The latest articles on DEV Community by Sandeep Bansod (@sandeepbansod). https://dev.to/sandeepbansod https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3862004%2F98e0b4d6-409e-4e2a-a1af-9d4e79da48f2.png https://dev.to/sandeepbansod en Sandeep Bansod Fri, 17 Apr 2026 08:11:19 +0000 https://dev.to/sandeepbansod/we-deployed-a-small-fix-and-took-down-production-heres-what-actually-happened-4ph8 https://dev.to/sandeepbansod/we-deployed-a-small-fix-and-took-down-production-heres-what-actually-happened-4ph8 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxzzho4invcpl57ngo29n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxzzho4invcpl57ngo29n.png" alt=" " width="800" height="533"></a></p> <p>A minor backend change caused a production outage, high CPU usage, and API failures. Here's how it happened, what we missed, and how we fixed it.</p> <h2> The Incident </h2> <p>It started as a simple task.</p> <blockquote> <p>"Just add one more field to the API response."</p> </blockquote> <p>No major logic change. No risky deployment.<br> Just a small enhancement.</p> <p>We deployed it to production… and within minutes:</p> <ul> <li>API response time jumped from 120ms → 5s</li> <li>CPU usage hit 95%</li> <li>Some endpoints started timing out</li> <li>Users began reporting failures</li> </ul> <p>At first, nothing made sense.</p> <h2> What Changed? </h2> <p>Here's the actual change:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Before</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">isActive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="c1">// After</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">isActive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">.</span><span class="nf">populate</span><span class="p">(</span><span class="dl">"</span><span class="s2">orders</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>Looks harmless, right?</p> <p>That <code>.populate("orders")</code> was the killer.</p> <h2> The Real Problem </h2> <p>Each user had <strong>multiple orders</strong>.</p> <p>So instead of:</p> <ul> <li>1 query</li> </ul> <p>We now had:</p> <ul> <li>1 query + N additional queries (for each user)</li> </ul> <p>This is called:</p> <blockquote> <p>N+1 Query Problem</p> </blockquote> <p>With ~2,000 users:</p> <ul> <li>That turned into <strong>2,001 database queries per request</strong> </li> </ul> <h2> Why It Broke Production </h2> <ul> <li>MongoDB connections got saturated</li> <li>CPU usage spiked due to excessive queries</li> <li>API latency exploded</li> <li>Node.js event loop got blocked</li> </ul> <p>Even worse:</p> <ul> <li>This endpoint was used in the dashboard</li> <li>Every page load triggered this heavy query</li> </ul> <h2> Why We Didn't Catch It </h2> <p>Because:</p> <ul> <li>Local data was small (10–20 users)</li> <li>No load testing</li> <li>No query monitoring in staging</li> <li>No performance checks before deploy</li> </ul> <p>Everything worked "fine" locally.</p> <h2> The Fix </h2> <p>We replaced <code>.populate()</code> with a controlled query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">isActive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}).</span><span class="nf">lean</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">userIds</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">u</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">_id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">orders</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Order</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="p">{</span> <span class="na">$in</span><span class="p">:</span> <span class="nx">userIds</span> <span class="p">}</span> <span class="p">}).</span><span class="nf">lean</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">ordersMap</span> <span class="o">=</span> <span class="nx">orders</span><span class="p">.</span><span class="nf">reduce</span><span class="p">((</span><span class="nx">acc</span><span class="p">,</span> <span class="nx">order</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">acc</span><span class="p">[</span><span class="nx">order</span><span class="p">.</span><span class="nx">userId</span><span class="p">]</span> <span class="o">=</span> <span class="nx">acc</span><span class="p">[</span><span class="nx">order</span><span class="p">.</span><span class="nx">userId</span><span class="p">]</span> <span class="o">||</span> <span class="p">[];</span> <span class="nx">acc</span><span class="p">[</span><span class="nx">order</span><span class="p">.</span><span class="nx">userId</span><span class="p">].</span><span class="nf">push</span><span class="p">(</span><span class="nx">order</span><span class="p">);</span> <span class="k">return</span> <span class="nx">acc</span><span class="p">;</span> <span class="p">},</span> <span class="p">{});</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">user</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="p">...</span><span class="nx">user</span><span class="p">,</span> <span class="na">orders</span><span class="p">:</span> <span class="nx">ordersMap</span><span class="p">[</span><span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">]</span> <span class="o">||</span> <span class="p">[]</span> <span class="p">}));</span> </code></pre> </div> <h2> Result After Fix </h2> <ul> <li>API response time: <strong>5s → 180ms</strong> </li> <li>DB queries: <strong>2000+ → 2 queries</strong> </li> <li>CPU usage normalized</li> <li>System stable again</li> </ul> <h2> Lessons Learned </h2> <h3> 1. Never trust <code>.populate()</code> blindly </h3> <p>It looks simple but can be expensive at scale.</p> <h3> 2. Always think in queries </h3> <p>Ask yourself:</p> <blockquote> <p>"How many DB calls will this line generate?"</p> </blockquote> <h3> 3. Test with realistic data </h3> <p>Your local environment lies.</p> <h3> 4. Add performance monitoring </h3> <p>Track:</p> <ul> <li>query count</li> <li>response time</li> <li>CPU usage</li> </ul> <h3> 5. Use <code>.lean()</code> when possible </h3> <p>It reduces memory overhead and improves performance.</p> <h2> Bonus: Safer Alternative Pattern </h2> <p>For large datasets:</p> <ul> <li>Use aggregation pipelines</li> <li>Use pagination</li> <li>Limit populated fields</li> <li>Cache frequently used data</li> </ul> <h2> Final Thought </h2> <blockquote> <p>Most production outages don't come from big changes.<br> They come from small changes that scale badly.</p> </blockquote> <p><em>Originally published at <a href="https://www.stackdevlife.com/blog/small-fix-broke-production-real-story" rel="noopener noreferrer">stackdevlife.com</a></em></p> mongodb node performance debugging Sandeep Bansod Sun, 12 Apr 2026 10:06:51 +0000 https://dev.to/sandeepbansod/we-ran-git-rebase-on-a-shared-branch-and-lost-three-days-of-work-4jpg https://dev.to/sandeepbansod/we-ran-git-rebase-on-a-shared-branch-and-lost-three-days-of-work-4jpg <p>It was a Thursday afternoon. Developer 1 had been working on a feature for four days. Clean commits, good code, reviewed and approved. He was about to open the final PR when he ran one command.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6tfny4t7s9xpi3ui77ka.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6tfny4t7s9xpi3ui77ka.png" alt=" "></a></p> <p><code>git rebase main</code></p> <p>Then <code>git push --force</code>.</p> <p>By the time anyone realized what had happened, four developers had lost their local branches. Two PRs were silently broken. One developer's two days of work had simply vanished from the remote. The CI pipeline was green — because it was running against old commits.</p> <p>We spent three days untangling it. Here's exactly what happened, why it happens, and how we recovered — so you don't have to learn this the same way we did.</p> <h2> What git rebase Actually Does to History </h2> <p>Most explanations of rebase start with diagrams. Let's start with the thing that matters: rebase rewrites commits. It doesn't move them. It creates brand new commits with new hashes that contain the same changes.</p> <p>Before rebase, your feature branch's commits have specific SHA hashes — say <code>a1b2c3</code> and <code>d4e5f6</code>. After you rebase onto main, those same commits become <code>x7y8z9</code> and <code>m1n2o3</code>. Different hashes. Different objects in Git's database. As far as Git is concerned, those are completely different commits.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Before rebase</span> git log <span class="nt">--oneline</span> feature/payments <span class="c"># d4e5f6 Add payment validation</span> <span class="c"># a1b2c3 Add payment model</span> <span class="c"># 9g8h7i Initial setup (base commit on main)</span> <span class="c"># After git rebase main</span> git log <span class="nt">--oneline</span> feature/payments <span class="c"># m1n2o3 Add payment validation ← new hash, same change</span> <span class="c"># x7y8z9 Add payment model ← new hash, same change</span> <span class="c"># 3k4l5m Latest commit on main</span> </code></pre> </div> <p>This is fine when the branch only exists on your machine. The problem starts the moment that branch lives on the remote and someone else has based work on it.</p> <h2> How the Disaster Unfolded </h2> <p>Here's what our team's branch situation looked like that Thursday:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>main └── feature/payments ← Developer 1's branch, pushed to remote 4 days ago └── feature/payments-ui ← Developer 2's branch, based off Developer 1's </code></pre> </div> <p>Developer 2 had been building the UI layer on top of Developer 1's branch for two days. Her local branch pointed to Developer 1's old commits — <code>a1b2c3</code> and <code>d4e5f6</code>.</p> <p>Then Developer 1 rebased and force-pushed.</p> <p>The remote <code>feature/payments</code> now had completely different commits. Developer 2's branch still pointed to the old ones — which now existed nowhere except her local machine and Git's reflog.</p> <p>When Developer 2 ran <code>git pull origin feature/payments</code>, Git saw her branch had diverged from remote. She assumed it was a normal conflict. She merged. Git dutifully merged two versions of the same code — the original and the rebased copy — creating a mess of duplicate changes, phantom conflicts, and commits that referenced parents that no longer existed on the remote.</p> <p>And because two other developers had also pulled from <code>feature/payments</code> earlier that week, their local branches were in the same broken state.</p> <h2> The Error That Should Have Stopped It </h2> <p>The actual signal was there. When Developer 1 tried to push after rebasing, Git rejected it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git push origin feature/payments <span class="c"># error: failed to push some refs to 'origin/github.com/team/repo'</span> <span class="c"># hint: Updates were rejected because the tip of your current branch is behind</span> <span class="c"># hint: its remote counterpart.</span> </code></pre> </div> <p>Git was saying: the remote has commits you don't have. Your histories have diverged. Stop.</p> <p>Instead of reading this as a warning, Developer 1 added <code>--force</code> to make it go away.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git push <span class="nt">--force</span> origin feature/payments <span class="c"># Everything up to date. ← the most dangerous success message in Git</span> </code></pre> </div> <p>The push succeeded. The damage was done.</p> <h2> How We Recovered </h2> <p>Recovery took three steps. The order matters — don't skip step one.</p> <h3> Step 1: Stop everyone from pulling or pushing immediately </h3> <p>The moment you realize a shared branch has been force-pushed, message the team. Anyone who pulls will compound the damage. Anyone who pushes will overwrite the recovery.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On Slack / Teams immediately:</span> <span class="c"># "Do NOT pull feature/payments. Do NOT push anything to it.</span> <span class="c"># Stay on your current branch. We're recovering."</span> </code></pre> </div> <h3> Step 2: Find the lost commits with git reflog </h3> <p><code>git reflog</code> is Git's black box recorder. It tracks every position HEAD has been at, including commits that are no longer reachable from any branch. On Developer 1's machine — because the original commits existed there before the rebase — reflog still had them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git reflog <span class="c"># m1n2o3 HEAD@{0}: rebase finished: returning to refs/heads/feature/payments</span> <span class="c"># x7y8z9 HEAD@{1}: rebase: Add payment model</span> <span class="c"># d4e5f6 HEAD@{2}: commit: Add payment validation ← original commit</span> <span class="c"># a1b2c3 HEAD@{3}: commit: Add payment model ← original commit</span> <span class="c"># 9g8h7i HEAD@{4}: checkout: moving from main to feature/payments</span> </code></pre> </div> <p><code>d4e5f6</code> and <code>a1b2c3</code> — the original commits — were still there in reflog. Git never actually deleted them. It just stopped pointing any branch at them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a recovery branch at the last good state</span> git checkout <span class="nt">-b</span> feature/payments-recovered d4e5f6 </code></pre> </div> <h3> Step 3: Restore the remote branch from the recovery point </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Force-push the recovered branch back to remote</span> <span class="c"># (yes, another force-push — but this time intentional and coordinated)</span> git push <span class="nt">--force-with-lease</span> origin feature/payments-recovered:feature/payments </code></pre> </div> <p>We used <code>--force-with-lease</code> instead of <code>--force</code>. This flag checks whether the remote has changed since you last fetched — if someone else has pushed in the meantime, it fails instead of overwriting. Much safer.</p> <h3> Step 4: Help teammates rebase their local branches onto the restored remote </h3> <p>Once the remote was restored, each developer on the team needed to update their local branch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Each affected developer runs:</span> git fetch origin git checkout feature/payments git reset <span class="nt">--hard</span> origin/feature/payments </code></pre> </div> <p>For Developer 2, whose branch was derived from the broken state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Find the last good commit on her branch before the bad merge</span> git log <span class="nt">--oneline</span> feature/payments-ui <span class="c"># Identify the commit just before the bad pull</span> <span class="c"># Rebase her work on top of the restored branch</span> git rebase <span class="nt">--onto</span> origin/feature/payments &lt;bad-merge-commit&gt; feature/payments-ui </code></pre> </div> <p>It took about 90 minutes of careful, coordinated work. But every commit was recovered.</p> <h2> The Actual Fix: Never Let This Happen Again </h2> <p>The root cause wasn't Developer 1 making a mistake. The root cause was that the repo allowed it.</p> <p><strong>Fix 1: Use <code>--force-with-lease</code> instead of <code>--force</code> — always</strong></p> <p><code>--force</code> overwrites whatever is on remote, no questions asked. <code>--force-with-lease</code> checks first. If the remote has commits you haven't seen, it refuses. Make this a team standard.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Never</span> git push <span class="nt">--force</span> origin feature/branch <span class="c"># Always</span> git push <span class="nt">--force-with-lease</span> origin feature/branch </code></pre> </div> <p><strong>Fix 2: Enable branch protection on shared branches</strong></p> <p>In GitHub, go to Settings → Branches → Branch protection rules. For any branch that more than one developer works from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>☑ Require pull request reviews before merging ☑ Require status checks to pass ☑ Do not allow bypassing the above settings ☑ Restrict force pushes ← this is the one that prevents the whole incident </code></pre> </div> <p>Force push to a protected branch returns an error immediately — before any damage is done.</p> <p><strong>Fix 3: The golden rule of rebase</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Only rebase branches that exist only on your machine. Once a branch is pushed and someone else might have it — merge, don't rebase. </code></pre> </div> <p>If you want a clean linear history, use squash merge when closing the PR. That gives you one clean commit on main without rewriting anyone's history mid-flight.</p> <p><strong>Fix 4: Enable <code>git rerere</code> for teams doing a lot of rebasing</strong></p> <p><code>rerere</code> — Reuse Recorded Resolution — caches how you resolve a conflict. If the same conflict appears again (which happens constantly when multiple developers are rebasing against main), Git resolves it automatically.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable globally</span> git config <span class="nt">--global</span> rerere.enabled <span class="nb">true</span> </code></pre> </div> <h2> The Takeaway </h2> <p><code>git rebase</code> is not dangerous. Force-pushing a rebased branch to a remote that others are working from is dangerous. The commands are the same. The context is what changes everything.</p> <p>The rule is simple: if your branch exists only locally, rebase freely. The moment it's pushed — especially if someone else might have pulled it — treat it as immutable. Merge onto it. Squash when you close the PR.</p> <p>And if it's already happened: breathe, message the team to stop, open reflog, and work backwards. The commits are almost certainly still there.</p> <p>Git doesn't delete things. It just stops showing them to you.</p> <h2> <em>Originally published at <a href="https://www.stackdevlife.com/blog/git-rebase-shared-branch-lost-work-fix" rel="noopener noreferrer">stackdevlife.com</a></em> </h2> git devops rebase teamworkflow Sandeep Bansod Wed, 08 Apr 2026 13:10:42 +0000 https://dev.to/sandeepbansod/esm-vs-cjs-why-your-import-still-breaks-in-2026-and-how-to-finally-fix-it-5doh https://dev.to/sandeepbansod/esm-vs-cjs-why-your-import-still-breaks-in-2026-and-how-to-finally-fix-it-5doh <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1vi7e6j4zkpinmd6hxl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1vi7e6j4zkpinmd6hxl.png" alt=" "></a></p> <p>You install a package. You import it the normal way. Node throws <code>ERR_REQUIRE_ESM</code>. You switch to <code>require()</code>. Now TypeScript complains. You add <code>"type": "module"</code> to <code>package.json</code>. Now half your other imports break. You spend two hours on Stack Overflow reading answers that contradict each other.</p> <p>This is the ESM/CJS trap. And in 2026, it's still catching experienced developers completely off guard.</p> <p>Here's everything you need to actually understand what's happening — and the exact fixes for each scenario.</p> <h2> The Root Problem: Two Module Systems That Don't Like Each Other </h2> <p>JavaScript has two completely different module systems running side by side:</p> <p><strong>CommonJS (CJS)</strong> — Node's original system, introduced in 2009. Uses <code>require()</code> and <code>module.exports</code>. Synchronous. Still the default in Node.js if you don't configure anything.</p> <p><strong>ES Modules (ESM)</strong> — The official JavaScript standard, introduced in ES2015. Uses <code>import</code> and <code>export</code>. Asynchronous. The default in browsers, and increasingly the default in Node.js and the npm ecosystem.</p> <p>The problem: they're fundamentally incompatible at the loading level. CJS loads synchronously. ESM loads asynchronously. This means:</p> <ul> <li>ESM can <code>import</code> from CJS packages — Node does the interop for you</li> <li>CJS <strong>cannot</strong> <code>require()</code> an ESM package — this is a hard error, by design</li> </ul> <p>This asymmetry is why half your googled fixes don't work. The direction of the import matters.</p> <h2> How Node Decides Which System to Use </h2> <p>Before fixing anything, you need to know how Node chooses CJS or ESM for each file. The rules are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>File extension .mjs → always ESM File extension .cjs → always CJS File extension .js → depends on nearest package.json "type" field "type": "module" → .js files are ESM "type": "commonjs" → .js files are CJS (this is the default if "type" is missing) </code></pre> </div> <p>This is the source of most confusion. The same <code>.js</code> file can be CJS or ESM depending entirely on where it lives and what the nearest <code>package.json</code> says.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check what mode a specific file runs in</span> node <span class="nt">--input-type</span><span class="o">=</span>module <span class="c"># forces ESM for stdin</span> node <span class="nt">-e</span> <span class="s2">"console.log(typeof require)"</span> <span class="c"># 'function' = CJS, 'undefined' = ESM</span> </code></pre> </div> <h2> The Five Errors You'll Actually Hit </h2> <h3> Error 1: ERR_REQUIRE_ESM </h3> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Error [ERR_REQUIRE_ESM]: require() of ES Module not supported. require() of /node_modules/some-package/index.js is not supported. </span></code></pre> </div> <p>This means you're in a CJS context trying to <code>require()</code> a package that only ships ESM. You cannot fix this with a different import syntax. Your options:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// This is what you tried</span> <span class="kd">const</span> <span class="nx">pkg</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">esm-only-package</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Option A: Use dynamic import() — works in CJS files</span> <span class="kd">const</span> <span class="nx">pkg</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">esm-only-package</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Note: this makes your function async</span> <span class="c1">// Option B: Convert your file to ESM</span> <span class="c1">// Rename file.js → file.mjs, or add "type": "module" to package.json</span> <span class="k">import</span> <span class="nx">pkg</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">esm-only-package</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Option C: Find an older version that still ships CJS</span> <span class="c1">// Check the package's CHANGELOG for when they dropped CJS</span> <span class="nx">npm</span> <span class="nx">install</span> <span class="nx">some</span><span class="o">-</span><span class="kr">package</span><span class="p">@</span><span class="nd">2</span> <span class="c1">// many packages kept CJS through v2</span> </code></pre> </div> <h3> Error 2: ERR_MODULE_NOT_FOUND with ESM </h3> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Error [ERR_MODULE_NOT_FOUND]: Cannot find module './utils' </span></code></pre> </div> <p>In CJS, Node resolves <code>./utils</code> to <code>./utils.js</code> automatically. In ESM, it does not. You must include the extension explicitly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Works in CJS, breaks in ESM</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">helper</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./utils</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">config</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./config/index</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// ESM requires explicit file extensions</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">helper</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./utils.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">config</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./config/index.js</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <p>Yes, even if the file is TypeScript. When you compile TS to ESM, the import paths need <code>.js</code> extensions in your source files — TypeScript will resolve them correctly during compilation.</p> <h3> Error 3: __dirname and __filename are not defined </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">ReferenceError</span><span class="p">:</span> <span class="nx">__dirname</span> <span class="nx">is</span> <span class="nx">not</span> <span class="nx">defined</span> <span class="k">in</span> <span class="nx">ES</span> <span class="nx">module</span> <span class="nx">scope</span> </code></pre> </div> <p>These are CJS globals. They don't exist in ESM. Here's the replacement:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// CJS-only globals</span> <span class="kd">const</span> <span class="nx">dir</span> <span class="o">=</span> <span class="nx">__dirname</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">file</span> <span class="o">=</span> <span class="nx">__filename</span><span class="p">;</span> <span class="c1">// ESM equivalent using import.meta.url</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">fileURLToPath</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">url</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">dirname</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">__filename</span> <span class="o">=</span> <span class="nf">fileURLToPath</span><span class="p">(</span><span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">__dirname</span> <span class="o">=</span> <span class="nf">dirname</span><span class="p">(</span><span class="nx">__filename</span><span class="p">);</span> <span class="c1">// Or using the newer import.meta.dirname (Node 21.2+)</span> <span class="kd">const</span> <span class="nx">dir</span> <span class="o">=</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">dirname</span><span class="p">;</span> </code></pre> </div> <h3> Error 4: Named exports break from CJS packages </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// This breaks with some CJS packages</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">readFileSync</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">some-cjs-package</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// SyntaxError: The requested module does not provide an export named 'readFileSync'</span> <span class="c1">// Use default import then destructure</span> <span class="k">import</span> <span class="nx">pkg</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">some-cjs-package</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">readFileSync</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">pkg</span><span class="p">;</span> </code></pre> </div> <p>CJS packages export a single <code>module.exports</code> object. When Node does the ESM interop, it wraps this as the default export. Named export destructuring only works if the package explicitly defines named exports in its <code>exports</code> field.</p> <h3> Error 5: Dual package hazard — the silent one </h3> <p>This one doesn't throw an error, which makes it worse. If a package ships both CJS and ESM (a dual package), and your app loads it via both code paths, you can end up with two separate instances of the module. Singletons break. State doesn't share. Caches are split.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// If somehow two paths in your app load the same package differently:</span> <span class="c1">// path A (ESM): import { store } from 'state-lib' → instance #1</span> <span class="c1">// path B (CJS): const { store } = require('state-lib') → instance #2</span> <span class="c1">// store in A and store in B are different objects</span> </code></pre> </div> <p>The fix is consistency: pick one module system for your entire app and stick to it.</p> <h2> The Real Fix: Converting a Node.js Project to Pure ESM </h2> <p>If you're starting fresh or have the bandwidth to migrate, pure ESM is the right call in 2026. Here's the complete migration checklist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">package.json</span><span class="w"> </span><span class="err">—</span><span class="w"> </span><span class="err">add</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"module"</span><span class="w"> </span><span class="err">and</span><span class="w"> </span><span class="err">update</span><span class="w"> </span><span class="err">exports</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-app"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"module"</span><span class="p">,</span><span class="w"> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./dist/index.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exports"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"."</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"import"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./dist/index.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"types"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./dist/index.d.ts"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"engines"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"node"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&gt;=18"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Before: CJS entry point</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">join</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes</span><span class="dl">'</span><span class="p">);</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">startServer</span> <span class="p">};</span> <span class="c1">// After: ESM entry point</span> <span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">join</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">router</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./routes.js</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// note: .js extension required</span> <span class="k">export</span> <span class="p">{</span> <span class="nx">startServer</span> <span class="p">};</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// tsconfig.json — TypeScript ESM config</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">compilerOptions</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">target</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ES2022</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">module</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">NodeNext</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// critical: enables ESM-aware resolution</span> <span class="dl">"</span><span class="s2">moduleResolution</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">NodeNext</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">outDir</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">./dist</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">rootDir</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">./src</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">strict</span><span class="dl">"</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>NodeNext</code> module setting in TypeScript is the key change most migration guides miss. Without it, TypeScript won't enforce the <code>.js</code> extensions in imports, and your compiled output will have missing extensions that break at runtime.</p> <h2> When You Can't Migrate: The Dynamic Import Workaround </h2> <p>If you're stuck in a CJS codebase and need to use an ESM-only package, dynamic <code>import()</code> is your escape hatch. It works in CJS files and returns a Promise.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// In a CJS file (.js without "type":"module", or .cjs)</span> <span class="c1">// Using an ESM-only package like 'chalk' v5+ or 'node-fetch' v3+</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">sendRequest</span><span class="p">(</span><span class="nx">url</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">default</span><span class="p">:</span> <span class="nx">fetch</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">node-fetch</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">default</span><span class="p">:</span> <span class="nx">chalk</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">chalk</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">chalk</span><span class="p">.</span><span class="nf">green</span><span class="p">(</span><span class="s2">`Status: </span><span class="p">${</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">));</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// If you need it at module load time, use a top-level IIFE</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">default</span><span class="p">:</span> <span class="nx">chalk</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">chalk</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">chalk</span><span class="p">.</span><span class="nf">blue</span><span class="p">(</span><span class="dl">'</span><span class="s1">Starting...</span><span class="dl">'</span><span class="p">));</span> <span class="p">})();</span> </code></pre> </div> <p>Cache the import result if you're calling it in hot paths — dynamic <code>import()</code> is cached after the first call, but the async overhead of the call itself still adds up.</p> <h2> GitHub Repository </h2> <p>The full repo for this article has six working examples: a broken CJS project hitting all five errors, ESM migration steps with diffs, a dual-package setup showing the hazard, and a TypeScript <code>NodeNext</code> config that compiles cleanly:</p> <p>👉 <a href="https://github.com/Sandeep007-Stack/esm-vs-cjs.git" rel="noopener noreferrer">https://github.com/Sandeep007-Stack/esm-vs-cjs.git</a></p> <p>Each example has a <code>broken/</code> and <code>fixed/</code> folder. Clone it, run <code>node broken/index.js</code>, see the real error, then run <code>node fixed/index.js</code> and see it work.</p> <h2> The Takeaway </h2> <p>The ESM/CJS split isn't a bug you can patch with a Stack Overflow answer. It's a fundamental architectural difference in how the two systems load code. Once you understand the rules — CJS can't <code>require()</code> ESM, extensions are mandatory in ESM, <code>__dirname</code> doesn't exist — the errors stop being mysterious.</p> <p>In 2026, the path forward is clear: pure ESM. Every major package is dropping CJS. Node 20+ backported ESM-from-CJS interop. The tooling has caught up. If you have a new project, start with <code>"type": "module"</code>. If you have an existing one, use the checklist above and migrate file by file.</p> <p>The broken <code>import</code> era is ending. It just requires knowing which side of the wall you're on.</p> <p>If you found this useful, I write about TypeScript, Node.js, Security and DevOps at stackdevlife.com — drop a follow if you'd like more!</p> <p><em>Originally published at <a href="https://www.stackdevlife.com/blog/esm-vs-cjs-import-breaks-fix-2026" rel="noopener noreferrer">stackdevlife.com</a></em></p> webdev security devops typescript Sandeep Bansod Tue, 07 Apr 2026 11:01:24 +0000 https://dev.to/sandeepbansod/how-i-fixed-a-nodejs-api-that-was-taking-15-minutes-to-return-8000-records-16ca https://dev.to/sandeepbansod/how-i-fixed-a-nodejs-api-that-was-taking-15-minutes-to-return-8000-records-16ca <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foocs8veto4epuzrodrgt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foocs8veto4epuzrodrgt.png" alt=" " width="800" height="419"></a></p> <p>The ticket came in with one line: <em>"The API is too slow."</em></p> <p>No stack trace. No logs. Just a frustrated client and an endpoint that took around 15 minutes to return 8,000 records. Fun.</p> <p>The worst part? The code wasn't even mine. Someone else had written it, shipped it, and moved on. Now I was the one staring at a Mongoose query wondering where 15 minutes were disappearing to.</p> <p>Here's exactly what I investigated, what I found, and how I brought it down to around 15 seconds — without rewriting everything from scratch.</p> <h2> The Setup </h2> <p>The API was a Node.js service using Express and Mongoose, backed by MongoDB Atlas. It had a <code>/reports</code> endpoint that fetched records and ran some calculations for a dashboard.</p> <p>Simple enough on paper. Here's what the original route looked like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Original route — the culprit</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/reports</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">status</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="p">{</span> <span class="na">$gte</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="k">from</span><span class="p">),</span> <span class="na">$lte</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">to</span><span class="p">)</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Nothing about this looks obviously broken, which is what made it tricky. The problem wasn't the code logic — it was everything happening underneath it.</p> <h2> Step 1: Find Out What MongoDB Is Actually Doing </h2> <p>Before changing a single line, I ran <code>.explain("executionStats")</code> on the query. If you've never used this, make it a habit — it's the fastest way to see exactly how MongoDB is executing your query.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="p">{</span> <span class="na">$gte</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="dl">'</span><span class="s1">2024-01-01</span><span class="dl">'</span><span class="p">),</span> <span class="na">$lte</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="dl">'</span><span class="s1">2024-12-31</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">}).</span><span class="nf">explain</span><span class="p">(</span><span class="dl">'</span><span class="s1">executionStats</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">executionStats</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">));</span> </code></pre> </div> <p>This was the output that told me everything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"executionSuccess"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"nReturned"</span><span class="p">:</span><span class="w"> </span><span class="mi">8000</span><span class="p">,</span><span class="w"> </span><span class="nl">"totalDocsExamined"</span><span class="p">:</span><span class="w"> </span><span class="mi">240000</span><span class="p">,</span><span class="w"> </span><span class="nl">"totalKeysExamined"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"executionTimeMillis"</span><span class="p">:</span><span class="w"> </span><span class="mi">874000</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>See that? <code>totalKeysExamined: 0</code>. MongoDB wasn't using any index at all. It was scanning all 240,000 documents in the collection just to return 8,000 matching ones. That's a full collection scan on every single request — and 874 seconds to prove it.</p> <h2> Step 2: Add the Right Indexes </h2> <p>This was the single biggest fix, and it took about two minutes to apply.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// In your Mongoose schema</span> <span class="kd">const</span> <span class="nx">reportSchema</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nc">Schema</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span> <span class="p">},</span> <span class="na">createdAt</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">Date</span> <span class="p">},</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nx">Schema</span><span class="p">.</span><span class="nx">Types</span><span class="p">.</span><span class="nx">ObjectId</span><span class="p">,</span> <span class="na">category</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="nb">Number</span> <span class="p">});</span> <span class="c1">// Add a compound index that matches the query pattern exactly</span> <span class="nx">reportSchema</span><span class="p">.</span><span class="nf">index</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="o">-</span><span class="mi">1</span> <span class="p">});</span> </code></pre> </div> <p>Or if you want to add it directly in the MongoDB shell without touching the codebase:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">reports</span><span class="p">.</span><span class="nf">createIndex</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="o">-</span><span class="mi">1</span> <span class="p">});</span> </code></pre> </div> <p><strong>Why compound and not two separate indexes?</strong></p> <p>MongoDB can only use one index per query by default. If you add individual indexes on <code>status</code> and <code>createdAt</code> separately, MongoDB will pick one of them and still do extra filtering work for the other. A compound index covers both fields together in a single efficient lookup — and the order matters. Put the equality filter (<code>status</code>) first, range filter (<code>createdAt</code>) second.</p> <p>After adding the index, the explain output changed to this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"totalDocsExamined"</span><span class="p">:</span><span class="w"> </span><span class="mi">8000</span><span class="p">,</span><span class="w"> </span><span class="nl">"totalKeysExamined"</span><span class="p">:</span><span class="w"> </span><span class="mi">8001</span><span class="p">,</span><span class="w"> </span><span class="nl">"executionTimeMillis"</span><span class="p">:</span><span class="w"> </span><span class="mi">1200</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>From 240,000 documents examined down to 8,000. That's the impact of one index.</p> <h2> Step 3: Fix the Aggregation Pipeline </h2> <p>The original code also had a pattern that I see constantly — fetching records from MongoDB and then processing them in Node.js:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Original: pull everything into memory, then process in JS</span> <span class="kd">const</span> <span class="nx">records</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">summary</span> <span class="o">=</span> <span class="nx">records</span><span class="p">.</span><span class="nf">reduce</span><span class="p">((</span><span class="nx">acc</span><span class="p">,</span> <span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">acc</span><span class="p">[</span><span class="nx">r</span><span class="p">.</span><span class="nx">category</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="nx">acc</span><span class="p">[</span><span class="nx">r</span><span class="p">.</span><span class="nx">category</span><span class="p">]</span> <span class="o">||</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="nx">r</span><span class="p">.</span><span class="nx">amount</span><span class="p">;</span> <span class="k">return</span> <span class="nx">acc</span><span class="p">;</span> <span class="p">},</span> <span class="p">{});</span> </code></pre> </div> <p>This is backwards. You're transferring thousands of full documents over the network just to run a sum. MongoDB can do this aggregation in the database and send you back a tiny result.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Fixed: push the aggregation into MongoDB</span> <span class="kd">const</span> <span class="nx">summary</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">aggregate</span><span class="p">([</span> <span class="p">{</span> <span class="na">$match</span><span class="p">:</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="p">{</span> <span class="na">$gte</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="k">from</span><span class="p">),</span> <span class="na">$lte</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">to</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">$group</span><span class="p">:</span> <span class="p">{</span> <span class="na">_id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">$category</span><span class="dl">'</span><span class="p">,</span> <span class="na">totalAmount</span><span class="p">:</span> <span class="p">{</span> <span class="na">$sum</span><span class="p">:</span> <span class="dl">'</span><span class="s1">$amount</span><span class="dl">'</span> <span class="p">},</span> <span class="na">count</span><span class="p">:</span> <span class="p">{</span> <span class="na">$sum</span><span class="p">:</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">$sort</span><span class="p">:</span> <span class="p">{</span> <span class="na">totalAmount</span><span class="p">:</span> <span class="o">-</span><span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]);</span> </code></pre> </div> <p>A few rules worth knowing here:</p> <p><strong>Always put <code>$match</code> at the top of the pipeline.</strong> If you filter after a <code>$group</code> or <code>$lookup</code>, MongoDB has already processed every document before your filter kicks in. Filter early, process as little as possible.</p> <p><strong>Use <code>$project</code> to drop fields you don't need:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">{</span> <span class="nl">$project</span><span class="p">:</span> <span class="p">{</span> <span class="na">category</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">_id</span><span class="p">:</span> <span class="mi">0</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Every extra field is extra bytes — across thousands of documents, it adds up fast.</p> <h2> Step 4: Refactor the API Code </h2> <p>Even after fixing the indexes and aggregation, the Node.js code itself had a few more problems worth addressing.</p> <p><strong>No pagination</strong></p> <p>Returning 8,000 records in a single JSON response is never a good idea, regardless of how fast the query is. Add pagination from the start:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/reports</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">page</span><span class="p">)</span> <span class="o">||</span> <span class="mi">1</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">limit</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">limit</span><span class="p">)</span> <span class="o">||</span> <span class="mi">100</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">skip</span> <span class="o">=</span> <span class="p">(</span><span class="nx">page</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">*</span> <span class="nx">limit</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">filter</span> <span class="o">=</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">status</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="p">{</span> <span class="na">$gte</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="k">from</span><span class="p">),</span> <span class="na">$lte</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">to</span><span class="p">)</span> <span class="p">}</span> <span class="p">};</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">data</span><span class="p">,</span> <span class="nx">total</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">filter</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">category amount status createdAt userId</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">sort</span><span class="p">({</span> <span class="na">createdAt</span><span class="p">:</span> <span class="o">-</span><span class="mi">1</span> <span class="p">})</span> <span class="p">.</span><span class="nf">skip</span><span class="p">(</span><span class="nx">skip</span><span class="p">)</span> <span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="nx">limit</span><span class="p">)</span> <span class="p">.</span><span class="nf">lean</span><span class="p">(),</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">countDocuments</span><span class="p">(</span><span class="nx">filter</span><span class="p">)</span> <span class="p">]);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">data</span><span class="p">,</span> <span class="na">pagination</span><span class="p">:</span> <span class="p">{</span> <span class="nx">page</span><span class="p">,</span> <span class="nx">limit</span><span class="p">,</span> <span class="nx">total</span><span class="p">,</span> <span class="na">pages</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">ceil</span><span class="p">(</span><span class="nx">total</span> <span class="o">/</span> <span class="nx">limit</span><span class="p">)</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p><strong>Use <code>.lean()</code> on read queries</strong></p> <p>Mongoose documents carry a lot of invisible overhead — prototype methods, change tracking, virtual getters. When you're just reading data to send as a JSON response, you don't need any of that.</p> <p><code>.lean()</code> returns plain JavaScript objects and can make a noticeable difference at scale:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Without lean — full Mongoose document with overhead</span> <span class="kd">const</span> <span class="nx">docs</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// With lean — plain JS objects, faster and lighter</span> <span class="kd">const</span> <span class="nx">docs</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span> <span class="p">}).</span><span class="nf">lean</span><span class="p">();</span> </code></pre> </div> <p><strong>Parallelize independent queries</strong></p> <p>The original code was running its queries one after another:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Slow: sequential — second query waits for first to finish</span> <span class="kd">const</span> <span class="nx">reports</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">filter</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">summary</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">aggregate</span><span class="p">([...]);</span> </code></pre> </div> <p>If two queries don't depend on each other's results, run them at the same time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Fast: parallel — both queries run simultaneously</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">reports</span><span class="p">,</span> <span class="nx">summary</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">filter</span><span class="p">).</span><span class="nf">lean</span><span class="p">(),</span> <span class="nx">Report</span><span class="p">.</span><span class="nf">aggregate</span><span class="p">([...])</span> <span class="p">]);</span> </code></pre> </div> <h2> The Results </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>Response time (8k records)</td> <td>~15 minutes</td> <td>~15 seconds</td> </tr> <tr> <td>Documents scanned per query</td> <td>240,000</td> <td>8,000</td> </tr> <tr> <td>Indexes used</td> <td>None</td> <td>Compound index</td> </tr> <tr> <td>Aggregation location</td> <td>Node.js</td> <td>MongoDB</td> </tr> <tr> <td>Pagination</td> <td>None</td> <td>100 records/page</td> </tr> </tbody> </table></div> <p>Is 15 seconds blazing fast? No. But with pagination in place, real users now get their first 100 records in under a second. The full 8,000-record export — which runs as a background job — takes about 15 seconds, which is completely acceptable.</p> <h2> What to Actually Check When You Inherit a Slow API </h2> <p>This is the checklist I now go through any time I land in a slow MongoDB + Node.js codebase:</p> <ol> <li> <strong>Run <code>.explain("executionStats")</code> first</strong> — look at <code>totalDocsExamined</code> vs <code>nReturned</code>. A large gap means missing or wrong indexes.</li> <li> <strong>Add compound indexes</strong> that match your query patterns field-by-field. Order matters — equality fields go first, range fields go last.</li> <li> <strong>Move aggregation logic into MongoDB</strong> — stop pulling data into Node.js just to run a reduce or a sum.</li> <li> <strong>Add <code>.lean()</code></strong> on all read queries where you're just serializing to JSON.</li> <li> <strong>Paginate everything</strong> — no route should return thousands of records in a single response.</li> <li> <strong>Put <code>$project</code> and <code>$match</code> early</strong> in aggregation pipelines to reduce document size as early as possible.</li> <li> <strong>Use <code>Promise.all</code></strong> for independent queries instead of awaiting them one by one.</li> </ol> <p>You won't always get a 60x improvement. But if someone else wrote the code and nothing was thought through, there's almost always something obvious hiding in the query patterns. Start with <code>.explain()</code> and work from there.</p> <p>If you found this useful, I write about TypeScript, Node.js, Security and DevOps at stackdevlife.com — drop a follow if you'd like more!</p> <p><em>Originally published at <a href="https://www.stackdevlife.com/blog/nodejs-mongodb-api-performance-optimization" rel="noopener noreferrer">stackdevlife.com</a></em></p> mongodb node performance optimization Sandeep Bansod Mon, 06 Apr 2026 09:37:49 +0000 https://dev.to/sandeepbansod/i-used-the-wrong-git-email-for-2-weeks-and-no-one-noticed-1b3p https://dev.to/sandeepbansod/i-used-the-wrong-git-email-for-2-weeks-and-no-one-noticed-1b3p <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj64dk6ja7ji563jqoz25.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj64dk6ja7ji563jqoz25.png" alt=" " width="800" height="420"></a></p> <p>I accidentally committed 2 weeks of client work using my personal email.</p> <p>No warnings.<br> No errors.<br> No clue it was happening.</p> <p>I only noticed after pushing everything to GitHub.</p> <p>Here's the thing nobody tells you when you start freelancing alongside a full-time job: Git has no idea you're two different people depending on which folder you're in.</p> <p>I found this out the hard way.</p> <p>I'd been heads-down on a client dashboard project — late nights, quick commits, shipping fast. Then one morning I opened GitHub to review a PR and noticed something. Every single commit. Every one. Author: <code>sandeep@personal.com</code>.</p> <p>Not <code>sandeep@work.com</code>. Not the email the client hired. My personal one.</p> <p>I had three client projects on that machine. Same story across all of them. Two weeks of commits. All from the wrong person, technically.</p> <p>I didn't tell the client. I just fixed it and moved on. But it bothered me for days — not the mistake, the fact that I had no idea it was happening.</p> <h2> Why It Happens (and Why It's Not Obvious) </h2> <p>Git stores your identity in a config file at <code>~/.gitconfig</code>. That's your global config. It applies everywhere on your machine unless something overrides it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># this is probably set to whatever you used when you first installed Git</span> git config <span class="nt">--global</span> user.email <span class="c"># → sandeep@personal.com</span> </code></pre> </div> <p>When you create or clone a repo, that global config is what Git uses — silently, automatically, every commit — until you tell it otherwise for that specific repo.</p> <p>Most developers never do. Why would you? You set it up once years ago and forgot about it.</p> <p>The problem only surfaces when you're juggling multiple contexts on one machine. Personal projects. Client work. A side job. A company laptop you also use for open source. Suddenly one identity doesn't cover it anymore.</p> <h2> The First Thing I Tried (Which Doesn't Really Solve It) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/clients/acme-dashboard git config <span class="nt">--local</span> user.email <span class="s2">"sandeep@work.com"</span> </code></pre> </div> <p>This works. It sets the email just for that repo by writing to <code>.git/config</code> inside it. Problem solved for this repo.</p> <p>But I had eleven client repos. I went through all of them. Felt productive. Two days later I cloned a new one, started committing immediately, and forgot to run the command. Three commits in before I caught it.</p> <p><code>--local</code> is a fix for the symptom, not the cause. The cause is that you have to remember — and you won't, every time.</p> <h2> The Fix I Actually Use Now </h2> <p>Git has something called <code>includeIf</code>. It lets you load a different config file depending on which directory you're working in.</p> <p>You set it up once. Then it just runs — automatically, in the background, every time you open a terminal in that folder. You never think about it again.</p> <p>Here's how I set it up:</p> <p><strong>First, I organised my projects into folders by who I am when I work on them:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>~/ ├── clients/ ← freelance work ├── work/ ← day job └── personal/ ← my own stuff </code></pre> </div> <p>That folder structure is the trigger. Everything under <code>~/clients/</code> gets one identity. Everything under <code>~/personal/</code> gets another.</p> <p><strong>Then I created a config file for each identity:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># ~/.gitconfig-clients </span><span class="nn">[user]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">Sandeep</span> <span class="py">email</span> <span class="p">=</span> <span class="s">sandeep@work.com</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># ~/.gitconfig-personal </span><span class="nn">[user]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">Sandeep</span> <span class="py">email</span> <span class="p">=</span> <span class="s">sandeep@personal.com</span> </code></pre> </div> <p><strong>Then I added three lines to my global <code>~/.gitconfig</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[user]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">Sandeep</span> <span class="py">email</span> <span class="p">=</span> <span class="s">sandeep@personal.com # the default fallback</span> <span class="nn">[includeIf "gitdir:~/clients/"]</span> <span class="py">path</span> <span class="p">=</span> <span class="s">~/.gitconfig-clients</span> <span class="nn">[includeIf "gitdir:~/work/"]</span> <span class="py">path</span> <span class="p">=</span> <span class="s">~/.gitconfig-work</span> </code></pre> </div> <p>That's the whole thing. When Git runs inside any repo under <code>~/clients/</code>, it loads <code>~/.gitconfig-clients</code>. The work email overrides the global personal one. When you're in <code>~/personal/</code>, the global applies. Everything else gets the fallback.</p> <p><strong>Verify it:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/clients/acme-dashboard git config user.email <span class="c"># sandeep@work.com ✓</span> <span class="nb">cd</span> ~/personal/my-blog git config user.email <span class="c"># sandeep@personal.com ✓</span> </code></pre> </div> <p>No command after cloning. No checklist. No forgetting.</p> <p>And when something looks wrong, this tells you exactly which file is responsible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--show-origin</span> user.email <span class="c"># file:/Users/sandeep/.gitconfig-clients sandeep@work.com</span> </code></pre> </div> <h2> What About Two Different GitHub Accounts? </h2> <p>This is a separate problem that looks similar but isn't.</p> <p><code>user.email</code> controls what shows up in the commit author line. That's metadata. It has nothing to do with which GitHub account you're authenticated as when you push.</p> <p>If you have a work GitHub account and a personal GitHub account, you need separate SSH keys. Otherwise you'll be authenticated as the same account no matter what email the commit shows.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># one key for each account</span> ssh-keygen <span class="nt">-t</span> ed25519 <span class="nt">-f</span> ~/.ssh/id_work <span class="nt">-C</span> <span class="s2">"work"</span> ssh-keygen <span class="nt">-t</span> ed25519 <span class="nt">-f</span> ~/.ssh/id_personal <span class="nt">-C</span> <span class="s2">"personal"</span> </code></pre> </div> <p>Add each public key to the matching GitHub account. Then set up <code>~/.ssh/config</code> so Git knows which key to use for which host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ssh"><code><span class="k">Host</span> github-work <span class="k">HostName</span> github.com <span class="k">User</span> git <span class="k">IdentityFile</span> ~/.ssh/id_work <span class="k">Host</span> github-personal <span class="k">HostName</span> github.com <span class="k">User</span> git <span class="k">IdentityFile</span> ~/.ssh/id_personal </code></pre> </div> <p>Now clone using the alias instead of <code>github.com</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone git@github-work:client-org/project.git git clone git@github-personal:sandeep007/blog.git </code></pre> </div> <p>Test that each one works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-T</span> git@github-work <span class="c"># Hi work-sandeep! You've successfully authenticated.</span> ssh <span class="nt">-T</span> git@github-personal <span class="c"># Hi sandeep! You've successfully authenticated.</span> </code></pre> </div> <h2> The Things That Will Trip You Up </h2> <p><strong>The trailing slash matters.</strong> <code>gitdir:~/clients</code> and <code>gitdir:~/clients/</code> are different. The version without the slash may not match subdirectories reliably. Always include it.</p> <p><strong>Check config from inside the repo.</strong> Running <code>git config user.email</code> outside a Git repo always returns the global value. If you're trying to verify it's working, <code>cd</code> into the actual project first.</p> <p><strong>The folder is the contract.</strong> Clone a client project into <code>~/personal/</code> by accident and it gets the personal identity. <code>includeIf</code> doesn't know what the project is — it only knows where <code>.git</code> lives. Respect the folder structure.</p> <p><strong>Windows needs full paths.</strong> The <code>~/</code> shorthand doesn't work reliably in <code>gitdir:</code> conditions on Windows. Use the full path instead: <code>gitdir:C:/Users/Sandeep/clients/</code>.</p> <h2> Honest Takeaway </h2> <p>I wasted two weeks of commit history and some amount of professional credibility because I didn't know this existed. The fix took me about ten minutes to set up once I found it.</p> <p><code>includeIf</code> is one of those Git features that feels almost too simple — you put it in one file and then you just never have to think about it again. The folder structure becomes the rule. Git enforces it silently.</p> <p>If you work on more than one type of project on the same machine, set this up today. It costs you nothing and saves you from the specific embarrassment of a client asking who is writing all their code.</p> <p>It takes 10 minutes — and can save your professional reputation.</p> <p>If you found this useful, I write about TypeScript, Node.js, Security and DevOps <br> Follow Stack Dev Life for more real-world dev mistakes &amp; fixes.<br> *Originally published at [<a href="https://www.stackdevlife.com/blog/i-used-the-wrong-git-email-for-2-weeks-and-no-one-noticed" rel="noopener noreferrer">stackdevlife.com</a>]</p> git devtool ssh productivity Sandeep Bansod Mon, 06 Apr 2026 04:36:38 +0000 https://dev.to/sandeepbansod/stop-using-any-heres-how-to-type-your-messy-api-responses-correctly-20de https://dev.to/sandeepbansod/stop-using-any-heres-how-to-type-your-messy-api-responses-correctly-20de <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl52jveyh8dbdl5auqb8g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl52jveyh8dbdl5auqb8g.png" alt=" " width="800" height="422"></a></p> <p>You cast the API response to <code>any</code> to stop TypeScript complaining. It worked. Now a field changed shape three months later and the bug is in production. Here's how to type messy API responses properly — with real validation, not just type assertions.</p> <p>You've done it. Everyone has. The API returns something, TypeScript starts complaining, and the fastest fix is <code>as any</code>. The error goes away. You move on. Six weeks later, that field is <code>null</code> instead of a string, the bug is in production, and TypeScript said nothing — because you told it not to.</p> <p>The problem is not that API responses are messy. They are, and always will be. The problem is that <code>any</code> doesn't model that mess — it erases it. You lose the one thing TypeScript is there to give you: a guarantee that your code matches your data.</p> <p>This article covers the real techniques — from <code>unknown</code> to type guards to Zod to a fully typed fetch wrapper — that let you handle unpredictable API shapes without lying to the compiler.</p> <h2> The Real Problem with any </h2> <p>When you write <code>const data = response.json() as any</code>, TypeScript stops checking entirely. Every property access, every method call, every nested field — unchecked. You could write <code>data.user.address.city.toUpperCase()</code> and TypeScript would nod along even if <code>address</code> is <code>undefined</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// This compiles. It will blow up at runtime.</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/user/1</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="k">as</span> <span class="kr">any</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">avatar</span><span class="p">.</span><span class="nx">url</span><span class="p">.</span><span class="nf">trim</span><span class="p">());</span> <span class="c1">// ^^^^^^ could be null</span> <span class="c1">// ^^^ could be undefined</span> <span class="c1">// ^^^ TypeScript: fine by me</span> </code></pre> </div> <p>The worse version is <code>as unknown as YourType</code> — the double cast. It is exactly as dangerous as <code>any</code>, just more words. You're not adding safety, you're just suppressing a different error with extra ceremony.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Still no actual validation — just a louder lie</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="k">as</span> <span class="nx">unknown</span> <span class="k">as</span> <span class="nx">User</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">());</span> <span class="c1">// runtime error if email is null</span> </code></pre> </div> <p>The real issue is that <code>fetch</code> returns <code>Promise&lt;any&gt;</code>. The TypeScript standard library types <code>Response.json()</code> as returning <code>any</code> because it genuinely cannot know the shape. That's the compiler being honest. When you cast that <code>any</code> to your type, you're being dishonest on its behalf.</p> <h2> Your First Tool: unknown Instead of any </h2> <p><code>unknown</code> is the honest version of <code>any</code>. It tells TypeScript: "I have a value and I don't know its shape yet." The critical difference is that TypeScript forces you to prove the shape before you use it. You cannot access properties on <code>unknown</code> without narrowing it first.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/user/1</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span><span class="p">:</span> <span class="nx">unknown</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// TypeScript blocks this immediately</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="c1">// Error: Object is of type 'unknown'</span> <span class="c1">// You must narrow it first</span> <span class="k">if </span><span class="p">(</span> <span class="k">typeof</span> <span class="nx">data</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">data</span> <span class="o">!==</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span> <span class="k">in</span> <span class="nx">data</span> <span class="o">&amp;&amp;</span> <span class="k">typeof </span><span class="p">(</span><span class="nx">data</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">email</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="c1">// TypeScript: now it's safe</span> <span class="p">}</span> </code></pre> </div> <p>This is the right instinct but the wrong implementation for anything larger than a toy example. Writing inline narrowing for a 20-field API response is unreadable and unmaintainable. That's what type guards and schema validators are for.</p> <h2> Type Guards — Validate at the Boundary </h2> <p>A type guard is a function that takes an <code>unknown</code> value, validates its shape at runtime, and tells TypeScript what it is. The return type <code>value is YourType</code> is the key — it's called a type predicate, and it narrows the type inside any <code>if</code> block that uses it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// types/user.ts</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">User</span> <span class="p">{</span> <span class="nl">id</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">editor</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">viewer</span><span class="dl">'</span><span class="p">;</span> <span class="nl">createdAt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// guards/isUser.ts</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">isUser</span><span class="p">(</span><span class="nx">value</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">):</span> <span class="nx">value</span> <span class="k">is</span> <span class="nx">User</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="k">typeof</span> <span class="nx">value</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">value</span> <span class="o">!==</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="k">typeof </span><span class="p">(</span><span class="nx">value</span> <span class="k">as</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">).</span><span class="nx">id</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">number</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="k">typeof </span><span class="p">(</span><span class="nx">value</span> <span class="k">as</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">).</span><span class="nx">email</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="k">typeof </span><span class="p">(</span><span class="nx">value</span> <span class="k">as</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">).</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="p">[</span><span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">editor</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">viewer</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span> <span class="p">(</span><span class="nx">value</span> <span class="k">as</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">).</span><span class="nx">role</span> <span class="k">as</span> <span class="kr">string</span> <span class="p">)</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Now use it at the API boundary — the one place in your codebase where external data enters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">isUser</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../guards/isUser</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchUser</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">User</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/users/</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="na">data</span><span class="p">:</span> <span class="nx">unknown</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isUser</span><span class="p">(</span><span class="nx">data</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Unexpected response shape from /api/users/</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// TypeScript knows `data` is User from here on</span> <span class="k">return</span> <span class="nx">data</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Everything downstream of <code>fetchUser</code> works with a real <code>User</code> type — fully typed, autocompleted, checked on every property access. The mess is contained to the guard function.</p> <p>The downside: writing guards by hand is verbose and easy to get wrong. If you add a field to the <code>User</code> interface, you have to remember to update the guard. If you don't, the guard silently misses the new field. For large or frequently changing APIs, use Zod.</p> <h2> Zod — Runtime Validation That Generates Types </h2> <p>Zod is a schema declaration library that solves the gap between your TypeScript type and your runtime validation. Instead of maintaining both a type and a guard separately, you define one schema and Zod generates the type from it automatically.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>zod </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">zod</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Define once — Zod generates the type AND validates at runtime</span> <span class="kd">const</span> <span class="nx">UserSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">email</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">email</span><span class="p">(),</span> <span class="na">name</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="na">role</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">editor</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">viewer</span><span class="dl">'</span><span class="p">]),</span> <span class="na">createdAt</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">datetime</span><span class="p">(),</span> <span class="p">});</span> <span class="c1">// Type is inferred automatically — no separate interface needed</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">User</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nx">infer</span><span class="o">&lt;</span><span class="k">typeof</span> <span class="nx">UserSchema</span><span class="o">&gt;</span><span class="p">;</span> </code></pre> </div> <p>Now the fetch function becomes clean and fully safe:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchUser</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">User</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/users/</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="na">data</span><span class="p">:</span> <span class="nx">unknown</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// .parse() throws a ZodError with a detailed message if validation fails</span> <span class="c1">// .safeParse() returns { success, data, error } — use this in production</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">UserSchema</span><span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Validation failed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">.</span><span class="nf">flatten</span><span class="p">());</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Invalid response from /api/users/</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="c1">// Fully typed User</span> <span class="p">}</span> </code></pre> </div> <p><code>result.error.flatten()</code> gives you a structured breakdown of exactly which fields failed and why — far more useful than a generic "invalid response" message when you're debugging at 2AM.</p> <p>The key difference from a type guard: if you add <code>phoneNumber: z.string().optional()</code> to <code>UserSchema</code>, the <code>User</code> type updates automatically. Schema and type are always in sync because they're the same thing.</p> <h2> Typing Partial and Nullable API Fields </h2> <p>Real APIs are messy. Fields are sometimes <code>null</code>, sometimes missing entirely, sometimes a string and sometimes a number depending on context. Zod handles all of these explicitly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">OrderSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">status</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">shipped</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">delivered</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cancelled</span><span class="dl">'</span><span class="p">]),</span> <span class="c1">// nullable — the API returns null when not yet assigned</span> <span class="na">assignedTo</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">nullable</span><span class="p">(),</span> <span class="c1">// optional — the field may not be present at all</span> <span class="na">couponCode</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">optional</span><span class="p">(),</span> <span class="c1">// nullable AND optional — null or missing are both valid</span> <span class="na">notes</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">nullable</span><span class="p">().</span><span class="nf">optional</span><span class="p">(),</span> <span class="c1">// coerce a string date to a Date object automatically</span> <span class="na">shippedAt</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nx">coerce</span><span class="p">.</span><span class="nf">date</span><span class="p">().</span><span class="nf">nullable</span><span class="p">(),</span> <span class="c1">// API returns strings for monetary values — validate and keep as string</span> <span class="na">total</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">regex</span><span class="p">(</span><span class="sr">/^</span><span class="se">\d</span><span class="sr">+</span><span class="se">\.\d{2}</span><span class="sr">$/</span><span class="p">),</span> <span class="c1">// nested object</span> <span class="na">address</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">line1</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">line2</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">optional</span><span class="p">(),</span> <span class="na">city</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">postcode</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">country</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">length</span><span class="p">(</span><span class="mi">2</span><span class="p">),</span> <span class="c1">// ISO 3166-1 alpha-2</span> <span class="p">}),</span> <span class="c1">// array of nested objects</span> <span class="na">items</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">sku</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">quantity</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="nf">int</span><span class="p">().</span><span class="nf">positive</span><span class="p">(),</span> <span class="na">price</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="p">})),</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">Order</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nx">infer</span><span class="o">&lt;</span><span class="k">typeof</span> <span class="nx">OrderSchema</span><span class="o">&gt;</span><span class="p">;</span> </code></pre> </div> <p>The generated <code>Order</code> type reflects all of this precisely — <code>assignedTo: string | null</code>, <code>couponCode?: string</code>, <code>notes?: string | null | undefined</code>. TypeScript will force you to handle the <code>null</code> and <code>undefined</code> cases. Not because you asked it to — because the schema told it to.</p> <h2> Handling API Errors Correctly </h2> <p>Most typed fetch examples only type the happy path. Real APIs return structured error objects too, and those have shapes worth validating.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// The error shape your API returns on 4xx / 5xx</span> <span class="kd">const</span> <span class="nx">ApiErrorSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// e.g. 'USER_NOT_FOUND'</span> <span class="na">message</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">details</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">record</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()).</span><span class="nf">optional</span><span class="p">(),</span> <span class="c1">// field-level errors</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">ApiError</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nx">infer</span><span class="o">&lt;</span><span class="k">typeof</span> <span class="nx">ApiErrorSchema</span><span class="o">&gt;</span><span class="p">;</span> <span class="c1">// A typed result type — no throwing unless truly unexpected</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">ApiResult</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="o">=</span> <span class="o">|</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span><span class="p">;</span> <span class="nl">data</span><span class="p">:</span> <span class="nx">T</span> <span class="p">}</span> <span class="o">|</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">;</span> <span class="nl">error</span><span class="p">:</span> <span class="nx">ApiError</span> <span class="p">};</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchUser</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">ApiResult</span><span class="o">&lt;</span><span class="nx">User</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/users/</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="na">body</span><span class="p">:</span> <span class="nx">unknown</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">errResult</span> <span class="o">=</span> <span class="nx">ApiErrorSchema</span><span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="nx">body</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">errResult</span><span class="p">.</span><span class="nx">success</span> <span class="p">?</span> <span class="nx">errResult</span><span class="p">.</span><span class="nx">data</span> <span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UNKNOWN</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unexpected error shape</span><span class="dl">'</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">UserSchema</span><span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="nx">body</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">INVALID_SHAPE</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Response schema mismatch</span><span class="dl">'</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Now at the call site, TypeScript forces you to handle both cases. No unchecked exceptions, no silent failures:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetchUser</span><span class="p">(</span><span class="mi">42</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// result.error is typed as ApiError</span> <span class="nf">showToast</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// result.data is typed as User — fully safe from here</span> <span class="nf">updateProfile</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> </code></pre> </div> <h2> Generic Fetch Wrapper with Full Type Safety </h2> <p>Once you have schemas, you can write one typed fetch utility and use it everywhere instead of duplicating the validation logic in every service function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">z</span><span class="p">,</span> <span class="nx">ZodSchema</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">zod</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">FetchResult</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="o">=</span> <span class="o">|</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span><span class="p">;</span> <span class="nl">data</span><span class="p">:</span> <span class="nx">T</span> <span class="p">}</span> <span class="o">|</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">;</span> <span class="nl">error</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">status</span><span class="p">:</span> <span class="kr">number</span> <span class="p">};</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">typedFetch</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span> <span class="nx">url</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">schema</span><span class="p">:</span> <span class="nx">ZodSchema</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">,</span> <span class="nx">options</span><span class="p">?:</span> <span class="nx">RequestInit</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">FetchResult</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="na">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">options</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Network error</span><span class="dl">'</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="mi">0</span> <span class="p">};</span> <span class="p">}</span> <span class="kd">const</span> <span class="na">body</span><span class="p">:</span> <span class="nx">unknown</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">().</span><span class="k">catch</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="k">typeof</span> <span class="nx">body</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">body</span> <span class="o">!==</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="dl">'</span><span class="s1">message</span><span class="dl">'</span> <span class="k">in</span> <span class="nx">body</span> <span class="p">?</span> <span class="nc">String</span><span class="p">((</span><span class="nx">body</span> <span class="k">as</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">).</span><span class="nx">message</span><span class="p">)</span> <span class="p">:</span> <span class="s2">`HTTP </span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">message</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span> <span class="p">};</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">schema</span><span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="nx">body</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">[typedFetch] schema mismatch:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">error</span><span class="p">.</span><span class="nf">flatten</span><span class="p">());</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid response shape</span><span class="dl">'</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Using it across your app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Any endpoint — just pass the schema</span> <span class="kd">const</span> <span class="nx">userResult</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">typedFetch</span><span class="p">(</span><span class="s2">`/api/users/</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">UserSchema</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">orderResult</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">typedFetch</span><span class="p">(</span><span class="s2">`/api/orders/</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">OrderSchema</span><span class="p">);</span> <span class="c1">// POST with body</span> <span class="kd">const</span> <span class="nx">createResult</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">typedFetch</span><span class="p">(</span> <span class="dl">'</span><span class="s1">/api/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">UserSchema</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Riya</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">createResult</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// createResult.data is User — fully typed</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Created:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">createResult</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The schema is the only thing that changes between endpoints. All error handling, network error recovery, and logging lives in one place.</p> <h2> When the API Shape Changes Without Warning </h2> <p>Third-party APIs change. Internal APIs change. The backend team renames a field and forgets to tell you. With <code>any</code>, this breaks silently at runtime. With Zod, the <code>safeParse</code> fails immediately with a clear error message pointing to the exact field.</p> <p>Two Zod tools are useful here:</p> <p><code>z.object().passthrough()</code> — validates the fields you defined but allows extra unknown fields through. Useful when the API adds fields you don't need yet, without breaking validation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Extra fields from the API are allowed through — your type stays clean</span> <span class="kd">const</span> <span class="nx">UserSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">email</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">name</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="p">}).</span><span class="nf">passthrough</span><span class="p">();</span> </code></pre> </div> <p><code>z.object().strip()</code> (the default) — strips unknown fields. Safer for security-sensitive contexts where you don't want unexpected data flowing through your app.</p> <p>For APIs that evolve, use <code>.catch()</code> to provide fallback values for non-critical fields instead of failing the whole parse:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">UserSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">(),</span> <span class="na">email</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">name</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="c1">// If the API stops sending `avatarUrl`, fall back to null</span> <span class="c1">// instead of throwing a validation error</span> <span class="na">avatarUrl</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">nullable</span><span class="p">().</span><span class="k">catch</span><span class="p">(</span><span class="kc">null</span><span class="p">),</span> <span class="c1">// If `theme` is an unexpected value, default to 'light'</span> <span class="na">theme</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">light</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">dark</span><span class="dl">'</span><span class="p">]).</span><span class="k">catch</span><span class="p">(</span><span class="dl">'</span><span class="s1">light</span><span class="dl">'</span><span class="p">),</span> <span class="p">});</span> </code></pre> </div> <p>This gives you a resilient schema — strict on the fields that matter, graceful on the fields that might drift.</p> <h2> Common Mistakes </h2> <ul> <li>Using as YourType instead of actually validating — a type assertion tells TypeScript what you believe the shape is, not what it actually is. If you're wrong, TypeScript cannot help you</li> <li>Validating in components instead of at the fetch boundary — validation belongs in your service or API layer, not scattered across UI components. Components should receive already-validated, fully-typed data</li> <li>Marking everything optional to avoid validation failures — z.string().optional() on a required field means you'll get undefined where you don't expect it. Be strict on required fields; only use optional where the API contract genuinely allows absence</li> <li>Using .parse() instead of .safeParse() in production code — .parse() throws a ZodError on failure, which means unhandled promise rejections unless you wrap every call in try/catch. Use .safeParse() and handle the error branch explicitly</li> <li>Writing a separate interface and a separate guard — this is the pre-Zod pattern that created the sync problem in the first place. With Zod, z.infer is your type. One source of truth</li> </ul> <h2> The Takeaway </h2> <p><code>any</code> doesn't solve the problem of messy API responses — it hides it until runtime. <code>unknown</code> forces you to be explicit. Type guards add reusable validation. Zod makes schema and type the same thing so they can never go out of sync. A generic <code>typedFetch</code> wrapper brings it all together so validation happens once, consistently, at the boundary where external data enters your app. After that, the rest of your codebase works with real types — and TypeScript can actually protect you.</p> <p>If you found this useful, I write about TypeScript, Node.js, Security and DevOps at stackdevlife.com — drop a follow if you'd like more!</p> <p><em>Originally published at <a href="https://www.stackdevlife.com/blog/stop-using-any-type-api-responses-typescript" rel="noopener noreferrer">stackdevlife.com</a></em></p> typescript api safety frontend Sandeep Bansod Sun, 05 Apr 2026 09:09:00 +0000 https://dev.to/sandeepbansod/environment-variables-youre-leaking-to-the-frontend-without-knowing-it-1hb9 https://dev.to/sandeepbansod/environment-variables-youre-leaking-to-the-frontend-without-knowing-it-1hb9 <p>You added <code>NEXT_PUBLIC_</code> to your API key "just to test something quickly". That was six months ago. It's still there.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Favmo2c6wss9j3qgbcipe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Favmo2c6wss9j3qgbcipe.png" alt=" " width="800" height="419"></a></p> <p>Most developers know the rule: secret keys go in <code>.env</code>, never in client code. But the actual leaks aren't that obvious. They don't happen because someone is careless — they happen because the tooling is confusing, the error messages are silent, and the mistakes look completely fine until someone opens DevTools or pulls your bundle.</p> <h2> Mistake 1 — The NEXT_PUBLIC_ prefix on secrets </h2> <p>Next.js exposes any variable prefixed with <code>NEXT_PUBLIC_</code> to the browser. That's by design. The problem is developers reach for it the moment they hit a "variable is undefined" error on the client side — without asking <em>why it's undefined</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># .env.local # Fine — this is meant to be public NEXT_PUBLIC_API_URL=https://api.example.com # DANGER — now exposed in every JS bundle NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_xxxxxxxxx NEXT_PUBLIC_DATABASE_URL=postgres://user:password@host/db </code></pre> </div> <p>Anyone can open your deployed site, go to Network → JS files, search for <code>sk_live_</code> and find it.</p> <p>Stripe secret keys have a very recognizable prefix. So do AWS access keys (<code>AKIA</code>), Supabase service role keys, and SendGrid API keys.</p> <p>The fix: if your key is only used in API routes or server components, it should never have <code>NEXT_PUBLIC_</code>. Call a backend route instead.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Wrong — secret key exposed to client</span> <span class="kd">const</span> <span class="nx">stripe</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Stripe</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_STRIPE_SECRET_KEY</span><span class="o">!</span><span class="p">);</span> <span class="c1">// Right — only used in /api/checkout/route.ts (server-side)</span> <span class="kd">const</span> <span class="nx">stripe</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Stripe</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_SECRET_KEY</span><span class="o">!</span><span class="p">);</span> </code></pre> </div> <h2> Mistake 2 — Vite's import.meta.env and the VITE_ prefix </h2> <p>Vite works exactly the same way. Any variable prefixed with <code>VITE_</code> gets statically inlined into your bundle at build time. It's not fetched at runtime — it's literally copied into your JavaScript.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VITE_API_URL=https://api.example.com # fine VITE_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1Ni # fine VITE_SUPABASE_SERVICE_KEY=eyJhbGciOiJIUzI1Ni... # never prefix this </code></pre> </div> <p>Run <code>npm run build</code> then open <code>dist/assets/index-xxxx.js</code> and search for your key. You'll find it in plain text, wrapped in production whatever.</p> <h2> Mistake 3 — process.env in bundled client code </h2> <p>With Create React App or older webpack setups, <code>REACT_APP_</code> variables get inlined. But even without that pattern, developers sometimes write shared utility files that get pulled into the client bundle without realizing it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// utils/config.ts — imported by both client and server code</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">apiUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_URL</span><span class="p">,</span> <span class="na">stripeKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_SECRET_KEY</span><span class="p">,</span> <span class="p">};</span> </code></pre> </div> <p>The safe pattern: never import server config into code that's shared with the client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/server-config.ts — only imported in server files</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">serverConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">apiUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_URL</span><span class="p">,</span> <span class="na">stripeKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_SECRET_KEY</span><span class="p">,</span> <span class="p">};</span> <span class="c1">// lib/client-config.ts — safe to import anywhere</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">clientConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">apiUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_API_URL</span><span class="p">,</span> <span class="p">};</span> </code></pre> </div> <h2> Mistake 4 — Exposing .env through source maps </h2> <p>You've been careful with your variables. But did you ship source maps to production? Source maps reconstruct your original source code in the browser. If your server-side code ends up in a source map in your production build, the DevTools Sources tab will show the original file — including any hardcoded fallbacks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// A common but dangerous pattern</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_SECRET_KEY</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">sk_live_fallback_for_dev</span><span class="dl">"</span><span class="p">;</span> </code></pre> </div> <p>In Next.js, make sure source maps stay off in production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// next.config.js</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">productionBrowserSourceMaps</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// default is false — make sure it stays that way</span> <span class="p">};</span> </code></pre> </div> <p>For Vite:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// vite.config.ts</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">build</span><span class="p">:</span> <span class="p">{</span> <span class="na">sourcemap</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// or "hidden" if you need them for error tracking only</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h2> Mistake 5 — The API debug route you forgot to remove </h2> <p>This one is embarrassing but common. During local debugging, you add a quick route to dump env state. You commit it. It goes to production.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://yourapp.com/api/debug </code></pre> </div> <p>Now returns every single environment variable on your server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// pages/api/debug.ts</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">env</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span> <span class="p">});</span> <span class="c1">// must never go to production</span> <span class="p">}</span> </code></pre> </div> <h2> How to audit what you're actually shipping </h2> <p>Build your app and grep the bundle for known secret patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Next.js</span> npm run build <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"sk_live</span><span class="se">\|</span><span class="s2">AKIA</span><span class="se">\|</span><span class="s2">password</span><span class="se">\|</span><span class="s2">secret"</span> .next/static/chunks/ <span class="c"># Vite</span> npm run build <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"sk_live</span><span class="se">\|</span><span class="s2">AKIA</span><span class="se">\|</span><span class="s2">password</span><span class="se">\|</span><span class="s2">secret"</span> dist/assets/ </code></pre> </div> <h2> Common mistakes </h2> <ul> <li>Prefixing secrets "temporarily" to fix a client-side undefined error — the root cause is architectural, not a missing prefix</li> <li>Sharing a single config file between server and client code — split them and enforce it with ESLint import rules</li> <li>Using fallbacks with real keys — <code>process.env.KEY || "real-key-here"</code> defeats the entire point</li> <li>Forgetting that third-party SDKs initialized client-side log their config (Sentry, Supabase, Firebase initialized with wrong keys expose them in network requests)</li> </ul> <h2> The takeaway </h2> <p>The leaks that hurt you aren't the obvious ones — they're the subtle ones. Every time you see <code>NEXT_PUBLIC_</code>, you added in a rush, the shared config file that got bundled, the debug route that made it to production. Build a habit: before any deploy, grep your bundle for known secret patterns, keep a hard separation between server and client config, and treat every environment variable as guilty until proven safe to expose.</p> <p>If you found this useful, I write about TypeScript, Node.js, Security and DevOps at stackdevlife.com — drop a follow if you'd like more!</p> <p><em>Originally published at <a href="https://www.stackdevlife.com/blog/environment-variables-leaking-frontend" rel="noopener noreferrer">stackdevlife.com</a></em></p> webdev security devops typescript