Code review is a skill separate from coding. A great programmer can give terrible reviews — nitpicking style while missing logic bugs, or rubber-stamping everything to avoid conflict.

Good reviews improve code quality and team knowledge. Bad reviews slow everything down. These practices help you do reviews that actually help.

The Reviewer’s Mindset

You’re Not the Gatekeeper

""IDoweosultdhni'stwhoarvkecworrirtetcetnlyitantdhimsaiwnatya"inably?"

Your job isn’t to make the code match your personal style. It’s to catch problems and improve clarity.

Assume Good Intent

The author spent time on this. They made choices for reasons. Before commenting “why didn’t you…”, consider they might have tried that and found it didn’t work.

Ask, Don’t Tell

""""TWUWhhsoiaeustladihsamapawppmreaonipnsngss"itifemapidln"ipfuytliosoknuupllhehreer?e?S"eemslikeO(n)vsO(1)"

Questions invite discussion. Commands create defensiveness.

What to Review

1. Correctness

Does it actually work?

1
2
3
4
5

# Bug: Returns wrong result for empty list
def average(numbers):
    return sum(numbers) / len(numbers)  # ZeroDivisionError!

# Comment: "What happens when numbers is empty?"

2. Edge Cases

1
2
3
4

# What if user_id doesn't exist?
# What if the API times out?
# What if the file is empty?
# What if two requests come in simultaneously?

3. Security

1
2
3
4
5
6
7
8
9

# SQL injection?
query = f"SELECT * FROM users WHERE id = {user_id}"

# Exposed secrets?
API_KEY = "sk_live_abc123"

# Missing authorization?
def delete_user(user_id):  # Who can call this?
    db.delete(user_id)

4. Performance (When It Matters)

1
2
3
4
5
6
7
8

# N+1 query?
for user in users:
    orders = db.query(f"SELECT * FROM orders WHERE user_id = {user.id}")

# Unnecessary work?
def get_user(id):
    all_users = db.query("SELECT * FROM users")  # Fetching everything!
    return find_by_id(all_users, id)

5. Maintainability

1
2
3
4

# Will future developers understand this?
result = [x for x in data if x.a and not x.b or x.c and x.d > 5]

# Comment: "This condition is hard to follow. Could we extract to a named function?"

What NOT to Review

Style Nitpicks (Let Automation Handle It)

1
2
3
4
5
6
7
8

# Don't manually enforce these:
# - Line length
# - Import order  
# - Trailing whitespace
# - Quote style

# Instead, configure formatters and linters
# black, prettier, eslint run automatically

Personal Preferences

1
2
3
4
5
6

# Not worth commenting on:
for item in items:  # vs for i in items:
    
users_list = []  # vs user_list = []

if x is not None:  # vs if x != None:

Unless it’s a team convention, let it go.

Writing Good Comments

Be Specific

""TIhWihosaudlidstoictornehfaeudlspitnhtgio"setxhtrreaecttitmheesvtaoliudnadteirosntalnodgitcheinftloowa.separatefunction?"

Explain Why

""DRoeWnce'u'trvseuisoseneermneicgiuhnrtpsuihtoisntwhsiettrahec"k10lki+miittsemwsitihnlparrogdeucdtaitoans.e"ts.

Offer Alternatives

""TThhwiiissthwqouWneH'rEtiReEssciatdlheeI"Ndatabasetoinreadulcoeopr.ouCnodnstirdieprs.u"singasinglequery

Acknowledge Good Work

""NTihciescraetfcahcthoarndmlaiknegstthheetciomdeeoumtucchascelearIerw.ouTlhdann'kts!h"avethoughtofthat."

Comment Severity

Make it clear what’s blocking vs optional:

#🔴#🟡#🟢#B"S"O"Q"lThTpNuIohohtie'ciuiitsmkslso:tidninnwdatoogifulyntlipp(lxl(o(fmitnauc(caiomsrsakntitattelsrecnifhosioeaintmcrxigtme)nhoeswsernsiputatrgllrhogoeidegaltusiv'yhctceritieasioiiconntippn))eraUvotwsebthe'leerernSsmneh)ironvupilcucdatenbieysoc'unoruneelscxliep"dilevarei'nr"ewuhsyinwge"needthefactoryhere?"

Some teams use prefixes: nit:, blocking:, suggestion:, question:

As an Author

Make Reviews Easy

1
2
3
4
5
6

PR Description:
- What: Add rate limiting to API endpoints
- Why: We're getting hammered by a misbehaving client
- How: Token bucket algorithm with Redis backend
- Testing: Added unit tests, tested manually with wrk
- Concerns: Not sure about the 100 req/min limit — feedback welcome

Keep PRs Small

SBmr22ae00la00lk0--lPlliRainsrnegegePePRtfRewratietotvuuhirceehfwsioencdigunsft5eao0dstifcenihrclarenaesgnmedesnbteatltePrR.s.

Respond Gracefully

""YGoobuoodtdhopnof'iotnrtmuantdseI,rsssthoaonuIdldktehcpeltarrbeioqftuyhi:rpetamhreesnetPrsMs".saSihdouwlednIeeadddtoascuopmpmoerntt?"

Don’t Take It Personally

Reviews are about the code, not about you. A suggestion to improve isn’t an attack on your abilities.

Team Practices

Set Expectations

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# Code Review Guidelines

## Required
- At least one approval before merge
- All CI checks passing
- No unresolved blocking comments

## Timeframe  
- Reviews within 24 hours
- If blocked, ping in Slack

## Scope
- PRs should be < 400 lines when possible
- Split large changes into stacked PRs

Review Rotation

Spread reviews across the team:

---PENrvoeevrseyinontngseleklneboaowrtlntesldegtneheecskicloodsebase

Time-Box Reviews

---S3De0ot-n6'a0tsimldieentudtreeedsviicpeaewtrseddpairyleeviuepwtime

Automation

Let machines handle what machines do better:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

# .github/workflows/pr.yml
on: [pull_request]

jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Lint
        run: npm run lint
        
      - name: Type check
        run: npm run typecheck
        
      - name: Test
        run: npm test
        
      - name: Security scan
        run: npm audit

Humans focus on logic, design, and correctness. Computers handle formatting, syntax, and known vulnerability patterns.

Anti-Patterns

Rubber Stamping

"LGTM👍"#Ona500-linePRafter2minutes

If you don’t have time to review properly, say so. A bad review is worse than no review.

Nitpick Avalanche

----LLLLiiiinnnn(eeee5011122582m::::orUARPesderednecafossmemipermnaegc'fnlexote'rsaEqftaoutocnoehtrsseotscmvyoeelmtremh)aifnogrdleosocpriptive

Configure a formatter. Focus on substance.

Drive-By Criticism

"Thiswholeapproachiswrong"#Withnoalternativesuggested

If you think the approach is wrong, explain why and suggest an alternative.

Code review is collaboration, not judgment. The goal is better code and shared understanding, not proving who’s smarter.

Review like you’d want to be reviewed: thorough but kind, specific but not pedantic, focused on what matters. The team that reviews well ships better code with less friction.