Gabriel GiliniSamuel Prado10 min

Top Node.js Tools For 2020

EngineeringDec 10, 2019

Our Backend Team has gotten to work with many tools in 2019, so we figured it could be interesting to summarize our knowledge and experience into one (pretty extensive, hopefully interesting) article.

We divided all tools into Compilers and Loaders, Documentation, Security, Data Validation, Testing, Debugging, Logging, Authentication and Provisioning. That’s a lot to cover!

What you may notice is a lack of Frameworks and ORM. Our team uses mostly Express.js and Koa as frameworks, and Sequelize and Objection as ORMs. But because we feel like these subjects deserve their own article, we decided to leave them for another time.

If you’d like to check more JavaScript trends after reading our summary, be sure to head to The State of JavaScript 2019, a community-bred survey that paints a picture of the landscape of the language since 2016.



"Tomorrow's ECMAScript modules today!" This is the tagline John-David Dalton (of lodash fame) aptly chose for his project.

ES Modules have been a contentious topic among Node.js core devs for a few years already. As they struggled to find a solution that would please everyone without breaking the main transpilers and compilers that already made use of ES Modules, JDD cooked up his own solution—one that could be easily plugged into any Node workflow. And he succeeded in esm.

If you're looking to use import/export and other ES Modules goodies without introducing something like TypeScript or Babel into your project, esm is the way to go.


TypeScript is a superset of JavaScript, a new language that expands on JS with features like (optional) static typing, modules and decorators.

Created by Microsoft in 2012 and released under the Open Source Apache 2.0 license, TypeScript has been growing steadily ever since, and has been considered as popular as Swift since early 2019, according to RedMonk.

Bringing a rich ecosystem of tools and support from existing tools to the language, it’s worth the extra step in your build process. And there are plenty of examples on the web that can help you add it to your current workflow.

Although a new syntax can be a bit daunting for developers not used to strongly typed languages, trust the massive adoption and robustness it brings to projects—especially the larger ones. We definitely recommend making the jump sooner rather than later.



Documenting your API using Swagger's own OpenAPI Specification is as close to painless as you can get. Using either JSON or YAML, you can describe your endpoints, group them by using tags, set example responses, authentication schemas and more. Swagger UI handles the rendering, and you're left with a beautiful and interactive API documentation that will leave your markdown-writing friends feeling jealous.

Did I say interactive? That’s right. Swagger UI enables your QA team to test the API straight from the documentation page. And if you use VS Code, there's an amazing plugin called "OpenAPI (Swagger) Editor" that will make your life even easier while editing and previewing the docs.


Maybe you don’t like the OpenAPI Specification. Not a problem! Using Aglio, you can render your documentation using the API Blueprint specification - a Markdown-based document format that lets you write API descriptions and documentation in a straightforward way.
Aglio supports not just multiple pre-defined templates and themes (you can check some examples here), but even custom colors, templates and theme engines. This lets you make your documentation look like your website, which is important when your API and documentation are public.



At STRV, we love Open Source. But freedom comes with a cost, and in the OS world that means vulnerabilities in commonly used packages—like we see happening every now and then. Sure, you can check Hacker News every day, do your own security analysis, but is that a foolproof system? Enter Snyk.

Snyk is a one-stop-shop for finding and fixing vulnerabilities in your project's dependencies. It's as simple as signing up, installing an npm package and running `snyk monitor` on your project root. That's it! You get a link to a nice report with every issue it uncovered, organized by severity. Also offered is a plethora of integrations that you can use, from code development to production.

The free plan is enough for freelancers and small teams, so go ahead and check it out!


If you're looking for a quick solution for scanning your application's dependencies for security issues, npm packs the `audit` command ever since v6. Just go to your Node application root directory and run `npm audit`. The output can be a bit wordy with repetitive warnings, but it includes reports from many different sources (even Snyk), collected by npm's Security Team. To learn more about options and how to fix found vulnerabilities, head to npm official docs on Auditing package dependencies for security vulnerabilities.

GitHub Security Alerts

Much like Snyk, GitHub also packs its own automated dependency vulnerability scan. And since your code is probably already in GitHub, setting it up is a breeze. For public repositories, it comes on by default; but if you have a private repo, you need to opt in to “Data services” before starting to receive reports and before being able to set up automated security updates.



Validating user input isn't really an option. You know you have to do it. But everyone disagrees on how. This is why last year (2018), the first draft of the JSON Schema specification got published—with the intent of creating a JSON-based format used to validate and annotate JSON documents.

Ajv, yet another JSON Validator claiming to be the fastest JSON Schema validator for Node.js. But with the impressive number of 21,505,468 weekly downloads on npm in early December 2019, and as it’s being used by staples on the JavaScript world like webpack, ajv might be the all-around best JSON Schema validator out there. The only downside lies in the JSON Schema standard format itself; it’s not the friendliest standard to learn and read. Still, arguably a small price to pay for the speed and reliability it provides.


If dealing with JSON Schema is too much for you, Joi might be your best bet. They pack their own schema format based on function calls instead of a descriptor object, which makes it easier to understand for new users.

The project has been around for a while—v1.0 came out in 2013—and not being constrained by a third-party standard also allows it to provide a more diverse set of features, and to be the self-proclaimed "most powerful data validation library for JS". Take a look at their API Reference; you'll probably be inclined to agree.



Simple, flexible, fun. That's how mocha likes to present itself. If you’ve ever worked with a Node.js team that wrote tests (and they should), chances are you already know Mocha. The test framework focuses on test running and reporting, leaving the decisions regarding assertion, mocking, spying and others up to you. The documentation is extensive and includes a bunch of useful examples, so if you're looking to learn the framework or even to sharpen your test skills, dive straight ahead!


With mocha, you can use any assertion library you like—even Node.js' own assert API. But if you want more flexibility and readability, that’s Chai. It offers three different interfaces—assert, expect and should—to satisfy your BDD or TDD needs. But chances are that if you want to stick with `assert`, Node's own API is good enough.

On the BDD side of things, even if you're not used to it at the beginning, you'll end up wondering how you wrote `expect(foo)` before you found Chai. The library provides a large collection of language chains that translate into tests that are easy to read and maintain. And if you need more, it offers a plugin interface with a rich collection of available plugins maintained by the community.


So you set up Mocha and Chai, and you’ve written your tests. But how do you know if you're testing everything? You need a code coverage tool.

In Node-land, pretty much everyone uses Istanbul. It's a great library, constantly maintained and sitting at 3.7k stars on GitHub (in Dec 2019). It's also mind-blowingly simple to get started using it with Mocha. And if you're not one to deal with text outputs or you need to integrate it with other tools, it provides a few alternative reporters built-in.


So you got nice coverage, right? Your code is well-tested, but you didn’t get 100% coverage in that file yet because of that condition that is really hard to simulate. Well, Proxyquire’s here to help you.

Proxyquire proxies Node.js `require` in order to make overriding dependencies during testing easy while remaining totally unobtrusive. If you want a better understanding of how Proxyquire works and how it can help you get your beloved 100% coverage, check the example section on its NPM page.


In terms of tests, we also have Sinon as the most complete and famous option for creating test spies, stubs and mocks for JavaScript. Like Proxyquire, Sinon works with any unit testing framework. With Sinon, creating fake objects, fake method calls or even ensuring how many times a method was called turns into an easy task.

A good thing to know is that the design philosophy for Sinon came from the Test-Driven JavaScript Development book—so its API is pretty straightforward if you’re familiarized with TDD concepts.



So, your user found a bug and you need to shoot some requests to your API with determined parameters to reproduce the error. But, you have no tool to make requests to your REST/GraphQL API. Consider using Insomnia, a free and open source HTTP and GraphQL tool belt with lots of nice features to help you on querying your (or any other 3rd party) API. Used by companies like Netflix and KAYAK, you know you’re going to be in good hands here.


Like Insomnia, Postman also acts as an API Client, allowing you to request your API and parse the result. With Postman, you get additional features that differentiate it from Insomnia—like being able to query your SOAP APIs, to use it with automated tests, to simulate endpoints and more.

On its website, you can find various use cases—even separated by different roles—and also be inspired by how companies use it.

VS Code Debugger

Sometimes, you can only get so far by tweaking request data and inspecting the response to debug an issue. And while using console.log after every statement to check your variables and constants technically works, let's agree it's not very efficient. Thankfully, Node.js comes with a debugging interface builtin, which you can plug into various clients that allow you to place breakpoints, pause execution, inspect variables and all that good stuff that you can usually find in other languages' debuggers.

One such client is the great Open Source editor Visual Studio Code. In order to get it up and running, you need to edit a JSON file that contains the debugger configuration. The good news is that the editor has a bunch of boilerplates that can be accessed by clicking a big "Add Configuration" button. The documentation is pretty detailed and easy to read as well. Once you try it out, you’ll wonder how you could’ve lived without it before. If you're not interactively debugging your Node.js apps yet, definitely check it out.

WebStorm Debugger

VS Code might be what everyone’s talking about, but there are a few very solid IDEs out there that you can consider using. Here at STRV, a lot of people prefer the great JetBrains WebStorm and its awesome debugging capabilities. Head on to their docs if you’re also on the WebStorm train to learn how to set up and explore all the debugging functionalities.



Any application that stores user data requires authentication, and that's a huge part of today's web. Although authentication is not a one-size-fits-all kind of problem, you shouldn't be doing it from scratch every single time. Wouldn’t it be great if we had a generic middleware that you could use to plug different authentication strategies and just focus on writing the stuff that matters? Well, we do have exactly that in Passport. It supports a plethora of authentication strategies—as I write this, the number’s at 50—which you can easily configure, plug and play. Stuff like Facebook, Google oAuth, Twitter, JWT and even the good old username and password combo. All open source and well-supported by the community.


If you like to take matters into your own hands and dive deep into the workings of authentication, you can always rely on JWT. JWT (a.k.a. JSON Web Token) is an open and secure industry standard method for authentication and information exchange. And thanks to its format, it can be signed and trusted. This format is easy to generate by your Node API and easy to use when integrating with your front-end client or your mobile application.



When searching for a good, fast and easy PaaS (Platform as a Service) where you can deploy your Node.js code, Heroku is definitely one of your top options. It provides you with some basic services for free (like databases, caching, emails and other services that you can use with your application), all of which can be experimented in and/or used for your personal projects. And, in case your application needs more power, various paid versions of every service are also offered.

Combining the simplicity and good documentation, Heroku is definitely one of the best platforms to start with. And as you grow, it’s easy to upgrade your services without having to deal with the “bare metal” of every server or service.


While Firebase is much more than a place to host code and data—and was conceived mainly to provide a full back-end environment for client-side applications—it does encompass a few great solutions for the Node.js server-side developer. Through the powerful firebase-admin package, you can interact with many Firebase services, like Authentication, Realtime Database, Cloud Storage and many more. Be sure to check out the official documentation to see all the ways you can interact with Firebase through the Admin API.

When we say you can even host code in Firebase, we’re talking about Cloud Functions. You can have a whole application with real code running on Firebase’s infrastructure, and you won’t have to deal with web server setup! The functions you upload can be triggered either by an HTTP request, or via events triggered by the many internal integrations Firebase provides. Need to execute some code every time a user uploads a file to Cloud Firestore? Easy! Head on to the Cloud Functions documentation to check all the possible integrations you can work with.

AWS, GCP & Azure

Whenever we need to manage infrastructure for our applications and we’re looking for control and power, choosing any of the major cloud providers—such as Amazon (AWS) Google (GCP) and Microsoft (Azure)—is never a wrong decision. All of them offer a wide portfolio of services, like simple deployment, container management, computation, storage, load balancing, machine learning, routing and much more.

That’s it from us. Hope it was a good read.


Like our content? Get it in your mailbox!


Share this article

Sign up to our newsletter

Monthly updates, real stuff, our views. No BS.