TypeScript without strict: true is a false sense of safety. With strictNullChecks disabled, the compiler allows null and undefined to be passed anywhere — silently — meaning null pointer exceptions lurk undetected until runtime. With noImplicitAny disabled, entire code paths go untyped. CWE-704 (Incorrect Type Conversion or Cast) applies: the type system fails to catch conversions that will break at runtime. ISO 25010 maintainability.analysability and modifiability both degrade when developers cannot trust the type system to catch refactoring errors.
Critical because disabling strict mode allows null pointer bugs and implicit `any` types to pass compilation silently, making the type system fail at its primary job.
Enable strict mode in tsconfig.json:
{
"compilerOptions": {
"strict": true
}
}
If enabling strict mode surfaces many errors in an existing codebase, add flags incrementally: "noImplicitAny": true first, fix those errors, then "strictNullChecks": true. Each flag catches a distinct class of real bugs — budget time to address them, because they were already there.
ID: code-maintainability.naming-conventions.typescript-strict
Severity: critical
What to look for: Read tsconfig.json. Check for "strict": true in compilerOptions. If strict is not set to true, check for the individual flags it enables: strictNullChecks, strictFunctionTypes, strictBindCallApply, strictPropertyInitialization, noImplicitAny, noImplicitThis, alwaysStrict. A partial strict config is acceptable if at minimum strictNullChecks and noImplicitAny are both true. If the project is JavaScript (no tsconfig), check for ESLint rules that provide equivalent type safety signals (no-undef, no-implicit-globals). If the project uses TypeScript but has "strict": false or no strict flags at all, that is a fail.
Pass criteria: Extract and quote the compilerOptions object from tsconfig.json. Count all strict-mode flags present in the config. tsconfig.json has "strict": true, OR has both "strictNullChecks": true and "noImplicitAny": true set individually. JavaScript projects pass if ESLint is configured with at least 3 type-safety rules. Report the configuration found even on pass.
Fail criteria: TypeScript project with no strict flags enabled — strict is absent or false, and individual strict flags are not set. Do must not pass when strict is missing from compilerOptions even if other unrelated options are present.
Skip (N/A) when: The project is not TypeScript and has no type-checking tooling at all (e.g., plain Python, Ruby, or Go project). Signal: no tsconfig.json and no .ts/.tsx files.
Detail on fail: "tsconfig.json has no strict flags — 'strict' is not set and neither are strictNullChecks or noImplicitAny. TypeScript is running in permissive mode, allowing any-typed values and unchecked nulls throughout." or "tsconfig.json has 'strict: false' — explicit opt-out of type safety."
Remediation: TypeScript without strict mode provides far weaker guarantees than it appears to. strictNullChecks off means TypeScript silently allows null pointer bugs. noImplicitAny off means many type errors go undetected.
Enable strict mode in tsconfig.json:
{
"compilerOptions": {
"strict": true
}
}
If your codebase has many existing errors after enabling strict mode, use the incremental approach: add "noImplicitAny": true first, fix those errors, then add "strictNullChecks": true. Each flag can be enabled independently.
Note: enabling strict mode after the fact typically surfaces real bugs that were silently lurking. Budget time to address them.