richardm/typescript-node-express

TypeScript 6 ESM / Node.js 22+ / Express 5 / ESLint 9 / Prettier template

How to use

  1. Ensure Node.js 22+ is installed in your workspace (I recommend using nvm).
  2. From the GitHub repo, click "Use this template" to create a new project from this template.
  3. Add your application code to the src directory.

Why use this template?

I created this in January 2025 because I was tired of scaffolding new projects from scratch and wanted a modern baseline I could use for new projects.

This is an opinionated template using my current default tech stack: TypeScript 6, Node.js 22 / 24, Express 5, ESLint 9 (flat config), Prettier, Vitest, GitHub Actions.

Changelog

  • Remove support for Node.js 18 and below due to End-of-Life (completed June 2025)
  • Remove support for Node.js 23 due to End-of-Life (completed June 2025)
  • Add support for Node.js 24 (Current) (completed June 2025)
  • Remove Node.js 20 due to end of maintenance phase. (in progress April 2026)
  • Add support for Node.js 26 (coming soon)

Supported Node.js versions

I recommend using the latest LTS version of Node.js in production; however this repo runs matrix builds ensuring compatibility with the following Node.js versions (as of April 2026):

  • Node.js 22 (Maintenance)
  • Node.js 24 (Active)

Security

Since 2025, there has been a surge in npm supply chain vulnerabilities. GitHub Actions workflows are commonly compromised to steal maintainer credentials and push malicious updates, even to otherwise trustworthy dependencies. As a result, I prefer a zero trust posture towards all dependencies.

If possible, I strongly recommend using fully isolated cloud VMs for development to avoid accidentally installing malicious npm dependencies on your main computer. If you must install npm packages locally, I recommend using a VM, a sandbox, or at least a containerized Docker environment.

While I strongly recommend against local development, this repo provides hardened security defaults to reduce the risk if you do so:

  • Uses pnpm with hardened defaults (see .npmrc), including disabling install scripts and requiring dependencies (and transitive dependencies) to be 3+ days old.
  • Uses pinned hashes for all GitHub Actions (see .github/workflows)
  • Pinned hashes enforced by GitHub (Security -> Actions -> General -> enable "Require full-length SHA")
  • Add OSSF Scorecard action and configure GitHub repo. See: #84
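
One way to audit the pinned-hash rule above locally, as an added example that is not part of this template: the function scans workflow text for `uses:` references that are not pinned to a 40-character commit SHA. The sample workflow, its placeholder SHA and `example-org/example-action` are constructed, and treating `docker://` images without a digest as unpinned is an assumption of this example.

```javascript
// Added example, not part of the template: report `uses:` references in a
// GitHub Actions workflow that are not pinned to a full-length commit SHA.
const FULL_SHA = /^[0-9a-f]{40}$/i;
const DOCKER_DIGEST = /@sha256:[0-9a-f]{64}$/i; // assumption: digests count as pinned

function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((line, index) => {
    // Match step-level and job-level `uses:` keys; stop before a trailing comment.
    const match = line.match(/^\s*(?:-\s+)?uses:\s*["']?([^"'\s#]+)/);
    if (!match) return;
    const ref = match[1];
    if (ref.startsWith("./")) return; // local action, versioned with the repo itself
    if (ref.startsWith("docker://")) {
      if (!DOCKER_DIGEST.test(ref)) {
        findings.push({ line: index + 1, ref, reason: "image not pinned to a digest" });
      }
      return;
    }
    const at = ref.lastIndexOf("@");
    const version = at === -1 ? "" : ref.slice(at + 1);
    if (!FULL_SHA.test(version)) {
      // Tags and branches can be moved to point at different code later.
      findings.push({ line: index + 1, ref, reason: "mutable tag or branch" });
    }
  });
  return findings;
}

// Constructed sample workflow (the SHA is a placeholder, not a real commit).
const SAMPLE_WORKFLOW = `
name: build
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
      - uses: actions/setup-node@v4
      - name: lint
        uses: ./.github/actions/lint
      - uses: example-org/example-action@main
`;

console.log(findUnpinnedActions(SAMPLE_WORKFLOW));
```

Run it over each file in .github/workflows and fail the build when the returned list is non-empty.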

Project Goals

  • Require Node 22+
  • Express 5
  • TypeScript 5
  • Support TypeScript ESM
  • Use eslint for consistency
  • Use Prettier for formatting
  • Provide a VSCode .devcontainer
  • Vitest for unit tests
  • (Supertest?) for API tests
  • Pino for logging
  • Adopt Conventional Commits and automatically generate the changelog
  • Provide a GitHub Actions workflow for testing

Out of Scope

  • Production: This is intended to be usable in a variety of prod environments (lambda, containers, etc). As a result, Docker and/or PM2 are out of scope for now, but I would be happy to link to reference repos for how to productionize this for a variety of production environments.
  • Backwards compatibility: This may work with older versions, but I will not be investing any effort to support those.

Notes:

  • tsx does not perform type checking. VS Code can do that for you locally, and your CI/CD pipeline can do that for you during builds.
  • Note that tsx uses esbuild under the hood
  • Express 5 was finally released in October 2024, so it may have limited community support.
  • esbuild does not support emitDecoratorMetadata in tsconfig.json
