I scanned a Node.js API for hidden production risks — these 5 patterns kept showing up
I’ve been digging through Node.js backend code lately and I kept seeing the same kinds of issues repeat across projects.
Not flashy bugs — the kind that sit quietly until traffic goes up or a bad deploy lands.
The patterns I keep seeing most:
- sync filesystem calls inside request handlers
- expensive loops / big JSON work on the hot path
- fire-and-forget async without proper handling
- ORM queries that look harmless but turn into N+1 pain
- architecture shortcuts that make change-risk worse over time
What surprised me is that a lot of this code doesn’t look “bad” at first glance. It often looks clean enough in a PR, but it still creates runtime risk.
So I started turning these patterns into automated checks for myself, mostly because I was tired of manually spotting the same issues again and again.
I’m curious:
For those of you running Node.js in production, which of these causes the most pain in real life?
And if you’ve seen others that are easy to miss in PR review, I’d love examples.
If the thread is useful, I can share the exact checks I’m using and a sample report.