Production-readiness validator that catches deployment mistakes before you ship.
Inspired by tirith - applying the "guard before execution" philosophy to deployments. Tirith protects your terminal from malicious URLs; shipit protects your production from common deployment pitfalls.
You've built your app. Tests pass. CI is green. But are you really ready to ship?
Common deployment mistakes that slip through:
- Forgot to remove
console.logstatements - Hardcoded
localhostURLs still in the codebase - API keys accidentally committed in source files
- Source maps exposing your code in production
- Dev dependencies bloating your production bundle
- Security headers not configured
shipit catches these before your users do.
# Global install
npm install -g shipit-check
# Or run directly with npx
npx shipit-check# Check current directory
shipit
# Check specific directory
shipit ./my-app
# Quiet mode (errors only)
shipit --quiet| Check | Description | Severity |
|---|---|---|
| Debug Statements | console.log, debugger, DEBUG flags |
Warning |
| Dev URLs | Hardcoded localhost, 127.0.0.1 |
Error |
| Exposed Secrets | API keys, tokens, passwords in source | Error |
| Source Maps | .map files in build directories |
Warning |
| Dependencies | Dev packages in production deps | Warning |
| Environment | .env.example exists, .env gitignored |
Mixed |
| Security Headers | Helmet/Next.js headers configured | Warning |
| TODOs | TODO and FIXME comments |
Mixed |
shipit v1.0.0 - Production Readiness Check
Scanning: /home/user/my-app
------------------------------------------------------------
PASSED
✓ [secrets] No exposed secrets detected
✓ [sourcemaps] No source maps in build directories
✓ [env] .env.example file exists
✓ [env] .env is gitignored
WARNINGS
! [debug] console.log statement found
src/api/handler.js:42
! [todos] TODO comment found
src/utils/helpers.ts:18
ERRORS
✗ [urls] Hardcoded localhost URL
src/config/api.js:5
------------------------------------------------------------
Summary: 4 passed | 2 warnings | 1 errors
✗ NOT READY TO SHIP
Fix the errors above before deploying to production.
shipit exits with code 1 if errors are found, making it easy to integrate into CI:
# GitHub Actions
- name: Production readiness check
run: npx shipit-check
# GitLab CI
production-check:
script:
- npx shipit-checkAdd to your deploy script:
{
"scripts": {
"predeploy": "shipit",
"deploy": "your-deploy-command"
}
}shipit works out of the box with sensible defaults. It automatically:
- Skips
node_modules,.git,dist,builddirectories - Ignores
.envfiles when scanning for secrets (they're supposed to have secrets) - Skips config files when checking for localhost URLs
- Handles JS, TS, JSX, TSX, Vue, and Svelte files
| Tool | Focus | shipit Difference |
|---|---|---|
| ESLint | Code quality | shipit focuses on deployment readiness, not code style |
| git-secrets | Pre-commit secrets | shipit checks broader deployment concerns |
| npm audit | Dependency vulns | shipit checks for dev/prod dep misplacement |
shipit is not a replacement for these tools - it complements them by focusing specifically on "is this ready to deploy to production?"
"The best time to catch a deployment mistake is before deployment."
shipit follows the principle that catching problems early saves time, money, and reputation. Run it locally, run it in CI, run it before every deploy.
Issues and PRs welcome. The goal is to catch real-world deployment mistakes without being overly noisy.
MIT