb)
+
+
+Independent full-stack developer with a taste for Ops and automation.
+
++ +
+
+[Sagir Khan](https://github.com/sagirk)
+
+
+
+
+Deep specialist in JavaScript and its ecosystem โ React, Node.js, TypeScript, GraphQL, MongoDB, pretty much anything that involves JS/JSON in any layer of the system โ building products using the web platform for the worldโs most recognized brands. Individual Member of the Node.js Foundation.
diff --git a/README.md b/README.md
index 5fcaf4dec..065d37585 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@
- 
+ 
+
@@ -22,19 +22,13 @@ Read in a different language: [**CN**](./README.chin
-## ๐ We have an [official Node.js starter - Practica.js](https://github.com/practicajs/practica). Use it to generate a new solution skeleton with all the practices baked inside. Or just it to learn by code examples +# ๐ 2024 edition is here! -
- -# Latest Best Practices and News - -- **โจ 80,000 stars**: Blushing, surprised and proud! - -- **๐ New menu and tags**: Our menu is collapsible now and includes `#tags`. New visitors can read `#strategic` items first. Returning visitors can focus on `#new` content. Seniors can filter for `#advanced` items. Courtesy of the one and only [Rubek Joshi](https://github.com/rubek-joshi) +- **๐ฐ Modernized to 2024**: Tons of text edits, new recommended libraries, and some new best practices -- **๐จโ๐ฉโ๐งโ๐ฆ New family member!**: A new repository joins our family - [Node.js Integration Tests Best Practices โจ](https://github.com/testjavascript/nodejs-integration-tests-best-practices). It includes 40+ best practices for writing awesome and performant Node.js component tests +- **โจ Easily focus on new content**: Already visited before? Search for `#new` or `#updated` tags for new content only -- ** French translation!1! :** The latest translation that joins our international guide is French. Bienvenue +- **๐ Curious to see examples? We have a starter**: Visit [Practica.js](https://github.com/practicajs/practica), our application example and boilerplate (beta) to see some practices in action
@@ -48,18 +42,25 @@ Read in a different language: [**CN**](./README.chin
+# By Yoni Goldberg + +### Learn with me: As a consultant, I engage with worldwide teams on various activities like workshops and code reviews. ๐AND... Hold on, I've just launched my [beyond-the-basics testing course, which is on a ๐ limited-time sale](https://testjavascript.com/) until August 7th + +
+ ## Table of Contents
- 1. Project Structure Practices (5) + 1. Project Architecture Practices (6)
- [1.1 Structure your solution by components `#strategic`](#-11-structure-your-solution-by-components) - [1.2 Layer your components, keep the web layer within its boundaries `#strategic`](#-12-layer-your-components-keep-the-web-layer-within-its-boundaries) - [1.3 Wrap common utilities as npm packages](#-13-wrap-common-utilities-as-npm-packages) - [1.4 Separate Express 'app' and 'server'](#-14-separate-express-app-and-server) - [1.5 Use environment aware, secure and hierarchical config `#modified-recently`](#-15-use-environment-aware-secure-and-hierarchical-config) + [1.1 Structure your solution by components `#strategic` `#updated`](#-11-structure-your-solution-by-business-components) + [1.2 Layer your components, keep the web layer within its boundaries `#strategic` `#updated`](#-12-layer-your-components-with-3-tiers-keep-the-web-layer-within-its-boundaries) + [1.3 Wrap common utilities as packages, consider publishing](#-13-wrap-common-utilities-as-packages-consider-publishing) + [1.4 Use environment aware, secure and hierarchical config `#updated`](#-14-use-environment-aware-secure-and-hierarchical-config) + [1.5 Consider all the consequences when choosing the main framework `#new`](#-15-consider-all-the-consequences-when-choosing-the-main-framework) + [1.6 Use TypeScript sparingly and thoughtfully `#new`](#-16-use-typescript-sparingly-and-thoughtfully)- 3. Code Style Practices (12) + 3. Code Style Practices (12)
[3.1 Use ESLint `#strategic`](#-31-use-eslint) - [3.2 Node.js specific plugins](#-32-nodejs-specific-plugins) + [3.2 Use Node.js eslint extension plugins `#updated`](#-32-use-nodejs-eslint-extension-plugins) [3.3 Start a Codeblock's Curly Braces on the Same Line](#-33-start-a-codeblocks-curly-braces-on-the-same-line) [3.4 Separate your statements properly](#-34-separate-your-statements-properly) [3.5 Name your functions](#-35-name-your-functions) [3.6 Use naming conventions for variables, constants, functions and classes](#-36-use-naming-conventions-for-variables-constants-functions-and-classes) [3.7 Prefer const over let. Ditch the var](#-37-prefer-const-over-let-ditch-the-var) [3.8 Require modules first, not inside functions](#-38-require-modules-first-not-inside-functions) - [3.9 Require modules by folders, as opposed to the files directly](#-39-require-modules-by-folders-as-opposed-to-the-files-directly) + [3.9 Set an explicit entry point to a module/folder `#updated`](#-39-set-an-explicit-entry-point-to-a-modulefolder) [3.10 Use the === operator](#-310-use-the--operator) [3.11 Use Async Await, avoid callbacks `#strategic`](#-311-use-async-await-avoid-callbacks) [3.12 Use arrow function expressions (=>)](#-312-use-arrow-function-expressions-) + [3.13 Avoid effects outside of functions `#new`](#-313-avoid-effects-outside-of-functions)-# `1. Project Structure Practices` +# `1. Project Architecture Practices` + +## ![โ] 1.1 Structure your solution by business components -## ![โ] 1.1 Structure your solution by components +### `๐ #updated` -**TL;DR:** The worst large applications pitfall is maintaining a huge code base with hundreds of dependencies - such a monolith slows down developers as they try to incorporate new features. Instead, partition your code into components, each gets its folder or a dedicated codebase, and ensure that each unit is kept small and simple. Visit 'Read More' below to see examples of correct project structure +**TL;DR:** The root of a system should contain folders or repositories that represent reasonably sized business modules. Each component represents a product domain (i.e., bounded context), like 'user-component', 'order-component', etc. Each component has its own API, logic, and logical database. What is the significant merit? With an autonomous component, every change is performed over a granular and smaller scope - the mental overload, development friction, and deployment fear are much smaller and better. As a result, developers can move much faster. This does not necessarily demand physical separation and can be achieved using a Monorepo or with a multi-repo + +```bash +my-system +โโ apps (components) +โ โโ orders +โ โโ users +โ โโ payments +โโ libraries (generic cross-component functionality) +โ โโ logger +โ โโ authenticator +``` -**Otherwise:** When developers who code new features struggle to realize the impact of their change and fear to break other dependent components - deployments become slower and riskier. It's also considered harder to scale-out when all the business units are not separated +**Otherwise:** when artifacts from various modules/topics are mixed together, there are great chances of a tightly-coupled 'spaghetti' system. For example, in an architecture where 'module-a controller' might call 'module-b service', there are no clear modularity borders - every code change might affect anything else. With this approach, developers who code new features struggle to realize the scope and impact of their change. Consequently, they fear breaking other modules, and each deployment becomes slower and riskier ๐ [**Read More: structure by components**](./sections/projectstructre/breakintcomponents.md)
-## ![โ] 1.2 Layer your components, keep the web layer within its boundaries +## ![โ] 1.2 Layer your components with 3-tiers, keep the web layer within its boundaries -**TL;DR:** Each component should contain 'layers' - a dedicated object for the web, logic, and data access code. This not only draws a clean separation of concerns but also significantly eases mocking and testing the system. Though this is a very common pattern, API developers tend to mix layers by passing the web layer objects (e.g. Express req, res) to business logic and data layers - this makes your application dependent on and accessible only by specific web frameworks +### `๐ #updated` + +**TL;DR:** Each component should contain 'layers' - a dedicated folder for common concerns: 'entry-point' where controller lives, 'domain' where the logic lives, and 'data-access'. The primary principle of the most popular architectures is to separate the technical concerns (e.g., HTTP, DB, etc) from the pure logic of the app so a developer can code more features without worrying about infrastructural concerns. Putting each concern in a dedicated folder, also known as the [3-Tier pattern](https://en.wikipedia.org/wiki/Multitier_architecture), is the _simplest_ way to meet this goal + +```bash +my-system +โโ apps (components) +โ โโ component-a + โ โโ entry-points + โ โ โโ api # controller comes here + โ โ โโ message-queue # message consumer comes here + โ โโ domain # features and flows: DTO, services, logic + โ โโ data-access # DB calls w/o ORM +``` -**Otherwise:** App that mixes web objects with other layers cannot be accessed by testing code, CRON jobs, triggers from message queues, etc +**Otherwise:** It's often seen that developer pass web objects like request/response to functions in the domain/logic layer - this violates the separation principle and makes it harder to access later the logic code by other clients like testing code, scheduled jobs, message queues, etc ๐ [**Read More: layer your app**](./sections/projectstructre/createlayers.md)
-## ![โ] 1.3 Wrap common utilities as npm packages +## ![โ] 1.3 Wrap common utilities as packages, consider publishing -**TL;DR:** In a large app that constitutes a large codebase, cross-cutting-concern utilities like a logger, encryption and alike, should be wrapped by your code and exposed as private npm packages. This allows sharing them among multiple codebases and projects +**TL;DR:** Place all reusable modules in a dedicated folder, e.g., "libraries", and underneath each module in its own folder, e.g., "/libraries/logger". Make the module an independent package with its own package.json file to increase the module encapsulation, and allows future publishing to a repository. In a Monorepo setup, modules can be consumed by 'npm linking' to their physical paths, using ts-paths or by publishing and installing from a package manager repository like the npm registry -**Otherwise:** You'll have to invent your deployment and the dependency wheel +```bash +my-system +โโ apps (components) + โ โโ component-a +โโ libraries (generic cross-component functionality) +โ โโ logger +โ โ โโ package.json +โ โ โโ src +โ โ โ โโ index.js + +``` + +**Otherwise:** Clients of a module might import and get coupled to internal functionality of a module. With a package.json at the root, one can set a package.json.main or package.json.exports to explicitly tell which files and functions are part of the public interface ๐ [**Read More: Structure by feature**](./sections/projectstructre/wraputilities.md)
-## ![โ] 1.4 Separate Express 'app' and 'server' +## ![โ] 1.4 Use environment aware, secure and hierarchical config -**TL;DR:** Avoid the nasty habit of defining the entire [Express](https://expressjs.com/) app in a single huge file - separate your 'Express' definition to at least two files: the API declaration (app.js) and the networking concerns (WWW). For even better structure, locate your API declaration within components +### `๐ #updated` -**Otherwise:** Your API will be accessible for testing via HTTP calls only (slower and much harder to generate coverage reports). It probably won't be a big pleasure to maintain hundreds of lines of code in a single file +**TL;DR:** A flawless configuration setup should ensure (a) keys can be read from file AND from environment variable (b) secrets are kept outside committed code (c) config is hierarchical for easier findability (d) typing support (e) validation for failing fast (f) Specify default for each key. There are a few packages that can help tick most of those boxes like [convict](https://www.npmjs.com/package/convict), [env-var](https://github.com/evanshortiss/env-var), [zod](https://github.com/colinhacks/zod), and others -๐ [**Read More: separate Express 'app' and 'server'**](./sections/projectstructre/separateexpress.md) +**Otherwise:** Consider a mandatory environment variable that wasn't provided. The app starts successfully and serve requests, some information is already persisted to DB. Then, it's realized that without this mandatory key the request can't complete, leaving the app in a dirty state + +๐ [**Read More: configuration best practices**](./sections/projectstructre/configguide.md)
-## ![โ] 1.5 Use environment aware, secure and hierarchical config +## ![โ] 1.5 Consider all the consequences when choosing the main framework -**TL;DR:** A perfect and flawless configuration setup should ensure (a) keys can be read from file AND from environment variable (b) secrets are kept outside committed code (c) config is hierarchical for easier findability. There are a few packages that can help tick most of those boxes like [rc](https://www.npmjs.com/package/rc), [nconf](https://www.npmjs.com/package/nconf), [config](https://www.npmjs.com/package/config), and [convict](https://www.npmjs.com/package/convict). +### `๐ #new` -**Otherwise:** Failing to satisfy any of the config requirements will simply bog down the development or DevOps team. Probably both +**TL;DR:** When building apps and APIs, using a framework is mandatory. It's easy to overlook alternative frameworks or important considerations and then finally land on a sub optimal option. As of 2023/2024, we believe that these four frameworks are worth considering: [Nest.js](https://nestjs.com/), [Fastify](https://www.fastify.io/), [express](https://expressjs.com/), and [Koa](https://koajs.com/). Click read more below for a detailed pros/cons of each framework. Simplistically, we believe that Nest.js is the best match for teams who wish to go OOP and/or build large-scale apps that can't get partitioned into smaller _autonomous_ components. Fastify is our recommendation for apps with reasonably-sized components (e.g., Microservices) that are built around simple Node.js mechanics. Read our [full considerations guide here](./sections/projectstructre/choose-framework.md) -๐ [**Read More: configuration best practices**](./sections/projectstructre/configguide.md) +**Otherwise:** Due to the overwhelming amount of considerations, it's easy to make decisions based on partial information and compare apples with oranges. For example, it's believed that Fastify is a minimal web-server that should get compared with express only. In reality, it's a rich framework with many official plugins that cover many concerns + +๐ [**Read More: Choosing the right framework**](./sections/projectstructre/choose-framework.md) + +## ![โ] 1.6 Use TypeScript sparingly and thoughtfully + +### `๐ #new` + +**TL;DR:** Coding without type safety is no longer an option, TypeScript is the most popular option for this mission. Use it to define variables and functions return types. With that, it is also a double edge sword that can greatly _encourage_ complexity with its additional ~ 50 keywords and sophisticated features. Consider using it sparingly, mostly with simple types, and utilize advanced features only when a real need arises + +**Otherwise:** [Researches](https://earlbarr.com/publications/typestudy.pdf) show that using TypeScript can help in detecting ~20% bugs earlier. Without it, also the developer experience in the IDE is intolerable. On the flip side, 80% of other bugs were not discovered using types. Consequently, typed syntax is valuable but limited. Only efficient tests can discover the whole spectrum of bugs, including type-related bugs. It might also defeat its purpose: sophisticated code features are likely to increase the code complexity, which by itself increases both the amount of bugs and the average bug fix time + +๐ [**Read More: TypeScript considerations**](./sections/projectstructre/typescript-considerations.md)
@@ -277,7 +334,7 @@ Read in a different language: [**CN**](./README.chin ## ![โ] 2.1 Use Async-Await or promises for async error handling -**TL;DR:** Handling async errors in callback style is probably the fastest way to hell (a.k.a the pyramid of doom). The best gift you can give to your code is using a reputable promise library or async-await instead which enables a much more compact and familiar code syntax like try-catch +**TL;DR:** Handling async errors in callback style is probably the fastest way to hell (a.k.a the pyramid of doom). The best gift you can give to your code is using Promises with async-await which enables a much more compact and familiar code syntax like try-catch **Otherwise:** Node.js callback style, function(err, response), is a promising way to un-maintainable code due to the mix of error handling with casual code, excessive nesting, and awkward coding patterns @@ -285,9 +342,11 @@ Read in a different language: [**CN**](./README.chin
-## ![โ] 2.2 Use only the built-in Error object +## ![โ] 2.2 Extend the built-in Error object + +### `๐ #updated` -**TL;DR:** Many throw errors as a string or as some custom type โ this complicates the error handling logic and the interoperability between modules. Whether you reject a promise, throw an exception or emit an error โ using only the built-in Error object (or an object that extends the built-in Error object) will increase uniformity and prevent loss of information. There is `no-throw-literal` ESLint rule that strictly checks that (although it has some [limitations](https://eslint.org/docs/rules/no-throw-literal) which can be solved when using TypeScript and setting the `@typescript-eslint/no-throw-literal` rule) +**TL;DR:** Some libraries throw errors as a string or as some custom type โ this complicates the error handling logic and the interoperability between modules. Instead, create app error object/class that extends the built-in Error object and use it whenever rejecting, throwing or emitting an error. The app error should add useful imperative properties like the error name/code and isCatastrophic. By doing so, all errors have a unified structure and support better error handling. There is `no-throw-literal` ESLint rule that strictly checks that (although it has some [limitations](https://eslint.org/docs/rules/no-throw-literal) which can be solved when using TypeScript and setting the `@typescript-eslint/no-throw-literal` rule) **Otherwise:** When invoking some component, being uncertain which type of errors come in return โ it makes proper error handling much harder. Even worse, using custom types to describe errors might lead to loss of critical error information like the stack trace! @@ -295,11 +354,13 @@ Read in a different language: [**CN**](./README.chin
-## ![โ] 2.3 Distinguish operational vs programmer errors +## ![โ] 2.3 Distinguish catastrophic errors from operational errors -**TL;DR:** Operational errors (e.g. API received an invalid input) refer to known cases where the error impact is fully understood and can be handled thoughtfully. On the other hand, programmer error (e.g. trying to read an undefined variable) refers to unknown code failures that dictate to gracefully restart the application +### `๐ #updated` -**Otherwise:** You may always restart the application when an error appears, but why let ~5000 online users down because of a minor, predicted, operational error? The opposite is also not ideal โ keeping the application up when an unknown issue (programmer error) occurred might lead to an unpredicted behavior. Differentiating the two allows acting tactfully and applying a balanced approach based on the given context +**TL;DR:** Operational errors (e.g. API received an invalid input) refer to known cases where the error impact is fully understood and can be handled thoughtfully. On the other hand, catastrophic error (also known as programmer errors) refers to unusual code failures that dictate to gracefully restart the application + +**Otherwise:** You may always restart the application when an error appears, but why let ~5000 online users down because of a minor, predicted, operational error? The opposite is also not ideal โ keeping the application up when an unknown catastrophic issue (programmer error) occurred might lead to an unpredicted behavior. Differentiating the two allows acting tactfully and applying a balanced approach based on the given context ๐ [**Read More: operational vs programmer error**](./sections/errorhandling/operationalvsprogrammererror.md) @@ -307,7 +368,7 @@ Read in a different language: [**CN**](./README.chin ## ![โ] 2.4 Handle errors centrally, not within a middleware -**TL;DR:** Error handling logic such as mail to admin and logging should be encapsulated in a dedicated and centralized object that all endpoints (e.g. Express middleware, cron jobs, unit-testing) call when an error comes in +**TL;DR:** Error handling logic such as logging, deciding whether to crash and monitoring metrics should be encapsulated in a dedicated and centralized object that all entry-points (e.g. APIs, cron jobs, scheduled jobs) call when an error comes in **Otherwise:** Not handling errors within a single place will lead to code duplication and probably to improperly handled errors @@ -315,9 +376,9 @@ Read in a different language: [**CN**](./README.chin
-## ![โ] 2.5 Document API errors using Swagger or GraphQL +## ![โ] 2.5 Document API errors using OpenAPI or GraphQL -**TL;DR:** Let your API callers know which errors might come in return so they can handle these thoughtfully without crashing. For RESTful APIs, this is usually done with documentation frameworks like Swagger. If you're using GraphQL, you can utilize your schema and comments as well. +**TL;DR:** Let your API callers know which errors might come in return so they can handle these thoughtfully without crashing. For RESTful APIs, this is usually done with documentation frameworks like OpenAPI. If you're using GraphQL, you can utilize your schema and comments as well **Otherwise:** An API client might decide to crash and restart only because it received back an error it couldnโt understand. Note: the caller of your API might be you (very typical in a microservice environment) @@ -327,7 +388,7 @@ Read in a different language: [**CN**](./README.chin ## ![โ] 2.6 Exit the process gracefully when a stranger comes to town -**TL;DR:** When an unknown error occurs (a developer error, see best practice 2.3) - there is uncertainty about the application healthiness. Common practice suggests restarting the process carefully using a process management tool like [Forever](https://www.npmjs.com/package/forever) or [PM2](http://pm2.keymetrics.io/) +**TL;DR:** When an unknown error occurs (catastrophic error, see best practice 2.3) - there is uncertainty about the application healthiness. In this case, there is no escape from making the error observable, shutting off connections and exiting the process. Any reputable runtime framework like Dockerized services or cloud serverless solutions will take care to restart **Otherwise:** When an unfamiliar exception occurs, some object might be in a faulty state (e.g. an event emitter which is used globally and not firing events anymore due to some internal failure) and all future requests might fail or behave crazily @@ -335,9 +396,11 @@ Read in a different language: [**CN**](./README.chin
-## ![โ] 2.7 Use a mature logger to increase error visibility +## ![โ] 2.7 Use a mature logger to increase errors visibility + +### `๐ #updated` -**TL;DR:** A set of mature logging tools like [Pino](https://github.com/pinojs/pino) or [Log4js](https://www.npmjs.com/package/log4js), will speed-up error discovery and understanding. So forget about console.log +**TL;DR:** A robust logging tools like [Pino](https://github.com/pinojs/pino) or [Winston](https://github.com/winstonjs/winston) increases the errors visibility using features like log-levels, pretty print coloring and more. Console.log lacks these imperative features and should be avoided. The best in class logger allows attaching custom useful properties to log entries with minimized serialization performance penalty. Developers should write logs to `stdout` and let the infrastructure pipe the stream to the appropriate log aggregator **Otherwise:** Skimming through console.logs or manually through messy text file without querying tools or a decent log viewer might keep you busy at work until late @@ -347,7 +410,9 @@ Read in a different language: [**CN**](./README.chin ## ![โ] 2.8 Test error flows using your favorite test framework -**TL;DR:** Whether professional automated QA or plain manual developer testing โ Ensure that your code not only satisfies positive scenarios but also handles and returns the right errors. Testing frameworks like Mocha & Chai can handle this easily (see code examples within the "Gist popup") +### `๐ #updated` + +**TL;DR:** Whether professional automated QA or plain manual developer testing โ Ensure that your code not only satisfies positive scenarios but also handles and returns the right errors. On top of this, simulate deeper error flows like uncaught exceptions and ensure that the error handler treat these properly (see code examples within the "read more" section) **Otherwise:** Without testing, whether automatically or manually, you canโt rely on your code to return the right errors. Without meaningful errors โ thereโs no error handling @@ -367,6 +432,8 @@ Read in a different language: [**CN**](./README.chin ## ![โ] 2.10 Catch unhandled promise rejections +### `๐ #updated` + **TL;DR:** Any exception thrown within a promise will get swallowed and discarded unless a developer didnโt forget to explicitly handle it. Even if your code is subscribed to `process.uncaughtException`! Overcome this by registering to the event `process.unhandledRejection` **Otherwise:** Your errors will get swallowed and leave no trace. Nothing to worry about @@ -377,7 +444,7 @@ Read in a different language: [**CN**](./README.chin ## ![โ] 2.11 Fail fast, validate arguments using a dedicated library -**TL;DR:** Assert API input to avoid nasty bugs that are much harder to track later. The validation code is usually tedious unless you are using a very cool helper library like [ajv](https://www.npmjs.com/package/ajv) and [Joi](https://www.npmjs.com/package/joi) +**TL;DR:** Assert API input to avoid nasty bugs that are much harder to track later. The validation code is usually tedious unless you are using a modern validation library like [ajv](https://www.npmjs.com/package/ajv), [zod](https://github.com/colinhacks/zod), or [typebox](https://github.com/sinclairzx81/typebox) **Otherwise:** Consider this โ your function expects a numeric argument โDiscountโ which the caller forgets to pass, later on, your code checks if Discount!=0 (amount of allowed discount is greater than zero), then it will allow the user to enjoy a discount. OMG, what a nasty bug. Can you see it? @@ -387,6 +454,8 @@ Read in a different language: [**CN**](./README.chin ## ![โ] 2.12 Always await promises before returning to avoid a partial stacktrace +### `๐ #new` + **TL;DR:** Always do `return await` when returning a promise to benefit full error stacktrace. If a function returns a promise, that function must be declared as `async` function and explicitly `await` the promise before returning it @@ -397,15 +466,25 @@ especially if the cause of the abnormal behavior is inside of the missing functi ๐ [**Read More: returning promises**](./sections/errorhandling/returningpromises.md) +
+ +## ![โ] 2.13 Subscribe to event emitters and streams 'error' event + +### `๐ #new` + +**TL;DR:** Unlike typical functions, a try-catch clause won't get errors that originate from Event Emitters and anything inherited from it (e.g., streams). Instead of try-catch, subscribe to an event emitter's 'error' event so your code can handle the error in context. When dealing with [EventTargets](https://nodejs.org/api/events.html#eventtarget-and-event-api) (the web standard version of Event Emitters) there are no 'error' event and all errors end in the process.on('error) global event - in this case, at least ensure that the process crash or not based on the desired context. Also, mind that error originating from _asynchronous_ event handlers are not get caught unless the event emitter is initialized with {captureRejections: true} + +**Otherwise:** Event emitters are commonly used for global and key application functionality such as DB or message queue connection. When this kind of crucial objects throw an error, at best the process will crash due to unhandled exception. Even worst, it will stay alive as a zombie while a key functionality is turned off +
-# `3. Code Style Practices` +# `3. Code Patterns And Style Practices` ## ![โ] 3.1 Use ESLint -**TL;DR:** [ESLint](https://eslint.org) is the de-facto standard for checking possible code errors and fixing code style, not only to identify nitty-gritty spacing issues but also to detect serious code anti-patterns like developers throwing errors without classification. Though ESLint can automatically fix code styles, other tools like [prettier](https://www.npmjs.com/package/prettier) and [beautify](https://www.npmjs.com/package/js-beautify) are more powerful in formatting the fix and work in conjunction with ESLint +**TL;DR:** [ESLint](https://eslint.org) is the de-facto standard for checking possible code errors and fixing code style, not only to identify nitty-gritty spacing issues but also to detect serious code anti-patterns like developers throwing errors without classification. Though ESLint can automatically fix code styles, other tools like [prettier](https://www.npmjs.com/package/prettier) are more powerful in formatting the fix and work in conjunction with ESLint **Otherwise:** Developers will focus on tedious spacing and line-width concerns and time might be wasted overthinking the project's code style @@ -413,9 +492,11 @@ especially if the cause of the abnormal behavior is inside of the missing functi
-## ![โ] 3.2 Node.js specific plugins +## ![โ] 3.2 Use Node.js eslint extension plugins -**TL;DR:** On top of ESLint standard rules that cover vanilla JavaScript, add Node.js specific plugins like [eslint-plugin-node](https://www.npmjs.com/package/eslint-plugin-node), [eslint-plugin-mocha](https://www.npmjs.com/package/eslint-plugin-mocha) and [eslint-plugin-node-security](https://www.npmjs.com/package/eslint-plugin-security) +### `๐ #updated` + +**TL;DR:** On top of ESLint standard rules that cover vanilla JavaScript, add Node.js specific plugins like [eslint-plugin-node](https://www.npmjs.com/package/eslint-plugin-node), [eslint-plugin-mocha](https://www.npmjs.com/package/eslint-plugin-mocha) and [eslint-plugin-node-security](https://www.npmjs.com/package/eslint-plugin-security), [eslint-plugin-require](https://www.npmjs.com/package/eslint-plugin-require), [/eslint-plugin-jest](https://www.npmjs.com/package/eslint-plugin-jest) and other useful rules **Otherwise:** Many faulty Node.js code patterns might escape under the radar. For example, developers might require(variableAsPath) files with a variable given as a path which allows attackers to execute any JS script. Node.js linters can detect such patterns and complain early @@ -508,7 +589,7 @@ const count = 2 // it tries to run 2(), but 2 is not a function ```javascript // for global variables names we use the const/let keyword and UPPER_SNAKE_CASE -let MUTABLE_GLOBAL = "mutable value" +let MUTABLE_GLOBAL = "mutable value"; const GLOBAL_CONSTANT = "immutable value"; const CONFIG = { key: "value", @@ -557,22 +638,29 @@ function doSomething() {
-## ![โ] 3.9 Require modules by folders, as opposed to the files directly +## ![โ] 3.9 Set an explicit entry point to a module/folder + +### `๐ #updated` -**TL;DR:** When developing a module/library in a folder, place an index.js file that exposes the module's internals so every consumer will pass through it. This serves as an 'interface' to your module and eases future changes without breaking the contract +**TL;DR:** When developing a module/library, set an explicit root file that exports the public and interesting code. Discourage the client code from importing deep files and becoming familiar with the internal structure. With commonjs (require), this can be done with an index.js file at the folder's root or the package.json.main field. With ESM (import), if a package.json exists on the root, the field "exports" allow specifying the module's root file. If no package.json exists, you may put an index.js file on the root which re-exports all the public functionality -**Otherwise:** Changing the internal structure of files or the signature may break the interface with clients +**Otherwise:** Having an explicit root file acts like a public 'interface' that encapsulates the internal, directs the caller to the public code and facilitates future changes without breaking the contract -### 3.9 Code example +### 3.9 Code example - avoid coupling the client to the module structure ```javascript -// Do -module.exports.SMSProvider = require("./SMSProvider"); -module.exports.SMSNumberResolver = require("./SMSNumberResolver"); +// Avoid: client has deep familiarity with the internals -// Avoid -module.exports.SMSProvider = require("./SMSProvider/SMSProvider.js"); -module.exports.SMSNumberResolver = require("./SMSNumberResolver/SMSNumberResolver.js"); +// Client code +const SMSWithMedia = require("./SMSProvider/providers/media/media-provider.js"); + +// Better: explicitly export the public functions + +//index.js, module code +module.exports.SMSWithMedia = require("./SMSProvider/providers/media/media-provider.js"); + +// Client code +const { SMSWithMedia } = require("./SMSProvider"); ```
@@ -606,7 +694,7 @@ All statements above will return false if used with `===` ## ![โ] 3.11 Use Async Await, avoid callbacks -**TL;DR:** Node 8 LTS now has full support for Async-await. This is a new way of dealing with asynchronous code which supersedes callbacks and promises. Async-await is non-blocking, and it makes asynchronous code look synchronous. The best gift you can give to your code is using async-await which provides a much more compact and familiar code syntax like try-catch +**TL;DR:** Async-await is the simplest way to express an asynchronous flow as it makes asynchronous code look synchronous. Async-await will also result in much more compact code and support for try-catch. This technique now supersedes callbacks and promises in _most_ cases. Using it in your code is probably the best gift one can give to the code reader **Otherwise:** Handling async errors in callback style are probably the fastest way to hell - this style forces to check errors all over, deal with awkward code nesting, and makes it difficult to reason about the code flow @@ -622,12 +710,28 @@ All statements above will return false if used with `===` ๐ [**Read more: Itโs Time to Embrace Arrow Functions**](https://medium.com/javascript-scene/familiarity-bias-is-holding-you-back-its-time-to-embrace-arrow-functions-3d37e1a9bb75) +
+ +## ![โ] 3.13 Avoid effects outside of functions + +### `๐ #new` + +**TL;DR:** Avoid putting code with effects like network or DB calls outside of functions. Such a code will be executed immediately when another file requires the file. This 'floating' code might get executed when the underlying system is not ready yet. It also comes with a performance penalty even when this module's functions will finally not be used in runtime. Last, mocking these DB/network calls for testing is harder outside of functions. Instead, put this code inside functions that should get called explicitly. If some DB/network code must get executed right when the module loads, consider using the factory or revealing module patterns + +**Otherwise:** A typical web framework sets error handler, environment variables and monitoring. When DB/network calls are made before the web framework is initialized, they won't be monitored or fail due to a lack of configuration data +
# `4. Testing And Overall Quality Practices` +\_We have dedicated guides for testing, see below. The best practices list here is a brief summary of these guides + +a. [JavaScript testing best practices](https://github.com/goldbergyoni/javascript-testing-best-practices) +b. [Node.js testing - beyond the basics](https://github.com/testjavascript/nodejs-integration-tests-best-practices) +\_ + ## ![โ] 4.1 At the very least, write API (component) testing **TL;DR:** Most projects just don't have any automated testing due to short timetables or often the 'testing project' ran out of control and was abandoned. For that reason, prioritize and start with API testing which is the easiest way to write and provides more coverage than unit testing (you may even craft API tests without code using tools like [Postman](https://www.getpostman.com/)). Afterwards, should you have more resources and time, continue with advanced test types like unit testing, DB testing, performance testing, etc @@ -638,6 +742,8 @@ All statements above will return false if used with `===` ## ![โ] 4.2 Include 3 parts in each test name +### `๐ #new` + **TL;DR:** Make the test speak at the requirements level so it's self-explanatory also to QA engineers and developers who are not familiar with the code internals. State in the test name what is being tested (unit under test), under what circumstances, and what is the expected result **Otherwise:** A deployment just failed, a test named โAdd productโ failed. Does this tell you what exactly is malfunctioning? @@ -648,6 +754,8 @@ All statements above will return false if used with `===` ## ![โ] 4.3 Structure tests by the AAA pattern +### `๐ #new` + **TL;DR:** Structure your tests with 3 well-separated sections: Arrange, Act & Assert (AAA). The first part includes the test setup, then the execution of the unit under test, and finally the assertion phase. Following this structure guarantees that the reader spends no brain CPU on understanding the test plan **Otherwise:** Not only you spend long daily hours on understanding the main code, but now also what should have been the simple part of the day (testing) stretches your brain @@ -656,11 +764,13 @@ All statements above will return false if used with `===`
-## ![โ] 4.4 Detect code issues with a linter +## ![โ] 4.4 Ensure Node version is unified + +### `๐ #new` -**TL;DR:** Use a code linter to check the basic quality and detect anti-patterns early. Run it before any test and add it as a pre-commit git-hook to minimize the time needed to review and correct any issue. Also check [Section 3](#3-code-style-practices) on Code Style Practices +**TL;DR:** Use tools that encourage or enforce the same Node.js version across different environments and developers. Tools like [nvm](https://github.com/nvm-sh/nvm), and [Volta](https://volta.sh/) allow specifying the project's version in a file so each team member can run a single command to conform with the project's version. Optionally, this definition can be replicated to CI and the production runtime (e.g., copy the specified value to .Dockerfile build and to the CI declaration file) -**Otherwise:** You may let pass some anti-pattern and possible vulnerable code to your production environment. +**Otherwise:** A developer might face or miss an error because she uses a different Node.js version than her teammates. Even worse - the production runtime might be different than the environment where tests were executed
@@ -674,15 +784,7 @@ All statements above will return false if used with `===`
-## ![โ] 4.6 Constantly inspect for vulnerable dependencies - -**TL;DR:** Even the most reputable dependencies such as Express have known vulnerabilities. This can get easily tamed using community and commercial tools such as ๐ [npm audit](https://docs.npmjs.com/cli/audit) and ๐ [snyk.io](https://snyk.io) that can be invoked from your CI on every build - -**Otherwise:** Keeping your code clean from vulnerabilities without dedicated tools will require to constantly follow online publications about new threats. Quite tedious - -
- -## ![โ] 4.7 Tag your tests +## ![โ] 4.6 Tag your tests **TL;DR:** Different tests must run on different scenarios: quick smoke, IO-less, tests should run when a developer saves or commits a file, full end-to-end tests usually run when a new pull request is submitted, etc. This can be achieved by tagging tests with keywords like #cold #api #sanity so you can grep with your testing harness and invoke the desired subset. For example, this is how you would invoke only the sanity test group with [Mocha](https://mochajs.org/): mocha --grep 'sanity' @@ -690,7 +792,7 @@ All statements above will return false if used with `===`
-## ![โ] 4.8 Check your test coverage, it helps to identify wrong test patterns +## ![โ] 4.7 Check your test coverage, it helps to identify wrong test patterns **TL;DR:** Code coverage tools like [Istanbul](https://github.com/istanbuljs/istanbuljs)/[NYC](https://github.com/istanbuljs/nyc) are great for 3 reasons: it comes for free (no effort is required to benefit this reports), it helps to identify a decrease in testing coverage, and last but not least it highlights testing mismatches: by looking at colored code coverage reports you may notice, for example, code areas that are never tested like catch clauses (meaning that tests only invoke the happy paths and not how the app behaves on errors). Set it to fail builds if the coverage falls under a certain threshold @@ -698,15 +800,7 @@ All statements above will return false if used with `===`
-## ![โ] 4.9 Inspect for outdated packages - -**TL;DR:** Use your preferred tool (e.g. `npm outdated` or [npm-check-updates](https://www.npmjs.com/package/npm-check-updates)) to detect installed outdated packages, inject this check into your CI pipeline and even make a build fail in a severe scenario. For example, a severe scenario might be when an installed package is 5 patch commits behind (e.g. local version is 1.3.1 and repository version is 1.3.8) or it is tagged as deprecated by its author - kill the build and prevent deploying this version - -**Otherwise:** Your production will run packages that have been explicitly tagged by their author as risky - -
- -## ![โ] 4.10 Use production-like environment for e2e testing +## ![โ] 4.8 Use production-like environment for e2e testing **TL;DR:** End to end (e2e) testing which includes live data used to be the weakest link of the CI process as it depends on multiple heavy services like DB. Use an environment which is as close to your real production environment as possible like a-continue (Missed -continue here, needs content. Judging by the **Otherwise** clause, this should mention docker-compose) @@ -714,7 +808,7 @@ All statements above will return false if used with `===`
-## ![โ] 4.11 Refactor regularly using static analysis tools +## ![โ] 4.9 Refactor regularly using static analysis tools **TL;DR:** Using static analysis tools helps by giving objective ways to improve code quality and keeps your code maintainable. You can add static analysis tools to your CI build to fail when it finds code smells. Its main selling points over plain linting are the ability to inspect quality in the context of multiple files (e.g. detect duplications), perform advanced analysis (e.g. code complexity), and follow the history and progress of code issues. Two examples of tools you can use are [Sonarqube](https://www.sonarqube.org/) (2,600+ [stars](https://github.com/SonarSource/sonarqube)) and [Code Climate](https://codeclimate.com/) (1,500+ [stars](https://github.com/codeclimate/codeclimate)). @@ -724,15 +818,17 @@ All statements above will return false if used with `===`
-## ![โ] 4.12 Carefully choose your CI platform (Jenkins vs CircleCI vs Travis vs Rest of the world) +## ![โ] 4.10 Mock responses of external HTTP services -**TL;DR:** Your continuous integration platform (CICD) will host all the quality tools (e.g. test, lint) so it should come with a vibrant ecosystem of plugins. [Jenkins](https://jenkins.io/) used to be the default for many projects as it has the biggest community along with a very powerful platform at the price of a complex setup that demands a steep learning curve. Nowadays, it has become much easier to set up a CI solution using SaaS tools like [CircleCI](https://circleci.com) and others. These tools allow crafting a flexible CI pipeline without the burden of managing the whole infrastructure. Eventually, it's a trade-off between robustness and speed - choose your side carefully +### `๐ #new` -**Otherwise:** Choosing some niche vendor might get you blocked once you need some advanced customization. On the other hand, going with Jenkins might burn precious time on infrastructure setup +**TL;DR:** Use network mocking tools to simulate responses of external collaborators' services that are approached over the network (e.g., REST, Graph). This is imperative not only to isolate the component under test but mostly to simulate non-happy path flows. Tools like [nock](https://github.com/nock/nock) (in-process) or [Mock-Server](https://www.mock-server.com/) allow defining a specific response of external service in a single line of code. Remember to simulate also errors, delays, timeouts, and any other event that is likely to happen in production -๐ [**Read More: Choosing CI platform**](./sections/testingandquality/citools.md) +**Otherwise:** Allowing your component to reach real external services instances will likely result in naive tests that mostly cover happy paths. The tests might also be flaky and slow -## ![โ] 4.13 Test your middlewares in isolation +๐ [**Read More: Mock external services**](./sections/testingandquality/mock-external-services.md) + +## ![โ] 4.11 Test your middlewares in isolation **TL;DR:** When a middleware holds some immense logic that spans many requests, it is worth testing it in isolation without waking up the entire web framework. This can be easily achieved by stubbing and spying on the {req, res, next} objects @@ -740,6 +836,26 @@ All statements above will return false if used with `===` ๐ [**Read More: Test middlewares in isolation**](./sections/testingandquality/test-middlewares.md) +## ![โ] 4.12 Specify a port in production, randomize in testing + +### `๐ #new` + +**TL;DR:** When testing against the API, it's common and desirable to initialize the web server inside the tests. Let the server randomize the web server port in testing to prevent collisions. If you're using Node.js http server (used by most frameworks), doing so demands nothing but passing a port number zero - this will randomize an available port + +**Otherwise:** Specifying a fixed port will prevent two testing processes from running at the same time. Most of the modern test runners run with multiple processes by default + +๐ [**Read More: Randomize a port for testing**](./sections/testingandquality/randomize-port.md) + +## ![โ] 4.13 Test the five possible outcomes + +### `๐ #new` + +**TL;DR:** When testing a flow, ensure to cover five potential categories. Any time some action is triggered (e.g., API call), a reaction occurs, a meaningful **outcome** is produced and calls for testing. There are five possible outcome types for every flow: a response, a visible state change (e.g., DB), an outgoing API call, a new message in a queue, and an observability call (e.g., logging, metric). See a [checklist here](https://testjavascript.com/wp-content/uploads/2021/10/the-backend-checklist.pdf). Each type of outcome comes with unique challenges and techniques to mitigate those challenges - we have a dedicated guide about this topic: [Node.js testing - beyond the basics](https://github.com/testjavascript/nodejs-integration-tests-best-practices) + +**Otherwise:** Consider a case when testing the addition of a new product to the system. It's common to see tests that assert on a valid response only. What if the product was failed to persist regardless of the positive response? what if when adding a new product demands calling some external service, or putting a message in the queue - shouldn't the test assert these outcomes as well? It's easy to overlook various paths, this is where a [checklist comes handy](https://testjavascript.com/wp-content/uploads/2021/10/the-backend-checklist.pdf) + +๐ [**Read More: Test five outcomes**](./sections/testingandquality/test-five-outcomes.md) +
@@ -748,7 +864,7 @@ All statements above will return false if used with `===` ## ![โ] 5.1. Monitoring -**TL;DR:** Monitoring is a game of finding out issues before customers do โ obviously this should be assigned unprecedented importance. The market is overwhelmed with offers thus consider starting with defining the basic metrics you must follow (my suggestions inside), then go over additional fancy features and choose the solution that ticks all boxes. Click โThe Gistโ below for an overview of the solutions +**TL;DR:** Monitoring is a game of finding out issues before customers do โ obviously this should be assigned unprecedented importance. The market is overwhelmed with offers thus consider starting with defining the basic metrics you must follow (my suggestions inside), then go over additional fancy features and choose the solution that ticks all boxes. In any case, the 4 layers of observability must be covered: uptime, metrics with focus on user-facing symptoms and Node.js technical metrics like event loop lag, distributed flows measurement with Open Telemetry and logging. Click โRead Moreโ below for an overview of the solutions **Otherwise:** Failure === disappointed customers. Simple @@ -756,7 +872,7 @@ All statements above will return false if used with `===`
-## ![โ] 5.2. Increase transparency using smart logging +## ![โ] 5.2. Increase the observability using smart logging **TL;DR:** Logs can be a dumb warehouse of debug statements or the enabler of a beautiful dashboard that tells the story of your app. Plan your logging platform from day 1: how logs are collected, stored and analyzed to ensure that the desired information (e.g. error rate, following an entire transaction through services and servers, etc) can really be extracted @@ -768,7 +884,7 @@ All statements above will return false if used with `===` ## ![โ] 5.3. Delegate anything possible (e.g. gzip, SSL) to a reverse proxy -**TL;DR:** Node is awfully bad at doing CPU intensive tasks like gzipping, SSL termination, etc. You should use โrealโ middleware services like nginx, HAproxy or cloud vendor services instead +**TL;DR:** Node is quite bad at doing CPU intensive tasks like gzipping, SSL termination, etc. You should use specialized infrastructure like nginx, HAproxy or cloud vendor services instead **Otherwise:** Your poor single thread will stay busy doing infrastructural tasks instead of dealing with your application core and performance will degrade accordingly @@ -778,7 +894,7 @@ All statements above will return false if used with `===` ## ![โ] 5.4. Lock dependencies -**TL;DR:** Your code must be identical across all environments, but amazingly npm lets dependencies drift across environments by default โ when you install packages at various environments it tries to fetch packagesโ latest patch version. Overcome this by using npm config files, .npmrc, that tell each environment to save the exact (not the latest) version of each package. Alternatively, for finer grained control use `npm shrinkwrap`. \*Update: as of NPM5, dependencies are locked by default. The new package manager in town, Yarn, also got us covered by default +**TL;DR:** Your code must be identical across all environments, but without a special lockfile npm lets dependencies drift across environments. Ensure to commit your package-lock.json so all the environments will be identical **Otherwise:** QA will thoroughly test the code and approve a version that will behave differently in production. Even worse, different servers in the same production cluster might run different code @@ -788,7 +904,7 @@ All statements above will return false if used with `===` ## ![โ] 5.5. Guard process uptime using the right tool -**TL;DR:** The process must go on and get restarted upon failures. For simple scenarios, process management tools like PM2 might be enough but in today's โdockerizedโ world, cluster management tools should be considered as well +**TL;DR:** The process must go on and get restarted upon failures. Modern runtime platforms like Docker-ized platforms (e.g. Kubernetes), and Serverless take care for this automatically. When the app is hosted on a bare metal server, one must take care for a process management tools like [systemd](https://systemd.io/). Avoid including a custom process management tool in a modern platform that monitors an app instance (e.g., Kubernetes) - doing so will hide failures from the infrastructure. When the underlying infrastructure is not aware of errors, it can't perform useful mitigation steps like re-placing the instance in a different location **Otherwise:** Running dozens of instances without a clear strategy and too many tools together (cluster management, docker, PM2) might lead to DevOps chaos @@ -798,7 +914,7 @@ All statements above will return false if used with `===` ## ![โ] 5.6. Utilize all CPU cores -**TL;DR:** At its basic form, a Node app runs on a single CPU core while all others are left idling. Itโs your duty to replicate the Node process and utilize all CPUs โ For small-medium apps you may use Node Cluster or PM2. For a larger app consider replicating the process using some Docker cluster (e.g. K8S, ECS) or deployment scripts that are based on Linux init system (e.g. systemd) +**TL;DR:** At its basic form, a Node app runs on a single CPU core while all others are left idling. Itโs your duty to replicate the Node process and utilize all CPUs. Most of the modern run-times platform (e.g., Kubernetes) allow replicating instances of the app but they won't verify that all cores are utilized - this is your duty. If the app is hosted on a bare server, it's also your duty to use some process replication solution (e.g. systemd) **Otherwise:** Your app will likely utilize only 25% of its available resources(!) or even less. Note that a typical server has 4 CPU cores or more, naive deployment of Node.js utilizes only 1 (even using PaaS services like AWS beanstalk!) @@ -816,9 +932,11 @@ All statements above will return false if used with `===`
-## ![โ] 5.8. Discover errors and downtime using APM products +## ![โ] 5.8. Discover the unknowns using APM products + +### `๐ #updated` -**TL;DR:** Application monitoring and performance products (a.k.a. APM) proactively gauge codebase and API so they can auto-magically go beyond traditional monitoring and measure the overall user-experience across services and tiers. For example, some APM products can highlight a transaction that loads too slow on the end-user's side while suggesting the root cause +**TL;DR:** Consider adding another safety layer to the production stack - APM. While the majority of symptoms and causes can be detected using traditional monitoring techniques, in a distributed system there is more than meets the eye. Application monitoring and performance products (a.k.a. APM) can auto-magically go beyond traditional monitoring and provide additional layer of discovery and developer-experience. For example, some APM products can highlight a transaction that loads too slow on the **end-user's side** while suggesting the root cause. APMs also provide more context for developers who try to troubleshoot a log error by showing what was the server busy with when the error occurred. To name a few example **Otherwise:** You might spend great effort on measuring API performance and downtimes, probably youโll never be aware which is your slowest code parts under real-world scenario and how these affect the UX @@ -828,7 +946,7 @@ All statements above will return false if used with `===` ## ![โ] 5.9. Make your code production-ready -**TL;DR:** Code with the end in mind, plan for production from day 1. This sounds a bit vague so Iโve compiled a few development tips that are closely related to production maintenance (click Gist below) +**TL;DR:** Code with the end in mind, plan for production from day 1. This sounds a bit vague so Iโve compiled a few development tips that are closely related to production maintenance (click 'Read More') **Otherwise:** A world champion IT/DevOps guy wonโt save a system that is badly written @@ -848,7 +966,7 @@ All statements above will return false if used with `===` ## ![โ] 5.11. Get your frontend assets out of Node -**TL;DR:** Serve frontend content using dedicated middleware (nginx, S3, CDN) because Node performance really gets hurt when dealing with many static files due to its single-threaded model +**TL;DR:** Serve frontend content using a specialized infrastructure (nginx, S3, CDN) because Node performance gets hurt when dealing with many static files due to its single-threaded model. One exception to this guideline is when doing server-side rendering **Otherwise:** Your single Node thread will be busy streaming hundreds of html/images/angular/react files instead of allocating all its resources for the task it was born for โ serving dynamic content @@ -856,9 +974,9 @@ All statements above will return false if used with `===`
-## ![โ] 5.12. Be stateless, kill your servers almost every day +## ![โ] 5.12. Strive to be stateless -**TL;DR:** Store any type of data (e.g. user sessions, cache, uploaded files) within external data stores. Consider โkillingโ your servers periodically or use โserverlessโ platform (e.g. AWS Lambda) that explicitly enforces a stateless behavior +**TL;DR:** Store any type of _data_ (e.g. user sessions, cache, uploaded files) within external data stores. When the app holds data in-process this adds additional layer of maintenance complexity like routing users to the same instance and higher cost of restarting a process. To enforce and encourage a stateless approach, most modern runtime platforms allows 'reapp-ing' instances periodically **Otherwise:** Failure at a given server will result in application downtime instead of just killing a faulty machine. Moreover, scaling-out elasticity will get more challenging due to the reliance on a specific server @@ -878,9 +996,7 @@ All statements above will return false if used with `===` ## ![โ] 5.14. Assign a transaction id to each log statement -Also known as correlation id / transit id / tracing id / request id / request context / etc. - -**TL;DR:** Assign the same identifier, transaction-id: {some value}, to each log entry within a single request. Then when inspecting errors in logs, easily conclude what happened before and after. Until version 14 of Node, this was not easy to achieve due to Node's async nature, but since AsyncLocalStorage came to town, this became possible and easy than ever. see code examples inside +**TL;DR:** Assign the same identifier, transaction-id: uuid(), to each log entry within a single request (also known as correlation-id/tracing-id/request-context). Then when inspecting errors in logs, easily conclude what happened before and after. Node has a built-in mechanism, [AsyncLocalStorage](https://nodejs.org/api/async_context.html), for keeping the same context across asynchronous calls. see code examples inside **Otherwise:** Looking at a production error log without the context โ what happened before โ makes it much harder and slower to reason about the issue @@ -890,9 +1006,9 @@ Also known as correlation id / transit id / tracing id / request id / request co ## ![โ] 5.15. Set `NODE_ENV=production` -**TL;DR:** Set the environment variable `NODE_ENV` to โproductionโ or โdevelopmentโ to flag whether production optimizations should get activated โ many npm packages determine the current environment and optimize their code for production +**TL;DR:** Set the environment variable `NODE_ENV` to โproductionโ or โdevelopmentโ to flag whether production optimizations should get activated โ some npm packages determine the current environment and optimize their code for production -**Otherwise:** Omitting this simple property might greatly degrade performance. For example, when using Express for server-side rendering omitting `NODE_ENV` makes it slower by a factor of three! +**Otherwise:** Omitting this simple property might greatly degrade performance when dealing with some specific libraries like Express server-side rendering ๐ [**Read More: Set NODE_ENV=production**](./sections/production/setnodeenv.md) @@ -916,11 +1032,13 @@ Also known as correlation id / transit id / tracing id / request id / request co
-## ![โ] 5.18. Don't route logs within the app +## ![โ] 5.18. Log to stdout, avoid specifying log destination within the app + +### `๐ #updated` **TL;DR:** Log destinations should not be hard-coded by developers within the application code, but instead should be defined by the execution environment the application runs in. Developers should write logs to `stdout` using a logger utility and then let the execution environment (container, server, etc.) pipe the `stdout` stream to the appropriate destination (i.e. Splunk, Graylog, ElasticSearch, etc.). -**Otherwise:** Application handling log routing === hard to scale, loss of logs, poor separation of concerns +**Otherwise:** If developers set the log routing, less flexibility is left for the ops professional who wishes to customize it. Beyond this, if the app tries to log directly to a remote location (e.g., Elastic Search), in case of panic or crash - further logs that might explain the problem won't arrive ๐ [**Read More: Log Routing**](./sections/production/logrouting.md) @@ -928,7 +1046,7 @@ Also known as correlation id / transit id / tracing id / request id / request co ## ![โ] 5.19. Install your packages with `npm ci` -**TL;DR:** You have to be sure that production code uses the exact version of the packages you have tested it with. Run `npm ci` to strictly do a clean install of your dependencies matching package.json and package-lock.json. Using this command is recommended in automated environments such as continuous integration pipelines. +**TL;DR:** Run `npm ci` to strictly do a clean install of your dependencies matching package.json and package-lock.json. Obviously production code must use the exact version of the packages that were used for testing. While package-lock.json file sets strict version for dependencies, in case of mismatch with the file package.json, the command 'npm install' will treat package.json as the source of truth. On the other hand, the command 'npm ci' will exit with error in case of mismatch between these files **Otherwise:** QA will thoroughly test the code and approve a version that will behave differently in production. Even worse, different servers in the same production cluster might run different code. @@ -1236,6 +1354,39 @@ Also known as correlation id / transit id / tracing id / request id / request co **Otherwise:** Your project's API keys, passwords or other secrets are open to be abused by anyone who comes across them, which may result in financial loss, impersonation, and other risks. ๐ [**Read More: Avoid publishing secrets**](./sections/security/avoid_publishing_secrets.md) + +
+ +## ![โ] 6.26 Inspect for outdated packages + +**TL;DR:** Use your preferred tool (e.g. `npm outdated` or [npm-check-updates](https://www.npmjs.com/package/npm-check-updates)) to detect installed outdated packages, inject this check into your CI pipeline and even make a build fail in a severe scenario. For example, a severe scenario might be when an installed package is 5 patch commits behind (e.g. local version is 1.3.1 and repository version is 1.3.8) or it is tagged as deprecated by its author - kill the build and prevent deploying this version + +**Otherwise:** Your production will run packages that have been explicitly tagged by their author as risky + +
+ +## ![โ] 6.27. Import built-in modules using the 'node:' protocol + +### `๐ #new` + +
+
+**TL;DR:** Import or require built-in Node.js modules using the 'node protocol' syntax:
+
+```javascript
+import { functionName } from "node:module"; // note that 'node:' prefix
+```
+
+For example:
+
+```javascript
+import { createServer } from "node:http";
+```
+
+This style ensures that there is no ambiguity with global npm packages and makes it clear for the reader that the code refers to a well-trusted official module. This style can be enforced with the eslint rule ['prefer-node-protocol'](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/main/docs/rules/prefer-node-protocol.md)
+
+**Otherwise:** Using the import syntax without 'node:' prefix opens the door for [typosquatting attacks](https://en.wikipedia.org/wiki/Typosquatting) where one could mistakenly mistype a module name (e.g., 'event' instead of 'events) and get a malicious package that was built only to trick users into installing them
+
@@ -1307,9 +1458,11 @@ CMD [ "node", "dist/app.js" ] ## ![โ] 8.2. Bootstrap using `node` command, avoid `npm start` -**TL;DR:** use `CMD ['node','server.js']` to start your app, avoid using npm scripts which don't pass OS signals to the code. This prevents problems with child-processes, signal handling, graceful shutdown and having zombie processes. +**TL;DR:** Use `CMD ['node','server.js']` to start your app, avoid using npm scripts which don't pass OS signals to the code. This prevents problems with child-processes, signal handling, graceful shutdown and having zombie processes -**Otherwise:** When no signals are passed, your code will never be notified about shutdowns. Without this, it will lose its chance to close properly possibly losing current requests and/or data. +Update: [Starting from npm 7, npm claim](https://docs.npmjs.com/cli/v7/using-npm/changelog#706-2020-10-27) to pass signals. We follow and will update accordingly + +**Otherwise:** When no signals are passed, your code will never be notified about shutdowns. Without this, it will lose its chance to close properly possibly losing current requests and/or data [**Read More: Bootstrap container using node command, avoid npm start**](./sections/docker/bootstrap-using-node.md) @@ -1347,7 +1500,7 @@ CMD [ "node", "dist/app.js" ] ## ![โ] 8.6. Shutdown smartly and gracefully -**TL;DR:** Handle the process SIGTERM event and clean-up all existing connection and resources. This should be done while responding to ongoing requests. In Dockerized runtimes shutting down containers is not a rare event, rather a frequent occurrence that happen as part of routine work. Achieving this demands some thoughtful code to orchestrate several moving parts: The load balancer, keep-alive connections, the HTTP server and other resources +**TL;DR:** Handle the process SIGTERM event and clean-up all existing connection and resources. This should be done while responding to ongoing requests. In Dockerized runtimes, shutting down containers is not a rare event, rather a frequent occurrence that happen as part of routine work. Achieving this demands some thoughtful code to orchestrate several moving parts: The load balancer, keep-alive connections, the HTTP server and other resources **Otherwise:** Dying immediately means not responding to thousands of disappointed users @@ -1399,6 +1552,8 @@ In addition, referring to an image tag means that the base image is subject to c ## ![โ] 8.11. Clean-out build-time secrets, avoid secrets in args +### `๐ #new` + **TL;DR:** Avoid secrets leaking from the Docker build environment. A Docker image is typically shared in multiple environment like CI and a registry that are not as sanitized as production. A typical example is an npm token which is usually passed to a dockerfile as argument. This token stays within the image long after it is needed and allows the attacker indefinite access to a private npm registry. This can be avoided by coping a secret file like `.npmrc` and then removing it using multi-stage build (beware, build history should be deleted as well) or by using Docker build-kit secret feature which leaves zero traces **Otherwise:** Everyone with access to the CI and docker registry will also get access to some precious organization secrets as a bonus @@ -1437,6 +1592,8 @@ In addition, referring to an image tag means that the base image is subject to c ## ![โ] 8.15. Lint your Dockerfile +### `๐ #new` + **TL;DR:** Linting your Dockerfile is an important step to identify issues in your Dockerfile which differ from best practices. By checking for potential flaws using a specialised Docker linter, performance and security improvements can be easily identified, saving countless hours of wasted time or security issues in production code. **Otherwise:** Mistakenly the Dockerfile creator left Root as the production user, and also used an image from unknown source repository. This could be avoided with with just a simple linter. @@ -1469,7 +1626,7 @@ All translations are contributed by the community. We will be happy to get any h ### Translations in progress -  [French](./README.french.md) ([Discussion](https://github.com/goldbergyoni/nodebestpractices/issues/129)) --  Hebrew ([Discussion](https://github.com/goldbergyoni/nodebestpractices/issues/156)) +-  [Hebrew](./README.hebrew.md) ([Discussion](https://github.com/goldbergyoni/nodebestpractices/issues/156)) -  [Korean](README.korean.md) - Courtesy of [Sangbeom Han](https://github.com/uronly14me) ([Discussion](https://github.com/goldbergyoni/nodebestpractices/issues/94)) -  [Spanish](https://github.com/goldbergyoni/nodebestpractices/blob/spanish-translation/README.spanish.md) ([Discussion](https://github.com/goldbergyoni/nodebestpractices/issues/95)) -  Turkish ([Discussion](https://github.com/goldbergyoni/nodebestpractices/issues/139)) @@ -1771,6 +1928,7 @@ Thanks goes to these wonderful people who have contributed to this repository!
Scc
๐
Mauro Accornero
๐
no-yan
๐
hodbauer
๐
@@ -87,7 +87,7 @@ async function asyncFn () { return await syncFn() } -// ๐ syncFn would be missing in the stacktrace because it returns a promise while been sync +// ๐ syncFn would be missing in the stacktrace because it returns a promise while being sync asyncFn().catch(console.log) ``` @@ -165,7 +165,7 @@ Error: stacktrace is missing the place where getUser has been called at async Promise.all (index 2) ``` -*Side-note*: it may looks like `Promise.all (index 2)` can help understanding the place where `getUser` has been called, +*Side-note*: it may look like `Promise.all (index 2)` can help understanding the place where `getUser` has been called, but due to a [completely different bug in v8](https://bugs.chromium.org/p/v8/issues/detail?id=9023), `(index 2)` is a line from internals of v8 @@ -177,9 +177,9 @@ a line from internals of v8
Javascript
-*Note 1*: in case if you control the code of the function that would call the callback - just change that function to
-async and add `await` before the callback call. Below I assume that you are not in charge of the code that is calling
-the callback (or it's change is unacceptable for example because of backward compatibility)
+*Note 1*: if you control the code of the function that would call the callback - just change that function to
+`async` and add `await` before the callback call. Below I assume that you are not in charge of the code that is calling
+the callback (or its change is unacceptable for example because of backward compatibility)
*Note 2*: quite often usage of async callback in places where sync one is expected would not work at all. This is not about
how to fix the code that is not working - it's about how to fix stacktrace in case if code is already working as
@@ -210,8 +210,8 @@ Error: with all frames present
where thanks to explicit `await` in `map`, the end of the line `at async ([...])` would point to the exact place where
`getUser` has been called
-*Side-note*: if async function that wrap `getUser` would miss `await` before return (anti-pattern #1 + anti-pattern #3)
-then only one frame would left in the stacktrace:
+*Side-note*: if async function that wrap `getUser` lacks `await` before return (anti-pattern #1 + anti-pattern #3)
+then only one frame would be left in the stacktrace:
```javascript
[...]
@@ -235,12 +235,12 @@ Error: [...]
## Advanced explanation
The mechanisms behind sync functions stacktraces and async functions stacktraces in v8 implementation are quite different:
-sync stacktrace is based on **stack** provided by operating system Node.js is running on (just like in most programming
-languages). When an async function is executing, the **stack** of operating system is popping it out as soon as the
-function is getting to it's first `await`. So async stacktrace is a mix of operating system **stack** and a rejected
-**promise resolution chain**. Zero-cost async stacktraces implementation is extending the **promise resolution chain**
+sync stacktrace is based on **stack** provided by the operating system Node.js is running on (just like in most programming
+languages). When an async function is executing, the **stack** of the operating system is popping it out as soon as the
+function gets to its first `await`. So async stacktrace is a mix of operating system **stack** and a rejected
+**promise resolution chain**. Zero-cost async stacktraces implementation extends the **promise resolution chain**
only when the promise is getting `awaited` [ยน](#1). Because only `async` functions may `await`,
-sync function would always be missed in async stacktrace if any async operation has been performed after the function
+sync function would always be missing from async stacktrace if any async operation has been performed after the function
has been called [ยฒ](#2)
### The tradeoff
@@ -256,13 +256,13 @@ definitely should never be done up-front
### Why return await was considered as anti-pattern in the past
-There is a number of [excellent articles](https://jakearchibald.com/2017/await-vs-return-vs-return-await/) explained
+There is a number of [excellent articles](https://jakearchibald.com/2017/await-vs-return-vs-return-await/) explaining
why `return await` should never be used outside of `try` block and even an
[ESLint rule](https://eslint.org/docs/rules/no-return-await) that disallows it. The reason for that is the fact that
since async/await become available with transpilers in Node.js 0.10 (and got native support in Node.js 7.6) and until
"zero-cost async stacktraces" was introduced in Node.js 10 and unflagged in Node.js 12, `return await` was absolutely
equivalent to `return` for any code outside of `try` block. It may still be the same for some other ES engines. This
-is why resolving promises before returning them is the best practice for Node.js and not for the EcmaScript in general
+is why resolving promises before returning them is the best practice for Node.js and not for ECMAScript in general
### Notes:
@@ -270,7 +270,7 @@ is why resolving promises before returning them is the best practice for Node.js
must always be built synchronously, on the same tick of event loop [ยน](#1)
2. Without `await` in `throwAsync` the code would be executed in the same phase of event loop. This is a
degenerated case when OS **stack** would not get empty and stacktrace be full even without explicitly
-awaiting the function result. Usually usage of promises include some async operations and so parts of
+awaiting the function result. Common usage of promises includes some async operations and so parts of
the stacktrace would get lost
3. Zero-cost async stacktraces still would not work for complicated promise usages e.g. single promise
awaited many times in different places
diff --git a/sections/errorhandling/testingerrorflows.md b/sections/errorhandling/testingerrorflows.md
index 552ca1f53..ac03f4146 100644
--- a/sections/errorhandling/testingerrorflows.md
+++ b/sections/errorhandling/testingerrorflows.md
@@ -10,72 +10,69 @@ Testing โhappyโ paths is no better than testing failures. Good testing code
Javascript
```javascript
-describe('Facebook chat', () => {
- it('Notifies on new chat message', () => {
+describe("Facebook chat", () => {
+ it("Notifies on new chat message", () => {
const chatService = new chatService();
chatService.participants = getDisconnectedParticipants();
- expect(chatService.sendMessage.bind({ message: 'Hi' })).to.throw(ConnectionError);
+ expect(chatService.sendMessage.bind({ message: "Hi" })).to.throw(ConnectionError);
});
});
```
+
-
-### Code example: ensuring API returns the right HTTP error code
+### Code example: ensuring that are uncaught exceptions are handled as well
Typescript
+Javascript
-```typescript -describe('Facebook chat', () => { - it('Notifies on new chat message', () => { - const chatService = new chatService(); - chatService.participants = getDisconnectedParticipants(); - expect(chatService.sendMessage.bind({ message: 'Hi' })).to.throw(ConnectionError); +```javascript +test("When exception is throw during request, Then logger reports the mandatory fields", async () => { + //Arrange + const orderToAdd = { + userId: 1, + productId: 2, + }; + + sinon + .stub(OrderRepository.prototype, "addOrder") + .rejects(new AppError("saving-failed", "Order could not be saved", 500)); + const loggerDouble = sinon.stub(logger, "error"); + + //Act + const receivedResponse = await axiosAPIClient.post("/order", orderToAdd); + + //Assert + expect(receivedResponse.status).toBe(500); + expect(loggerDouble.lastCall.firstArg).toMatchObject({ + name: "saving-failed", + status: 500, + stack: expect.any(String), + message: expect.any(String), }); }); ``` +Javascript
```javascript -it('Creates new Facebook group', () => { - const invalidGroupInfo = {}; - return httpRequest({ - method: 'POST', - uri: 'facebook.com/api/groups', - resolveWithFullResponse: true, - body: invalidGroupInfo, - json: true - }).then((response) => { - expect.fail('if we were to execute the code in this block, no error was thrown in the operation above') - }).catch((response) => { - expect(400).to.equal(response.statusCode); - }); -}); -``` -
-
\ No newline at end of file
+
+
diff --git a/sections/production/lockdependencies.md b/sections/production/lockdependencies.md
index 1698c9bbb..61800062f 100644
--- a/sections/production/lockdependencies.md
+++ b/sections/production/lockdependencies.md
@@ -4,9 +4,7 @@
### One Paragraph Explainer
-Your code depends on many external packages, letโs say it โrequiresโ and use momentjs-2.1.4, then by default when you deploy to production npm might fetch momentjs 2.1.5 which unfortunately brings some new bugs to the table. Using npm config files and the argument ```โsave-exact=true``` instructs npm to refer to the *exact* same version that was installed so the next time you run ```npm install``` (in production or within a Docker container you plan to ship forward for testing) the same dependent version will be fetched. An alternative and popular approach is using a `.shrinkwrap` file (easily generated using npm) that states exactly which packages and versions should be installed so no environment can get tempted to fetch newer versions than expected.
-
-* **Update:** as of npm 5, dependencies are locked automatically using .shrinkwrap. Yarn, an emerging package manager, also locks down dependencies by default.
+Your code depends on many external packages, letโs say it โrequiresโ and use momentjs-2.1.4, then by default when you deploy to production npm might fetch momentjs 2.1.5 which unfortunately brings some new bugs to the table. Using npm config files and the argument `โsave-exact=true` instructs npm to refer to the _exact_ same version that was installed so the next time you run `npm install` (in production or within a Docker container you plan to ship forward for testing) the same dependent version will be fetched. Due to this, starting from npm version 5 a package-lock.json file is generated in every install. This lock file pins all the dependencies and child dependencies versions. When the file is committed, any future install the gets a copy of the app will install the same dependencies version
Typescript
- -```typescript -it('Creates new Facebook group', async () => { - let invalidGroupInfo = {}; - try { - const response = await httpRequest({ - method: 'POST', - uri: 'facebook.com/api/groups', - resolveWithFullResponse: true, - body: invalidGroupInfo, - json: true - }) - // if we were to execute the code in this block, no error was thrown in the operation above - expect.fail('The request should have failed') - } catch(response) { - expect(400).to.equal(response.statusCode); - } + //Act + process.emit("uncaughtException", errorToThrow); + + // Assert + expect(loggerDouble.calledWith(errorToThrow)); }); ``` -@@ -19,51 +17,31 @@ save-exact:true
-### Code example: shrinkwrap.json file that distills the exact dependency tree - -```json -{ - "name": "A", - "dependencies": { - "B": { - "version": "0.0.1", - "dependencies": { - "C": { - "version": "0.1.0" - } - } - } - } -} -``` - -
- ### Code example: npm 5 dependencies lock file โ package-lock.json ```json { - "name": "package-name", - "version": "1.0.0", - "lockfileVersion": 1, - "dependencies": { - "cacache": { - "version": "9.2.6", - "resolved": "https://registry.npmjs.org/cacache/-/cacache-9.2.6.tgz", - "integrity": "sha512-YK0Z5Np5t755edPL6gfdCeGxtU0rcW/DBhYhYVDckT+7AFkCCtedf2zru5NRbBLFk6e7Agi/RaqTOAfiaipUfg==" - }, - "duplexify": { - "version": "3.5.0", - "resolved": "https://registry.npmjs.org/duplexify/-/duplexify-3.5.0.tgz", - "integrity": "sha1-GqdzAC4VeEV+nZ1KULDMquvL1gQ=", - "dependencies": { - "end-of-stream": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.0.0.tgz", - "integrity": "sha1-1FlucCc0qT5A6a+GQxnqvZn/Lw4=" - } - } + "name": "package-name", + "version": "1.0.0", + "lockfileVersion": 1, + "dependencies": { + "cacache": { + "version": "9.2.6", + "resolved": "https://registry.npmjs.org/cacache/-/cacache-9.2.6.tgz", + "integrity": "sha512-YK0Z5Np5t755edPL6gfdCeGxtU0rcW/DBhYhYVDckT+7AFkCCtedf2zru5NRbBLFk6e7Agi/RaqTOAfiaipUfg==" + }, + "duplexify": { + "version": "3.5.0", + "resolved": "https://registry.npmjs.org/duplexify/-/duplexify-3.5.0.tgz", + "integrity": "sha1-GqdzAC4VeEV+nZ1KULDMquvL1gQ=", + "dependencies": { + "end-of-stream": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.0.0.tgz", + "integrity": "sha1-1FlucCc0qT5A6a+GQxnqvZn/Lw4=" } + } } + } } ``` diff --git a/sections/production/productioncode.md b/sections/production/productioncode.md index a86047312..6fb624a6c 100644 --- a/sections/production/productioncode.md +++ b/sections/production/productioncode.md @@ -6,11 +6,12 @@ Following is a list of development tips that greatly affect the production maintenance and stability: -* The twelve-factor guide โ Get familiar with the [Twelve factors](https://12factor.net/) guide -* Be stateless โ Save no data locally on a specific web server (see separate bullet โ โBe Statelessโ) -* Cache โ Utilize cache heavily, yet never fail because of cache mismatch -* Test memory โ gauge memory usage and leaks as part your development flow, tools such as โmemwatchโ can greatly facilitate this task -* Name functions โ Minimize the usage of anonymous functions (i.e. inline callback) as a typical memory profiler will provide memory usage per method name -* Use CI tools โ Use CI tool to detect failures before sending to production. For example, use ESLint to detect reference errors and undefined variables. Use โtrace-sync-io to identify code that uses synchronous APIs (instead of the async version) -* Log wisely โ Include in each log statement contextual information, hopefully in JSON format so log aggregators tools such as Elastic can search upon those properties (see separate bullet โ โIncrease visibility using smart logsโ). Also, include transaction-id that identifies each request and allows to correlate lines that describe the same transaction (see separate bullet โ โInclude Transaction-IDโ) -* Error management โ Error handling is the Achillesโ heel of Node.js production sites โ many Node processes are crashing because of minor errors while others hang on alive in a faulty state instead of crashing. Setting your error handling strategy is absolutely critical, read here my [error handling best practices](http://goldbergyoni.com/checklist-best-practices-of-node-js-error-handling/) +- The twelve-factor guide โ Get familiar with the [Twelve factors](https://12factor.net/) guide +- Be stateless โ Save no data locally on a specific web server (see separate bullet โ โBe Statelessโ) +- Cache โ Utilize cache heavily, yet never fail because of cache mismatch +- Test memory โ gauge memory usage and leaks as part your development flow, tools such as โmemwatchโ can greatly facilitate this task +- Name functions โ Minimize the usage of anonymous functions (i.e. inline callback) as a typical memory profiler will provide memory usage per method name +- Use CI tools โ Use CI tool to detect failures before sending to production. For example, use ESLint to detect reference errors and undefined variables. Use โtrace-sync-io to identify code that uses synchronous APIs (instead of the async version) +- Log wisely โ Include in each log statement contextual information, hopefully in JSON format so log aggregators tools such as Elastic can search upon those properties (see separate bullet โ โIncrease visibility using smart logsโ). Also, include transaction-id that identifies each request and allows to correlate lines that describe the same transaction (see separate bullet โ โInclude Transaction-IDโ) +- Test like production - Make developers machine quite close to the production infrastructure (e.g., with Docker-Compose). Avoid if/else clauses in testing that check if we're in testing environment but rather run the same code always +- Error management โ Error handling is the Achillesโ heel of Node.js production sites โ many Node processes are crashing because of minor errors while others hang on alive in a faulty state instead of crashing. Setting your error handling strategy is absolutely critical, read here my [error handling best practices](http://goldbergyoni.com/checklist-best-practices-of-node-js-error-handling/) diff --git a/sections/projectstructre/breakintcomponents.md b/sections/projectstructre/breakintcomponents.md index 297daaa55..91df46d17 100644 --- a/sections/projectstructre/breakintcomponents.md +++ b/sections/projectstructre/breakintcomponents.md @@ -4,7 +4,7 @@ ### One Paragraph Explainer -For medium sized apps and above, monoliths are really bad - having one big software with many dependencies is just hard to reason about and often leads to spaghetti code. Even smart architects โ those who are skilled enough to tame the beast and 'modularize' it โ spend great mental effort on design, and each change requires carefully evaluating the impact on other dependent objects. The ultimate solution is to develop small software: divide the whole stack into self-contained components that don't share files with others, each constitutes very few files (e.g. API, service, data access, test, etc.) so that it's very easy to reason about it. Some may call this 'microservices' architecture โ it's important to understand that microservices are not a spec which you must follow, but rather a set of principles. You may adopt many principles into a full-blown microservices architecture or adopt only a few. Both are good as long as you keep the software complexity low. The very least you should do is create basic borders between components, assign a folder in your project root for each business component and make it self-contained - other components are allowed to consume its functionality only through its public interface or API. This is the foundation for keeping your components simple, avoid dependency hell and pave the way to full-blown microservices in the future once your app grows. +For medium sized apps and above, *non-modular* monoliths are really bad - having one big software with 'spaghetti' of dependencies is just hard to reason about. The ultimate solution is to develop smaller software: divide the whole stack into self-contained components that don't share files with others, each is a standalone logical app (e.g. has its own API, service, data access, test, etc.) so that onboarding into it and changing the code is much easier than dealing with the whole system. Some may call this 'microservices' architecture โ it's important to understand that microservices are not a spec which you must follow, but rather a set of principles. You may adopt many principles into a full-blown microservices architecture or adopt only a few. The very least you should do is create basic borders between components, assign a folder or repository in your system root for each business component and make it self-contained. Other components are allowed to consume its functionality only through its public interface or API. This is the foundation for keeping your components simple, avoid dependency hell and pave the way to full-blown microservices in the future once your app grows
@@ -28,10 +28,38 @@ So what does the architecture of your application scream? When you look at the t ### Good: Structure your solution by self-contained components - +```bash +my-system +โโ apps (components) +โ โโ orders +โ โ โโ package.json +โ โ โโ api +โ โ โโ domain +โ โ โโ data-access +โ โโ users +โ โโ payments +โโ libraries (generic cross-component functionality) +โ โโ logger +โ โโ authenticator +``` +
### Bad: Group your files by technical role - +```bash +my-system +โโ controllers +โ โโ user-controller.js +โ โโ order-controller.js +โ โโ payment-controller.js +โโ services +โ โโ user-service.js +โ โโ order-service.js +โ โโ payment-service.js +โโ models +โ โโ user-model.js +โ โโ order-model.js +โ โโ payment-model.js +``` \ No newline at end of file diff --git a/sections/projectstructre/choose-framework.md b/sections/projectstructre/choose-framework.md new file mode 100644 index 000000000..6af330a0f --- /dev/null +++ b/sections/projectstructre/choose-framework.md @@ -0,0 +1,39 @@ +# Consider all the consequences when choosing the main framework + +
+ +### Recommended frameworks: Pros and cons + +Unlike other choices, choosing the core framework determines strategic factors like the development style and how likely the team is to hit a wall. We believe that framework popularity is a supreme consideration and put our focus on the top 4 most popular frameworks in terms of downloads and GitHub stars. The text below outlines the pros and cons of each framework and how to match a framework to the right application type + +**express.js** + +Pros: Unmatched popularity; gigantic eco-system of extensions and middleware; simple to learn and use; familiar to almost every Node.js developer; tons of community articles and videos are based on express + +Cons: Covers a small subset of a typical application needs - merely a web server that invokes the app function per URL. Choosing express means leaving a handful of app concerns uncovered; outdated mechanics - no native support for async-await; barely maintained and updated; Slower than others + +**Nest.js** + +Pros: More batteries than any other option - covers many application concern including message queues, scheduled jobs and more; OOP-style is an advantage for teams who appreciate this design style; awesome docs; well-maintained; high popularity with a vibrant community + +Cons: High-level abstractions that cloud built-in Node.js conventions; The inclusion of many features, heavy usage of TypeScript and reference to sophisticated patterns might push teams for increased complexity; Steeper learning curve due to a handful of unique narratives (e.g., interceptors, guards, modules, and more); Highly opinionated + +**Fastify** + +Pros: Relatively simple and lean; mostly based on Node.js/JavaScript standards; relatively shallow learning curve; with its official plugins cover many application concerns though not as rich as Nest.js; + +Cons: Younger than others and not as popular yet; smaller eco-system compared to express and Nest.js + +**Koa** + +Pros: When compared with express: it's Simpler and nimbler; modern API with async/await support; better performance + +Cons: Covers a small subset of a typical application needs - leaves a handful of app concerns uncovered; Not as popular as express and Nest.js + +### A brief choosing guide + +**Prefer express.js when** - having an experienced architect onboard _and_ in a need to control the fine-grained pieces of the puzzle. In this circumstances, Koa is also a solid option with a more modern API than express but a much smaller eco-system + +**Prefer Fastify when -** The app consists of reasonably-sized components/Microservices (i.e., not a huge monolith); for teams who have solid JavaScript & Node.js knowledge; when sticking to Node.js narratives and spirit is desirable + +**Prefer Nest.js when** - It's desirable to design and code in OOP style; when the team is highly experienced with Java/Spring/Angular or similar; for large size app that can't be broken down (i.e. monolith) to autonomous component; for a team that lacks fundamental JavaScript/Node.js skills (not exclusively, this yet another consideration); when the decision-making overhead should be minimized; when the time to the first delivery is a critical factor diff --git a/sections/projectstructre/createlayers.md b/sections/projectstructre/createlayers.md index bd02a1af0..f67f88cec 100644 --- a/sections/projectstructre/createlayers.md +++ b/sections/projectstructre/createlayers.md @@ -2,12 +2,27 @@
- ### Separate component code into layers: web, services, and Data Access Layer (DAL) +### Separate component code into 3 layers - +The root of every component should hold 3 folders that represent common concerns and stages of every transaction: -
+```bash +my-system +โโ apps (components) +โ โโ component-a + โ โโ entry-points + โ โ โโ api # controller comes here + โ โ โโ message-queue # message consumer comes here + โ โโ domain # features and flows: DTO, services, logic + โ โโ data-access # DB calls w/o ORM +``` -### 1 min explainer: The downside of mixing layers +**- Entry-points -** This is where requests and flows start, whether it's REST API, Graph, message queue, scheduled jobs or any other _door_ to the application. This layer's responsibility is quite minimal - adapt the payload (e.g., JSON) to the app format, including first validation, call the logic/domain layer and return a response. This is typically achieved with a few lines of code. Many use the term "controller" for this type of code also technically, its just an adapter - +**- Domain -** This is where the app flows, logic and data live. This layer accepts protocol-agnostic payload, plain JavaScript object and returns one as well. Technically it contains common code objects like services, dto/entities, and clients that call external services. It also typically calls the data-access layer to retrieve or persist information + +**- Data-access -** This is where the app holds code that interacts with DB. Ideally, it should externalize an interface that returns/gets plain JavaScript object that is DB agnostic (also known as the repository-pattern). This layer involves DB helper utilities like query builders, ORMs, DB drivers and other implementation libraries + +**What is the merit? -** When having flexible infrastructure that allows adding more API calls and DB queries promptly, a developer can code a feature faster by focusing on the domain folder. In other words, less time is spent on technical activities and more on activities with added value. This is a ubiquitous trait that is at the heart of most software architectures like DDD, hexagonal, clean-architecture and others. On top of this, when the domain layer is not aware of any edge protocol, it can serve any client and not only HTTP calls + +**Why not MVC or clean architecture? -** The 3-tier pattern strikes a great balance between achieving the separation goal while still keeping the structure simple. It also lacks abstractions - each tier represents real-world physical tier where every request will visit. On the other hand, MVC is a simplistic pattern where the letters VC represent a few lines of a code only and the letter M means anything else. Clean architecture is architecture with high level of abstractions that can achieve even greater separation but the price tag is unproportionally higher due to the increased complexity \ No newline at end of file diff --git a/sections/projectstructre/separateexpress.md b/sections/projectstructre/separateexpress.md deleted file mode 100644 index e35c67d24..000000000 --- a/sections/projectstructre/separateexpress.md +++ /dev/null @@ -1,100 +0,0 @@ -# Separate Express 'app' and 'server' - -
- -### One Paragraph Explainer - -The latest Express generator comes with a great practice that is worth to keep - the API declaration is separated from the network related configuration (port, protocol, etc). This allows testing the API in-process, without performing network calls, with all the benefits that it brings to the table: fast testing execution and getting coverage metrics of the code. It also allows deploying the same API under flexible and different network conditions. Bonus: better separation of concerns and cleaner code - -
- -### Code example: API declaration, should reside in app.js/app.ts - -```javascript -const app = express(); -app.use(bodyParser.json()); -app.use('/api/events', events.API); -app.use('/api/forms', forms); -``` - -### Code example: Server network declaration, should reside in /bin/www - -
-
-
-Javascript
- -```javascript -const app = require('../app'); -const http = require('http'); - -// Get port from environment and store in Express. -const port = normalizePort(process.env.PORT || '3000'); -app.set('port', port); - -// Create HTTP server. -const server = http.createServer(app); -``` -
-
-
-### Example: test your API in-process using supertest (popular testing package)
-
-Typescript
- -```typescript -import app from '../app'; -import http from 'http'; - -// Get port from environment and store in Express. -const port = normalizePort(process.env.PORT || '3000'); -app.set('port', port); - -// Create HTTP server. -const server = http.createServer(app); -``` -
-
-
-
-Javascript
- -```javascript -const request = require('supertest'); -const app = express(); - -app.get('/user', (req, res) => { - res.status(200).json({ name: 'tobi' }); -}); - -request(app) - .get('/user') - .expect('Content-Type', /json/) - .expect('Content-Length', '15') - .expect(200) - .end((err, res) => { - if (err) throw err; - }); -``` -
-
diff --git a/sections/projectstructre/typescript-considerations.md b/sections/projectstructre/typescript-considerations.md
new file mode 100644
index 000000000..fcf881111
--- /dev/null
+++ b/sections/projectstructre/typescript-considerations.md
@@ -0,0 +1,23 @@
+# Use TypeScript sparingly and thoughtfully
+
+Typescript
- -```typescript -import * as request from "supertest"; -const app = express(); - -app.get('/user', (req: Request, res: Response) => { - res.status(200).json({ name: 'tobi' }); -}); - -request(app) - .get('/user') - .expect('Content-Type', /json/) - .expect('Content-Length', '15') - .expect(200) - .end((err: Error) => { - if (err) throw err; - }); - -``` -+ +### One Paragraph Explainer + +TypeScript has won the community's hearts and is almost a standard for modern JavaScript apps. Compared to plain JS, it brings much better coding ergonomics, facilitates editor code completions, even for historical libraries that were written with JavaScript and was proven to [prevent specific type of bugs](https://earlbarr.com/publications/typestudy.pdf). With that, if you look carefully under the hype, TypeScript actually brings two **mutually-exclusive** offerings to the table: type-safety and advanced design constructs like abstract classes, interfaces, namespaces and more. Many teams chose TypeScript for better type safety yet _unintentionally_, without any proper planning, use it for other purposes, such as OOP. These teams change their design style unintentionally due to the ['law of the instruments'](https://en.wikipedia.org/wiki/Law_of_the_instrument) โ a cognitive bias that involves using the tooling in hand whether they are the right choice for the mission or not. In other words, if an 'abstract class' exists in the toolbox โ developers will use it. If teams consciously opted for the coding techniques mentioned above โ that's fair and legit. For others, positively consider coding with classic JavaScript, plain functions and objects, which are simply decorated with primitive types. The latter option is likely to result in lower complexity + +
+ +### Research Quote: "15% less bugs" + +From the research [To Type or Not to Type](https://earlbarr.com/publications/typestudy.pdf) + +> "our central finding is that both static type systems find an important percentage of public bugs: both Flow 0.30 and TypeScript 2.0 successfully detect 15%!" + +
+ +### Blog Quote: "TypeScript will always miss 80% of bugs" + +From the post [The TypeScript tax](https://medium.com/javascript-scene/the-typescript-tax-132ff4cb175b) + +> "Some will argue that TypeScript provides realtime bug feedback, so you can catch the bugs earlier, but so do type inference, lint, and testing... You may argue that these other measures have a cost, but because TypeScript will always miss 80% of bugs, you canโt safely skip them either way, so their cost applies to both sides of the ROI math, and is already factored in" diff --git a/sections/security/limitrequests.md b/sections/security/limitrequests.md index 21482d050..0763a3b57 100644 --- a/sections/security/limitrequests.md +++ b/sections/security/limitrequests.md @@ -8,12 +8,10 @@ Rate limiting should be implemented in your application to protect a Node.js app ```javascript const http = require('http'); - const redis = require('redis'); + const IoRedis = require('ioredis'); const { RateLimiterRedis } = require('rate-limiter-flexible'); - const redisClient = redis.createClient({ - enable_offline_queue: false, - }); + const redisClient = new IoRedis({ enableOfflineQueue: false }); // Maximum 20 requests per second const rateLimiter = new RateLimiterRedis({ diff --git a/sections/testingandquality/citools.md b/sections/testingandquality/citools.md deleted file mode 100644 index 375e89fea..000000000 --- a/sections/testingandquality/citools.md +++ /dev/null @@ -1,51 +0,0 @@ -# Carefully choose your CI platform - -
- -### One Paragraph Explainer - -The CI world used to be the flexibility of [Jenkins](https://jenkins.io/) vs the simplicity of SaaS vendors. The game is now changing as SaaS providers like [CircleCI](https://circleci.com/) and [Travis](https://travis-ci.org/) offer robust solutions including Docker containers with minimum setup time while Jenkins tries to compete on 'simplicity' segment as well. Though one can setup rich CI solution in the cloud, should it required to control the finest details Jenkins is still the platform of choice. The choice eventually boils down to which extent the CI process should be customized: free and setup free cloud vendors allow to run custom shell commands, custom docker images, adjust the workflow, run matrix builds and other rich features. However, if controlling the infrastructure or programming the CI logic using a formal programming language like Java is desired - Jenkins might still be the choice. Otherwise, consider opting for the simple and setup free cloud option - -
- -### Code Example โ a typical cloud CI configuration. Single .yml file and that's it - -```yaml -version: 2 -jobs: - build: - docker: - - image: circleci/node:4.8.2 - - image: mongo:3.4.4 - steps: - - checkout - - run: - name: Install npm wee - command: npm install - test: - docker: - - image: circleci/node:4.8.2 - - image: mongo:3.4.4 - steps: - - checkout - - run: - name: Test - command: npm test - - run: - name: Generate code coverage - command: './node_modules/.bin/nyc report --reporter=text-lcov' - - store_artifacts: - path: coverage - prefix: coverage - -``` - -### Circle CI - almost zero setup cloud CI - - - -### Jenkins - sophisticated and robust CI - - - -
diff --git a/sections/testingandquality/mock-external-services.md b/sections/testingandquality/mock-external-services.md new file mode 100644 index 000000000..6def85708 --- /dev/null +++ b/sections/testingandquality/mock-external-services.md @@ -0,0 +1,88 @@ +# Mock responses of external HTTP services + +
+ +### One Paragraph Explainer + +Isolate the component under test by intercepting any outgoing HTTP request and providing the desired response so the collaborator HTTP API won't get hit. Nock is a great tool for this mission as it provides a convenient syntax for defining external services behavior. Isolation is a must to prevent noise and slow performance but mostly to simulate various scenarios and responses - A good flight simulator is not about painting clear blue sky rather bringing safe storms and chaos. This is reinforced in a Microservice architecture where the focus should always be on a single component without involving the rest of the world. Though it's possible to simulate external service behavior using test doubles (mocking), it's preferable not to touch the deployed code and act on the network level to keep the tests pure black-box. The downside of isolation is not detecting when the collaborator component changes and not realizing misunderstandings between the two services - Make sure to compensate for this using a few contract or E2E tests. + + +
+ +### Code Example โ a simple mock using nock + +```javascript +// Intercept requests for internal or 3rd party APIs and return a predefined response +beforeEach(() => { + nock("http://localhost/user/").get(`/1`).reply(200, { + id: 1, + name: "John", + }); +}); +``` + +### Code Example โ simulating an important scenario inside the test + +```javascript +// Using an uncommon user id (7) and create a compatible interceptor +test("When the user does not exist, return http 404", async () => { + //Arrange + const orderToAdd = { + userId: 7, + productId: 2, + mode: "draft", + }; + + nock("http://localhost/user/").get(`/7`).reply(404, { + message: "User does not exist", + code: "nonExisting", + }); + + //Act + const orderAddResult = await axiosAPIClient.post("/order", orderToAdd); + + //Assert + expect(orderAddResult.status).toBe(404); +}); +``` + +### Code Example โ preventing requests from going outside to the real-world + +```javascript +beforeAll(async () => { + // ... + // ๏ธ๏ธ๏ธEnsure that this component is isolated by preventing unknown calls + nock.disableNetConnect(); + // Enable only requests for the API under test + nock.enableNetConnect("127.0.0.1"); +}); +``` + +### Code Example โ ensuring that the outgoing request schema is correct + +```javascript +// ๏ธ๏ธ๏ธAssert that the app called the mailer service appropriately with the right input +test("When order failed, send mail to admin", async () => { + //Arrange + // ... + let emailPayload; + nock("http://mailer.com") + .post("/send", (payload) => ((emailPayload = payload), true)) + .reply(202); + const orderToAdd = { + userId: 1, + productId: 2, + mode: "approved", + }; + + //Act + await axiosAPIClient.post("/order", orderToAdd); + + // ๏ธ๏ธ๏ธAssert + expect(emailPayload).toMatchObject({ + subject: expect.any(String), + body: expect.any(String), + recipientAddress: expect.stringMatching(/^[\w-\.]+@([\w-]+\.)+[\w-]{2,4}$/), + }); +}); +``` diff --git a/sections/testingandquality/randomize-port.md b/sections/testingandquality/randomize-port.md new file mode 100644 index 000000000..28af118df --- /dev/null +++ b/sections/testingandquality/randomize-port.md @@ -0,0 +1,31 @@ +# Specify a port in production, randomize in testing + +
+ +### One Paragraph Explainer + +When writing component/integration tests, the web server should be started by the tests in the same process - this opens the door for many desirable testing features like mocking, coverage, and more. In a multi-process test runner, multiple web server instances will be opened. If these instances try to open the same port, they will collide. In testing only, let the server randomize a port to prevent collisions. This can easily achieved by providing an [ephemeral port](https://en.wikipedia.org/wiki/Ephemeral_port), the number zero, so the operating system will allocate an available port + +
+ +### Code Example โ starting the web server with testing in-mind + +```javascript +// api-under-test.js +const initializeWebServer = async () => { + return new Promise((resolve, reject) => { + // Fixed port in production, a zero port (ephemeral) for testing + const webServerPort = process.env.PORT ? process.env.PORT : 0; + expressApp = express(); + connection = expressApp.listen(webServerPort, () => { + // No port + resolve(expressApp); + }); + }); +}; + +// test.js +beforeAll(async () => { + expressApp = await initializeWebServer(); // No port +}); +``` diff --git a/sections/testingandquality/test-five-outcomes.md b/sections/testingandquality/test-five-outcomes.md new file mode 100644 index 000000000..d87386207 --- /dev/null +++ b/sections/testingandquality/test-five-outcomes.md @@ -0,0 +1,23 @@ +# Test the five potential outcomes + +
+ +### One Paragraph Explainer + +When planning your tests, consider covering the five typical flow's outputs. When your test is triggering some action (e.g., API call), a reaction is happening, something meaningful occurs and calls for testing. Note that we don't care about how things work. Our focus is on outcomes, things that are noticeable from the outside and might affect the user. These outcomes/reactions can be put in 5 categories: + +โข Response - the test invokes an action (e.g., via API) and gets a response. It's now concerned with checking the response data correctness, schema, and HTTP status. + +โข A new state - after invoking an action, some data is probably modified. For example, when updating a user, it may be that the new data was not saved. Commonly and mistakenly, testers check only the response and not whether the data is updated correctly. Testing data and databases raises multiple interesting challenges that are greatly covered below in the ๐ section 'Dealing with data'. + +โข External calls - after invoking an action, the app might call an external component via HTTP or any other transport. For example, a call to send SMS, email or charge a credit card. Anything that goes outside and might affect the user - should be tested. Testing integrations is a broad topic which is discussed in the ๐ section 'Testing integrations' below. + +โข Message queues - the outcome of a flow might be a message in a queue. In our example application, once a new order was saved, the app puts a message in some MQ product. Now other components can consume this message and continue the flow. This is very similar to testing integrations, only working with message queues is different technically and tricky. The ๐ section 'Message Queues' below delve into this topic. + +โข Observability - some things must be monitored, like errors or remarkable business events. When a transaction fails, not only do we expect the right response but also the correct error handling and proper logging/metrics. This information goes directly to a very important user - the ops user (i.e., production SRE/admin). Testing error handlers isn't very straightforward because many types of errors might get thrown, where some errors should lead to process crashing, and there are many other details to cover. We plan to write the ๐ section on 'Observability and errors' soon. + +
+ +### Example: The backend testing checklist + +