Code Review Checklist
Structured approach to reviewing code changes.
Review Priority Order
Security (Critical) - Vulnerabilities, secrets, injection
Correctness (High) - Logic errors, breaking changes
Performance (Medium) - Inefficiencies, resource leaks
Quality (Medium) - Maintainability, readability
Style (Low) - Formatting, naming (should be automated)
Security Checklist
Secrets & Credentials
No hardcoded API keys, passwords, tokens
No credentials in logs or error messages
Secrets loaded from environment/vault
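The three items above are what a reviewer scans a diff for, and what the replacement should look like. The following is an added example (not code from the original checklist): a small pattern scan over a constructed diff that flags credentials on added lines only, next to the fail-closed environment lookup a reviewer should expect instead. The diff text, the pattern list and the `load_secret` helper are all assumptions made for the example; a real scanner such as gitleaks or trufflehog carries far more signatures.

```python
import os
import re

# Constructed sample diff for this example (an assumption, not taken from the page).
SAMPLE_DIFF = """\
+import os
+
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2"
+SESSION_TIMEOUT = 3600
+api_key = os.environ["API_KEY"]
-old_token = "removed-in-this-change"
"""

# Heuristic patterns a reviewer looks for in added lines. A deliberately small,
# assumed list; dedicated scanners carry hundreds of signatures.
SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("assigned-credential", re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*['\"][^'\"]{4,}['\"]")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def find_hardcoded_secrets(diff_text):
    """Return (line_no, kind, content) for every added line matching a pattern.

    Only '+' lines count: a secret on a '-' line was already in history and is a
    rotation task, not a finding against this change.
    """
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(content):
                findings.append((line_no, kind, content.strip()))
                break
    return findings


def load_secret(name, environ=None):
    """The pattern the review should expect instead: read from the environment
    (populated by a vault agent or the deployment) and fail closed if missing.
    Returning '' or a default would silently run with an empty credential."""
    environ = os.environ if environ is None else environ
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name!r} is not set")
    return value


if __name__ == "__main__":
    for line_no, kind, content in find_hardcoded_secrets(SAMPLE_DIFF):
        print(f"line {line_no}: {kind}: {content}")
```

Note the removed line: `old_token` was a real secret in history and still needs rotating, but that is a separate ticket, not a blocker on this change.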
Injection Vulnerabilities
SQL queries use parameterized statements (no string-built SQL, even for values that look trusted)
User input is escaped/encoded at the point of HTML output, not on input (XSS)
Shell commands don't include user input; use an argument list with no shell (command injection)
File paths are resolved and checked to stay under the intended directory (path traversal)
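For each of the four injection items above, here is the shape a reviewer flags next to the shape they should ask for. This is an added example, not code from the original checklist; the in-memory `users` table, the `ls` command and the `/srv/uploads` base directory are assumptions chosen for illustration. It also covers the "Any SQL/command injection?" quick check at the end of the page.

```python
import html
import sqlite3
import subprocess
from pathlib import Path


def make_db():
    # Constructed in-memory table for the SQL examples (assumption, not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- SQL injection -----------------------------------------------------------
def find_user_vulnerable(conn, name):
    # Reviewer flags this: the value is spliced into the SQL text, so a quote in
    # `name` changes the query's structure.
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def find_user_fixed(conn, name):
    # Parameterized statement: the value travels separately from the SQL text
    # and can only ever be compared, never parsed.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# --- XSS ---------------------------------------------------------------------
def render_greeting_vulnerable(user_name):
    return f"<p>Hello, {user_name}</p>"


def render_greeting_fixed(user_name):
    # Encode at the HTML output boundary. Encoding on input instead corrupts the
    # stored value and does nothing for data that reaches the page another way.
    return f"<p>Hello, {html.escape(user_name)}</p>"


# --- Command injection -------------------------------------------------------
def list_command_vulnerable(target):
    # With shell=True this string is parsed by /bin/sh, so "x; rm -rf ~" is two commands.
    return f"ls {target}"


def list_command_fixed(target):
    # Argument vector, no shell: the value stays one argv element whatever it
    # contains. "--" stops a value such as "-la" from being read as an option.
    return ["ls", "--", target]


def list_dir(target):
    return subprocess.run(list_command_fixed(target), capture_output=True,
                          text=True, check=False)


# --- Path traversal ----------------------------------------------------------
def safe_upload_path(base_dir, requested_name):
    """Resolve the requested file under base_dir and refuse anything that escapes it.

    Checking for ".." in the string is brittle: absolute paths, symlinks and
    encodings decoded upstream all slip past it. Resolving both sides and
    comparing the parent chain catches these.
    """
    base = Path(base_dir).resolve()
    target = (base / requested_name).resolve()
    if target == base or base not in target.parents:
        raise ValueError(f"path {requested_name!r} escapes {base_dir!r}")
    return target
```

When the review turns up the vulnerable form, the fix is usually mechanical; the harder review question is whether every other call site with the same pattern was found, so grep the repository for the same construct before approving.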
Authentication & Authorization
Auth checks on all protected endpoints (both authentication and authorization, enforced server-side on every route, not only in the UI)
Proper session handling (session ID regenerated on login, expiry enforced, session invalidated on logout)
Secure password handling (per-user salt and a slow hash such as bcrypt, scrypt or Argon2; never plaintext or a bare SHA-256)
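The following is an added example for the authorization and password items above (not code from the original checklist): a salted scrypt password store with a constant-time verifier, and a decorator that puts the auth check in front of the handler body so it cannot be skipped. The request shape (`{"user": {"id": ..., "roles": [...]}}`), the `delete_account` handler and the scrypt cost parameters are assumptions made for the example; bcrypt or Argon2id would serve equally well.

```python
import hashlib
import hmac
import os
from functools import wraps


# --- Password storage --------------------------------------------------------
def hash_password(password, *, salt=None, n=2**14, r=8, p=1):
    """Return a self-describing 'scrypt$n$r$p$salt$hash' string.

    Per-user random salt plus a memory-hard KDF. Storing the cost parameters
    alongside the hash lets them be raised later without breaking old records.
    A plain SHA-256 of the password is not acceptable storage.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison: `==` on bytes returns early on the first mismatch.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# --- Authorization on protected endpoints -------------------------------------
def require_role(role):
    """Decorator a reviewer expects on every handler that touches protected data.

    Assumed request shape: a dict with an optional "user" entry carrying "roles".
    The check runs before the handler body, so the handler cannot forget it.
    """
    def decorator(handler):
        @wraps(handler)
        def wrapper(request, *args, **kwargs):
            user = request.get("user")
            if user is None:
                return 401, "authentication required"
            if role not in user.get("roles", ()):
                return 403, "forbidden"
            return handler(request, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_account(request, account_id):
    # Hypothetical handler; the decorator guarantees request["user"] is an admin here.
    return 200, f"deleted account {account_id}"
```

In review, the question to ask of a new route is not "is there a check somewhere" but "is the check on this route, and does it verify the caller's relationship to this object" (the object-level check is the one most often missing).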
Data Exposure
Sensitive data not logged
API responses don't leak internal details
Error messages don't expose system info
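The three Data Exposure items share one fix pattern: detail goes to the server log (with sensitive fields masked), the client gets a generic message and a correlation id. The following is an added example, not code from the original checklist; the key list, the `ConnectionError` text used as a sample and the response shapes are assumptions for illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Keys whose values must never reach a log line. An assumed list; extend per project.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization",
                  "api_key", "cookie", "set-cookie", "ssn", "card_number"}


def redact(obj):
    """Return a copy of a request/context object with sensitive values masked.

    Apply this to anything handed to a logger; it is cheaper than auditing every
    log call and survives the next developer adding a field.
    """
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    return obj


def error_response_vulnerable(exc):
    # Reviewer flags this: exception text often carries hostnames, file paths or
    # SQL, and the stack trace names internal modules and versions.
    return 500, {"error": repr(exc), "trace": traceback.format_exc()}


def error_response_fixed(exc, request_context):
    # Full detail to the server log, keyed by an incident id; the client gets only
    # the id, which support can use to find the log entry.
    incident_id = uuid.uuid4().hex
    log.error("incident %s: %r context=%s", incident_id, exc,
              redact(request_context), exc_info=exc)
    return 500, {"error": "internal error", "incident_id": incident_id}
```

The same redaction belongs on structured log fields and on anything serialized into an API response; a reviewer should look for both sinks, not just `print`/`log` calls.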
Correctness Checklist
Logic
Edge cases handled (null, empty, boundary values)
Error conditions handled appropriately
Async operations properly awaited
Race conditions considered
Breaking Changes
API contracts maintained
Database migrations are reversible
Feature flags for risky changes
Testing
New code has tests
Tests cover error paths, not just happy path
Existing tests still pass
Performance Checklist
Efficiency
No N+1 queries
Appropriate data structures used
No unnecessary loops or iterations
Caching considered for expensive operations
Resources
Database connections closed/pooled
File handles closed
No memory leaks (event listeners removed, etc.)
Scale
Works with realistic data volumes
Pagination for large result sets
Timeouts on external calls
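An N+1 query is easy to miss in review because it looks like clean code and passes its tests on tiny fixtures; it only shows up as a query count. The following is an added example (not code from the original checklist) that makes the count visible with sqlite3's statement trace callback, alongside the single-JOIN rewrite. The `authors`/`posts` schema and the row counts are assumptions constructed for the example.

```python
import sqlite3


def make_db(n_authors=5, posts_per_author=3):
    # Constructed in-memory schema for the example (an assumption, not from the page).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, title TEXT);
    """)
    for a in range(1, n_authors + 1):
        conn.execute("INSERT INTO authors VALUES (?, ?)", (a, f"author{a}"))
        for p in range(posts_per_author):
            conn.execute("INSERT INTO posts (author_id, title) VALUES (?, ?)",
                         (a, f"post{a}-{p}"))
    return conn


def titles_by_author_n_plus_one(conn):
    # Reviewer flags this: one query for the list, then one more per row.
    # Fine with 5 authors in a unit test; 10 000 round trips with 10 000 authors.
    result = {}
    for author_id, name in conn.execute("SELECT id, name FROM authors").fetchall():
        rows = conn.execute("SELECT title FROM posts WHERE author_id = ?",
                            (author_id,)).fetchall()
        result[name] = [r[0] for r in rows]
    return result


def titles_by_author_joined(conn):
    # One query regardless of row count; LEFT JOIN keeps authors with no posts.
    result = {}
    rows = conn.execute("""
        SELECT a.name, p.title
        FROM authors a LEFT JOIN posts p ON p.author_id = a.id
        ORDER BY a.id, p.id
    """)
    for name, title in rows:
        result.setdefault(name, [])
        if title is not None:
            result[name].append(title)
    return result


def count_select_statements(fn, conn):
    """Run fn(conn) and return (number of SELECTs executed, fn's result).

    sqlite3's trace callback fires once per executed statement, so the N+1 shows
    up as a number in a test without any timing.
    """
    count = 0

    def trace(statement):
        nonlocal count
        if statement.lstrip().upper().startswith("SELECT"):
            count += 1

    conn.set_trace_callback(trace)
    try:
        result = fn(conn)
    finally:
        conn.set_trace_callback(None)
    return count, result


if __name__ == "__main__":
    db = make_db()
    print("N+1 form:", count_select_statements(titles_by_author_n_plus_one, db)[0], "queries")
    print("JOIN form:", count_select_statements(titles_by_author_joined, db)[0], "queries")
```

A query-count assertion like the one in `count_select_statements` is worth keeping as a regression test: it catches the next ORM lazy-load that reintroduces the loop.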
Quality Checklist
Readability
Clear, descriptive names
Functions do one thing
No overly complex conditionals
Comments explain "why", not "what"
Maintainability
DRY (no copy-paste duplication)
Appropriate abstractions
Dependencies are justified
No dead code
Consistency
Follows project patterns
Matches existing code style
Uses established utilities/helpers
Review Output Format

```markdown
# Review: [PR Title]

**Risk Level**: LOW | MEDIUM | HIGH | CRITICAL

## Critical Issues
- [Category] Description (file:line)
  - Impact: What could go wrong
  - Fix: Specific recommendation

## Suggestions
- [Category] Description (file:line)
  - Why: Reasoning
  - Consider: Alternative approach

## Positive Notes
- [Recognition of good patterns]
```
Quick Checks
For fast reviews, at minimum check:
Any secrets or credentials?
Any SQL/command injection?
Are error cases handled?
Do tests exist for new code?