Explore framework-specific custom prompts for improving PR review coverage and compliance with your internal standards.
React
## Direct DOM Manipulation
Flag any use of `document.getElementById`, `querySelector`, `innerHTML`, or other direct DOM APIs inside React components (including in `useEffect`), since React’s virtual DOM and refs should be used instead.
## Excessive Inline Styles
Flag JSX elements with large objects in `style={{…}}`—especially when reused—rather than defining CSS classes or styled-components for maintainability and performance.
## Uncontrolled to Controlled Component Switch
Flag components that change from uncontrolled (no `value` prop) to controlled (with `value`) between renders, which can lead to React warnings and inconsistent state.
## Stale Closures in Hooks
Flag cases where callbacks inside `useEffect` or `useCallback` reference state/props without listing them in the dependency array, as this causes outdated values to be used.
Angular
## Direct DOM Access Bypassing Angular Renderer
Flag any `document.querySelector`, `element.nativeElement`, or jQuery usage in components—instead use `Renderer2` or Angular’s template bindings to stay framework-compliant.
## Overuse of `any` in TypeScript
Flag function parameters or variables typed as `any` throughout services or components, which defeats Angular’s compile-time type safety.
## Putting Business Logic in Templates
Flag complex expressions or loops in the HTML template (e.g., `*ngIf="computeSomething(x)"`), which should be moved into the component class for readability and testability.
## Missing Subscription Cleanup
Flag subscriptions to `Observables` in `ngOnInit` that are not unsubscribed in `ngOnDestroy`, leading to memory leaks in long‐running applications.
Vue.js
## Mutating `props` Directly
Flag any assignment to a prop inside a child component (e.g., `this.propValue = ...`), which should instead be emitted back to the parent or copied to local data.
## Using `$forceUpdate` to Bypass Reactivity
Flag instances of `this.$forceUpdate()` or manually triggering watchers instead of fixing the reactive data flow.
## Logic-heavy Templates
Flag templates containing complex JavaScript (e.g., inline methods or filters doing heavy computation)—move that logic into computed properties or methods in the component script.
## Unremoved Watchers and Event Listeners
Flag watchers or `$on` event handlers set up in `mounted()` that aren’t properly torn down in `beforeDestroy()`, which can cause memory leaks.
Django
## Hardcoded Secrets in Settings
Flag any API keys, database passwords, or tokens hardcoded in `settings.py` instead of using environment variables (`os.getenv`) or a secrets manager.
## Raw SQL without Parameterization
Flag any `cursor.execute(f"SELECT … {user_input}")` usage—instead use Django’s ORM or `cursor.execute("… WHERE x = %s", [user_input])` to prevent SQL injection.
## Mass Assignment on Forms or Models
Flag `Model.objects.create(**request.POST)` or `form.save(commit=True)` without specifying `fields` or using `cleaned_data`, which can expose unintended fields.
## Unvalidated File Uploads
Flag file upload handlers (e.g., `request.FILES['file']`) that don’t check file type or size before saving, exposing the app to malicious uploads.
Spring Boot
## Hardcoded Secrets or Credentials
Flag API keys, passwords, or tokens hardcoded in `.java` or `.properties` files.
## SQL Injection via Unparameterized Queries
Flag dynamic SQL built using string concatenation or user inputs without parameter binding.
## Command Injection via Runtime Execution
Flag use of `Runtime.exec()` or `ProcessBuilder` with unsanitized user inputs.
## Insecure Deserialization
Flag uses of `ObjectInputStream.readObject()` on untrusted input sources.
## Unvalidated Input in Controllers
Flag missing validation annotations (`@Valid`, `@NotNull`, etc.) on `@RequestBody`, `@PathVariable`, or `@RequestParam` parameters.
Express.js
## Missing Error Handling in Async Routes
Flag `async` route handlers without `try/catch` or a wrapper to forward errors to `next()`, which can cause unhandled promise rejections.
## Unvalidated `req.body` and `req.params`
Flag any use of user inputs directly (e.g., `User.find(req.params.id)`) without schema validation via Joi, express-validator, or similar.
## Use of `eval()` or `Function()` Constructors
Flag any `eval()` calls or dynamic function creation from user inputs, as they enable arbitrary code execution.
## Insecure Cookie Configuration
Flag cookies set without `HttpOnly`, `Secure`, or proper `SameSite` attributes in `res.cookie()` calls.
Laravel
## Mass Assignment without `$fillable` or `$guarded`
Flag `Model::create($request->all())` when the model doesn’t declare safe `$fillable` fields.
## Raw Queries without Bindings
Flag `DB::select("SELECT … WHERE id = $id")`—use parameter binding (`?` or named bindings) or Eloquent methods to avoid SQL injection.
## Missing CSRF Protection
Flag forms or AJAX routes lacking `@csrf` in Blade templates or `$request->validate()` in controllers.
## Committed `.env` with Secrets
Flag any project commits that include the `.env` file containing database credentials or API keys.
Ruby on Rails
## Mass Assignment via `params` without Strong Parameters
Flag controllers using `Model.create(params[:model])` without whitelisting via `params.require(:model).permit(...)`.
## N+1 Query Patterns
Flag view or controller code like `@users.each { |u| u.posts.count }` instead of eager loading with `includes(:posts)`.
## Skipping Model Validations
Flag calls to `save(validate: false)` or `update_column` that bypass ActiveRecord validations.
## Unhandled Exceptions in Callbacks
Flag `after_save` or `before_destroy` callbacks without error handling, which can break request flows.
ASP .NET Core
## Dynamic SQL via String Interpolation
Flag any `context.Database.ExecuteSqlRaw($"…{userInput}…")` or concatenated SQL strings—instead use parameterized queries.
## Missing Anti-Forgery Token Validation
Flag POST actions without `[ValidateAntiForgeryToken]` when using Razor Pages or MVC forms.
## Exposing Sensitive Data in ViewBag/ViewData
Flag passing secrets or tokens through `ViewBag` or `ViewData` for use in Razor views.
## Improper CORS Configuration
Flag overly permissive CORS policies in `AddCors` (e.g., `AllowAnyOrigin`) that expose APIs unintentionally.
PySpark
## Calling `collect()` on Large RDDs/DataFrames
Flag any `df.collect()` or `rdd.collect()` on datasets >100K records, which can OOM the driver—use `take()` or write to storage instead.
## User-Defined Functions (UDFs) over Built-ins
Flag use of `udf(myFunc)` for simple operations that Spark already optimizes (e.g., string, date functions)—opt for Spark SQL functions.
## Joins without Broadcast for Small Tables
Flag large DataFrame `.join(smallDf, on, "left")` without using `broadcast(smallDf)`, leading to skewed shuffles.
## Caching Too Early or Too Much
Flag `.cache()` on DataFrames before pruning unnecessary columns or filtering, which wastes executor memory.
Meteor
## Overusing `autopublish` Package
Flag projects where `autopublish` is not removed, exposing all collections to the client by default.
## Insecure `allow/deny` Rules
Flag any `Collection.allow({ ... })` or `deny` settings permitting broad inserts/updates without checking `this.userId` or document ownership.
## Publishing Excessive Fields
Flag publications that return whole documents (e.g., `return Collection.find()`) instead of selective fields to minimize data exposure.
## Unchecked Meteor Method Inputs
Flag Meteor methods that access `this.userId` but do not validate or sanitize the `args` object, inviting injection attacks.
Svelte
## Direct DOM API Usage
Flag any `document.querySelector`, `addEventListener`, or manual DOM updates inside components—instead use Svelte’s reactive bindings.
## Mutable Store Updates without `update()`
Flag direct assignments to store values (e.g., `myStore.set = …`) rather than using `myStore.update(...)`, which can break reactivity.
## Heavy Computation in Markup
Flag long-running loops or calculations in the template (e.g., `{#each bigArray.map(...) as item}`)—move logic into a `<script>` reactive statement.
## Uncleaned Subscriptions on Destroy
Flag stores or event subscriptions created in `onMount()` that are not unsubscribed in `onDestroy()`, causing memory leaks.