Contributing
Thanks for helping improve @nest-native/kafka. The canonical guide is
CONTRIBUTING.md
in the repository; this page summarizes the rules that shape every pull request.
Local Validation
Run the full local gate before opening a PR:
npm run ci
This runs typecheck, coverage (enforced at 100%), cognitive-complexity checks, release checks (README links, sample-version sync, and the package tarball), the supply-chain audit, and the samples. Local green is required before pushing. See Quality and CI.
Sample Work Stays Separate From Library Fixes
Sample PRs may change sample code, docs, CI wiring, and the release checks samples
need. They must not include changes under packages/kafka/**. Before
committing a sample PR, confirm the touched package-file list is empty:
git diff --name-only main...HEAD -- packages/kafka
git diff --cached --name-only -- packages/kafka
If a sample exposes a package bug, split the fix into a dedicated library-fix PR first, then return to the sample.
Security Review (Mandatory)
Every PR includes an explicit security pass:
- Dependency additions/updates are reviewed for legitimacy, and install/lifecycle scripts are inspected.
- The published
packages/kafka/package.jsonkeeps"dependencies": {}. Runtime requirements are peers; build tools are devDependencies. - Auth/authz in handlers, input-validation gaps in deserialization, and SSL/SASL credential handling are reviewed. Secrets never appear in samples, logs, or docs.
Cognitive Complexity
When a change touches packages/kafka/**/*.ts, run npm run complexity:check
and npm run complexity:report. CI enforces the SonarJS threshold of 15 per
source function. Complexity is never reduced by weakening the architecture, API
clarity, rebalance safety, or coverage.
Pull Requests
Use the repository's pull request template. Keep changes focused, write imperative-mood commit messages, and check off the scope, validation, and security sections.