Complete list of what to report in a code review. And why you should ignore this list.

Let’s start by saying that the code review is a tailor-made suit and not a one fits all. What to report and what to ignore depends on the needs of the project and the level of the developer who submitted the code.

An inexperienced developer and an advanced one will have different standards and it would be pointless and frustrating to expect the same quality from both.

So here’s a complete list of things you might (or might not) look at in a code review.

Requirements

1. The intended functionality is implemented
2. All requirements are covered
3. Edge cases are reasonably covered

Software and architecture

1. Framework and libraries are suitable for the project and don’t add unnecessary complexity or loss of performance
2. Framework and libraries are updated to the latest stable version
3. The file and folder structure is clear and consistent. The principle of modularity is met.
4. Each section of the project has a single responsibility and it’s immediately understandable
5. The single source of truth principle is met. The same data is not handled in more than one way (E.g. state management)
6. Logic is separate from presentation

Documentation

1. There is a README containing description, requirements, instructions to build the project, main functionalities and everything is needed to understand the project at high level
2. If there is a UI, there is also at least a style guide
3. The functions are documented (for example with JSDoc or PhpDoc)
4. If needed, there is functional documentation
5. All documentation is clear, short and effective.

Performance

1. The code is efficient, there are no repeated or unnecessary function.
2. Resource-consuming calculations are cached or memoized
3. Resources are loaded only when needed, there is an efficient resource handling or lazy loading.
4. If there is a UI, Lighthouse doesn’t report too many errors and is preferably green
5. Images are optimized if any
6. There are no obvious memory leaks

The reviewer may suggest additional optimizations to further improve performance

Code quality

1. The code is correct based on the technology used (there is no point in choosing a library if you don’t exploit its full potential)
2. The code fits the industry standards and it’s not outdated (Only for new projects).
3. The code has no potential side effects.
4. Null or undefined values are correctly handled (best would be using type checking)
5. There is a proper error handling
6. There is a proper logging system

Security

1. All dependencies are secure, updated and maintained. There are no known vulnerabilities.
2. All inputs are validated and sanitized
3. There are no security issues in the authentication system
4. There are no critical data hardcoded
5. Critical data are correctly encrypted

Code style

1. Indentation is consistent across the application
2. A Linter is used, it’s well configured and there are no ignored rules

Advanced

1. There is a proper type checking, interfaces are clear and consistent
2. There is a proper test coverage, test are passed and updated
3. There is a technical debt list for future refactoring

Metropolis, Fritz Lang 1927