DEV Community: Khalid Attar The latest articles on DEV Community by Khalid Attar (@khalid_attar_f0b87efdc31d). https://dev.to/khalid_attar_f0b87efdc31d https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3859987%2F6954d509-890b-4f34-a3cd-5db55b40d123.png DEV Community: Khalid Attar https://dev.to/khalid_attar_f0b87efdc31d en I built a PR merge gate for NestJS backends — scanned a 137-star ecommerce repo and found 58 violations including a silent authorization bypass Khalid Attar Fri, 03 Apr 2026 21:45:52 +0000 https://dev.to/khalid_attar_f0b87efdc31d/i-built-a-pr-merge-gate-for-nestjs-backends-scanned-a-137-star-ecommerce-repo-and-found-58-2dh8 https://dev.to/khalid_attar_f0b87efdc31d/i-built-a-pr-merge-gate-for-nestjs-backends-scanned-a-137-star-ecommerce-repo-and-found-58-2dh8 <p>🔗 <a href="https://www.technicaldebtradar.com" rel="noopener noreferrer">technicaldebtradar.com</a></p> <p>I built <strong>Technical Debt Radar</strong> — a tool that blocks PR merges when it finds dangerous patterns in NestJS backends. Not a linter. Actual enforcement.</p> <p>To validate it, I scanned a real 137-star NestJS + Mongoose ecommerce project.</p> <h2> Results </h2> <p>58 violations — 8 blocking the merge gate:</p> <ul> <li>Architecture: 9 (circular deps, cross-module violations)</li> <li>Reliability: 22 (missing error handling)</li> <li>Performance: 7 (unbounded queries, no pagination)</li> <li>Runtime Risk: 4 (fetch without timeout, ReDoS)</li> <li>Maintainability: 16 (dead code, unused exports)</li> </ul> <h2> The Real Bug </h2> <p>The code checked if a user purchased a product before allowing a review:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">hasPurchased</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">orderModel</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">user</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="dl">'</span><span class="s1">orderItems.productId</span><span class="dl">'</span><span class="p">:</span> <span class="nx">id</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">delivered</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ← field doesn't exist in schema</span> <span class="p">});</span> </code></pre> </div> <p>The correct field is <code>isDelivered: boolean</code>. This query always returns null — anyone could review any product without purchasing it. Silent, no error thrown.</p> <h2> Auto-Fix </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>radar fix <span class="nt">--auto</span> </code></pre> </div> <ul> <li>47 violations fixed automatically</li> <li>Debt score: 200 → 15</li> <li>Gate result: ✅ PASS</li> </ul> <h2> Try It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx technical-debt-radar scan <span class="nb">.</span> </code></pre> </div> <p>Free plan — 5 scans/month, no credit card required.</p> <p><em>Happy to scan any public NestJS repo. What patterns do you wish your linter caught?</em></p> nestjs webdev typescript node