Node.js Coding Practice

Event1 fired!
Event2 fired!
Event3 fired!
// ... repeats indefinitely
Event1 fired!
Event2 fired!
Event3 fired!

The code creates an infinite loop. Each event handler schedules the next emit() via process.nextTick(), which queues the callback before any I/O events in the current event loop iteration. Because the callbacks are deferred rather than called recursively, there is no stack overflow — the process simply runs forever until killed.

Node.js 14.18+ recommendation: Use the node: URL scheme for built-in modules to avoid conflicts with third-party packages of the same name:

const { EventEmitter } = require("node:events"); // CommonJS
// or
import { EventEmitter } from "node:events";       // ES Module

// Option 1: Early-return pattern
async function getData(req, res) {
  const a = await functionA().catch((error) => res.send(error.stack));
  if (!a) return;
  const b = await functionB().catch((error) => res.send(error.stack));
  if (!b) return;
  res.send("some result");
}

// Option 2: Error-first tuple pattern (Node.js 16+ style with Error.cause support)
async function getData(req, res) {
  const [errorA, a] = await functionA()
    .then((value) => [null, value])
    .catch((error) => [error, null]);

  const [errorB, b] = await functionB()
    .then((value) => [null, value])
    .catch((error) => [error, null]);

  if (errorA || errorB) {
    return res.send((errorA ?? errorB).stack);
  }
  res.send("some result");
}

Within a web browser such as Chrome, declaring the variable i outside of any function's scope makes it global and therefore binds it as a property of the window object. As a result, running this code in a web browser requires repeatedly resolving the property i within the heavily populated window namespace in each iteration of the for loop.

In Node.js, however, declaring any variable outside of any function's scope binds it only to the module's own scope (not the window object) which therefore makes it much easier and faster to resolve.

Note (Node.js 22+): Modern Node.js ships with V8 12+, which includes the Maglev mid-tier JIT compiler and an improved TurboFan pipeline. These optimizations have significantly narrowed the property-resolution performance gap between browser and Node.js globals. Additionally, console.time() / console.timeEnd() in Node.js 22 internally uses high-resolution performance.now() timestamps, so measurements are more precise than in earlier versions.

// Standard async/await with try/catch replacement
async function asyncTask() {
  try {
    const valueA = await functionA();
    const valueB = await functionB(valueA);
    const valueC = await functionC(valueB);
    return await functionD(valueC);
  } catch (err) {
    logger.error(err);
  }
}

// Node.js 18+ alternative: propagate error cause for better stack traces
async function asyncTask() {
  try {
    const valueA = await functionA();
    const valueB = await functionB(valueA);
    const valueC = await functionC(valueB);
    return await functionD(valueC);
  } catch (err) {
    throw new Error("asyncTask failed", { cause: err }); // Error.cause (Node.js 16.9+)
  }
}

1 - start
6 - end
5 - nextTick
4 - Promise.then
3 - setImmediate
2 - setTimeout

Explanation — Node.js event loop phase priority:

1. Synchronous code runs first (lines 1 and 6).
2. process.nextTick() callbacks drain completely before any microtask or I/O phase.
3. Microtask queue (Promise.then, queueMicrotask) runs after all nextTick callbacks.
4. setImmediate() runs in the check phase of the current event loop iteration.
5. setTimeout(delay: 0) runs in the timers phase of the next event loop iteration (minimum ~1 ms delay applies).

Note (Node.js 11+): Microtasks (Promises, queueMicrotask) and process.nextTick callbacks are now drained between each individual timer callback and between each individual setImmediate callback — not only between phases.

// Node.js 10+ — fs.promises; prefer 'node:' prefix (Node.js 14.18+)
import { readFile } from "node:fs/promises";
import { fileURLToPath } from "node:url";
import { dirname, join } from "node:path";

const __dirname = dirname(fileURLToPath(import.meta.url)); // ES module equivalent of __dirname

async function printFile(filename) {
  try {
    const content = await readFile(join(__dirname, filename), "utf8");
    console.log(content);
  } catch (err) {
    // Error.cause available since Node.js 16.9+
    throw new Error(`Failed to read "${filename}"`, { cause: err });
  }
}

printFile("data.txt");

CommonJS version:

const { readFile } = require("node:fs/promises");
const { join } = require("node:path");

async function printFile(filename) {
  const content = await readFile(join(__dirname, filename), "utf8");
  console.log(content);
}

printFile("data.txt").catch(console.error);

fs.promises was promoted to stable in Node.js 10. Avoid the callback-based fs.readFile in new code; use fs.promises or the node:fs/promises named import instead.

// Node.js 18+ — native fetch, structuredClone, and node: prefix available
import { createServer } from "node:http";

const PORT = process.env.PORT ?? 3000;

const server = createServer((req, res) => {
  if (req.method === "GET" && req.url === "/health") {
    res.writeHead(200, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ status: "ok", uptime: process.uptime() }));
    return;
  }

  res.writeHead(404, { "Content-Type": "application/json" });
  res.end(JSON.stringify({ error: "Not Found" }));
});

server.listen(PORT, () => {
  console.log(`Server running at http://localhost:${PORT}`);
});

// Graceful shutdown (Node.js 18.2+ server.closeAllConnections())
process.on("SIGTERM", () => {
  server.closeAllConnections();
  server.close(() => process.exit(0));
});

For production use, prefer a framework like Express or Fastify, but understanding the raw node:http module is essential for interviews and debugging.

import { promisify } from "node:util";
import { readFile as readFileCb } from "node:fs";
import { readFile } from "node:fs/promises"; // preferred for built-ins

// Option 1: util.promisify (useful for any Node-style callback API)
const readFileAsync = promisify(readFileCb);

async function main() {
  const data = await readFileAsync("./data.txt", "utf8");
  console.log(data);
}

main().catch(console.error);

// Option 2: use fs.promises directly (Node.js 10+ — no promisify needed)
async function mainV2() {
  const data = await readFile("./data.txt", "utf8");
  console.log(data);
}

mainV2().catch(console.error);

util.promisify works with any function that follows the error-first callback convention (err, value) => {}. For built-in Node.js modules, always prefer the native node:fs/promises, node:dns/promises, etc., which exist since Node.js 10 and avoid the overhead of wrapping.

// Node.js 16+ — stream.pipeline with async/await (replaces the error-prone .pipe())
import { pipeline } from "node:stream/promises";
import { createReadStream, createWriteStream } from "node:fs";

async function copyFile(src, dest) {
  await pipeline(
    createReadStream(src),
    createWriteStream(dest)
  );
  console.log(`Copied "${src}" → "${dest}"`);
}

copyFile("input.txt", "output.txt").catch(console.error);

Why stream/promises over .pipe()? .pipe() does not propagate errors — if the source stream errors, the destination is not automatically destroyed, causing resource leaks. stream.pipeline (and its promise version from Node.js 15+) handles cleanup automatically and rejects on any stream error.

Reading a stream chunk by chunk (Node.js 16+ async iteration):

import { createReadStream } from "node:fs";

async function readChunks(filepath) {
  const stream = createReadStream(filepath, { encoding: "utf8" });
  for await (const chunk of stream) {
    process.stdout.write(chunk);
  }
}

readChunks("input.txt").catch(console.error);

// Option 1: Promise.allSettled (Node.js 12+) — never rejects; returns all results
async function getDashboard(userId) {
  const [profileResult, ordersResult, prefsResult] = await Promise.allSettled([
    fetchProfile(userId),
    fetchOrders(userId),
    fetchPreferences(userId),
  ]);

  return {
    profile:     profileResult.status === "fulfilled" ? profileResult.value : null,
    orders:      ordersResult.status  === "fulfilled" ? ordersResult.value  : [],
    preferences: prefsResult.status   === "fulfilled" ? prefsResult.value   : {},
  };
}

// Option 2: Promise.all — rejects immediately if any promise rejects (fail-fast)
async function getDashboardStrict(userId) {
  const [profile, orders, preferences] = await Promise.all([
    fetchProfile(userId),
    fetchOrders(userId),
    fetchPreferences(userId),
  ]);
  return { profile, orders, preferences };
}

// Option 3: Promise.any (Node.js 15+) — resolves with the FIRST fulfilled value
async function getFastestSource(userId) {
  const profile = await Promise.any([
    fetchFromPrimaryDB(userId),
    fetchFromReplicaDB(userId),
    fetchFromCache(userId),
  ]);
  return profile;
}

// Node.js 18+ — fetch and AbortController are available globally (no import needed)

async function fetchWithTimeout(url, timeoutMs = 5000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);

  try {
    const response = await fetch(url, { signal: controller.signal });
    if (!response.ok) {
      throw new Error(`HTTP error ${response.status}`, { cause: response });
    }
    return await response.json();
  } catch (err) {
    if (err.name === "AbortError") {
      throw new Error(`Request to ${url} timed out after ${timeoutMs}ms`);
    }
    throw err;
  } finally {
    clearTimeout(timer);
  }
}

// Node.js 17.3+ shorthand: AbortSignal.timeout()
async function fetchWithTimeoutShort(url, timeoutMs = 5000) {
  const response = await fetch(url, {
    signal: AbortSignal.timeout(timeoutMs), // auto-aborts after timeoutMs
  });
  return response.json();
}

AbortController / AbortSignal are available globally since Node.js 15. fetch is global since Node.js 18. AbortSignal.timeout() was added in Node.js 17.3.

// worker.js — runs in a separate thread
import { workerData, parentPort } from "node:worker_threads";

function fibonacci(n) {
  if (n <= 1) return n;
  return fibonacci(n - 1) + fibonacci(n - 2);
}

parentPort.postMessage(fibonacci(workerData.n));

// main.js
import { Worker } from "node:worker_threads";
import { fileURLToPath } from "node:url";
import { dirname, join } from "node:path";

const __dirname = dirname(fileURLToPath(import.meta.url));

function runFibonacciInWorker(n) {
  return new Promise((resolve, reject) => {
    const worker = new Worker(join(__dirname, "worker.js"), {
      workerData: { n },
    });
    worker.on("message", resolve);
    worker.on("error", reject);
    worker.on("exit", (code) => {
      if (code !== 0) reject(new Error(`Worker exited with code ${code}`));
    });
  });
}

const result = await runFibonacciInWorker(42);
console.log(`fibonacci(42) = ${result}`);

Worker Threads (stable since Node.js 12) share memory via SharedArrayBuffer and Atomics. They are ideal for CPU-bound tasks (e.g., image processing, cryptography, data transformation). For I/O-bound tasks, async/await is sufficient since Node.js handles I/O non-blocking by default.

import cluster from "node:cluster";
import { createServer } from "node:http";
import { availableParallelism } from "node:os"; // Node.js 19+ (replaces os.cpus().length)
import process from "node:process";

const numCPUs = availableParallelism();

if (cluster.isPrimary) {
  console.log(`Primary ${process.pid} is running`);

  // Fork a worker for each logical CPU
  for (let i = 0; i < numCPUs; i++) {
    cluster.fork();
  }

  cluster.on("exit", (worker, code, signal) => {
    console.log(`Worker ${worker.process.pid} died (${signal ?? code}). Restarting…`);
    cluster.fork(); // auto-restart crashed workers
  });
} else {
  // Each worker shares the same TCP port
  createServer((req, res) => {
    res.writeHead(200);
    res.end(`Handled by worker ${process.pid}\n`);
  }).listen(3000);

  console.log(`Worker ${process.pid} started`);
}

Cluster vs Worker Threads:

• Cluster forks separate OS processes — each has its own memory and event loop. Best for scaling HTTP servers across CPU cores.
• Worker Threads share memory within one process. Best for parallelising CPU-intensive computations.

os.availableParallelism() was added in Node.js 19 and reports the number of logical CPUs available to the current process (respects cgroup/container CPU limits unlike os.cpus().length).

import { scrypt, randomBytes, timingSafeEqual } from "node:crypto";
import { promisify } from "node:util";

const scryptAsync = promisify(scrypt);

const SALT_LENGTH = 32;
const KEY_LENGTH  = 64;

/**
 * Hash a plaintext password. Returns "<salt>:<hash>" (both hex-encoded).
 */
async function hashPassword(password) {
  const salt = randomBytes(SALT_LENGTH).toString("hex");
  const derivedKey = await scryptAsync(password, salt, KEY_LENGTH);
  return `${salt}:${derivedKey.toString("hex")}`;
}

/**
 * Verify a plaintext password against a stored hash string.
 */
async function verifyPassword(password, stored) {
  const [salt, storedHash] = stored.split(":");
  const derivedKey = await scryptAsync(password, salt, KEY_LENGTH);
  const storedBuffer = Buffer.from(storedHash, "hex");
  // timingSafeEqual prevents timing attacks
  return timingSafeEqual(derivedKey, storedBuffer);
}

// Usage
const hashed = await hashPassword("mySecret123");
console.log(hashed); // e.g. "a3f2...:b8c9..."

const valid = await verifyPassword("mySecret123", hashed);
console.log(valid); // true

Why scrypt over MD5/SHA-256? Hash functions like SHA-256 are fast by design, making brute-force attacks cheap. scrypt (and bcrypt/argon2) are deliberately slow and memory-hard, making them suitable for password hashing. Never use MD5 or plain SHA for passwords.

timingSafeEqual prevents timing attacks where an attacker infers the correct hash by measuring how long the comparison takes.

false
true
SGVsbG8=
2

Explanation:

• buf1 === buf2 → false — === compares object references; these are two distinct Buffer instances.
• buf1.equals(buf2) → true — .equals() compares the raw bytes.
• buf1.toString("base64") → "SGVsbG8=" — Base64 encoding of "Hello".
• Buffer.byteLength("é") → 2 — Buffer.byteLength counts UTF-8 bytes, not characters. The character é (U+00E9) is encoded as two bytes (0xC3 0xA9) in UTF-8, so byteLength returns 2 even though "é".length === 1.

Node.js 22+ — safe Buffer creation:

// NEVER use: new Buffer() — deprecated and removed
// ALWAYS use one of:
Buffer.alloc(10);            // zero-filled, safe
Buffer.from("Hello");        // from string
Buffer.from([0x48, 0x69]);   // from byte array
Buffer.allocUnsafe(10);      // fast but uninitialized — fill before reading

import process from "node:process";

// Unhandled promise rejection — Node.js 15+ exits by default (exit code 1)
process.on("unhandledRejection", (reason, promise) => {
  console.error("Unhandled Rejection at:", promise, "reason:", reason);
  // Recommended: let the process crash so a process manager (PM2, systemd) restarts it
  process.exit(1);
});

// Uncaught synchronous exception — always results in an unstable process state
process.on("uncaughtException", (err) => {
  console.error("Uncaught Exception:", err);
  // Perform synchronous cleanup only, then exit
  process.exit(1);
});

// Graceful shutdown on SIGTERM (sent by Docker, Kubernetes, PM2, etc.)
process.on("SIGTERM", () => {
  console.log("SIGTERM received — shutting down gracefully");
  server.close(() => {
    console.log("HTTP server closed");
    process.exit(0);
  });
});

Best practices:

• Do not swallow errors — always log and exit so a process supervisor restarts the app in a clean state.
• Use process.on("unhandledRejection") as a last resort safety net, not a substitute for proper try/catch or .catch() chains.
• In Node.js 15+, an unhandled rejection causes the process to exit with code 1 by default — configure --unhandled-rejections=throw|none|warn via CLI if you need legacy behaviour.
• Pair with a process manager (PM2, systemd, Kubernetes liveness probes) to automatically restart crashed services.

outer setImmediate   ← or outer setTimeout (order is non-deterministic outside I/O)
outer setTimeout     ← or outer setImmediate
setImmediate         ← always before setTimeout inside an I/O callback
setTimeout

Explanation:

• Outside an I/O callback (top-level script): the ordering depends on the performance of the process and the system clock — either can run first.
• Inside an I/O callback: setImmediate is always guaranteed to run before setTimeout(fn, 0) because the check phase comes before the timers phase resumes in the same loop tick.

Use setImmediate() when you want to run something after the current I/O events are handled. Use setTimeout(fn, 0) when you need a minimum delay before execution.

// process.argv — array: [ 'node', 'app.js', '--port', '4000', '--env', 'production' ]
const args = process.argv.slice(2); // drop 'node' and script path

// Parse into an object: { port: '4000', env: 'production' }
function parseArgs(argv) {
  return argv.reduce((acc, val, i, arr) => {
    if (val.startsWith("--")) {
      acc[val.slice(2)] = arr[i + 1] ?? true;
    }
    return acc;
  }, {});
}

const { port = 3000, env = "development" } = parseArgs(args);

// process.env — all environment variables as strings
const apiKey = process.env.API_KEY;
if (!apiKey) {
  console.error("API_KEY is required");
  process.exit(1);
}

console.log(`Starting on port ${port} in ${env} mode`);
console.log(`API_KEY length: ${apiKey.length}`);

Node.js 18.3+ built-in argument parsing (util.parseArgs):

import { parseArgs } from "node:util";

const { values } = parseArgs({
  args: process.argv.slice(2),
  options: {
    port: { type: "string", short: "p", default: "3000" },
    env:  { type: "string", short: "e", default: "development" },
  },
});

console.log(values.port, values.env); // '4000' 'production'

util.parseArgs was added in Node.js 18.3 and stabilised in Node.js 20. Prefer it over manual parsing or third-party libraries like yargs/minimist for simple CLIs.

// Using the built-in EventEmitter (Node.js 0.1+)
import { EventEmitter } from "node:events";

class Logger extends EventEmitter {
  log(message) {
    this.emit("log", { message, timestamp: new Date().toISOString() });
  }
}

const logger = new Logger();

// .on() — persistent listener
logger.on("log", (data) => console.log("[persistent]", data.message));

// .once() — fires once then auto-removes itself
logger.once("log", (data) => console.log("[once]", data.message));

// .off() — remove a named listener
const handler = (data) => console.log("[removable]", data.message);
logger.on("log", handler);
logger.off("log", handler); // same as logger.removeListener("log", handler)

logger.log("Hello");  // prints: [persistent] Hello, [once] Hello
logger.log("World");  // prints: [persistent] World  (once already removed)

// Node.js 12+ — EventEmitter.on() async iterator
import { on } from "node:events";

async function consumeLogs() {
  for await (const [data] of on(logger, "log")) {
    console.log("[async iter]", data.message);
    if (data.message === "stop") break;
  }
}

consumeLogs();
logger.log("tick");
logger.log("stop");

EventEmitter memory leak warning: The default max listener count is 10. Increase it with emitter.setMaxListeners(n) or set it globally with EventEmitter.defaultMaxListeners. Always call .off() / .removeAllListeners() to avoid leaks in long-running processes.

// Sequential — each request waits for the previous one to finish
async function fetchSequential(urls) {
  const results = [];
  for (const url of urls) {
    const response = await fetch(url);            // waits here
    const data = await response.json();
    results.push(data);
    console.log(`Fetched: ${url}`);
  }
  return results;
}

// ❌ Common mistake: Array.forEach does NOT await async callbacks
async function fetchWrong(urls) {
  const results = [];
  urls.forEach(async (url) => {           // forEach ignores returned promises
    const data = await fetch(url).then(r => r.json());
    results.push(data);                   // race condition — order not guaranteed
  });
  return results;                         // returns before any fetch completes!
}

// ✅ Parallel — all requests start at once (faster, but order not guaranteed)
async function fetchParallel(urls) {
  return Promise.all(urls.map(url => fetch(url).then(r => r.json())));
}

// ✅ Parallel with concurrency limit (e.g. max 2 at a time)
async function fetchWithConcurrency(urls, concurrency = 2) {
  const results = [];
  for (let i = 0; i < urls.length; i += concurrency) {
    const batch = urls.slice(i, i + concurrency);
    const batchResults = await Promise.all(
      batch.map(url => fetch(url).then(r => r.json()))
    );
    results.push(...batchResults);
  }
  return results;
}

catch: oops
after catch: 42

Explanation:

1. Promise.resolve(1) → value 1
2. First .then: 1 + 1 → value 2
3. Second .then: throws Error("oops") → promise rejects; the next .then is skipped
4. .catch: receives the error, logs "catch: oops", returns 42 → the catch handler converts the rejection back to a fulfilled promise with value 42
5. Final .then: receives 42, logs "after catch: 42"

Key rules:

• A .then() after a rejection is skipped until a .catch() or .then(null, onReject) is encountered.
• Returning a value from .catch() resolves the chain — subsequent .then() handlers run normally.
• Throwing inside .catch() keeps the chain rejected.

Equivalent async/await version:

async function run() {
  try {
    let x = await Promise.resolve(1);
    x = x + 1;
    throw new Error("oops");         // jumps to catch
    console.log("never reached");
  } catch (err) {
    console.log("catch:", err.message); // catch: oops
    return 42;
  }
}

const x = await run();
console.log("after catch:", x);  // after catch: 42

/**
 * Retry an async function up to `retries` times with exponential back-off.
 * @param {() => Promise<T>} fn       - async function to call
 * @param {number}           retries  - max attempts (default 3)
 * @param {number}           delay    - initial delay in ms (default 200)
 */
async function retry(fn, retries = 3, delay = 200) {
  let lastError;
  for (let attempt = 1; attempt <= retries; attempt++) {
    try {
      return await fn();
    } catch (err) {
      lastError = err;
      if (attempt === retries) break;

      const backoff = delay * 2 ** (attempt - 1); // 200, 400, 800 …
      console.warn(`Attempt ${attempt} failed. Retrying in ${backoff}ms…`);
      await new Promise((resolve) => setTimeout(resolve, backoff));
    }
  }
  throw new Error(`All ${retries} attempts failed`, { cause: lastError });
}

// Usage
async function unstableApiCall() {
  if (Math.random() < 0.7) throw new Error("Service unavailable");
  return { data: "success" };
}

const result = await retry(unstableApiCall, 4, 100);
console.log(result);

With AbortSignal support (Node.js 17.3+):

async function retry(fn, { retries = 3, delay = 200, signal } = {}) {
  for (let attempt = 1; attempt <= retries; attempt++) {
    signal?.throwIfAborted(); // Node.js 17.3+
    try {
      return await fn({ signal });
    } catch (err) {
      if (attempt === retries || signal?.aborted) throw err;
      await new Promise((resolve, reject) => {
        const timer = setTimeout(resolve, delay * 2 ** (attempt - 1));
        signal?.addEventListener("abort", () => { clearTimeout(timer); reject(signal.reason); });
      });
    }
  }
}

// app.js
import express from "express";
import usersRouter from "./routes/users.js";

const app = express();

// Built-in middleware — parses application/json bodies (replaces body-parser since Express 4.16)
app.use(express.json());
app.use(express.urlencoded({ extended: false }));

// Mount router
app.use("/api/users", usersRouter);

// 404 handler — must be after all routes
app.use((_req, res) => {
  res.status(404).json({ error: "Not Found" });
});

// Global error handler — must have exactly 4 parameters
app.use((err, _req, res, _next) => {
  console.error(err.stack);
  const status = err.status ?? 500;
  res.status(status).json({
    error: err.message ?? "Internal Server Error",
    ...(process.env.NODE_ENV === "development" && { stack: err.stack }),
  });
});

export default app;

// routes/users.js
import { Router } from "express";

const router = Router();
const users = new Map();

router.get("/",       (_req, res) => res.json([...users.values()]));
router.get("/:id",    (req, res, next) => {
  const user = users.get(req.params.id);
  if (!user) return next(Object.assign(new Error("User not found"), { status: 404 }));
  res.json(user);
});
router.post("/",      (req, res) => {
  const { name, email } = req.body;
  const id = crypto.randomUUID();          // Node.js 19+ — global crypto
  users.set(id, { id, name, email });
  res.status(201).json({ id, name, email });
});
router.put("/:id",    (req, res, next) => {
  if (!users.has(req.params.id)) return next(Object.assign(new Error("Not found"), { status: 404 }));
  const updated = { ...users.get(req.params.id), ...req.body, id: req.params.id };
  users.set(req.params.id, updated);
  res.json(updated);
});
router.delete("/:id", (req, res) => {
  users.delete(req.params.id);
  res.status(204).send();
});

export default router;

// server.js
import app from "./app.js";

const PORT = process.env.PORT ?? 3000;
const server = app.listen(PORT, () =>
  console.log(`Server listening on http://localhost:${PORT}`)
);

process.on("SIGTERM", () => server.close(() => process.exit(0)));

Express 5 (released 2024) automatically passes errors thrown inside async route handlers to next(err) — no try/catch wrapper needed. With Express 4, wrap async handlers or use a wrapper like express-async-errors.

// middleware/logger.js — request/response logging
export function requestLogger(req, res, next) {
  const start = Date.now();
  const { method, url } = req;

  res.on("finish", () => {
    const duration = Date.now() - start;
    console.log(`${method} ${url} ${res.statusCode} — ${duration}ms`);
  });

  next(); // MUST call next() or the request will hang
}

// middleware/auth.js — Bearer token authentication
export function requireAuth(req, res, next) {
  const authHeader = req.headers["authorization"];
  if (!authHeader?.startsWith("Bearer ")) {
    return res.status(401).json({ error: "Missing or invalid Authorization header" });
  }

  const token = authHeader.slice(7);
  try {
    // In production, verify a JWT here (e.g. with jsonwebtoken or jose)
    if (token !== process.env.API_TOKEN) throw new Error("Invalid token");
    req.user = { token }; // attach to request for downstream handlers
    next();
  } catch (err) {
    res.status(403).json({ error: "Forbidden" });
  }
}

// middleware/validate.js — request body validation
export function validateBody(schema) {
  return (req, res, next) => {
    const { error } = schema.safeParse(req.body); // Zod example
    if (error) {
      return res.status(422).json({ error: "Validation failed", details: error.format() });
    }
    next();
  };
}

// Usage in app.js
import { requestLogger, requireAuth, validateBody } from "./middleware/index.js";
import { z } from "zod";

const CreateUserSchema = z.object({
  name:  z.string().min(1).max(100),
  email: z.string().email(),
});

app.use(requestLogger);                                       // global
app.post("/api/users", requireAuth, validateBody(CreateUserSchema), createUser); // route-level

Middleware execution order:

Request → requestLogger → requireAuth → validateBody → createUser → response
                                             ↓ (if invalid)
                                          422 Validation failed

// ❌ Express 4 — unhandled async rejection crashes the process
app.get("/users/:id", async (req, res) => {
  const user = await User.findById(req.params.id); // if this throws, error is unhandled
  res.json(user);
});

// ✅ Express 4 — wrap with try/catch and forward to error middleware
app.get("/users/:id", async (req, res, next) => {
  try {
    const user = await User.findById(req.params.id);
    if (!user) return next(Object.assign(new Error("Not found"), { status: 404 }));
    res.json(user);
  } catch (err) {
    next(err); // forwards to global error handler
  }
});

// ✅ Express 4 — asyncHandler wrapper utility (eliminates repetitive try/catch)
const asyncHandler = (fn) => (req, res, next) =>
  Promise.resolve(fn(req, res, next)).catch(next);

app.get("/users/:id", asyncHandler(async (req, res) => {
  const user = await User.findById(req.params.id);
  res.json(user);
}));

// ✅ Express 5 (npm install express@5) — async errors forwarded to next() automatically
// No wrapper needed
app.get("/users/:id", async (req, res) => {
  const user = await User.findById(req.params.id); // thrown errors go to error middleware
  res.json(user);
});

// Global error middleware (required in both versions)
app.use((err, req, res, next) => {
  console.error(err);
  res.status(err.status ?? 500).json({ error: err.message });
});

// ─── CommonJS (CJS) ───────────────────────────────────────────────────────────
// File: math.cjs  or  "type": "commonjs" in package.json

const add = (a, b) => a + b;
const PI = 3.14;

module.exports = { add, PI };

// Require is synchronous — fine for local files
const { add: addFn } = require("./math.cjs");

// ─── ES Modules (ESM) ────────────────────────────────────────────────────────
// File: math.mjs  or  "type": "module" in package.json

export const PI = 3.14;
export function add(a, b) { return a + b; }
export default { add, PI };   // default export

import { add, PI } from "./math.mjs";           // named imports
import math from "./math.mjs";                   // default import
import * as MathLib from "./math.mjs";           // namespace import

// Dynamic import — lazy-loads a module, returns a Promise (works in both CJS and ESM)
const { add: lazyAdd } = await import("./math.mjs");

Key differences:

// Interoperability
import cjsModule from "./legacy.cjs"; // ✅ ESM can import CJS
const esmModule = require("./modern.mjs"); // ❌ throws ERR_REQUIRE_ESM (Node.js < 22)
// Node.js 22+ — require(esm) supported experimentally (--experimental-require-module)

import {
  writeFile, appendFile, readFile,
  unlink, mkdir, rm,
  readdir, stat, rename,
} from "node:fs/promises";
import { join } from "node:path";

const BASE = "./sandbox";

async function demo() {
  // 1. Create directory (recursive: true won\'t throw if exists — Node.js 10.12+)
  await mkdir(BASE, { recursive: true });

  // 2. Write a file (creates or overwrites)
  await writeFile(join(BASE, "hello.txt"), "Hello, Node.js!\n", "utf8");

  // 3. Append to a file
  await appendFile(join(BASE, "hello.txt"), "Appended line.\n", "utf8");

  // 4. Read file
  const content = await readFile(join(BASE, "hello.txt"), "utf8");
  console.log(content);

  // 5. List directory contents with type info
  const entries = await readdir(BASE, { withFileTypes: true }); // Node.js 10.10+
  for (const entry of entries) {
    console.log(entry.name, entry.isFile() ? "(file)" : "(dir)");
  }

  // 6. File metadata
  const info = await stat(join(BASE, "hello.txt"));
  console.log("Size:", info.size, "bytes", "| Modified:", info.mtime);

  // 7. Rename / move
  await rename(join(BASE, "hello.txt"), join(BASE, "renamed.txt"));

  // 8. Delete a file
  await unlink(join(BASE, "renamed.txt"));

  // 9. Remove directory recursively (Node.js 14.14+)
  await rm(BASE, { recursive: true, force: true });
}

demo().catch(console.error);

Watch a file/directory for changes (Node.js 18.11+ fs.watch with recursive):

import { watch } from "node:fs/promises";

const watcher = watch("./src", { recursive: true });
for await (const event of watcher) {
  console.log(`${event.eventType}: ${event.filename}`);
}

import path from "node:path";
import { fileURLToPath } from "node:url";

// ── ESM equivalent of __dirname ──────────────────────────────────────────────
const __filename = fileURLToPath(import.meta.url);
const __dirname  = path.dirname(__filename);
// Node.js 21.2+ shorthand:
// const __dirname  = import.meta.dirname;
// const __filename = import.meta.filename;

// ── Common path operations ────────────────────────────────────────────────────
const filePath = path.join(__dirname, "data", "users.json");
// → /project/data/users.json  (OS-aware separator)

path.resolve("data", "users.json");        // absolute path from cwd
path.basename("/foo/bar/baz.txt");         // "baz.txt"
path.basename("/foo/bar/baz.txt", ".txt"); // "baz"
path.extname("index.html");                // ".html"
path.dirname("/foo/bar/baz.txt");          // "/foo/bar"

path.parse("/foo/bar/baz.txt");
// { root: '/', dir: '/foo/bar', base: 'baz.txt', ext: '.txt', name: 'baz' }

// ── Path traversal prevention (security) ─────────────────────────────────────
const BASE_DIR = path.resolve("./public");

function safeJoin(base, userInput) {
  const resolved = path.resolve(base, userInput);
  if (!resolved.startsWith(base + path.sep) && resolved !== base) {
    throw new Error("Path traversal detected");
  }
  return resolved;
}

safeJoin(BASE_DIR, "images/logo.png");    // ✅ safe
safeJoin(BASE_DIR, "../../etc/passwd");   // ❌ throws

// ── Option 1: Global fetch (Node.js 18+, no import needed) ───────────────────
async function getUser(id) {
  const response = await fetch(`https://jsonplaceholder.typicode.com/users/${id}`, {
    headers: { Accept: "application/json" },
    signal: AbortSignal.timeout(5000), // auto-cancel after 5 s (Node.js 17.3+)
  });

  if (!response.ok) {
    throw new Error(`HTTP ${response.status}: ${response.statusText}`);
  }

  return response.json();
}

async function postUser(payload) {
  const response = await fetch("https://jsonplaceholder.typicode.com/users", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(payload),
  });
  return response.json();
}

// ── Option 2: node:https (Node.js built-in, useful without fetch) ─────────────
import https from "node:https";

function httpsGet(url) {
  return new Promise((resolve, reject) => {
    https.get(url, (res) => {
      let body = "";
      res.on("data", (chunk) => (body += chunk));
      res.on("end", () => {
        try { resolve(JSON.parse(body)); }
        catch (err) { reject(err); }
      });
    }).on("error", reject);
  });
}

Choosing the right HTTP client:

// routes/products.js
import { Router } from "express";

const router = Router();
const db = new Map(); // replace with a real DB in production

// ── Validation helper ────────────────────────────────────────────────────────
function validateProduct({ name, price }) {
  const errors = [];
  if (!name || typeof name !== "string" || name.trim().length === 0)
    errors.push("name is required");
  if (price == null || typeof price !== "number" || price < 0)
    errors.push("price must be a non-negative number");
  return errors;
}

// GET /api/products — 200 OK
router.get("/", (_req, res) => {
  res.status(200).json([...db.values()]);
});

// GET /api/products/:id — 200 OK | 404 Not Found
router.get("/:id", (req, res) => {
  const product = db.get(req.params.id);
  if (!product) return res.status(404).json({ error: "Product not found" });
  res.status(200).json(product);
});

// POST /api/products — 201 Created | 422 Unprocessable Entity
router.post("/", (req, res) => {
  const errors = validateProduct(req.body);
  if (errors.length) return res.status(422).json({ errors });

  const id = crypto.randomUUID();
  const product = { id, name: req.body.name.trim(), price: req.body.price };
  db.set(id, product);
  res.status(201).json(product);
});

// PUT /api/products/:id — 200 OK | 404 | 422
router.put("/:id", (req, res) => {
  if (!db.has(req.params.id)) return res.status(404).json({ error: "Not found" });
  const errors = validateProduct(req.body);
  if (errors.length) return res.status(422).json({ errors });

  const updated = { id: req.params.id, name: req.body.name.trim(), price: req.body.price };
  db.set(req.params.id, updated);
  res.status(200).json(updated);
});

// PATCH /api/products/:id — 200 OK | 404
router.patch("/:id", (req, res) => {
  const product = db.get(req.params.id);
  if (!product) return res.status(404).json({ error: "Not found" });
  const updated = { ...product, ...req.body, id: req.params.id };
  db.set(req.params.id, updated);
  res.status(200).json(updated);
});

// DELETE /api/products/:id — 204 No Content | 404
router.delete("/:id", (req, res) => {
  if (!db.has(req.params.id)) return res.status(404).json({ error: "Not found" });
  db.delete(req.params.id);
  res.status(204).send();
});

export default router;

HTTP status code cheat-sheet:

import { Transform } from "node:stream";
import { pipeline } from "node:stream/promises";
import { createReadStream, createWriteStream } from "node:fs";

// ── Custom Transform stream ───────────────────────────────────────────────────
class UpperCaseTransform extends Transform {
  _transform(chunk, _encoding, callback) {
    this.push(chunk.toString().toUpperCase());
    callback(); // signal ready for next chunk
  }
}

// ── Using stream/promises pipeline (Node.js 15+) ──────────────────────────────
async function processFile(inputPath, outputPath) {
  await pipeline(
    createReadStream(inputPath),
    new UpperCaseTransform(),
    createWriteStream(outputPath)
  );
  console.log("Done");
}

processFile("input.txt", "output.txt").catch(console.error);

// ── Inline Transform (no class needed) ───────────────────────────────────────
const csvToJson = new Transform({
  readableObjectMode: true,
  transform(chunk, _enc, cb) {
    const lines = chunk.toString().split("\n").filter(Boolean);
    for (const line of lines) {
      const [id, name, price] = line.split(",");
      this.push({ id, name, price: parseFloat(price) }); // push objects
    }
    cb();
  },
});

// ── Measure throughput with perf_hooks ────────────────────────────────────────
import { performance, PerformanceObserver } from "node:perf_hooks";

const obs = new PerformanceObserver((list) => {
  for (const entry of list.getEntries()) {
    console.log(`${entry.name}: ${entry.duration.toFixed(2)}ms`);
  }
});
obs.observe({ type: "measure" });

performance.mark("stream:start");
await processFile("large.txt", "large-upper.txt");
performance.mark("stream:end");
performance.measure("File processing", "stream:start", "stream:end");

Backpressure occurs when a writable stream cannot consume data as fast as a readable stream produces it, causing the internal buffer to fill up and memory to grow unboundedly.

import { createReadStream, createWriteStream } from "node:fs";

// ── ❌ Ignoring backpressure (memory leak risk) ───────────────────────────────
const readable = createReadStream("huge.file");
const writable = createWriteStream("output.file");

readable.on("data", (chunk) => {
  const ok = writable.write(chunk); // returns false when buffer is full
  // ❌ we never check the return value — buffer grows unboundedly
});

// ── ✅ Handling backpressure manually ─────────────────────────────────────────
const src = createReadStream("huge.file");
const dst = createWriteStream("output.file");

src.on("data", (chunk) => {
  const ok = dst.write(chunk);
  if (!ok) {
    src.pause();                           // stop reading until buffer drains
    dst.once("drain", () => src.resume()); // resume when writable drains
  }
});

src.on("end", () => dst.end());

// ── ✅ Best practice: use pipeline (handles backpressure + errors automatically) ──
import { pipeline } from "node:stream/promises";

await pipeline(
  createReadStream("huge.file"),
  createWriteStream("output.file")
);
// pipeline pauses the readable when writable.write() returns false,
// and resumes on 'drain' — zero manual backpressure handling needed.

Key methods and events:

Always use stream.pipeline() from node:stream/promises instead of .pipe() — it automatically handles backpressure, error propagation, and stream cleanup.

import { performance, PerformanceObserver, monitorEventLoopDelay } from "node:perf_hooks";

// ── 1. Basic timing with marks and measures ───────────────────────────────────
performance.mark("start");
await heavyComputation();
performance.mark("end");
performance.measure("heavyComputation", "start", "end");

const [measure] = performance.getEntriesByName("heavyComputation");
console.log(`Duration: ${measure.duration.toFixed(2)}ms`);
performance.clearMarks();
performance.clearMeasures();

// ── 2. PerformanceObserver — observe automatically ────────────────────────────
const obs = new PerformanceObserver((list) => {
  for (const entry of list.getEntries()) {
    console.log(`[perf] ${entry.name}: ${entry.duration.toFixed(2)}ms`);
  }
  obs.disconnect();
});
obs.observe({ entryTypes: ["measure"] });

// ── 3. timerify — wrap a sync function to auto-measure it ────────────────────
const obs2 = new PerformanceObserver((list) => {
  list.getEntries().forEach(e => console.log(e.name, e.duration));
});
obs2.observe({ entryTypes: ["function"] });

const wrapped = performance.timerify(function sortArray(arr) {
  return arr.slice().sort((a, b) => a - b);
});
wrapped([5, 3, 1, 4, 2]);

// ── 4. Event loop lag monitoring ──────────────────────────────────────────────
const monitor = monitorEventLoopDelay({ resolution: 10 });
monitor.enable();

setTimeout(() => {
  monitor.disable();
  console.log("Event loop delay (p99):", monitor.percentile(99), "ns");
  console.log("Event loop delay (mean):", monitor.mean, "ns");
}, 5000);

// ── Node.js 20.6+ built-in .env loading (no dotenv package needed) ────────────
// CLI: node --env-file=.env app.js
// or:  node --env-file=.env --env-file=.env.local app.js (layered)

// Accessing variables:
const dbUrl = process.env.DATABASE_URL;
const port  = parseInt(process.env.PORT ?? "3000", 10);

// ── Traditional approach: dotenv package ─────────────────────────────────────
// import "dotenv/config";       // ES module auto-load
// require("dotenv").config();   // CommonJS

// ── Validate required env vars at startup ─────────────────────────────────────
function requireEnv(keys) {
  const missing = keys.filter((k) => !process.env[k]);
  if (missing.length > 0) {
    console.error(`Missing required environment variables: ${missing.join(", ")}`);
    process.exit(1);
  }
}

requireEnv(["DATABASE_URL", "JWT_SECRET", "PORT"]);

.env file example:

# .env  — never commit this file to source control
DATABASE_URL=postgresql://user:password@localhost:5432/mydb
JWT_SECRET=a-very-long-random-secret-at-least-32-chars
PORT=3000
NODE_ENV=development

.gitignore:

.env
.env.local
.env.*.local

Environment-specific loading pattern:

// config/env.js — typed config object
const config = {
  port:        parseInt(process.env.PORT ?? "3000", 10),
  nodeEnv:     process.env.NODE_ENV ?? "development",
  db: {
    url:       process.env.DATABASE_URL,
    poolSize:  parseInt(process.env.DB_POOL_SIZE ?? "10", 10),
  },
  jwt: {
    secret:    process.env.JWT_SECRET,
    expiresIn: process.env.JWT_EXPIRES_IN ?? "1h",
  },
  isDev:  process.env.NODE_ENV === "development",
  isProd: process.env.NODE_ENV === "production",
};

export default config;

Security rules: Never commit .env files. Never log process.env. Pass config via function arguments, not global reads throughout the codebase. Use secrets managers (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) for production credentials.

import express from "express";
import helmet from "helmet";               // npm install helmet
import cors from "cors";                   // npm install cors
import { rateLimit } from "express-rate-limit"; // npm install express-rate-limit

const app = express();

// ── 1. Helmet — sets secure HTTP response headers ────────────────────────────
app.use(helmet());
// Enabled by default: X-Content-Type-Options, X-Frame-Options, HSTS,
// X-XSS-Protection, Content-Security-Policy, etc.

// Custom CSP:
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc:  ["'self'"],
      styleSrc:   ["'self'", "https://fonts.googleapis.com"],
    },
  })
);

// ── 2. CORS — restrict allowed origins ───────────────────────────────────────
const ALLOWED_ORIGINS = (process.env.ALLOWED_ORIGINS ?? "").split(",");

app.use(
  cors({
    origin(origin, cb) {
      if (!origin || ALLOWED_ORIGINS.includes(origin)) return cb(null, true);
      cb(new Error("CORS: origin not allowed"));
    },
    methods:          ["GET", "POST", "PUT", "PATCH", "DELETE"],
    allowedHeaders:   ["Content-Type", "Authorization"],
    credentials:      true,
    maxAge:           86400, // preflight cache: 24 h
  })
);

// ── 3. Rate limiting — prevent brute-force and DoS ───────────────────────────
const apiLimiter = rateLimit({
  windowMs:         15 * 60 * 1000, // 15 minutes
  max:              100,
  standardHeaders:  "draft-7",
  legacyHeaders:    false,
  message:          { error: "Too many requests, please try again later." },
});

const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max:      10, // only 10 login attempts per 15 min
  standardHeaders: "draft-7",
  legacyHeaders:   false,
});

app.use("/api/", apiLimiter);
app.use("/api/auth/", authLimiter);

app.use(express.json({ limit: "10kb" })); // limit body size to prevent DoS

export default app;

Security checklist for Express APIs:

• helmet() — secure response headers
• CORS — whitelist allowed origins
• Rate limiting — prevent brute-force
• Body size limit — express.json({ limit: "10kb" })
• Input validation — Zod / Joi / express-validator
• Parameterised queries — prevent SQL injection
• httpOnly + Secure cookies — prevent XSS cookie theft
• HTTPS only in production
• No sensitive data in logs or error responses

// npm install jose  (Web-standard JWT — works in Node.js, Edge, and browsers)
import { SignJWT, jwtVerify } from "jose";
import { createSecretKey } from "node:crypto";

const SECRET = createSecretKey(
  Buffer.from(process.env.JWT_SECRET, "utf8") // must be ≥ 32 chars
);

const ISSUER   = "api.example.com";
const AUDIENCE = "app.example.com";

// ── Sign a JWT ────────────────────────────────────────────────────────────────
async function signToken(payload) {
  return new SignJWT(payload)
    .setProtectedHeader({ alg: "HS256" })
    .setIssuedAt()
    .setIssuer(ISSUER)
    .setAudience(AUDIENCE)
    .setExpirationTime("1h")
    .sign(SECRET);
}

// ── Verify a JWT ──────────────────────────────────────────────────────────────
async function verifyToken(token) {
  const { payload } = await jwtVerify(token, SECRET, {
    issuer:   ISSUER,
    audience: AUDIENCE,
  });
  return payload; // throws JWTExpired, JWTInvalid, etc. on failure
}

// ── Express middleware ────────────────────────────────────────────────────────
async function authenticate(req, res, next) {
  const authHeader = req.headers.authorization;
  if (!authHeader?.startsWith("Bearer ")) {
    return res.status(401).json({ error: "Authorization header required" });
  }
  try {
    const token = authHeader.slice(7);
    req.user = await verifyToken(token);
    next();
  } catch (err) {
    const status = err.code === "ERR_JWT_EXPIRED" ? 401 : 403;
    res.status(status).json({ error: err.message });
  }
}

// ── Login route ───────────────────────────────────────────────────────────────
app.post("/api/auth/login", async (req, res) => {
  const { email, password } = req.body;
  const user = await findUserByEmail(email);

  if (!user || !(await verifyPassword(password, user.passwordHash))) {
    return res.status(401).json({ error: "Invalid credentials" });
  }

  const token = await signToken({ sub: user.id, email: user.email, role: user.role });
  res.json({ token, expiresIn: 3600 });
});

// Protected route
app.get("/api/profile", authenticate, (req, res) => {
  res.json({ user: req.user });
});

JWT security best practices:

• Use HS256 (symmetric) for internal services; RS256 / ES256 (asymmetric) for public APIs.
• Set short expiry (1h) + refresh token rotation instead of long-lived tokens.
• Store tokens in httpOnly cookies (not localStorage) to prevent XSS theft.
• Always validate iss, aud, and exp claims.
• Never put sensitive data (passwords, PII) in the JWT payload — it is only base64-encoded, not encrypted.

// ── SQL Injection prevention ───────────────────────────────────────────────────

// ❌ NEVER: string interpolation in queries
const userId = req.params.id;
db.query(`SELECT * FROM users WHERE id = ${userId}`); // attacker sends "1 OR 1=1"

// ✅ Parameterised queries — the only safe approach
import postgres from "postgres"; // npm install postgres (or pg, mysql2, etc.)

const sql = postgres(process.env.DATABASE_URL);

async function getUserById(id) {
  const [user] = await sql`SELECT * FROM users WHERE id = ${id}`; // auto-escaped
  return user;
}

// ✅ With 'pg' (node-postgres)
import { Pool } from "pg";
const pool = new Pool({ connectionString: process.env.DATABASE_URL });

async function getUserByEmail(email) {
  const { rows } = await pool.query(
    "SELECT id, name, email FROM users WHERE email = \$1",
    [email] // parameterised — never interpolated
  );
  return rows[0];
}

// ── XSS prevention ───────────────────────────────────────────────────────────

// ✅ Sanitise user input before storing / rendering HTML
import DOMPurify from "isomorphic-dompurify"; // npm install isomorphic-dompurify

function sanitizeHtml(dirty) {
  return DOMPurify.sanitize(dirty, {
    ALLOWED_TAGS:  ["b", "i", "em", "strong", "a", "p"],
    ALLOWED_ATTR:  ["href", "title"],
  });
}

// ✅ Encode output when inserting into HTML (server-side rendering)
import escape from "escape-html"; // npm install escape-html

app.get("/greet", (req, res) => {
  const name = escape(req.query.name ?? "World"); // <script> → &lt;script&gt;
  res.send(`<h1>Hello, ${name}!</h1>`);
});

// ✅ Content-Security-Policy via Helmet (prevents XSS even if output not escaped)
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc:  ["'self'"],   // no inline scripts
  },
}));