Blog

Insights on Nark Profiles, TypeScript code quality, and safe npm package usage.

Looking for notes on building Nark itself? See the Build Log.

Why Your GitHub Actions Security Scanner Shows Green When It's Doing Nothing

GitHub Actions reports green when `continue-on-error: true` swallows a crash AND `actions/upload-artifact@v4` warns instead of failing on a missing file. The combination silently breaks Nark, Semgrep, npm audit, and gitleaks — we hit it 18 times in a row this week before noticing. Three-line fix.

github actions, ci cd, security scanning, semgrep, gitleaks, nark profiles
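As an added example (not code from the original post), here is a small line-based check for the combination the post describes: a step that swallows its own failure with `continue-on-error: true`, and an `actions/upload-artifact` step that leaves `if-no-files-found` at its default of `warn` instead of `error`, so a scanner that never wrote its report still uploads "successfully". It is a heuristic, not a YAML parser: steps are split on list items at the `steps:` indentation, which holds for ordinary hand-written workflows. Both sample workflows are constructed for the demo.

```typescript
// Added example: flag the "green while doing nothing" pattern in a workflow.
// Heuristic line scan; not a YAML parser. Sample workflows are constructed.

interface Finding {
  step: string;    // step name, or its first line when the step is unnamed
  problem: string;
}

// A step starts at a list item whose first key is one of these.
const STEP_START = /^(\s*)-\s+(name|uses|run|id|if|with|env|shell|continue-on-error):/;

function splitSteps(workflow: string): string[] {
  const steps: string[] = [];
  let current: string[] | null = null;
  let stepIndent = -1;
  for (const line of workflow.split('\n')) {
    const m = STEP_START.exec(line);
    // Once the first step fixes the indentation, only items at that depth
    // start a new step; nested lists under `with:` stay inside the step.
    if (m && (stepIndent === -1 || m[1].length === stepIndent)) {
      if (current) steps.push(current.join('\n'));
      current = [line];
      stepIndent = m[1].length;
    } else if (current) {
      current.push(line);
    }
  }
  if (current) steps.push(current.join('\n'));
  return steps;
}

function stepLabel(step: string): string {
  const lines = step.split('\n');
  const first = lines[0];
  const named = /^\s*-\s+name:\s*(.+)$/.exec(first);
  if (named) return named[1].trim();
  // Unnamed first line: look for `name:` at the step's own property indentation
  // (two deeper than the dash), so `with: name:` of upload-artifact is not mistaken for it.
  const propIndent = ' '.repeat(first.indexOf('-') + 2);
  for (const line of lines.slice(1)) {
    if (line.startsWith(propIndent + 'name:')) return line.slice(propIndent.length + 5).trim();
  }
  return first.trim().replace(/^-\s+/, '');
}

function auditWorkflow(workflow: string): Finding[] {
  const findings: Finding[] = [];
  for (const step of splitSteps(workflow)) {
    const label = stepLabel(step);
    // Only a literal `true` is flagged; an expression value needs review by hand.
    if (/^[ \t]*continue-on-error:[ \t]*true[ \t]*$/m.test(step)) {
      findings.push({ step: label, problem: 'continue-on-error: true hides a failing scanner; the job stays green' });
    }
    if (/^[ \t]*-?[ \t]*uses:[ \t]*actions\/upload-artifact@/m.test(step) &&
        !/^[ \t]*if-no-files-found:[ \t]*error[ \t]*$/m.test(step)) {
      findings.push({ step: label, problem: 'upload-artifact without if-no-files-found: error; a missing report only warns' });
    }
  }
  return findings;
}

// Constructed sample: the failure mode. Semgrep crashes, the step is still
// green, semgrep.json never exists, the upload warns and the job passes.
const BROKEN_WORKFLOW = `name: security
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run semgrep
        run: semgrep ci --json -o semgrep.json
        continue-on-error: true
      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: semgrep-report
          path: semgrep.json
`;

// Constructed sample: the same job with the scanner's exit code honoured and
// the upload failing when the report is absent.
const FIXED_WORKFLOW = `name: security
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run semgrep
        run: semgrep ci --json -o semgrep.json
      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: semgrep-report
          path: semgrep.json
          if-no-files-found: error
`;
```

Run `auditWorkflow` over each file in `.github/workflows/` as a pre-commit or CI step; two findings on the first sample, none on the second.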

GitHub CodeQL vs Nark: How Security and Correctness Scanning Complement Each Other

GitHub CodeQL finds security vulnerabilities; Nark finds package-specific error handling gaps. Compare them, see when to use each, review the matching free-for-OSS / paid-for-commercial licensing model, and run both in GitHub Actions for complete TypeScript static analysis coverage.

codeql, github, static analysis, security, error handling, typescript, nark profiles, licensing, open source

How to Handle fetchQuery() Errors in TanStack Query

fetchQuery() throws on error, unlike useQuery which returns errors in an `error` property. Wrap every call in try-catch, or register a QueryCache({ onError }) global handler. Both are valid; mixing them is the strongest pattern.

tanstack query, react query, typescript, error handling, ssr, nark profiles

How Do I Audit a Static Analysis Finding Before Opening a Pull Request?

Three checks before any static analysis finding becomes a PR: quote cited files instead of just listing paths, trace from user-facing entry to patched file rather than file outward, and read every caller of the throwing function for guard patterns. Lessons from a closed PR to OpenStatus.

static analysis, pull requests, code review, oss contribution, audit checklist, nark profiles, open source

How Do I Check If an OSS Repo Auto-Closes External Pull Requests?

Some open-source repos wire GitHub Actions to auto-close external PRs touching protected paths (CI, scripts, CHANGELOG, LICENSE) within seconds of opening. A 30-second grep on .github/workflows/ tells you before you waste an hour preparing a fix.

open source, github actions, pull requests, oss contribution, nark profiles

How Do You Safely Parse Dates with dayjs in TypeScript?

dayjs uses lenient parsing by default — dayjs('2025-13-99') returns a valid Day.js object pointing at 2026-04-09. isValid() catches unparseable text but not semantic overflow. Use strict mode (dayjs(input, format, true), which needs the customParseFormat plugin) for known formats.

dayjs, typescript, date parsing, error handling, nark profiles
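As an added example that does not use dayjs itself (so it runs without the package), here is a dependency-free strict check for YYYY-MM-DD input that rejects the semantic overflow the post describes, alongside the lenient normalisation that produces the 2026-04-09 result. Date.UTC rolls month 13 and day 99 forward exactly as lenient parsing does; round-tripping the fields exposes it, including Feb 29 in non-leap years. Inputs are constructed for the demo.

```typescript
// Added example: strict vs lenient YYYY-MM-DD handling without dayjs.

const ISO_DATE = /^(\d{4})-(\d{2})-(\d{2})$/;

function fields(input: string): [number, number, number] | null {
  const m = ISO_DATE.exec(input);
  if (!m) return null;                         // wrong shape: reject, as a strict format parse would
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lenient: Date.UTC normalises overflow (month 13 -> January of next year,
// day 99 rolls through the following months). dayjs('2025-13-99') lands here.
function parseLenientIsoDate(input: string): Date | null {
  const f = fields(input);
  if (!f) return null;
  const [year, month, day] = f;
  return new Date(Date.UTC(year, month - 1, day));
}

// Strict: same normalisation, then compare every field with what was asked
// for. Any roll-over means the input did not denote a real calendar date.
// (Years 0000-0099 are rejected too, because Date.UTC maps them to 1900-1999.)
function parseStrictIsoDate(input: string): Date | null {
  const f = fields(input);
  if (!f) return null;
  const [year, month, day] = f;
  const d = new Date(Date.UTC(year, month - 1, day));
  const roundTrips =
    d.getUTCFullYear() === year &&
    d.getUTCMonth() === month - 1 &&
    d.getUTCDate() === day;
  return roundTrips ? d : null;
}

function toIsoDay(d: Date): string {
  return d.toISOString().slice(0, 10);
}
```

The strict variant is what to reach for on any date coming from a request body or query string: an overflowed date that "validates" and then lands in a database as a different day is a data-integrity bug, not a parse error.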

I Ran Nark Against My Own Codebase. Here's Every Violation It Found.

I built a static analyzer that checks whether TypeScript code handles npm package errors correctly. Then I pointed it at my own production app. 11 violations were real. 122 were false positives. Here's what I learned from both.

dogfooding, static analysis, typescript, false positives, nark profiles, suppressions

The Real Cost of One Unhandled Error in Production

A single unhandled AxiosError or Prisma P2002 costs more than you think. Late-night pages, lost customers, engineering hours, liability exposure, and the invisible tax on team morale. Here is the actual math.

production bugs, cost analysis, error handling, typescript, nark, engineering management, incident response

Why Adopt Nark for Your Engineering Team

A guide for tech leads and engineering managers on adopting Nark. Reduce production incidents, improve CI quality gates, and give your team a tool that catches the bugs code review misses.

engineering management, nark, typescript, ci cd, code quality, tech lead, developer experience

The 10 Most Common Unhandled Errors Across 6,200+ TypeScript Repos

We ranked the top 10 unhandled error patterns by frequency across 6,283 open source TypeScript repositories. 71,140 violations. Here's what breaks in production.

typescript, error handling, static analysis, nark profiles, open source, research

6 npm Packages Every TypeScript Project Should Run in CI

The six npm packages that belong in every TypeScript CI pipeline: TypeScript itself, ESLint, Prettier, Vitest, a security scanner, and Nark for dependency error handling.

typescript, ci cd, npm, eslint, vitest, nark, quality

Add Dependency Error Checking to Your TypeScript CI in 2 Minutes

Add Nark to your TypeScript CI pipeline in under 2 minutes. One command, one workflow step, catches unhandled npm package errors on every pull request.

typescript, ci cd, github actions, npm, error handling, nark

Why AI Code Reviews Don't Replace Targeted Error Checking (and How to Use Both)

Claude Code, Copilot, Cursor, and CodeRabbit catch logic bugs. They don't deterministically check 165+ npm packages for unhandled errors. Here's how to use AI review and Nark together.

ai code review, static analysis, error handling, typescript, nark

Case Study: 134 Unguarded Axios Calls Across 35 Integrations in botpress/botpress

We found 134 bare axios calls without try-catch across 35 bot integrations in botpress/botpress. A network timeout, expired credential, or rate limit crashes the bot handler with a raw stack trace. The fire-and-forget analytics ping was re-throwing too.

axios, typescript, error handling, case study, nark profiles, open source

Case Study: ~100 API Routes in civitai/civitai Return 500 Instead of 400

We found approximately 100 Next.js API routes in civitai/civitai that call zod .parse() without try-catch. Any malformed request input produces a 500 Internal Server Error instead of a 400 Bad Request. Public endpoints are affected — no auth required.

zod, typescript, error handling, case study, nark profiles, open source

ESLint vs Semgrep vs Nark: What Each Catches in TypeScript

A practical comparison of ESLint, Semgrep, and Nark for TypeScript static analysis. What each tool catches, what each misses, and when to use all three.

eslint, semgrep, nark, typescript, static analysis, ci cd

GitHub Actions Workflow: ESLint + Vitest + Nark for TypeScript Projects

A complete, copy-paste GitHub Actions workflow that runs ESLint, Vitest, and Nark on every TypeScript pull request. Catch style issues, test failures, and unhandled package errors before merge.

github actions, eslint, vitest, nark, typescript, ci cd

How to Add Nark to a Turborepo / pnpm Monorepo

Set up Nark in a Turborepo or pnpm workspace monorepo. Scan each package independently, cache results with Turbo, and add it to your CI pipeline.

turborepo, pnpm, monorepo, nark, typescript, ci cd

How to Handle OpenAI API Errors in TypeScript

The OpenAI TypeScript SDK throws RateLimitError, AuthenticationError, APIConnectionError, and more. Here is how to catch and handle each one correctly so your AI features don't silently fail.

openai, typescript, error handling, ai, nark, api

How to Handle Redis Connection Errors in TypeScript

Redis clients in Node.js crash your process if you don't register an error handler. Here is how to handle Redis connection errors, reconnection, and timeouts in TypeScript with ioredis and node-redis.

redis, typescript, error handling, ioredis, node redis, nark
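The crash the post describes is Node's EventEmitter contract rather than anything Redis-specific: an `'error'` event with no listener is thrown from `emit()`, and in a real client that happens inside a socket callback, so it becomes an uncaught exception. The added example below (not from the post, ioredis, or node-redis) shows it with a plain emitter standing in for the client, plus a command-timeout wrapper; the client class and error strings are constructed for the demo.

```typescript
import { EventEmitter } from 'node:events';

// Added example: why an unhandled 'error' event kills the process, and how a
// listener plus a timeout keep a request handler alive. The client below is a
// stand-in, not a real Redis connection.

interface ErrorLogEntry { message: string; at: number }

// Stand-in for ioredis / node-redis: both emit 'error' on ECONNREFUSED,
// ECONNRESET and similar socket failures.
class FakeRedisClient extends EventEmitter {
  simulateConnectionLoss(message: string): void {
    this.emit('error', new Error(message));
  }
}

// Register this before the first command or connect() call: an 'error' emitted
// before the listener exists is still unhandled.
function attachErrorHandler(client: EventEmitter, log: ErrorLogEntry[]): void {
  client.on('error', (err: Error) => {
    // Log and carry on; both libraries reconnect on their own. Do not rethrow
    // here: a throw inside the listener is uncaught all over again.
    log.push({ message: err.message, at: Date.now() });
  });
}

// Does the process survive a connection error? With no listener, emit() throws
// the Error itself, which in production surfaces as an uncaught exception.
function survivesConnectionError(withHandler: boolean): boolean {
  const client = new FakeRedisClient();
  const log: ErrorLogEntry[] = [];
  if (withHandler) attachErrorHandler(client, log);
  try {
    client.simulateConnectionLoss('connect ECONNREFUSED 127.0.0.1:6379');
    return true;
  } catch {
    return false;
  }
}

// Command timeout: a hung socket or a slow server must not pin a request
// handler forever. Race the command against a timer and clear the timer
// however the race settles, so no stray timer keeps the event loop busy.
function withTimeout<T>(promise: Promise<T>, ms: number, label: string): Promise<T> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${label} timed out after ${ms}ms`)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}
```

Use `withTimeout(client.get(key), 200, 'GET')` style wrapping at the call site, or the library's own per-command timeout option where it has one; the point is that the error handler covers the connection and the timeout covers individual commands, and neither one substitutes for the other.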

Case Study: jwt.decode() Without jwt.verify() in NangoHQ/nango's OAuth Hooks

We found jwt.decode() used without jwt.verify() in NangoHQ/nango's OAuth post-connection hooks. The shared utility is named just decode() — no indication the token is unverified. The fix: rename to decodeUnverified() with a JSDoc warning.

jsonwebtoken, jwt, typescript, error handling, case study, nark profiles, security, open source
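To make the decode/verify distinction concrete, here is an added example (not code from NangoHQ/nango or the jsonwebtoken package) that builds and checks an HS256 token with Node's crypto module. `decodeUnverified()` does what `jwt.decode()` does: base64url-decode and JSON-parse, trusting nothing. `verifyHs256()` does what `jwt.verify()` does for HS256: pin the algorithm, recompute the MAC over the signing input, compare in constant time, then check expiry. The secret, claims and the tampering helper are constructed for the demo.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Added example: decoding a JWT is not verifying it. Demo secret and claims only.

interface JwtParts {
  header: Record<string, unknown>;
  payload: Record<string, unknown>;
}

function b64url(data: string): string {
  return Buffer.from(data, 'utf8').toString('base64url');
}

function signHs256(payload: Record<string, unknown>, secret: string): string {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url');
  return `${header}.${body}.${sig}`;
}

// Equivalent of jwt.decode(): anyone can mint a token that passes this.
// The name says so, which is the renaming the case study proposes.
function decodeUnverified(token: string): JwtParts {
  const [h, p] = token.split('.');
  if (h === undefined || p === undefined) throw new Error('malformed token');
  return {
    header: JSON.parse(Buffer.from(h, 'base64url').toString('utf8')),
    payload: JSON.parse(Buffer.from(p, 'base64url').toString('utf8')),
  };
}

// Equivalent of jwt.verify() for HS256. `now` is injectable for testing.
function verifyHs256(token: string, secret: string, now = Math.floor(Date.now() / 1000)): Record<string, unknown> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const { header, payload } = decodeUnverified(token);
  // Pin the algorithm: never let the token choose (alg: none, HS256 vs RS256 confusion).
  if (header.alg !== 'HS256') throw new Error(`unexpected alg ${String(header.alg)}`);
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) {
    throw new Error('invalid signature');
  }
  if (typeof payload.exp === 'number' && payload.exp <= now) throw new Error('token expired');
  return payload;
}

// Attacker's move: rewrite the payload of a genuine token and keep its signature.
function forgeSub(token: string, newSub: string): string {
  const [h, , s] = token.split('.');
  const { payload } = decodeUnverified(token);
  return `${h}.${b64url(JSON.stringify({ ...payload, sub: newSub }))}.${s}`;
}
```

Any claim read out of `decodeUnverified()` is attacker-controlled until the same token has gone through `verifyHs256()` (or the library's `verify` with an explicit `algorithms` list); a hook that uses decoded claims to pick a tenant, user or scope has to verify first.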

Nark + CodeRabbit: AI Code Review Meets Deterministic Dependency Checking

CodeRabbit uses AI to review your code logic and intent. Nark deterministically checks whether your code handles the errors your npm dependencies throw. They solve different problems. Use both.

coderabbit, nark, typescript, static analysis, ai code review, error handling, ci cd, nark profiles

Nark vs SonarQube: Code Quality Metrics vs Runtime Error Checking for TypeScript

SonarQube measures code quality metrics like complexity and duplication. Nark checks whether your code handles the runtime errors your npm packages throw. Here is how they differ and when to use both.

sonarqube, nark, typescript, static analysis, code quality, error handling, ci cd

Socket.dev vs Nark: Supply Chain Security vs Runtime Error Checking for TypeScript

Socket.dev protects you from malicious npm packages. Nark catches missing error handling in the legitimate packages you already use. Here is how they differ and why TypeScript teams need both.

socket, nark, typescript, supply chain security, error handling, npm, static analysis, ci cd

The Three Layers of TypeScript Dependency Safety: Supply Chain, SAST, and Completeness

Socket.dev protects what you install. Semgrep catches what you write wrong. Nark catches what you forgot to write. Here is the three-layer model for TypeScript dependency safety and how to run all three in CI.

typescript, static analysis, socket, semgrep, nark, ci cd, error handling, supply chain security, npm

TypeScript CI Quality Gates: The Complete Checklist (2026)

A complete checklist for TypeScript CI quality gates in 2026: type checking, linting, formatting, testing, security scanning, and dependency error handling.

typescript, ci cd, github actions, eslint, testing, nark, quality

We scanned 6,283 TypeScript repositories. Here's what we found.

We ran Nark across 6,283 open source TypeScript projects and found 71,140 unguarded error paths. Here's what the data says about error handling in the TypeScript ecosystem.

typescript, error handling, static analysis, nark profiles, open source

What Happens When You Don't Handle Prisma P2002 in Production

Prisma throws PrismaClientKnownRequestError with code P2002 on unique constraint violations. If you don't catch it, your users see a 500 error instead of 'email already taken'. Here is what happens and how to fix it.

prisma, typescript, error handling, p2002, database, nark
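The civitai case study (zod `.parse()` turning bad input into a 500) and this Prisma P2002 post describe the same missing piece: one place that turns the errors npm packages throw into the status a client should see. The added example below (not code from civitai/civitai, zod, or Prisma) duck-types both cases so it runs without either package: zod's ZodError has `name === 'ZodError'` and an `issues` array; Prisma's PrismaClientKnownRequestError has `code === 'P2002'` and `meta.target` naming the violated unique columns. Mapping a duplicate to 409 Conflict is this example's choice; the stand-in errors at the bottom are constructed for the demo.

```typescript
// Added example: map dependency errors to HTTP statuses in one wrapper.
// Duck-typed so it runs without zod or @prisma/client; stand-ins are constructed.

interface HttpResponse { status: number; body: unknown }

interface ZodLike { name: string; issues: Array<{ path: (string | number)[]; message: string }> }
interface PrismaKnownLike { code: string; meta?: { target?: string[] } }

function isZodError(err: unknown): err is ZodLike {
  return typeof err === 'object' && err !== null &&
    (err as { name?: unknown }).name === 'ZodError' &&
    Array.isArray((err as { issues?: unknown }).issues);
}

function isPrismaKnown(err: unknown): err is PrismaKnownLike {
  return typeof err === 'object' && err !== null &&
    typeof (err as { code?: unknown }).code === 'string';
}

// Bad input is the client's fault (400); a duplicate key is a conflict (409);
// anything else stays a 500 with a generic body so stack traces and SQL
// never reach the client. Log the original server-side, not here.
function toHttpError(err: unknown): HttpResponse {
  if (isZodError(err)) {
    return {
      status: 400,
      body: {
        error: 'invalid request',
        details: err.issues.map(i => ({ path: i.path.join('.'), message: i.message })),
      },
    };
  }
  if (isPrismaKnown(err) && err.code === 'P2002') {
    const fields = err.meta?.target?.join(', ') ?? 'value';
    return { status: 409, body: { error: `${fields} already taken` } };
  }
  return { status: 500, body: { error: 'internal error' } };
}

// Wrap a route handler once instead of adding try-catch to ~100 routes.
// Without this, the framework default is a 500 for everything that throws.
function withErrorMapping<I>(handler: (input: I) => Promise<unknown>) {
  return async (input: I): Promise<HttpResponse> => {
    try {
      return { status: 200, body: await handler(input) };
    } catch (err) {
      return toHttpError(err);
    }
  };
}

// Constructed stand-ins shaped like the real errors.
function fakeZodError(): Error {
  const e = new Error('Invalid input') as Error & { issues: ZodLike['issues'] };
  e.name = 'ZodError';
  e.issues = [{ path: ['email'], message: 'Invalid email' }];
  return e;
}

function fakeP2002(): Error {
  const e = new Error('Unique constraint failed on the fields: (`email`)') as Error & PrismaKnownLike;
  e.code = 'P2002';
  e.meta = { target: ['email'] };
  return e;
}
```

With the real packages, `isZodError` can be replaced by `err instanceof ZodError` and the Prisma branch by `err instanceof Prisma.PrismaClientKnownRequestError`; the status mapping stays the same.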

Where Does Nark Store Scan Results? Understanding the .Nark Folder

Nark creates a .Nark folder to store local scan history, violation files, and run artifacts. Here's exactly how it decides where that folder goes — and what to do when it ends up in the wrong place.

getting started, cli, troubleshooting, tsconfig

Why AI-Generated TypeScript Code Skips Error Handling (And How to Catch It)

AI coding assistants write syntactically correct TypeScript but routinely miss package-specific error handling. Here's why, and how to automatically catch the gaps.

ai, copilot, cursor, typescript, error handling, nark, code quality

Why TypeScript Needs a Dependency Error Checker (And ESLint Isn't Enough)

ESLint and TypeScript's type system enforce code correctness, but neither knows what your npm dependencies throw at runtime. Here's the gap they leave open.

typescript, error handling, static analysis, npm, nark

How to Handle Axios Errors in TypeScript (Complete Guide)

Learn how to handle all three axios error types in TypeScript: HTTP errors, network failures, and setup errors with axios.isAxiosError() type narrowing.

axios, typescript, error handling, http, nark

How to Handle Prisma Errors in TypeScript (P2002, P2025, and More)

Handle Prisma error codes P2002 (duplicate), P2025 (not found), P2003 (foreign key), and connection errors with proper TypeScript patterns.

prisma, typescript, error handling, database, nark

How to Handle Stripe Errors in Node.js and TypeScript (StripeCardError, Rate Limits, Webhooks)

Handle five Stripe error types in Node.js: StripeCardError, rate limits, webhook signature verification, authentication errors, and connection errors.

stripe, nodejs, typescript, error handling, payments, nark

What Static Analysis Tools Check for Missing Error Handling in TypeScript?

Compare ESLint, TypeScript strict mode, Semgrep, and Nark for catching missing try-catch around axios, Prisma, and Stripe calls in TypeScript.

static analysis, eslint, typescript, error handling, nark

How to Add Nark to Your CircleCI Pipeline

Integrate Nark Profile verification into CircleCI. Automatically catch unhandled npm package failures on every commit.

ci cd, circleci, typescript, npm, tutorial

How to Add Nark to Your GitHub Actions CI

Set up Nark Profile verification in your GitHub Actions pipeline. Catch unhandled npm package failures on every pull request in under 5 minutes.

ci cd, github actions, typescript, npm, tutorial

npx nark: Scan Your TypeScript Project in 30 Seconds

One command, zero config. Run npx nark to find every unhandled failure mode in your npm package usage — timeouts, rate limits, connection failures, and more.

getting started, typescript, npm, cli, tutorial

What Is Nark Profile Verification?

Learn how Nark Profiles help you catch unsafe npm package usage before it reaches production — errors, timeouts, rate limits, and failure states your tests never touched.

nark profiles, npm, typescript, code quality