TypeScript strict mode or equivalent linting is enabled
Why it matters
TypeScript without strict: true is a false sense of safety. With strictNullChecks disabled, the compiler allows null and undefined to be passed anywhere — silently — meaning null pointer exceptions lurk undetected until runtime. With noImplicitAny disabled, entire code paths go untyped. CWE-704 (Incorrect Type Conversion or Cast) applies: the type system fails to catch conversions that will break at runtime. ISO 25010 maintainability.analysability and modifiability both degrade when developers cannot trust the type system to catch refactoring errors.
Severity rationale
Critical because disabling strict mode allows null pointer bugs and implicit `any` types to pass compilation silently, making the type system fail at its primary job.
Remediation
Enable strict mode in tsconfig.json:
{
"compilerOptions": {
"strict": true
}
}
If enabling strict mode surfaces many errors in an existing codebase, add flags incrementally: "noImplicitAny": true first, fix those errors, then "strictNullChecks": true. Each flag catches a distinct class of real bugs — budget time to address them, because they were already there.
Detection
-
ID:
typescript-strict -
Severity:
critical -
What to look for: Read
tsconfig.json. Check for"strict": trueincompilerOptions. Ifstrictis not set totrue, check for the individual flags it enables:strictNullChecks,strictFunctionTypes,strictBindCallApply,strictPropertyInitialization,noImplicitAny,noImplicitThis,alwaysStrict. A partial strict config is acceptable if at minimumstrictNullChecksandnoImplicitAnyare bothtrue. If the project is JavaScript (no tsconfig), check for ESLint rules that provide equivalent type safety signals (no-undef,no-implicit-globals). If the project uses TypeScript but has"strict": falseor no strict flags at all, that is a fail. -
Pass criteria: Extract and quote the
compilerOptionsobject fromtsconfig.json. Count all strict-mode flags present in the config.tsconfig.jsonhas"strict": true, OR has both"strictNullChecks": trueand"noImplicitAny": trueset individually. JavaScript projects pass if ESLint is configured with at least 3 type-safety rules. Report the configuration found even on pass. -
Fail criteria: TypeScript project with no strict flags enabled —
strictis absent or false, and individual strict flags are not set. Do must not pass whenstrictis missing fromcompilerOptionseven if other unrelated options are present. -
Skip (N/A) when: The project is not TypeScript and has no type-checking tooling at all (e.g., plain Python, Ruby, or Go project). Signal: no
tsconfig.jsonand no.ts/.tsxfiles. -
Detail on fail:
"tsconfig.json has no strict flags — 'strict' is not set and neither are strictNullChecks or noImplicitAny. TypeScript is running in permissive mode, allowing any-typed values and unchecked nulls throughout."or"tsconfig.json has 'strict: false' — explicit opt-out of type safety." -
Remediation: TypeScript without strict mode provides far weaker guarantees than it appears to.
strictNullChecksoff means TypeScript silently allows null pointer bugs.noImplicitAnyoff means many type errors go undetected.Enable strict mode in
tsconfig.json:{ "compilerOptions": { "strict": true } }If your codebase has many existing errors after enabling strict mode, use the incremental approach: add
"noImplicitAny": truefirst, fix those errors, then add"strictNullChecks": true. Each flag can be enabled independently.Note: enabling strict mode after the fact typically surfaces real bugs that were silently lurking. Budget time to address them.
External references
- iso-25010:2011 · maintainability.analysability — Analysability
- iso-25010:2011 · maintainability.modifiability — Modifiability
- cwe · CWE-704 — Incorrect Type Conversion or Cast
Taxons
History
- 2026-04-18·v1.0.0·Initial import from code-maintainability·automated