This project uses Husky and lint-staged to automatically check your code before commits. This ensures code quality, security, and consistency.
The pre-commit hook runs automatically before every commit and performs these checks:
- Prevents `.env` files from being committed
  - Blocks `.env` and `.env.local` files; these contain secrets and should never be in git
  - For production, use secrets managers (GitHub Secrets, AWS Secrets Manager, etc.)
- Detects hardcoded secrets
  - Scans for patterns like `password=`, `secret:`, `api_key`, `token`, etc.
  - Prevents accidental credential leaks
  - Can be bypassed with `--no-verify` if needed (not recommended)
- Runs ESLint on staged files
  - Auto-fixes fixable issues (spacing, formatting)
  - Reports unfixable issues that must be corrected manually
  - Uses a security-focused ESLint configuration
  - Fails the commit if errors are found
- Validates `package-lock.json` sync
  - If `package.json` changes, `package-lock.json` must also change
  - Ensures the dependency lockfile stays in sync
  - Prevents inconsistent installs
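The following is an added example of how a Husky-style pre-commit script can implement the `.env` block, the hardcoded-secret scan and the lockfile sync check described above. It is not this project's actual hook: the file name `.husky/pre-commit`, the function names and the secret pattern list are assumptions, and the pattern is a constructed approximation of the `password=`, `secret:`, `api_key`, `token` examples given on this page.

```sh
#!/bin/sh
# Added example (not this project's actual hook): a Husky-style pre-commit
# script implementing three of the checks above - blocked .env files, a
# hardcoded-secret pattern scan, and package.json/package-lock.json sync.
# Assumptions: it is installed as .husky/pre-commit, and SECRET_PATTERN is a
# constructed approximation of the page's "password=, secret:, api_key, token".

# Case-insensitive ERE: a secret-looking key followed by a quoted literal.
# Requiring the quote keeps `password = process.env.PASSWORD` from matching.
SECRET_PATTERN="(password|passwd|secret|api_key|apikey|token)[\"']?[[:space:]]*[=:][[:space:]]*[\"']"

# check_env_files STAGED_PATHS -> 1 if any staged path is .env or .env.*
check_env_files() {
  if printf '%s\n' "$1" | grep -E -q '(^|/)\.env(\..*)?$'; then
    echo "pre-commit: .env file staged; unstage it with: git rm --cached <file>" >&2
    return 1
  fi
  return 0
}

# check_secrets CONTENT -> 1 if the content matches SECRET_PATTERN
check_secrets() {
  if printf '%s\n' "$1" | grep -E -i -q "$SECRET_PATTERN"; then
    echo "pre-commit: possible hardcoded secret in staged changes" >&2
    return 1
  fi
  return 0
}

# check_lockfile_sync STAGED_PATHS -> 1 if package.json is staged without package-lock.json
check_lockfile_sync() {
  if printf '%s\n' "$1" | grep -q -x 'package.json'; then
    if ! printf '%s\n' "$1" | grep -q -x 'package-lock.json'; then
      echo "pre-commit: package.json changed but package-lock.json did not; run npm install" >&2
      return 1
    fi
  fi
  return 0
}

# run_pre_commit: the git-backed driver. It reads the index (git show :path),
# not the working tree, so partially staged files are checked as committed.
run_pre_commit() {
  staged=$(git diff --cached --name-only --diff-filter=ACM)
  check_env_files "$staged" || return 1
  check_lockfile_sync "$staged" || return 1
  printf '%s\n' "$staged" | while IFS= read -r f; do
    case "$f" in
      *.js|*.ts|*.json|*.yml|*.yaml) check_secrets "$(git show ":$f")" || exit 1 ;;
    esac
  done || return 1
  echo "pre-commit: all checks passed"
  return 0
}

# Only run the driver when git executes this file as the hook.
if [ "${0##*/}" = "pre-commit" ]; then
  run_pre_commit
fi
```

Two design points worth noting: the path pattern blocks every `.env.*` name, including `.env.example`, which matches the `.env*` glob in the lint-staged configuration on this page, and the secret scan only reports a keyword followed by a quoted literal, so references to `process.env` pass while `password = "..."` does not. A pattern scan of this kind is a last line of defence, not a substitute for keeping secrets in a secrets manager.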
The commit-msg hook validates commit messages for clarity:
- Minimum 10 characters for simple messages
- Recommended format: `<type>(<scope>): <subject>`
- Examples:
  - `feat(auth): add JWT token refresh`
  - `fix(validation): handle null values correctly`
  - `security: fix SQL injection vulnerability`
  - `docs(readme): update installation steps`
- Valid types: feat, fix, docs, style, refactor, perf, test, chore, security, ci
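As an added example (not this project's own hook), the rules above can be enforced by a small commit-msg script. The file name `.husky/commit-msg` and the function name are assumptions, and the example treats the recommended `<type>(<scope>): <subject>` format as mandatory, since the summary table on this page lists the format as a check; the `wip` prefix bypass follows the bypass example shown further down.

```sh
#!/bin/sh
# Added example (not this project's actual hook): a commit-msg check that
# applies the rules above - minimum length, <type>(<scope>): <subject>
# format with the listed types, and the "wip" bypass from the examples.
# Assumption: installed as .husky/commit-msg; the recommended format is
# treated as mandatory here.

VALID_TYPES='feat|fix|docs|style|refactor|perf|test|chore|security|ci'

# validate_commit_message MESSAGE -> 0 if acceptable, 1 otherwise
validate_commit_message() {
  # Judge the subject line only; drop the comment lines git adds in the editor
  subject=$(printf '%s\n' "$1" | grep -v '^#' | sed -n '1p')

  # "wip" subjects skip the format check (see the bypass example on this page)
  case "$subject" in
    wip*|WIP*)
      echo "commit-msg: wip commit, format check skipped" >&2
      return 0 ;;
  esac

  # Rule 1: at least 10 characters
  if [ "${#subject}" -lt 10 ]; then
    echo "commit-msg: message too short (minimum 10 characters)" >&2
    return 1
  fi

  # Rule 2: <type>(<scope>): <subject>, scope optional, type from VALID_TYPES
  if ! printf '%s\n' "$subject" | grep -E -q "^($VALID_TYPES)(\([a-z0-9_-]+\))?: .+"; then
    echo "commit-msg: expected '<type>(<scope>): <subject>' with type one of: $VALID_TYPES" >&2
    return 1
  fi
  return 0
}

# When git runs this file as the hook, $1 is the path to the message file.
if [ "${0##*/}" = "commit-msg" ]; then
  validate_commit_message "$(cat "$1")"
fi
```

Only the first non-comment line is checked, so a longer body is free-form; the type list is anchored with `^` so a message such as `hack(auth): ...` is rejected rather than matched somewhere in the middle.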
The hooks are automatically installed when you run:

```sh
npm install
```

This runs the `prepare` script, which executes `husky install`.
```sh
# Make changes
git add src/auth/jwt.js

# Try to commit
git commit -m "fix(jwt): improve token validation"

# Pre-commit hook runs automatically:
# 1. Checks for .env files
# 2. Scans for hardcoded secrets
# 3. Runs ESLint (auto-fixes some issues)
# 4. Checks package-lock.json
# 5. Validates commit message
# If all pass, commit succeeds!
```

If ESLint fails:

```sh
# Review the errors
npm run lint

# Fix automatically (some issues only)
npx eslint src --fix

# Stage the fixed files
git add src/

# Try commit again
git commit -m "fix: lint issues"
```

Only use if absolutely necessary:

```sh
# Bypass all pre-commit checks
git commit --no-verify -m "fix: emergency patch"

# Bypass only the commit message check
git commit -m "wip: work in progress" # Triggers "wip" bypass
```

The ESLint configuration is located in `.eslintrc.cjs` (if you create one). The default setup includes:
- Security plugin checks
- Best practices
- No hardcoded secrets
In `package.json`:

```json
"lint-staged": {
  "src/**/*.js": [
    "eslint --fix",
    "eslint"
  ],
  ".env*": [
    "git rm --cached"
  ]
}
```

```sh
npm install
# or
npm ci
```

```sh
# Reinstall hooks
npm run prepare
# or
npx husky install
```

```sh
# Check all files
npm run lint
# Fix what you can
npx eslint src --fix
# See remaining issues
npm run lint
```

- Update your `.env.local` locally (don't commit)
- For development: keep `.env.local` local, never commit it
- For production: use secrets managers (GitHub Secrets, AWS Secrets Manager, etc.) to manage environment variables
```sh
# Stop tracking the file (careful! it remains in earlier commits)
git rm --cached .env
git commit -m "chore: remove .env from tracking"

# Add to .gitignore if not already there
echo ".env*" >> .gitignore
git add .gitignore
git commit -m "chore: add .env to gitignore"

# Force push if needed (only if no one else pulled)
git push --force-with-lease
```

| Check | Type | Bypass | Risk |
|---|---|---|---|
| `.env` files blocked | 🔒 Error | ❌ No | Critical - Secrets leak |
| Hardcoded secrets | | ✓ Yes | High - Credentials exposed |
| ESLint | | ✓ Yes | Medium - Code quality |
| `package-lock.json` sync | 🔒 Error | ❌ No | High - Version inconsistency |
| Commit message format | | ✓ Yes | Low - History clarity |
- Always fix ESLint issues locally
  - Don't bypass lint checks
  - Better code quality = fewer bugs
- Never bypass `.env` checks
  - This prevents accidental secret leaks
  - For production, use secrets managers (GitHub Secrets, AWS Secrets Manager, etc.)
- Write meaningful commit messages
  - Helps with git history and debugging
  - Team members can understand changes
- Keep dependencies updated
  - Always run `npm install` after modifying `package.json`
  - Hooks prevent out-of-sync lockfiles