Core Code
Core Code Modern Dev Handbook
NODEJS Contents
Foundations & Runtime
Node.js HOME Node.js Intro: What Problem Does It Solve? Event Loop Explained Get Started: Install Node and Run Your First Script System Requirements and LTS Strategy Node.js vs Browser JavaScript V8, libuv, and the Node Runtime Model Node Architecture: Threads, I/O, and the Main Loop Event Loop Basics (What Actually Runs When) Microtasks vs Macrotasks (Promises vs Timers) Concurrency Model: Non-blocking I/O Explained The process Object: Args, Env, Exit Codes Environment Variables: Patterns and Gotchas TypeScript-first Node: Project Setup (Minimal Tooling) JS vs TS in Node: Quick Differences You’ll See Often Node LTS, Releases, and Upgrade Strategy When NOT to Use Node.js (Real Tradeoffs)
Async Programming
Async in Node: Mental Model Callbacks (Why They Still Matter) Promises Deep Dive (Chaining, States, Errors) Async/Await Under the Hood Error Propagation Across Async Boundaries try/catch Pitfalls with Async Code Timeouts & Retries (Without Making a Mess) AbortController in Node (Canceling Work) Parallel vs Concurrent Work in Node Unhandled Rejections: What to Do in Production Common Async Bugs and How to Avoid Them
Modules & Tooling
Modules Overview: CommonJS vs ES Modules ES Modules in Node (import/export, package.json type) CommonJS (require/module.exports) in Legacy Code How Node Resolves Modules (Paths, Exports, Conditions) package.json Essentials (name, main, exports, types) npm Basics: Installing, Lockfiles, and Reproducibility npm Scripts: Dev/Build/Test Workflow Managing Dependencies: Semver, Updates, and Audits Monorepo Basics (When It Helps, When It Hurts) Project Structure: Feature vs Layer Folders Linting & Formatting (ESLint/Prettier strategy)
Core Modules
fs Basics: Reading and Writing Files Safely path vs URL: Correctly Handling Paths and Links Streams Intro: Why Streams Exist Backpressure: The Real Reason Your Server Slows Down Buffer: Binary Data Without Fear events & EventEmitter: Patterns and Pitfalls crypto Basics: Hashing vs Encryption Timers: setTimeout/setInterval and Drift readline: CLI Input for Real Tools util & Debugging Helpers (inspect, promisify) dns Module: When You Actually Need It
HTTP & Networking
Raw HTTP Server: A Minimal API Without Frameworks Routing Basics Without Express Parsing JSON Bodies Safely Status Codes That Don’t Hurt Users HTTPS/TLS Basics for Backend Devs CORS Basics (and Why It’s Not “A Backend Bug”) HTTP/2 Overview (What Changes, What Doesn’t) WebSockets Overview (When REST Isn’t Enough) Socket.IO vs ws: Tradeoffs HTTP Timeouts (Server, Client, and Proxies) Streaming Responses (SSE/Chunked) Overview
Express.js
Express Intro What Express Is (and What It Isn’t) Express + TypeScript: Minimal Setup Routing Patterns (params, query, nesting) Middleware Concept: The Request Pipeline Error Middleware: One Place to Handle Failures Validation Strategy (DTOs + schema validation) Async Errors in Express (the safe pattern) Request Context (correlation id, per-request state) Serving Static Files (and when not to) Rate Limiting: Basic Protection Security Headers with helmet (baseline) HTTP Logging Middleware (what to log) Express Best Practices Checklist Standard Error Response Format in Express Request Validation Pattern (DTO + schema)
API Design
REST vs RPC: Picking the Right Style Resource Modeling: URLs, nouns, and hierarchy DTOs: Input/Output Shapes That Don’t Leak Internals API Versioning Without Chaos Pagination Patterns (cursor vs offset) Filtering & Sorting Patterns Consistent Error Responses (problem details style) Idempotency for Real APIs (POST without duplicates) OpenAPI/Swagger: Practical Documentation Workflow Auth Integration Points (where auth belongs) Node APIs with Frontend Apps (CORS, cookies, tokens) API Rate Limiting Strategy (Concept) Caching Basics for APIs (Where It Fits)
Database Integration
Connection Pooling Transactions Raw SQL vs Query Builder Repository Pattern Migration Strategy Indexing Basics N+1 Query Problem When MongoDB Makes Sense MongoDB Query Patterns Preventing SQL Injection DB Connection Lifecycle (Open/Close, Pool Hygiene) Query Timeouts and Slow Query Diagnosis
Auth Overview
Session vs JWT Password Hashing Basics Refresh Token Flow (Concept) Auth Middleware Pattern Role-Based Access Control Permission Modeling Cookies vs Authorization Header Common Auth Mistakes
Errors & Logging
Operational vs Programmer Errors Centralized Error Handling Structured Logging Correlation IDs Log Redaction Metrics Basics Monitoring & Alerts Debugging Production HTTP Access Logs (what to capture) Tracing Overview (OpenTelemetry concept)
Testing
Why Testing Matters Node Test Runner Unit Testing Integration Testing Testing Express APIs Mocking Strategy Fixtures & Test Data CI Testing Strategy
Performance
Event Loop Lag Profiling CPU & Memory Cluster Module Worker Threads Child Process Memory Leak Detection Scaling Strategy
Deployment
Environment Strategy Process Managers (PM2) Docker Basics CI/CD Basics Reverse Proxy Concept Production Checklist Health Checks & Readiness Probes
Architecture Patterns
Layered Architecture Clean Architecture in Node Feature-Based Structure Monolith vs Microservices API Gateway Concept Event-Driven Architecture Production Folder Template Boundaries & Dependency Direction (Practical)

Managing Dependencies: Semver, Updates, and Audits

Learn how to manage dependencies safely with semver, lockfiles, audits, and update strategies to keep Node.js backends stable in production.
On this page

Why Dependency Management Is Production Work

Most backend incidents are not caused by your code alone. They are caused by dependency changes, transitive vulnerabilities, or breaking updates. Dependency management is part of system reliability.

SemVer Basics

Most Node packages use Semantic Versioning: MAJOR.MINOR.PATCH.

  • MAJOR: breaking changes
  • MINOR: new features, backwards compatible
  • PATCH: bug fixes

Version Ranges in package.json

Common patterns:

  • ^1.2.3 allows minor updates (1.x.x)
  • ~1.2.3 allows patch updates (1.2.x)
  • 1.2.3 pins exact version

Why Lockfiles Matter

package-lock.json pins the full dependency tree. Without it, two developers can install different versions and get different behavior.

Deterministic Installs with npm ci

npm ci

Use npm ci in CI/CD to reproduce the exact locked dependency tree.

Transitive Dependencies

You may not import a package directly, but your dependencies do. A vulnerability can appear deep in the tree.

Auditing

npm audit

Audit checks known vulnerabilities in your dependency graph.

Update Strategy

  • Patch updates: usually safe, still test
  • Minor updates: schedule, test in staging
  • Major updates: treat as a project, plan migration

Production Rule: Update with a Process

Do not “randomly update packages” on a production backend. Have a workflow:

  • Update in a branch
  • Run tests
  • Deploy to staging
  • Monitor
  • Promote to production

Reducing Dependency Risk

  • Keep dependency count low
  • Avoid heavy libraries for small tasks
  • Prefer well-maintained packages
  • Be cautious with abandoned packages

Pinning Node Version

Dependencies behave differently across Node versions. Pin Node in production and keep it aligned with your CI.

JS Note

Dependency behavior is runtime behavior. TypeScript does not protect you from runtime breaking changes in dependencies.

Next Step

Next we will discuss monorepos: when they help, when they hurt, and what “good structure” looks like for growing codebases.

Monorepo Basics (When It Helps, When It Hurts) →