Catch Anti-Patterns
Before They Ship

AI agents write code fast — but they repeat the same anti-patterns everywhere. God components, fat controllers, hardcoded secrets, prop drilling. Left unchecked, these compound into a codebase no one can maintain. You either stay dependent on AI tools to untangle it, or pay a developer to rewrite everything from scratch.

$ npm install --save-dev anti-pattern-sniffer

DOCUMENTATION →GITHUB →NPM →

14Sniffers

3Frameworks

0Dependencies

371Tests

TRY IT

Run it yourself

Type aps to scan, aps -i for interactive mode, or help to see all commands.

INTERACTIVE DEMO

Try "aps" to scan, "aps -i" for interactive mode, or "help" for all commands.

HOW IT WORKS

Three commands. Zero config.

Install

npm i -D anti-pattern-sniffer

One package. Zero dependencies. Works with Node.js 20+.

Scan

npx aps

Auto-detects your framework from package.json. Scans all source files in parallel.

Fix

npx aps -i

Browse issues in the interactive TUI. Copy fixes as AI prompts. Ignore false positives.

FRAMEWORK SUPPORT

14 sniffers. 3 frameworks.

Each sniffer targets a specific architectural anti-pattern with regex-based heuristics. No AST parsing, no dependencies — just fast, accurate detection.

React

3 SNIFFERS

prop-explosion

god-hook

prop-drilling

Express

6 SNIFFERS

god-routes

fat-controllers

missing-error-handling

no-input-validation

callback-hell

hardcoded-secrets

NestJS

5 SNIFFERS

god-service

missing-dtos

business-logic-in-controllers

missing-guards

magic-strings

SEE IT IN ACTION

Before and after

Every detection comes with a concrete suggestion. Here are three sniffers catching real problems.

Components with too many props are doing too much. Group related props into objects and split into sub-components.

✗ FLAGGED — 10 PROPS

function UserProfileCard({
  firstName,
  lastName,
  email,
  phone,
  avatarUrl,
  role,
  department,
  isActive,
  lastLoginDate,
  onEdit,
}) {
  return (
    <div className="card">
      <img src={avatarUrl} />
      <h2>{firstName} {lastName}</h2>
      <p>{email} · {phone}</p>
      <span>{role} - {department}</span>
      <button onClick={onEdit}>Edit</button>
    </div>
  );
}

✓ REFACTORED — 4 PROPS

function UserProfileCard({
  user,
  org,
  isActive,
  onEdit,
}) {
  return (
    <div className="card">
      <UserAvatar user={user} />
      <UserDetails
        user={user}
        org={org}
      />
      {isActive && <ActiveBadge />}
      <button onClick={onEdit}>
        Edit
      </button>
    </div>
  );
}

Secrets in source code end up in version history forever. This sniffer catches passwords, API keys, and AWS credentials at error severity.

✗ FLAGGED — 4 SECRETS

const dbPassword =
  'super_secret_password_123';
const apiKey =
  'sk-live-abc123def456...';
const awsKey =
  'AKIAIOSFODNN7EXAMPLE';

const dbUrl =
  'mongodb://admin:p4ssw0rd' +
  '@db.example.com:27017/myapp';

✓ FIXED — ENV VARIABLES

const dbPassword =
  process.env.DB_PASSWORD;
const apiKey =
  process.env.API_KEY;
const awsKey =
  process.env.AWS_ACCESS_KEY_ID;

const dbUrl =
  process.env.DATABASE_URL;

Services with too many injected dependencies violate single responsibility. Split into focused services that each own one domain concern.

✗ FLAGGED — 9 DEPENDENCIES

@Injectable()
class UserService {
  constructor(
    private userRepo: UserRepository,
    private profileRepo: ProfileRepository,
    private orderRepo: OrderRepository,
    private emailService: EmailService,
    private smsService: SmsService,
    private paymentService: PaymentService,
    private cacheService: CacheService,
    private auditService: AuditService,
    private analytics: AnalyticsService,
  ) {}

  async createUser() { /* ... */ }
  async sendWelcomeEmail() { /* ... */ }
  async processPayment() { /* ... */ }
  async trackActivity() { /* ... */ }
}

✓ SPLIT — 3 DEPENDENCIES

@Injectable()
class UserService {
  constructor(
    private userRepo: UserRepository,
    private profileRepo: ProfileRepository,
    private cacheService: CacheService,
  ) {}

  async createUser() { /* ... */ }
  async updateProfile() { /* ... */ }
}

@Injectable()
class UserNotificationService {
  constructor(
    private emailService: EmailService,
    private smsService: SmsService,
  ) {}

  async sendWelcomeEmail() { /* ... */ }
}

CAPABILITIES

More than a linter

Interactive TUI

Browse issues with keyboard navigation. Expand details, filter by framework, copy fixes as AI prompts for ChatGPT or Claude.

{..}

Plugin System

Write custom sniffers in ~20 lines. 5-stage validation for security. Register in .snifferrc.json and run alongside built-in rules.

CI/CD Ready

Exit codes for pass/fail. JSON output for parsing. Husky pre-commit hooks. GitHub Actions workflow included.

▦

Monorepo Support

Auto-detects npm, pnpm, Nx, Turborepo, and Lerna workspaces. Per-package config inheritance. Just run aps — it figures out the rest.

∅

Zero Dependencies

Built entirely on Node.js built-ins. No AST parsers, no transitive deps, no supply chain risk. Fast installs, small footprint.

⚙

Fully Configurable

Tune every threshold in .snifferrc.json. Disable sniffers, change severity levels, set per-framework rules. Setup wizard included.

FAQ

Common questions

How is this different from ESLint?

ESLint checks code style and syntax. APS checks architecture — are your components too big? Are your services doing too much? Are your route handlers too fat? These are structural problems that ESLint doesn't target.

Why regex instead of AST parsing?

Zero dependencies. Regex-based heuristics are fast, portable, and good enough for architectural pattern detection. APS isn't checking syntax — it's checking structure.

Does it work with TypeScript?

Yes. APS scans .ts, .tsx, .js, and .jsx files. Since it uses regex heuristics rather than a parser, TypeScript syntax is handled naturally.

Can I write my own sniffers?

Yes. The plugin system lets you write custom sniffers in ~20 lines of JavaScript. They go through 5-stage validation for security and run alongside built-in rules.

Will it slow down my CI?

No. APS scans files in parallel and uses only regex matching — no AST parsing overhead. A typical project scans in under 2 seconds.

CHANGELOG

What's new

v0.6.0V5 False Positive Reduction2026-03-28

Skip typeof comparisons in magic-strings (e.g. typeof x === 'string')
Detect specialization wrappers, list containers, and render-slot injection in prop-drilling
Tree/recursive node bonus (+4) and SVG/positioning bonus (+3) for prop-explosion
371 tests passing

v0.5.0V4 False Positive Reduction2026-03-28

Multi-child composition detection for prop-drilling — distinguishes drilling from distribution
Skip method-call return comparisons in magic-strings (e.g. .getIsSorted() === 'asc')
Extended union type extraction for interface properties and function parameters
Reverted prop-explosion threshold from 10 back to 7

v0.4.0V3 False Positive Reduction2026-03-28

Callback-hell sniffer now skips .tsx/.jsx files entirely — React idioms aren't callback hell
Auto-whitelist on[A-Z]* event handlers in prop-drilling
Added ignoredProps config for prop-explosion and ignoredStrings for magic-strings
Case-label exemption for magic-strings

v0.3.0V2 False Positive Reduction2026-03-28

Exempt React hooks, array methods, and state updaters from callback-hell
Exempt TypeScript union literals and switch-only strings from magic-strings
Added minPassThroughProps threshold for prop-drilling
Removed JSX attribute explosion detection from prop-explosion

v0.2.0Monorepo & Multi-Framework Support2026-03-27

Auto-detects npm, pnpm, Yarn, Lerna, Nx, and Turborepo workspaces
5 NestJS sniffers and 6 Express sniffers
Interactive setup wizard (aps init)
Package-grouped output with config inheritance

v0.1.0Initial Release2026-03-26

3 React sniffers: prop-explosion, prop-drilling, god-hook
Plugin system with security validation and sandboxing
Interactive TUI viewer with keyboard navigation
164 unit and integration tests

Stop reviewing anti-patterns manually

14 SNIFFERS · 0 DEPENDENCIES · 371 TESTS PASSING