Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
node-style-guide
Advanced tools
This is a guide for writing consistent and aesthetically pleasing node.js code. It is inspired by what is popular within the community, and flavored with some personal opinions.
There is a .jshintrc which enforces these rules as closely as possible. You can either use that and adjust it, or use this script to make your own.
This guide was created by Felix Geisendörfer and is licensed under the CC BY-SA 3.0 license. You are encouraged to fork this repository and make adjustments according to your preferences.
Use 2 spaces for indenting your code and swear an oath to never mix tabs and spaces - a special kind of hell is awaiting you otherwise.
Use UNIX-style newlines (\n
), and a newline character as the last character
of a file. Windows-style newlines (\r\n
) are forbidden inside any repository.
Just like you brush your teeth after every meal, you clean up any trailing whitespace in your JS files before committing. Otherwise the rotten smell of careless neglect will eventually drive away contributors and/or co-workers.
According to scientific research, the usage of semicolons is a core value of our community. Consider the points of the opposition, but be a traditionalist when it comes to abusing error correction mechanisms for cheap syntactic pleasures.
Limit your lines to 80 characters. Yes, screens have gotten much bigger over the last few years, but your brain has not. Use the additional room for split screen, your editor supports that, right?
Use single quotes, unless you are writing JSON.
Right:
var foo = 'bar';
Wrong:
var foo = "bar";
Your opening braces go on the same line as the statement.
Right:
if (true) {
console.log('winning');
}
Wrong:
if (true)
{
console.log('losing');
}
Also, notice the use of whitespace before and after the condition statement.
Declare one variable per var statement, it makes it easier to re-order the lines. However, ignore Crockford when it comes to declaring variables deeper inside a function, just put the declarations wherever they make sense.
Right:
var keys = ['foo', 'bar'];
var values = [23, 42];
var object = {};
while (keys.length) {
var key = keys.pop();
object[key] = values.pop();
}
Wrong:
var keys = ['foo', 'bar'],
values = [23, 42],
object = {},
key;
while (keys.length) {
key = keys.pop();
object[key] = values.pop();
}
Variables, properties and function names should use lowerCamelCase
. They
should also be descriptive. Single character variables and uncommon
abbreviations should generally be avoided.
Right:
var adminUser = db.query('SELECT * FROM users ...');
Wrong:
var admin_user = db.query('SELECT * FROM users ...');
Class names should be capitalized using UpperCamelCase
.
Right:
function BankAccount() {
}
Wrong:
function bank_Account() {
}
Constants should be declared as regular variables or static class properties, using all uppercase letters.
Node.js / V8 actually supports mozilla's const extension, but unfortunately that cannot be applied to class members, nor is it part of any ECMA standard.
Right:
var SECOND = 1 * 1000;
function File() {
}
File.FULL_PERMISSIONS = 0777;
Wrong:
const SECOND = 1 * 1000;
function File() {
}
File.fullPermissions = 0777;
Use trailing commas and put short declarations on a single line. Only quote keys when your interpreter complains:
Right:
var a = ['hello', 'world'];
var b = {
good: 'code',
'is generally': 'pretty',
};
Wrong:
var a = [
'hello', 'world'
];
var b = {"good": 'code'
, is generally: 'pretty'
};
Programming is not about remembering stupid rules. Use the triple equality operator as it will work just as expected.
Right:
var a = 0;
if (a !== '') {
console.log('winning');
}
Wrong:
var a = 0;
if (a == '') {
console.log('losing');
}
The ternary operator should not be used on a single line. Split it up into multiple lines instead.
Right:
var foo = (a === b)
? 1
: 2;
Wrong:
var foo = (a === b) ? 1 : 2;
Any non-trivial conditions should be assigned to a descriptively named variable or function:
Right:
var isValidPassword = password.length >= 4 && /^(?=.*\d).{4,}$/.test(password);
if (isValidPassword) {
console.log('winning');
}
Wrong:
if (password.length >= 4 && /^(?=.*\d).{4,}$/.test(password)) {
console.log('losing');
}
Keep your functions short. A good function fits on a slide that the people in the last row of a big room can comfortably read. So don't count on them having perfect vision and limit yourself to ~15 lines of code per function.
To avoid deep nesting of if-statements, always return a function's value as early as possible.
Right:
function isPercentage(val) {
if (val < 0) {
return false;
}
if (val > 100) {
return false;
}
return true;
}
Wrong:
function isPercentage(val) {
if (val >= 0) {
if (val < 100) {
return true;
} else {
return false;
}
} else {
return false;
}
}
Or for this particular example it may also be fine to shorten things even further:
function isPercentage(val) {
var isInRange = (val >= 0 && val <= 100);
return isInRange;
}
Feel free to give your closures a name. It shows that you care about them, and will produce better stack traces, heap and cpu profiles.
Right:
req.on('end', function onEnd() {
console.log('winning');
});
Wrong:
req.on('end', function() {
console.log('losing');
});
Use closures, but don't nest them. Otherwise your code will become a mess.
Right:
setTimeout(function() {
client.connect(afterConnect);
}, 1000);
function afterConnect() {
console.log('winning');
}
Wrong:
setTimeout(function() {
client.connect(function() {
console.log('losing');
});
}, 1000);
One method per line should be used if you want to chain methods.
You should also indent these methods so it's easier to tell they are part of the same chain.
Right:
User
.findOne({ name: 'foo' })
.populate('bar')
.exec(function(err, user) {
return true;
});
Wrong:
User
.findOne({ name: 'foo' })
.populate('bar')
.exec(function(err, user) {
return true;
});
User.findOne({ name: 'foo' })
.populate('bar')
.exec(function(err, user) {
return true;
});
User.findOne({ name: 'foo' }).populate('bar')
.exec(function(err, user) {
return true;
});
User.findOne({ name: 'foo' }).populate('bar')
.exec(function(err, user) {
return true;
});
Use slashes for both single line and multi line comments. Try to write comments that explain higher level mechanisms or clarify difficult segments of your code. Don't use comments to restate trivial things.
Right:
// 'ID_SOMETHING=VALUE' -> ['ID_SOMETHING=VALUE', 'SOMETHING', 'VALUE']
var matches = item.match(/ID_([^\n]+)=([^\n]+)/));
// This function has a nasty side effect where a failure to increment a
// redis counter used for statistics will cause an exception. This needs
// to be fixed in a later iteration.
function loadUser(id, cb) {
// ...
}
var isSessionValid = (session.expires < Date.now());
if (isSessionValid) {
// ...
}
Wrong:
// Execute a regex
var matches = item.match(/ID_([^\n]+)=([^\n]+)/);
// Usage: loadUser(5, function() { ... })
function loadUser(id, cb) {
// ...
}
// Check if the session is valid
var isSessionValid = (session.expires < Date.now());
// If the session is valid
if (isSessionValid) {
// ...
}
Crazy shit that you will probably never need. Stay away from it.
Do not use setters, they cause more problems for people who try to use your software than they can solve.
Feel free to use getters that are free from side effects, like providing a length property for a collection class.
Do not extend the prototype of native JavaScript objects. Your future self will be forever grateful.
Right:
var a = [];
if (!a.length) {
console.log('winning');
}
Wrong:
Array.prototype.empty = function() {
return !this.length;
}
var a = [];
if (a.empty()) {
console.log('losing');
}
FAQs
A guide for styling your node.js / JavaScript code.
We found that node-style-guide demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.