I built Technical Debt Radar — a tool that blocks PR merges when it finds dangerous patterns in NestJS backends. Not a linter. Actual enforcement.
To validate it, I scanned a real 137-star NestJS + Mongoose ecommerce project.
Results
58 violations — 8 blocking the merge gate:
- Architecture: 9 (circular deps, cross-module violations)
- Reliability: 22 (missing error handling)
- Performance: 7 (unbounded queries, no pagination)
- Runtime Risk: 4 (fetch without timeout, ReDoS)
- Maintainability: 16 (dead code, unused exports)
The Real Bug
The code checked if a user purchased a product before allowing a review:
```typescript
const hasPurchased = await this.orderModel.findOne({
  user: user._id,
  'orderItems.productId': id,
  status: 'delivered', // ← field doesn't exist in schema
});
```
The correct field is `isDelivered: boolean`. Because `status` is not a path in the schema, the filter never matches and the query always returns null, so anyone could review any product without purchasing it. Silent, no error thrown.
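The kind of check that catches this class of bug, as an added example that is not code from the post or from the Technical Debt Radar project: a schema-aware filter validator run over a constructed, simplified stand-in for the Order schema (the `orderSchemaDef` shape and the filter values are assumptions, not the project's real model).

```javascript
// Constructed, simplified Mongoose-style schema definition for an Order model.
const orderSchemaDef = {
  user: { type: "ObjectId", ref: "User" },
  orderItems: [{ productId: { type: "ObjectId" }, qty: Number }],
  isDelivered: Boolean,
  createdAt: Date,
};

// Collect every queryable dotted path from a schema definition, descending into
// nested subdocuments and array element definitions (e.g. orderItems.productId).
function schemaPaths(def, prefix = "") {
  const paths = new Set(prefix ? [] : ["_id"]); // Mongoose adds _id at the root
  for (const [key, val] of Object.entries(def)) {
    const full = prefix ? `${prefix}.${key}` : key;
    paths.add(full);
    const inner = Array.isArray(val) ? val[0] : val;
    // A plain object without a `type` key is a nested subdocument definition.
    if (inner && typeof inner === "object" && !("type" in inner)) {
      for (const p of schemaPaths(inner, full)) paths.add(p);
    }
  }
  return paths;
}

// Return the filter keys that do not match any schema path. Keys starting with
// "$" (e.g. $or, $and) are operators, not fields; their operands are walked.
function unknownFilterPaths(def, filter) {
  const paths = schemaPaths(def);
  const unknown = [];
  const walk = (obj) => {
    for (const [key, val] of Object.entries(obj)) {
      if (key.startsWith("$")) {
        const operands = Array.isArray(val) ? val : [val];
        for (const op of operands) if (op && typeof op === "object") walk(op);
      } else if (!paths.has(key)) {
        unknown.push(key);
      }
    }
  };
  walk(filter);
  return unknown;
}

// The post's buggy filter beside the corrected one (constructed sample values).
const buggyFilter = { user: "u1", "orderItems.productId": "p1", status: "delivered" };
const fixedFilter = { user: "u1", "orderItems.productId": "p1", isDelivered: true };

// Mongoose's own guard for this is the `strictQuery: 'throw'` schema option,
// which makes a filter on an unknown path throw instead of silently matching nothing.
```

`unknownFilterPaths(orderSchemaDef, buggyFilter)` reports `["status"]`, while the corrected filter reports nothing.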
Auto-Fix
```shell
radar fix --auto
```
- 47 violations fixed automatically
- Debt score: 200 → 15
- Gate result: ✅ PASS
Try It
```shell
npx technical-debt-radar scan .
```
Free plan — 5 scans/month, no credit card required.
Happy to scan any public NestJS repo. What patterns do you wish your linter caught?