Strict null checks active

ab-002141 · code-quality-essentials.type-safety.strict-null-checks

Severity: highactive

Why it matters

With strictNullChecks disabled, null and undefined are subtypes of every type — string implicitly includes null. This means the compiler cannot warn when you call .trim() on a value that could be null, or access .user.name on a possibly-undefined response. ISO 25010:2011 §6.5.4 classifies null-safety gaps as reliability defects. Null pointer exceptions are one of the most common runtime crashes in production JavaScript: nearly always preventable, never fun to debug from a Sentry alert.

Severity rationale

High because disabling strictNullChecks allows null and undefined to flow into any typed value silently, making null-dereference crashes invisible to the compiler until they hit production.

Remediation

Enable strictNullChecks via strict: true in tsconfig.json. During migration, the compiler will surface every place where null or undefined could flow into a non-nullable type — fix each with optional chaining, null guards, or explicit non-null assertions with a comment.

// Errors with strictNullChecks: user might be null
const name = user.name;

// Fixed: optional chaining
const name = user?.name ?? 'Anonymous';

// Fixed: explicit guard
if (user === null) throw new Error('User not authenticated');
const name = user.name;

Detection

ID: strict-null-checks
Severity: high
What to look for: In tsconfig.json, verify strictNullChecks is true. If strict: true is set, strictNullChecks is enabled unless explicitly overridden. Check for "strictNullChecks": false in the compilerOptions. Without this flag, null and undefined are subtypes of every type — meaning string implicitly includes null and undefined, making null pointer exceptions invisible to TypeScript until runtime. Scan a sample of the codebase for patterns that would error under strict null checks: calling methods on values that may be null, accessing properties on possibly-undefined objects without optional chaining.
Detector snippet (shell-capable tools only): If jq is available, read the explicit compilerOptions.strictNullChecks value. Output "true" or "null" means pass IF strict: true is set elsewhere. Output "false" fails regardless. Exit >=2 (file not found) — fall back to prose reasoning.
```
jq -r '.compilerOptions.strictNullChecks // "null"' tsconfig.json
```
Pass criteria: Count all tsconfig files. strictNullChecks is true (directly or via strict: true) and not explicitly overridden with false with at least 1 verified location.
Fail criteria: Explicitly false, or strict is absent/false and strictNullChecks is not individually enabled.
Skip (N/A) when: Project has no TypeScript files.
Detail on fail: "strictNullChecks is disabled; null and undefined are assignable to all types, masking null dereference bugs"

Remediation: Enable strictNullChecks (or use strict: true). When migrating an existing codebase, you'll surface errors where values may be null — address each with optional chaining or explicit null guards:

// Errors with strictNullChecks: user might be null
const name = user.name;

// Fixed: optional chaining
const name = user?.name ?? 'Anonymous';

// Fixed: explicit guard
if (user === null) throw new Error('User not authenticated');
const name = user.name;

External references

iso-25010:2011 · maintainability.modifiability — Maintainability — Modifiability

Taxons

code-quality

History

2026-04-18·v1.0.0·Initial import from code-quality-essentials·automated
2026-04-20·v1.1.0·Add Phase 6.0 detect-jq snippet for deterministic tsconfig.strictNullChecks parse·by cakleinman

Why it matters

Remediation

// Errors with strictNullChecks: user might be null
const name = user.name;

// Fixed: optional chaining
const name = user?.name ?? 'Anonymous';

// Fixed: explicit guard
if (user === null) throw new Error('User not authenticated');
const name = user.name;

Detection

ID: strict-null-checks
Severity: high
What to look for: In tsconfig.json, verify strictNullChecks is true. If strict: true is set, strictNullChecks is enabled unless explicitly overridden. Check for "strictNullChecks": false in the compilerOptions. Without this flag, null and undefined are subtypes of every type — meaning string implicitly includes null and undefined, making null pointer exceptions invisible to TypeScript until runtime. Scan a sample of the codebase for patterns that would error under strict null checks: calling methods on values that may be null, accessing properties on possibly-undefined objects without optional chaining.
Detector snippet (shell-capable tools only): If jq is available, read the explicit compilerOptions.strictNullChecks value. Output "true" or "null" means pass IF strict: true is set elsewhere. Output "false" fails regardless. Exit >=2 (file not found) — fall back to prose reasoning.
```
jq -r '.compilerOptions.strictNullChecks // "null"' tsconfig.json
```
Pass criteria: Count all tsconfig files. strictNullChecks is true (directly or via strict: true) and not explicitly overridden with false with at least 1 verified location.
Fail criteria: Explicitly false, or strict is absent/false and strictNullChecks is not individually enabled.
Skip (N/A) when: Project has no TypeScript files.
Detail on fail: "strictNullChecks is disabled; null and undefined are assignable to all types, masking null dereference bugs"

// Errors with strictNullChecks: user might be null
const name = user.name;

// Fixed: optional chaining
const name = user?.name ?? 'Anonymous';

// Fixed: explicit guard
if (user === null) throw new Error('User not authenticated');
const name = user.name;