Code Review Best Practices: What Senior Engineers Actually Look For

Good code review is a skill. Here's what distinguishes reviews that improve code quality from reviews that just slow things down.

What Senior Engineers Actually Check

Not just syntax. The real questions:

Correctness

• Does this handle edge cases? Empty arrays, null values, concurrent requests?
• Are there race conditions? (especially in async code)
• Is error handling complete, or do failures silently swallow exceptions?

Security

• Is user input validated before use?
• Are there SQL injection risks? (even with ORMs)
• Does this expose sensitive data in logs or responses?

Performance

• Are there N+1 queries hiding in loops?
• Is this operation O(n²) when it could be O(n)?
• Should this be cached?

The Most Impactful Comment Type

// What a helpful review comment looks like:
// 
// [Bug] This will throw if users is empty — Array.reduce without an initial value
// on an empty array throws 'Reduce of empty array with no initial value'
//
// Fix: add initial value
const total = orders.reduce((sum, order) => sum + order.amount, 0);
//                                                              ^ add this

The Nit vs Blocker Distinction

Label your comments:

• [Bug]: must fix before merge
• [Security]: must fix before merge
• [Nit]: optional style/preference
• [Question]: I don't understand, help me
• [Suggestion]: take it or leave it

Unlabeled comments create ambiguity about whether they're blocking.

Review Your Own PRs First

Before requesting review, do a full self-review:

1. Read every diff line
2. Add comments explaining non-obvious decisions
3. Remove dead code and commented-out blocks
4. Check for TODO comments that should be tickets

PR Size

The single biggest factor in review quality: PR size.

• Under 200 lines: reviewers actually read it
• 200-500 lines: reviewers skim
• Over 500 lines: reviewers rubber-stamp

Break large features into: schema migration, backend logic, API endpoints, frontend — separate PRs.

Automated Review First

Let tools catch the mechanical stuff so humans focus on logic:

# .github/workflows/review.yml
- uses: anthropics/claude-code-review-action@v1  # AI-assisted review
- run: npm run lint
- run: npm run test
- run: npm run typecheck

The Ship Fast Skill Pack includes a /review-pr Claude Code skill that performs automated code review against your team's conventions before human reviewers even open the PR.