Node.js Backend

Express, Hono, Fastify, Cloudflare Workers, serverless functions. What VibeCode QA checks and which tools power each analysis.

Quick Start

npx @vibecodeqa/cli

Set up CI + auto-fix

npx @vibecodeqa/cli init    # creates .github/workflows/vibecodeqa.yml
npx @vibecodeqa/cli fix     # auto-fix lint issues + show fix suggestions

Auto-detects: TypeScript/JavaScript, test runner, linter, package manager, monorepo workspaces.

Backend-Specific Checks

Security — Critical for backends

Pattern	CWE	What It Catches
SQL Injection	CWE-89	Template literals in query/prepare/execute calls
Command Injection	CWE-78	child_process.exec with string args (prefer execFile)
SSRF	CWE-918	fetch() with user-supplied URLs
Path Traversal	CWE-22	readFile/writeFile with user input in path
Prototype Pollution	CWE-1321	Object.assign/spread from req.body/params
Weak Crypto	CWE-330/328	Math.random for tokens, MD5/SHA1 for hashing
localStorage in auth	CWE-922	Storing tokens/secrets in client-side storage
Cookie Security	CWE-1004/614	document.cookie without HttpOnly, Set-Cookie without Secure

For deeper security analysis, add semgrep in CI/CD — it does proper data-flow tracking.

Error Handling — Essential for servers

Pattern	Why It Matters
Empty catch blocks	Errors silently disappear — users see broken behavior with no logs
Floating promises	Unhandled rejections crash Node.js 15+ in production
`.catch(() => {})`	Swallowed errors — at least log them for debugging
JSON.parse without try-catch	Malformed request body crashes the request handler
while(true) without break	Infinite loop freezes the event loop — all requests hang
process.exit() in library code	Libraries should throw, not exit — callers can't recover
Missing unhandledRejection handler	Uncaught promise rejections crash the server in Node 15+

.env File Audit

The secrets checker verifies:

.env files are in .gitignore
No secrets with long values in committed .env files
Hardcoded API keys/tokens in source code

Recommended Tool Setup

# Core
pnpm add -D typescript @biomejs/biome vitest

# Security
brew install gitleaks              # secret detection (800+ patterns)
# pip install semgrep             # optional: deeper SAST in CI

# Supply chain
# pnpm add -D socket             # optional: pre-install malware detection

# Monitoring (detected by best-practices check)
pnpm add -D @sentry/node          # error tracking

Cloudflare Workers

Workers are detected via wrangler.toml. VibeCode QA:

Runs tsc --noEmit for type checking
Scans for security patterns (SSRF, secrets in code)
Detects Workers as a "container" in the architecture diagram
Checks wrangler.toml for secrets vs. vars separation

Monorepo: Platform Repos

Common pattern: packages/api + packages/sdk + packages/cli. VibeCode QA:

Detects pnpm-workspace.yaml / npm workspaces automatically
Runs TypeScript per-package (project references or individual tsconfigs)
Architecture diagrams show cross-package dependencies
Scoring is proportional — 10 issues in 200 files != 10 issues in 5 files

CI Integration

# .github/workflows/quality.yml
name: Code Quality
on: [pull_request]
permissions: { contents: read }
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx @vibecodeqa/cli --ci --fail-under 70 --sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: .vibe-check/report.sarif

Home · Tool Decisions · TypeScript + React · Flutter Guide