UNPKG

dev-checklist-kit

Version:

A CLI tool that generates a developer checklist Markdown file.

188 lines (158 loc) โ€ข 8.89 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
#!/usr/bin/env node import { writeFile } from 'fs/promises'; import path from 'path'; import { fileURLToPath } from 'url'; const checklistContent = `# # โœ… Website Deployment Checklist ## 1. Code & Functionality - [ ] All pages load correctly (no 404s or errors) - add pages 404 or error page - [ ] Forms work, validate properly, and handle invalid input - [ ] No broken links (internal or external) - [ ] Responsive design (mobile/tablet/desktop) - [ ] Cross-browser tested (Chrome, Firefox, Safari, Edge) - [ ] Console is free of JavaScript errors and warnings - [ ] Third-party services (APIs, payments, embeds) are integrated and tested - [ ] Routes and redirects function correctly (including 404 and 500 pages) - [ ] Code is modular, reusable, and follows naming conventions - [ ] Edge cases are handled (empty states, long content, offline mode) - [ ] Loading and error states are implemented properly - [ ] Lazy loading or code splitting is used where applicable - [ ] State management works correctly and doesnโ€™t leak data - [ ] Inputs are sanitized to prevent XSS or injection attacks - [ ] No sensitive data (tokens, secrets) exposed in frontend - [ ] Async functions have error handling (try/catch or .catch) - [ ] Important events (clicks, errors, user actions) are tracked (if analytics is used) - [ ] Animations and transitions donโ€™t block or break functionality - [ ] Lighthouse performance score is above 80 - [ ] No framework warnings (e.g., React keys, hydration mismatches) - [ ] Forms have protection against double submissions (e.g., disable button after click) - [ ] Frontend enforces business rules (e.g., can't delete what wasn't created) - [ ] Basic authentication/authorization works (if applicable) ## 2. Performance Optimization - [ ] Images are optimized (compressed without quality loss) - [ ] CSS/JS is minified - [ ] Lazy loading is enabled for large assets - [ ] Code splitting and tree shaking (if using frameworks like React/Vue) - [ ] CDN is configured for static assets (if needed) - [ ] Lighthouse or PageSpeed scores are acceptable ๐Ÿง  Extended Checklist (Advanced / Often Missed) - [ ] Critical CSS is inlined - [ ] Fonts are optimized and loaded efficiently (e.g., font-display: swap) - [ ] HTTP/2 or HTTP/3 is enabled - [ ] Third-party scripts are audited - [ ] Preconnect / DNS-prefetch / Preload hints are used wisely - [ ] JavaScript is deferred or loaded async when possible - [ ] Avoid excessive DOM nodes - [ ] Server response times (TTFB) are optimized - [ ] Set caching policies (Cache-Control / ETag) - [ ] Use efficient data formats (e.g., JSON over XML, Brotli compression) ## 3. SEO & Metadata - [ ] Title tags and meta descriptions for all pages - [ ] Open Graph and Twitter meta tags for social sharing - [ ] Sitemap.xml is generated and linked in robots.txt - [ ] Robots.txt is present and configured correctly - [ ] Canonical tags are set to avoid duplicate content - [ ] H1-H6 hierarchy is logical ## 4. Security ๐Ÿ” Authentication & Authorization - [ ] Admin/dashboard is protected with proper authentication ๐Ÿง  - [ ] Sessions are secure (HTTPOnly, Secure, SameSite cookies or secure tokens) - [ ] Rate limiting is applied to login and sensitive endpoints (e.g., express-rate-limit) - [ ] Passwords are hashed securely using bcrypt, Argon2, etc. - [ ] Roles and permissions are enforced server-side ๐ŸŒ Network & Transport - [ ] HTTPS is enforced (SSL/TLS installed, 301 redirects from HTTP) - [ ] HSTS headers are set (Strict-Transport-Security) - [ ] CORS is properly configured and restrictive ๐Ÿงผ Input & Output Handling - [ ] Input validation & sanitization in place (use libraries like valibot, zod, express-validator) - [ ] Outputs are encoded to prevent XSS (especially user-generated content) - [ ] File uploads are validated for type and size - [ ] No eval / Function() or insecure dynamic code ๐Ÿง  ๐Ÿงฐ Dependencies & Infrastructure - [ ] Dependencies are up-to-date and scanned for vulnerabilities (npm audit, snyk, dependabot) - [ ] Environment variables are not exposed to client - [ ] Error messages donโ€™t expose stack traces or sensitive data - [ ] Backend is not exposing internal logic or debug routes ๐Ÿง  - [ ] Database access is protected (no open ports, use firewalls) ๐Ÿง  ๐Ÿ›ก๏ธ Headers & Browser Protections - [ ] Security headers are set (helmet, Content-Security-Policy, X-Frame-Options, etc.) - [ ] CSP (Content Security Policy) blocks inline scripts and limits resources - [ ] CSRF protection is in place for state-changing operations ๐Ÿ Attack Surfaces & Testing - [ ] Common OWASP vulnerabilities are tested against (XSS, CSRF, SSRF, etc.) ๐Ÿง  - [ ] Vulnerability scanning is performed (e.g., OWASP ZAP, nmap, nikto) - [ ] Logs are monitored for unusual activity ๐Ÿง  - [ ] 2FA is enforced for admin accounts (if applicable) ๐Ÿง  ## 5. Analytics & Monitoring ๐Ÿ“ˆ Basic Analytics - [ ] Google Analytics (or alternative) is installed Plausible (lightweight, GDPR-friendly), Matomo (self-hosted option), Fathom ๐Ÿงฉ Event & Custom Tracking - [ ] Custom events and goals are defined. Track specific interactions like clicks, signups, purchases โ€” not just pageviews. Tool: Google Analytics 4 (GA4), or gtag("event", ...) for custom tracking. - [ ] Consent-based tracking is respected ๐Ÿšจ Error Logging - [ ] Frontend error logging is enabled (e.g., Sentry, LogRocket, Bugsnag) - [ ] Backend error logging is in place Tools: Winston, Logtail, Sentry, Datadog - [ ] Alerts are configured for critical issues ๐Ÿš€ Performance Monitoring - [ ] Core Web Vitals are tracked over time Tools: Google Analytics 4 (enable Web Vitals), Calibre, SpeedCurve - [ ] Real User Monitoring (RUM) is active Tools: Datadog, Pingdom, New Relic, LogRocket โฑ๏ธ Uptime & Availability - [ ] Uptime monitoring is configured Tools: UptimeRobot (Free for 5 monitors), Updown.io, Better Uptime - [ ] Downtime alerts go to the right person/channel - [ ] SSL and domain expiration alerts Tool: Updown.io or use whois tools with notification services. ## 6. Accessibility (a11y) - [ ] Images have alt text - [ ] All images have descriptive alt text, or empty alt="" if decorative - [ ]Form fields have associated <label> elements, or appropriate aria-label - [ ] The interface is fully navigable with keyboard (Tab, Enter, Esc, etc.) - [ ] ARIA attributes (role, aria-label, aria-describedby, etc.) are used where needed - [ ] Color contrast meets WCAG AA standards (4.5:1 for normal text, 3:1 for large text) - [ ] Interactive elements (like buttons and links) are clearly focusable and accessible - [ ] No essential information is conveyed by color alone (use icons/text too) - [ ] Semantic HTML is used (headings, lists, nav, main, etc.) - [ ] Live content updates (like form errors or alerts) use aria-live or role="alert" - [ ] The <html> element includes the correct lang attribute (e.g. <html lang="en">) ## 7. Backend & Database - [ ] Database is secured and not publicly accessible - [ ] Backups are configured - [ ] API routes are protected and rate-limited - [ ] Server logs and error handling in place - [ ] Environment variables set correctly ## 8. Deployment Readiness ๐Ÿ”ง Core Deployment Checks - [ ] Domain name is pointed to the correct server - [ ] Hosting configuration is correct (e.g., Nginx, Apache, Vercel, Netlify) - [ ] Build tools (e.g., Webpack, Vite, Next.js) are in production mode - [ ] CI/CD pipeline is tested and stable - [ ] Fallback 404 page and custom error pages are configured ๐Ÿ”’ Security & Access - [ ] HTTPS is enforced (SSL/TLS active) - [ ] Environment variables are correctly set and not exposed - [ ] Admin/dashboard routes are protected or hidden ๐ŸŒ Real-World Readiness - [ ] Test performance on slow/mobile networks - [ ] Content is localized or adaptable (i18n if needed) - [ ] Timezone-sensitive features tested ๐Ÿง  Bonus Deployment Good Practices - [ ] 404 redirect for SPAs or Next.js dynamic routes is working - [ ] Sitemap and robots.txt are deployed - [ ] Favicons and meta tags are in place - [ ] Database migrations (if needed) have run - [ ] Clean and trackable versioning (via git tag or env var) - [ ] Log monitoring and error tracking enabled ## 9. Legal and Compliance - [ ] Cookie consent banner (if needed) - [ ] Privacy policy & terms of service pages - [ ] GDPR compliance (for EU audiences) - [ ] License compliance for third-party code/assets `; const __dirname = path.dirname(fileURLToPath(import.meta.url)); const outputPath = path.join(process.cwd(), 'checklist.md'); await writeFile(outputPath, checklistContent); console.log('โœ… Checklist created at:', outputPath);