AI Skill Report Card

Reviewing NestJS Applications

Grade B+ · 78 · May 4, 2026 · Source: Web
YAML
---
name: reviewing-nestjs-applications
description: Reviews NestJS applications for security vulnerabilities, API design issues, performance problems, and code quality. Use when auditing NestJS codebases or reviewing pull requests.
---

Quick Start

Shell
# Security audit checklist for a NestJS app
npm audit && npm run lint
grep -r "process.env" src/ --include="*.ts"      # Check env usage
grep -r "@Public()" src/ --include="*.ts"        # Review public endpoints
grep -r "ValidationPipe" src/ --include="*.ts"   # Verify input validation

Workflow

Progress:

  • Security audit (authentication, authorization, input validation)
  • API design review (REST conventions, DTOs, documentation)
  • Code structure analysis (modules, services, controllers)
  • Performance assessment (database queries, caching, middleware)
  • Testing coverage verification
  • Configuration and environment review

1. Security Audit

Check authentication/authorization:

TypeScript
// Look for proper guard usage (class wrapper added so the decorators have a target)
@UseGuards(JwtAuthGuard, RolesGuard)
@Roles(Role.ADMIN)
@Controller('admin')
export class AdminController {
  // Verify input validation
  @Post()
  create(@Body(ValidationPipe) createDto: CreateUserDto) {}
}

Scan for vulnerabilities:

  • SQL injection in raw queries
  • Missing rate limiting
  • Exposed sensitive data in responses
  • Improper CORS configuration

2. API Design Review

Check endpoint structure:

TypeScript
// Good: RESTful design
GET    /users
POST   /users
GET    /users/:id
PATCH  /users/:id
DELETE /users/:id

// Bad: Non-RESTful
POST /getUserById
GET  /deleteUser/:id

Verify DTOs and validation:

TypeScript
import { IsEmail, IsNotEmpty, IsString, MinLength, Matches } from 'class-validator';

export class CreateUserDto {
  @IsEmail()
  @IsNotEmpty()
  email: string;

  @IsString()
  @MinLength(8)
  @Matches(/^(?=.*[A-Za-z])(?=.*\d)/) // at least one letter and one digit
  password: string;
}

3. Code Structure Analysis

Review module organization:

TypeScript
@Module({
  imports: [TypeOrmModule.forFeature([User])],
  controllers: [UserController],
  providers: [UserService],
  exports: [UserService], // Only export what's needed
})
export class UserModule {} // module class added as the decorator target

Check dependency injection patterns:

TypeScript
// Good: Interface-based injection. TypeScript interfaces are erased at runtime,
// so Nest needs an explicit token; USER_SERVICE stands for the token the module
// registers for IUserService.
constructor(
  @Inject(USER_SERVICE) private readonly userService: IUserService,
  private readonly logger: Logger,
) {}

4. Performance Review

Database query optimization:

TypeScript
// Check for N+1 queries: load relations in the same query instead of one per row
const users = await this.userRepository.find({
  relations: ['posts', 'profile'], // Eager loading
});

// Look for proper indexing hints in entities (entity class added as the decorator target)
@Entity()
@Index(['email']) // Add missing indexes
export class User {}
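To make the N+1 pattern in this step measurable rather than merely recognizable, the following is an added example, not code from the report card, NestJS or TypeORM: a fake repository that counts round trips stands in for the database, and the per-row loop from the checklist is compared with a single batched load (the equivalent of `WHERE user_id IN (...)`). `FakeDb`, `User`, `Post` and the sample rows are constructed for the illustration.

```typescript
// Added example (not from the original report card): a fake repository with a
// query counter makes the N+1 pattern from the review checklist measurable.
// User, Post, FakeDb and the sample rows are constructed for this illustration.

interface User { id: number; name: string; posts?: Post[] }
interface Post { id: number; userId: number; title: string }

// Constructed sample data standing in for database tables.
const USERS: User[] = [
  { id: 1, name: 'alice' },
  { id: 2, name: 'bob' },
  { id: 3, name: 'carol' },
];
const POSTS: Post[] = [
  { id: 10, userId: 1, title: 'hello' },
  { id: 11, userId: 1, title: 'again' },
  { id: 12, userId: 3, title: 'notes' },
];

// Every method increments queryCount once, like one round trip to the DB.
class FakeDb {
  queryCount = 0;
  async findUsers(): Promise<User[]> {
    this.queryCount++;
    return USERS.map(u => ({ ...u }));
  }
  async findPostsByUserId(userId: number): Promise<Post[]> {
    this.queryCount++;
    return POSTS.filter(p => p.userId === userId);
  }
  // Equivalent of `WHERE user_id IN (...)`: one query for any number of users.
  async findPostsByUserIds(userIds: number[]): Promise<Post[]> {
    this.queryCount++;
    const wanted = new Set(userIds);
    return POSTS.filter(p => wanted.has(p.userId));
  }
}

// The pattern flagged in the checklist: one query per user inside a loop,
// so the number of round trips grows with the number of rows.
async function getUsersNPlusOne(db: FakeDb): Promise<User[]> {
  const users = await db.findUsers();
  for (const user of users) {
    user.posts = await db.findPostsByUserId(user.id);
  }
  return users;
}

// The fix: fetch all posts in one batched query and group them in memory.
// Two round trips regardless of how many users there are.
async function getUsersBatched(db: FakeDb): Promise<User[]> {
  const users = await db.findUsers();
  const posts = await db.findPostsByUserIds(users.map(u => u.id));
  const byUser = new Map<number, Post[]>();
  for (const p of posts) {
    const list = byUser.get(p.userId) ?? [];
    list.push(p);
    byUser.set(p.userId, list);
  }
  for (const user of users) user.posts = byUser.get(user.id) ?? [];
  return users;
}

// Runs both strategies on fresh counters, checks they return identical data,
// and reports how many round trips each needed.
async function compareQueryCounts(): Promise<{ nPlusOne: number; batched: number }> {
  const a = new FakeDb();
  const b = new FakeDb();
  const naive = await getUsersNPlusOne(a);
  const batched = await getUsersBatched(b);
  if (JSON.stringify(naive) !== JSON.stringify(batched)) {
    throw new Error('both strategies must return identical data');
  }
  return { nPlusOne: a.queryCount, batched: b.queryCount };
}
```

With three users the loop costs four round trips and the batched version two; with a thousand users the gap becomes 1001 versus 2, which is why the review treats a repository call inside a `for` loop as a finding in its own right.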

Examples

Example 1: Security Issue

Input:

TypeScript
@Get(':id')
getUser(@Param('id') id: string) {
  return this.userService.findById(id);
}

Output: Missing validation pipe, no authorization guard, potential data exposure

Example 2: API Design Issue

Input:

TypeScript
@Post('get-user-data')
getUserData(@Body() data: any) {}

Output: Should be GET request, specific DTO needed, RESTful endpoint naming required

Example 3: Performance Issue

Input:

TypeScript
async getUsers() {
  const users = await this.userRepository.find();
  for (const user of users) {
    user.posts = await this.postRepository.findByUserId(user.id);
  }
  return users;
}

Output: N+1 query problem, use eager loading or single query with joins
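The Security Audit checks (guards, validation pipes, `any`-typed bodies) and the API-design check in Example 2 lend themselves to a first automated pass before a reviewer reads the code. The checker below is an added example, not part of the report card or of NestJS: a heuristic, line-based scanner over controller source that emits the findings of Examples 1 and 2. The rule ids, the `Finding` shape and the sample controller it reads (Examples 1 and 2 plus one compliant handler) are constructed for the illustration.

```typescript
// Added example (not from the original report card): a heuristic, line-based
// checker that applies the review's security and API-design checks to NestJS
// controller source. It triages a pull request; it does not replace reading
// the code. All names and the sample controller are constructed.

interface Finding {
  handler: string; // method the finding applies to
  rule: string;    // short rule id
  message: string;
}

const HTTP_DECORATOR = /@(Get|Post|Put|Patch|Delete)\(\s*(?:['"`]([^'"`]*)['"`])?\s*\)/;
const PIPES = /Parse\w+Pipe|ValidationPipe/;
// Paths that encode an action instead of naming a resource, per HTTP verb.
const VERB_MISMATCH: Record<string, RegExp> = {
  Post: /^(get|find|list|fetch)/i,
  Get: /delete|remove|update|create/i,
};

function reviewControllerSource(src: string): Finding[] {
  const lines = src.split('\n');
  const findings: Finding[] = [];
  let classGuarded = false;
  let i = 0;

  // A class-level @UseGuards covers every handler in the controller.
  for (; i < lines.length && !/\bclass\b/.test(lines[i]); i++) {
    if (lines[i].includes('@UseGuards(')) classGuarded = true;
  }

  for (; i < lines.length; i++) {
    const m = HTTP_DECORATOR.exec(lines[i]);
    if (!m) continue;
    const verb = m[1];
    const path = m[2] ?? '';
    // The handler block: decorators stacked above the route decorator, the
    // route decorator itself, and the signature line (the first line with '{').
    let start = i;
    while (start > 0 && lines[start - 1].trim().startsWith('@')) start--;
    let end = i;
    while (end < lines.length - 1 && !lines[end].includes('{')) end++;
    const block = lines.slice(start, end + 1);
    const text = block.join('\n');
    const name = /^\s*(?:async\s+)?(\w+)\s*\(/.exec(block[block.length - 1])?.[1]
      ?? `<${verb} ${path}>`;

    if (text.includes('@Public()')) {
      findings.push({ handler: name, rule: 'public-endpoint',
        message: 'explicitly public; confirm it must be reachable without a guard' });
    } else if (!classGuarded && !text.includes('@UseGuards(')) {
      findings.push({ handler: name, rule: 'missing-guard',
        message: 'no @UseGuards at class or handler level' });
    }
    if (/@Body\([^)]*\)\s*\w+\s*:\s*any\b/.test(text)) {
      findings.push({ handler: name, rule: 'untyped-body',
        message: '@Body() typed as any; use a DTO class with class-validator decorators' });
    }
    if (text.includes('@Param(') && !PIPES.test(text)) {
      findings.push({ handler: name, rule: 'unvalidated-param',
        message: '@Param() without ParseIntPipe, ParseUUIDPipe or ValidationPipe' });
    }
    if (VERB_MISMATCH[verb]?.test(path)) {
      findings.push({ handler: name, rule: 'verb-mismatch',
        message: `${verb} '${path}' puts the action in the path; use the verb plus a resource noun` });
    }
    i = end;
  }
  return findings;
}

// Constructed sample: Examples 1 and 2 from the report card plus one handler
// that passes every check.
const SAMPLE_CONTROLLER = `
@Controller('users')
export class UserController {
  constructor(private readonly userService: UserService) {}

  @Get(':id')
  getUser(@Param('id') id: string) {
    return this.userService.findById(id);
  }

  @Post('get-user-data')
  getUserData(@Body() data: any) {}

  @UseGuards(JwtAuthGuard)
  @Patch(':id')
  update(@Param('id', ParseUUIDPipe) id: string, @Body(ValidationPipe) dto: UpdateUserDto) {}
}
`;

// Returns the findings for the sample so callers can inspect or assert on them.
function reviewSample(): Finding[] {
  return reviewControllerSource(SAMPLE_CONTROLLER);
}
```

On the sample, `getUser` is reported for a missing guard and an unpiped `@Param()`, `getUserData` for a missing guard, an `any` body and a `POST` path that names an action, and `update` produces nothing. A global `ValidationPipe` registered in `main.ts` or a global guard would make some of these findings false positives, which is why the output is a triage list for the reviewer rather than a verdict.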

Best Practices

Security:

  • Always use ValidationPipe with whitelist: true
  • Implement rate limiting with @nestjs/throttler
  • Use Helmet for security headers
  • Sanitize all database queries
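Why the first bullet matters in practice: the following added example, not from the report card or from NestJS, models what `ValidationPipe`'s `whitelist` and `forbidNonWhitelisted` options do to a request body. The allowed-key set stands in for the decorated properties of the page's `CreateUserDto` (Nest derives it from class-validator metadata); the tampered body, `whitelistBody` and `BadRequestError` are constructed for the illustration.

```typescript
// Added example (not from the original report card): models what
// ValidationPipe's `whitelist` and `forbidNonWhitelisted` options do to a
// request body, so the mass-assignment risk behind "always use whitelist: true"
// is visible. The allowed-key set stands in for the DTO's decorated properties,
// which Nest reads from class-validator metadata. All names are constructed.

interface WhitelistOptions {
  forbidNonWhitelisted?: boolean; // reject the request instead of silently stripping
}

class BadRequestError extends Error {
  constructor(public readonly unknownKeys: string[]) {
    super(`property ${unknownKeys.join(', ')} should not exist`);
  }
}

// Keys the CreateUserDto on the page declares with validation decorators.
const CREATE_USER_DTO_KEYS: ReadonlySet<string> = new Set(['email', 'password']);

// whitelist: drop every key the DTO does not declare.
// forbidNonWhitelisted: additionally fail the request and name the offending keys.
function whitelistBody<T extends Record<string, unknown>>(
  body: Record<string, unknown>,
  allowedKeys: ReadonlySet<string>,
  opts: WhitelistOptions = {},
): T {
  const unknown = Object.keys(body).filter(k => !allowedKeys.has(k));
  if (opts.forbidNonWhitelisted && unknown.length > 0) {
    throw new BadRequestError(unknown);
  }
  const clean: Record<string, unknown> = {};
  for (const k of Object.keys(body)) {
    if (allowedKeys.has(k)) clean[k] = body[k];
  }
  return clean as T;
}

// Constructed request body: the two declared fields plus two that no client
// should be able to set. Without a whitelist they reach the service unchanged,
// and a naive `repository.save(dto)` would persist them.
const TAMPERED_BODY: Record<string, unknown> = {
  email: 'alice@example.com',
  password: 'correct-horse-7',
  role: 'admin',
  isVerified: true,
};

// whitelist: true behaviour: returns only the declared fields.
function demoStripUnknown(): Record<string, unknown> {
  return whitelistBody(TAMPERED_BODY, CREATE_USER_DTO_KEYS);
}

// forbidNonWhitelisted: true behaviour: returns the keys the rejection names.
function demoForbidUnknown(): string[] {
  try {
    whitelistBody(TAMPERED_BODY, CREATE_USER_DTO_KEYS, { forbidNonWhitelisted: true });
    return [];
  } catch (e) {
    return e instanceof BadRequestError ? e.unknownKeys : ['unexpected error'];
  }
}
```

Stripping is the quiet default; rejecting with `forbidNonWhitelisted: true` is more useful during review because the 400 responses make clients that send undeclared fields visible in logs instead of silently losing data.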

API Design:

  • Follow RESTful conventions consistently
  • Use OpenAPI decorators for documentation
  • Implement proper error handling with filters
  • Version APIs from the start

Code Quality:

  • Single responsibility principle for services
  • Use interfaces for better testability
  • Implement proper logging with Winston
  • Follow NestJS module boundaries

Performance:

  • Use caching for expensive operations
  • Implement pagination for large datasets
  • Monitor database query performance
  • Use compression middleware

Common Pitfalls

Security Mistakes:

  • Forgetting @UseGuards() on sensitive endpoints
  • Using any type instead of proper DTOs
  • Not validating array inputs properly
  • Exposing internal error details

Architecture Issues:

  • Circular dependencies between modules
  • Direct database access in controllers
  • Missing error boundaries
  • Tight coupling between services

Performance Problems:

  • N+1 database queries
  • Missing database indexes
  • Synchronous operations blocking event loop
  • Lack of connection pooling

Testing Gaps:

  • Missing integration tests for critical paths
  • Not mocking external dependencies
  • Insufficient error case coverage
  • No performance benchmarks
Grade B+

AI Skill Framework Scorecard

Criteria Breakdown:

  • Quick Start: 15/15
  • Workflow: 14/15
  • Examples: 18/20
  • Completeness: 18/20
  • Format: 15/15
  • Conciseness: 13/15