Code Style Guide

We provide a .editorconfig and an .eslintrc, file that will help you to keep some standards in place.

ECMAScript vs TypeScript

We are currently adopting TypeScript as the default language on our projects, the current codebase will be migrated incrementally from JavaScript to TypeScript.
While we still have a couple of JavaScript files you should not create new ones. As much as possible new code contributions should be in TypeScript.

Blaze vs React

We are currently adopting React over Blaze as our UI engine, the current codebase is under migration and will continue. You will still find Blaze templates in our code. Code changes or contributions may need to be made in Blaze while we continue to evolve our components library.
The Fuselage is our component library based on React, check it out when contributing to the Rocket.Chat UI and feel free to contribute new components or fixes.


Most of the coding standards are covered by ESLint configured at .eslintrc, and most of them came from our own ESLint Config Package.
Things not covered by eslint:
  • Prefer longer/descriptive variable names, e.g. error vs err, unless dealing with common record properties already shortened, e.g. rid and uid
  • Use return early pattern. See more
  • Prefer Promise over callbacks
  • Prefer await over then/catch (also valid for unit/e2e test callbacks)
  • Don't create queries outside models, the query description should be inside the model class.
  • Don't hardcode fields inside models. the same method can be used for different purposes, using different fields.
  • Prefer to create REST endpoints over Meteor methods
  • Prefer to call REST endpoints over Meteor methods when both are available
  • v1 REST endpoints should follow the following pattern: /api/v1/dashed-namespace.camelCaseAction
  • Prefer TypeScript over JavaScript. Check ECMAScript vs TypeScript
  • Import the HTML file from its sibling JS/TS file

Best practices

  • Avoid "internal" - server code should not use

Syntax check

Before submitting a PR you should get no errors on eslint.
To check your files run:
meteor npm run lint


There are 2 types of tests we run on Rocket.Chat, Unit tests, and End to End tests. The major difference is that End to End tests require a Rocket.Chat instance running to execute the API and UI checks.

End to End Tests

First, you need to run a Rocket.Chat server on Test Mode and on an Empty Database:
# Running with a local mongodb database
MONGO_URL=mongodb://localhost/empty MONGO_OPLOG_URL=mongodb://localhost/local TEST_MODE=true meteor
# Running with a local mongodb database but cleaning it before
mongo --eval "db.dropDatabase()" empty && MONGO_URL=mongodb://localhost/empty MONGO_OPLOG_URL=mongodb://localhost/local TEST_MODE=true meteor
Now you can run the tests:
meteor npm test

Unit Tests

Unit tests are simpler to set up and run. They do not require a working Rocket.Chat instance.
meteor npm run testunit
It's possible to run on watch mode as well:
meteor npm run testunit-watch

Before Push your code

It's important to run the lint and tests before pushing your code or submitting a Pull Request, otherwise, your contribution may fail quickly on the CI. Reviewers are forced to demand fixes and the review of your contribution will be further delayed.
Rocket.Chat uses husky to run the lint and unit tests before proceeding to the code push process, so you may notice a delay when pushing your code to your repository.

Choosing a good PR title

It is very important to note that we use PR titles when creating our changelog. Keep this in mind when you title your PR. Make sure the title makes sense to a person reading a release's changelog!
Keep your PR's title as short and concise as possible, and use PR's description section, which you can find in the PR's template, to provide more details into the changelog.
Good titles require thinking from a user's point of view. Don't get technical and talk code or architecture. What is the actual user-facing feature or the bug fixed? For example:
[NEW] Allow search permissions and settings by name instead of only ID
Even if it brings something new to the code the users already expect the filter to filter by what they see (translations), a better one would be:
[FIX] Permissions' search doesn't filter based on presented translation, only on internal ids

Choosing the right PR tag

You can use several tags to describe your PR, i.e.: [FIX], [NEW], etc. You can use the descriptions below to better understand the meaning of each one, and decide which one you should use:


  • When adding a new feature that is important to the end-user
Do not start repeating the section (Add ... or New ...) Always describe what's being fixed, improved, or added and not how it was fixed, improved, or added.
Examples of bad PR titles:
[NEW] Add the ability to set tags in the Omnichannel room closing dialog
[NEW] Adds the ability for Rocket.Chat Apps to create discussions
[NEW] Add MMS support to Voxtelesys
[NEW] Add Color variable to the left sidebar
Examples of good PR titles:
[NEW] Ability to set tags in the Omnichannel room closing dialog
[NEW] Ability for Rocket.Chat Apps to create discussions
[NEW] MMS support to Voxtelesys
[NEW] Color variable to the left sidebar


  • When fixing something not working or behaving wrong from the end-user perspective
Always describe what's being fixed and not how it was fixed.
Example of a bad PR title:
[FIX] Add Content-Type for public files with JWT
Example of a good PR title:
[FIX] Missing Content-Type header for public files with JWT


  • When a change enhances a not buggy behavior. When in doubt if it's an Improve or Fix prefer to use Fix.
Always describe what's being improved and not how it was improved.
Example of a good PR title:
[IMPROVE] Displays Nothing found on admin sidebar when a search returns nothing


  • When the changes affect a working feature
  • When the API contract (data structure and endpoints) is limited, expanded as required, or removed
  • When the business logic (permissions and roles) is limited, expanded (without migration), or removed
  • When the change limits (format, size, etc) or removes the ability to read or change the data (when the limitation was not caused by the back-end)


  • When changes are made during any release candidate cycle, in order to add something missing or fix something broken during the last development cycle and not published to a final release yet.
Examples of good PR titles:
Regression: Fix not being able to mark room as read
Regression: Add missing field to `users` endpoint

Second tag e.g. [NEW][ENTERPRISE]

Use a second tag to group entries on the changelog. We currently use it only for Enterprise and Apps items, but we are going to expand its usage soon. If you're not sure about which one to use, you most likely do not need to use a second tag. We're still coming up with a pattern for it.

Minor Changes

For those PRs that aren't important for the end-user, we are working on a better pattern, but for now please use the same tags, use them without the brackets, and in camel case:
Fix: Missing Content-Type header for public files with JWT
All those PRs will be grouped under the Minor changes section which is collapsed, so users can expand it to check for those minor things but they are not visible directly on the changelog.

Security Best Practices

  • Never expose unnecessary data to the APIs' responses
  • Always check for permissions or create new ones when you must expose sensitive data
  • Never provide new APIs without rate limiters
  • Always escape the user's input when rendering data
  • Always limit the user's input size on the server-side
  • Always execute the validations on the server-side even when executing on the client-side as well

Performance Best Practices

  • Prefer to inform the fields you want, and only the necessary ones, when querying data from the database over query the full documents
  • Limit the number of returned records to a reasonable value
  • Check if the query is using indexes, if it's not, create new indexes
  • Prefer queues over long executions
  • Create new metrics to measure things whenever possible
  • Cache data and returns whenever possible

Contributor License Agreement

To have your contribution accepted you must sign our Contributor License Agreement. In case you submit a Pull Request before signing the CLA GitHub will alert you with a new comment asking you to sign and will block the Pull Request from being merged by us.
Please review and sign our CLA at