Article Workflow

25 AI Code Review Comments That Work

"This seems off" tells the author nothing. A good review comment names what you noticed, why it matters, and what to do about it. These 25 are grouped by what they catch, ready to adapt to your diff.

Last reviewed: Jul 5 2026


TL;DR

Vague comments create work without giving direction. Each comment below follows the same shape: what you noticed, why it matters, what to check or change. Copy the closest match, adjust the specifics, and paste it directly into the PR.

How to Use These Comments

These aren't meant to be pasted verbatim into every review — they're a starting shape. Swap in the actual variable, function, or file name, and the comment goes from generic to specific in a few seconds. Specific is what makes a review comment actionable instead of just a delay.

For the framework behind writing comments like these, pair this list with AI Code Review.


Correctness and Logic

1. Missing null/undefined guard

"What happens here if `user` is null? I don't see a guard before this property access, and the caller doesn't guarantee it's set."

2. Off-by-one risk

"Double check the boundary here — should this be `<` or `<=`? The current condition excludes the last item in the list."

3. Silent failure

"This catch block swallows the error without logging or re-throwing. If this fails in production, we'll have no signal it happened."

4. Assumed input shape

"This assumes `items` is always an array. Where is that guaranteed upstream? If it can be undefined, this will throw."

5. Re-implemented existing logic

"This looks like it duplicates what `formatCurrency()` already does in `utils/format.ts`. Worth reusing it instead, so both stay in sync?"


Security

6. Unvalidated user input

"This value comes straight from the request body and goes into the query below. Can we validate/sanitize it before it's used?"

7. Authorization at the wrong layer

"This checks the user's role before rendering the button, but I don't see the same check on the API route itself. Can we confirm the server enforces this too?"

8. Sensitive data in logs

"This log line includes the full request object — does that include the password/token field? Worth redacting before this ships."

9. Secrets in code or config

"Is this key meant to be committed? If it's a real credential, let's move it to environment config and rotate it."

10. Overly broad permissions

"This grants access to the whole resource rather than the specific record the user owns. Can we scope this down?"


Tests and Coverage

11. Bug fix with no failing test

"Can we add a test that fails on the old code and passes on this fix? Without it, this bug can silently come back."

12. Only the happy path is tested

"All the new tests cover the success case. Can we add one for the failure/timeout case too?"

13. Test asserts implementation, not behavior

"This test checks that a specific internal function was called, rather than the outcome a user would see. Would asserting on the visible result make it more resilient to refactors?"

14. Flaky-looking test setup

"This test depends on real time (`Date.now()`), which can make it flaky. Can we inject or mock the clock instead?"

15. Untested edge case mentioned in the PR description

"The description mentions this handles duplicate submissions, but I don't see a test for that case — can we add one?"


Scope and Readability

16. Scope creep

"This PR is titled as a bug fix, but it also refactors the neighboring component. Can we split that into a separate PR?"

17. Abstraction used once

"This helper is only called from one place right now. Would inlining it make the flow easier to follow until there's a second caller?"

18. Unclear naming

"`data2` doesn't tell me what this holds — could we name it after what it represents, like `pendingOrders`?"

19. Magic number without context

"What does `86400` represent here? A named constant (`SECONDS_PER_DAY`) would save the next reader a lookup."

20. PR description doesn't match the diff

"The description summarizes the intent, but I don't see what specifically changed in behavior. Could you add a one-line before/after?"


Observability and Rollback

21. No logging on a critical path

"If this step fails in production, what will tell us? Worth adding a log line with enough context to debug without reproducing locally."

22. No rollback plan for a risky change

"This touches the payment flow — how would we disable or revert this quickly if it misbehaves after merge?"

23. New feature with no flag

"Should this ship behind a feature flag, given it changes default behavior for existing users?"

24. Metric or alert not updated

"This changes what counts as a successful request — does the existing dashboard/alert threshold still make sense?"

25. Migration without a documented rollback

"I see the forward migration, but what's the rollback step if we need to revert after this is already in production?"


Conclusion

None of these comments are complicated. What makes them useful is specificity: they name the exact line or behavior, explain the risk in one clause, and point at a concrete next step. That's the difference between a comment that gets acted on and one that gets a shrug.

Related reading

Pair this list with AI Code Review for the underlying review workflow, The AI Code Ownership Checklist for what to check before merge, and AI PR Review Checklist Template to make the standard stick across a whole team.


Back to Home