2025 Node.js 最佳实践指南：框架选择、架构原则与异步模式

nodejs-best-practices by claudiodearaujo/izacenter

1 周安装量

1 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/claudiodearaujo/izacenter --skill nodejs-best-practices

Node.js 代码规范系统架构

🇨🇳中文介绍

Node.js 最佳实践

2025 年 Node.js 开发的原则与决策指南。学会思考，而非死记代码模式。

⚠️ 如何使用此技能

此技能教授的是决策原则，而非固定的代码以供复制。

当情况不明确时，询问用户的偏好
基于上下文选择框架/模式
不要每次都默认使用相同的解决方案

1. 框架选择 (2025)

决策树

What are you building?
│
├── Edge/Serverless (Cloudflare, Vercel)
│   └── Hono (zero-dependency, ultra-fast cold starts)
│
├── High Performance API
│   └── Fastify (2-3x faster than Express)
│
├── Enterprise/Team familiarity
│   └── NestJS (structured, DI, decorators)
│
├── Legacy/Stable/Maximum ecosystem
│   └── Express (mature, most middleware)
│
└── Full-stack with frontend
    └── Next.js API Routes or tRPC

比较原则

因素	Hono	Fastify	Express

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

选择时需要询问的问题：

部署目标是什么？
冷启动时间是否至关重要？
团队是否有现有经验？
是否有遗留代码需要维护？

2. 运行时考量 (2025)

Node.js 22+: --experimental-strip-types
├── 直接运行 .ts 文件
├── 简单项目无需构建步骤
└── 考虑用于：脚本，简单 API

ESM (import/export)
├── 现代标准
├── 更好的 Tree-shaking
├── 异步模块加载
└── 用于：新项目

CommonJS (require)
├── 遗留兼容性
├── 更多 npm 包支持
└── 用于：现有代码库，某些边缘情况

运行时	最适合
Node.js	通用目的，最大的生态系统
Bun	性能，内置打包器
Deno	安全优先，内置 TypeScript

Request Flow:
│
├── Controller/Route Layer
│   ├── 处理 HTTP 具体细节
│   ├── 在边界进行输入验证
│   └── 调用服务层
│
├── Service Layer
│   ├── 业务逻辑
│   ├── 与框架无关
│   └── 调用仓库层
│
└── Repository Layer
    ├── 仅数据访问
    ├── 数据库查询
    └── ORM 交互

可测试性：可以独立模拟各层
灵活性：更换数据库无需触及业务逻辑
清晰性：每层职责单一

小型脚本 → 单文件即可
原型 → 结构可以少一些
始终要问："这个项目会增长吗？"

4. 错误处理原则

集中式错误处理

Pattern:
├── 创建自定义错误类
├── 从任何层抛出
├── 在顶层捕获（中间件）
└── 格式化一致的响应

Client gets:
├── 适当的 HTTP 状态码
├── 用于编程处理的错误代码
├── 用户友好的消息
└── 不包含内部细节（安全！）

Logs get:
├── 完整的堆栈跟踪
├── 请求上下文
├── 用户 ID（如适用）
└── 时间戳

情况	状态码	时机
错误输入	400	客户端发送了无效数据
未认证	401	缺少或凭据无效
无权限	403	认证有效，但不允许操作
未找到	404	资源不存在
冲突	409	重复或状态冲突
验证失败	422	模式有效但业务规则失败
服务器错误	500	我们的错误，记录所有信息

5. 异步模式原则

何时使用每种模式

模式	使用时机
`async/await`	顺序的异步操作
`Promise.all`	并行的独立操作
`Promise.allSettled`	并行操作，允许部分失败
`Promise.race`	超时或首个响应胜出

I/O-bound (async helps):
├── 数据库查询
├── HTTP 请求
├── 文件系统
└── 网络操作

CPU-bound (async doesn't help):
├── 加密操作
├── 图像处理
├── 复杂计算
└── → 使用工作线程或卸载处理

避免阻塞事件循环

切勿在生产环境中使用同步方法（如 fs.readFileSync 等）
卸载 CPU 密集型工作
处理大数据时使用流

在边界进行验证

Where to validate:
├── API 入口点（请求体/参数）
├── 数据库操作之前
├── 外部数据（API 响应，文件上传）
└── 环境变量（启动时）

库	最适合
Zod	TypeScript 优先，类型推断
Valibot	更小的包体积（可 Tree-shake）
ArkType	性能关键
Yup	已有 React Form 使用场景

快速失败：尽早验证
具体明确：清晰的错误消息
不要信任：即使是"内部"数据

安全检查清单（非代码）

输入验证：验证所有输入
参数化查询：SQL 查询不使用字符串拼接
密码哈希：使用 bcrypt 或 argon2
JWT 验证：始终验证签名和过期时间
速率限制：防止滥用
安全头：使用 Helmet.js 或等效方案
HTTPS：生产环境全程使用
CORS：正确配置
密钥：仅使用环境变量
依赖项：定期审计

Trust nothing:
├── 查询参数 → 验证
├── 请求体 → 验证
├── 请求头 → 验证
├── Cookies → 验证
├── 文件上传 → 扫描
└── 外部 API → 验证响应

类型	目的	工具
单元测试	业务逻辑	node:test, Vitest
集成测试	API 端点	Supertest
端到端测试	完整流程	Playwright

测试什么（优先级）

关键路径：认证、支付、核心业务
边界情况：空输入、边界值
错误处理：失败时会发生什么？
不值得测试：框架代码、简单的 getter

内置测试运行器 (Node.js 22+)

node --test src/**/*.test.ts
├── 无需外部依赖
├── 良好的覆盖率报告
└── 支持监视模式

10. 需要避免的反模式

在新边缘项目中使用 Express（使用 Hono）
在生产代码中使用同步方法
将业务逻辑放在控制器中
跳过输入验证
硬编码密钥
不经验证就信任外部数据
用 CPU 工作阻塞事件循环

根据上下文选择框架
情况不明确时询问用户偏好
对增长型项目使用分层架构
验证所有输入
使用环境变量存储密钥
优化前先进行性能分析

询问过用户关于技术栈的偏好吗？
是否为这个上下文选择了框架？（不仅仅是默认选择）
考虑过部署目标吗？
规划好错误处理策略了吗？
识别出验证点了吗？
考虑过安全要求吗？

记住：Node.js 最佳实践关乎决策，而非死记模式。每个项目都应根据其需求进行全新的考量。

🇺🇸English

Node.js Best Practices

Principles and decision-making for Node.js development in 2025. Learn to THINK, not memorize code patterns.

⚠️ How to Use This Skill

This skill teaches decision-making principles , not fixed code to copy.

ASK user for preferences when unclear
Choose framework/pattern based on CONTEXT
Don't default to same solution every time

1. Framework Selection (2025)

Decision Tree

What are you building?
│
├── Edge/Serverless (Cloudflare, Vercel)
│   └── Hono (zero-dependency, ultra-fast cold starts)
│
├── High Performance API
│   └── Fastify (2-3x faster than Express)
│
├── Enterprise/Team familiarity
│   └── NestJS (structured, DI, decorators)
│
├── Legacy/Stable/Maximum ecosystem
│   └── Express (mature, most middleware)
│
└── Full-stack with frontend
    └── Next.js API Routes or tRPC

Comparison Principles

Factor	Hono	Fastify	Express
Best for	Edge, serverless	Performance	Legacy, learning
Cold start	Fastest	Fast	Moderate
Ecosystem	Growing	Good	Largest
TypeScript	Native	Excellent	Good
Learning curve	Low	Medium	Low

Selection Questions to Ask:

What's the deployment target?
Is cold start time critical?
Does team have existing experience?
Is there legacy code to maintain?

2. Runtime Considerations (2025)

Native TypeScript

Node.js 22+: --experimental-strip-types
├── Run .ts files directly
├── No build step needed for simple projects
└── Consider for: scripts, simple APIs

Module System Decision

ESM (import/export)
├── Modern standard
├── Better tree-shaking
├── Async module loading
└── Use for: new projects

CommonJS (require)
├── Legacy compatibility
├── More npm packages support
└── Use for: existing codebases, some edge cases

Runtime Selection

Runtime	Best For
Node.js	General purpose, largest ecosystem
Bun	Performance, built-in bundler
Deno	Security-first, built-in TypeScript

3. Architecture Principles

Layered Structure Concept

Request Flow:
│
├── Controller/Route Layer
│   ├── Handles HTTP specifics
│   ├── Input validation at boundary
│   └── Calls service layer
│
├── Service Layer
│   ├── Business logic
│   ├── Framework-agnostic
│   └── Calls repository layer
│
└── Repository Layer
    ├── Data access only
    ├── Database queries
    └── ORM interactions

Why This Matters:

Testability : Mock layers independently
Flexibility : Swap database without touching business logic
Clarity : Each layer has single responsibility

When to Simplify:

Small scripts → Single file OK
Prototypes → Less structure acceptable
Always ask: "Will this grow?"

4. Error Handling Principles

Centralized Error Handling

Pattern:
├── Create custom error classes
├── Throw from any layer
├── Catch at top level (middleware)
└── Format consistent response

Error Response Philosophy

Client gets:
├── Appropriate HTTP status
├── Error code for programmatic handling
├── User-friendly message
└── NO internal details (security!)

Logs get:
├── Full stack trace
├── Request context
├── User ID (if applicable)
└── Timestamp

Status Code Selection

Situation	Status	When
Bad input	400	Client sent invalid data
No auth	401	Missing or invalid credentials
No permission	403	Valid auth, but not allowed
Not found	404	Resource doesn't exist
Conflict	409	Duplicate or state conflict
Validation	422	Schema valid but business rules fail
Server error	500	Our fault, log everything

5. Async Patterns Principles

When to Use Each

Pattern	Use When
`async/await`	Sequential async operations
`Promise.all`	Parallel independent operations
`Promise.allSettled`	Parallel where some can fail
`Promise.race`	Timeout or first response wins

Event Loop Awareness

I/O-bound (async helps):
├── Database queries
├── HTTP requests
├── File system
└── Network operations

CPU-bound (async doesn't help):
├── Crypto operations
├── Image processing
├── Complex calculations
└── → Use worker threads or offload

Avoiding Event Loop Blocking

Never use sync methods in production (fs.readFileSync, etc.)
Offload CPU-intensive work
Use streaming for large data

6. Validation Principles

Validate at Boundaries

Where to validate:
├── API entry point (request body/params)
├── Before database operations
├── External data (API responses, file uploads)
└── Environment variables (startup)

Validation Library Selection

Library	Best For
Zod	TypeScript first, inference
Valibot	Smaller bundle (tree-shakeable)
ArkType	Performance critical
Yup	Existing React Form usage

Validation Philosophy

Fail fast: Validate early
Be specific: Clear error messages
Don't trust: Even "internal" data

7. Security Principles

Security Checklist (Not Code)

Input validation : All inputs validated
Parameterized queries : No string concatenation for SQL
Password hashing : bcrypt or argon2
JWT verification : Always verify signature and expiry
Rate limiting : Protect from abuse
Security headers : Helmet.js or equivalent
HTTPS : Everywhere in production
CORS : Properly configured
Secrets : Environment variables only
Dependencies : Regularly audited

Security Mindset

Trust nothing:
├── Query params → validate
├── Request body → validate
├── Headers → verify
├── Cookies → validate
├── File uploads → scan
└── External APIs → validate response

8. Testing Principles

Test Strategy Selection

Type	Purpose	Tools
Unit	Business logic	node:test, Vitest
Integration	API endpoints	Supertest
E2E	Full flows	Playwright

What to Test (Priorities)

Critical paths : Auth, payments, core business
Edge cases : Empty inputs, boundaries
Error handling : What happens when things fail?
Not worth testing : Framework code, trivial getters

Built-in Test Runner (Node.js 22+)

node --test src/**/*.test.ts
├── No external dependency
├── Good coverage reporting
└── Watch mode available

10. Anti-Patterns to Avoid

❌ DON'T:

Use Express for new edge projects (use Hono)
Use sync methods in production code
Put business logic in controllers
Skip input validation
Hardcode secrets
Trust external data without validation
Block event loop with CPU work

✅ DO:

Choose framework based on context
Ask user for preferences when unclear
Use layered architecture for growing projects
Validate all inputs
Use environment variables for secrets
Profile before optimizing

11. Decision Checklist

Before implementing:

Asked user about stack preference?
Chosen framework for THIS context? (not just default)
Considered deployment target?
Planned error handling strategy?
Identified validation points?
Considered security requirements?

Remember : Node.js best practices are about decision-making, not memorizing patterns. Every project deserves fresh consideration based on its requirements.

Weekly Installs

Repository

claudiodearaujo…zacenter

GitHub Stars

First Seen

1 day ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

zencoder1

amp1

cline1

openclaw1

opencode1

cursor1

Android 整洁架构指南：模块化设计、依赖注入与数据层实现

1,100 周安装