• July 14, 2025
  • 35 min read
React Code Review Checklist: Boost Security & Performance

For complex React applications, a third-party code audit & quality review is much more than a nice-to-have—it’s a critical investment. Skipping this step, or conducting only superficial reviews, can lead to a cascade of problems down the line: inability to scale, security vulnerabilities, and technical debt that chokes innovation and spirals development costs.

That’s why we’ve put together this comprehensive React code review checklist. At Redwerk, we’ve been developing custom software and conducting code reviews since 2005. This guide is grounded in years of hands-on experience across several industries, such as e-government, e-commerce, e-learning, media & entertainment, and more.

So, whether you’re getting ready to launch a React-based app, tackling performance issues, or or aiming to proactively prepare for due diligence initiated by an investor, this React JS code review checklist will help you identify problems and find solutions.

Table of Contents

Pre-Review Preparation

Pre-review preparation ensures that the environment is ready, dependencies are updated, and the codebase is in optimal condition for an efficient and thorough React code review. This step focuses on organizing the project, setting clear objectives, and ensuring that all tools, configurations, and documentation are in place to facilitate a smooth review process.

Define the Scope and Objectives:

  • Clearly outline the goals and focus areas for the review, such as code quality, performance, security, or specific functionality (such as a particular feature or module)
  • Determine whether the review will cover the entire app, specific components, or key features
  • Set measurable criteria for success, such as improving code readability, reducing potential bugs, or optimizing for performance

Verify Project Setup and Dependencies:

  • Ensure that all dependencies are up to date by running npm install or yarn install. Also, confirm that no deprecated or vulnerable packages are in use
  • Review the package.json file for accuracy and avoid unnecessary or outdated packages
  • Check that the project uses the latest stable version of React and all related libraries (e.g., React Router, Redux, etc.), to ensure compatibility with modern best practices
  • Verify that any third-party libraries are properly configured and that their use is necessary

Confirm Environment Configuration:

  • Ensure that the development environment is properly set up with all required tools, such as ESLint for code linting, Prettier for formatting, and any other React-specific extensions or linters
  • Verify that the project runs successfully in both development and production environments—this includes running the app locally (npm start, yarn start) and building it for production (npm run build, yarn build) without any errors or warnings
  • Ensure that any environment-specific settings (e.g., API endpoints, environment variables) are handled correctly using .env files or configuration tools, to avoid hardcoding values directly in the codebase

Review and Optimize Test Coverage:

  • Ensure that unit tests are in place for all critical components and functions, using testing libraries such as Jest and React Testing Library
  • Ensure the test coverage is comprehensive, covering key user interactions, state management, and edge cases
  • Review the structure of the test suite to ensure that tests are organized logically and do not overlap —unit tests should focus on isolated functionality, while integration tests can verify component interaction
  • Verify that the test suite runs without errors or failures (npm test, yarn test) and that meaningful assertions are made
  • Make sure that all tests are descriptive, using names that clearly explain the functionality being tested

Run Static Code Analysis Tools:

  • Ensure that static code analysis tools such as ESLint and Prettier are set up and configured properly to enforce consistent code style and identify potential issues like unused variables, syntax errors, or code smells
  • Run the code analysis tools and review the results before starting the review to address any issues related to styling or linting
  • Ensure that rules for best practices are applied consistently across the project
  • Verify that the results of code linting and formatting are integrated into the CI/CD pipeline to enforce code quality standards on every pull request or code merge

Check and Organize Documentation:

  • Ensure that relevant project documentation is up to date, including a clear README that outlines how to set up, build, and run the project, as well as any specific setup instructions for reviewers
  • Verify that inline comments and code documentation (e.g., JSDoc) are used where necessary to explain complex logic, function arguments, or expected behavior, making it easier for reviewers to understand the code
  • Review any API documentation or third-party service integrations to ensure they are properly documented and accessible for reviewers who may need additional context during the review

Review Git Workflow and Code Branches:

  • Ensure that the project follows a well-defined Git workflow (e.g., Gitflow, feature branching) to keep code changes organized and manageable during the review
  • Review feature branches to ensure they are merged correctly
  • Verify that any open pull requests or feature branches are rebased or merged with the latest changes from the main branch, avoiding conflicts or outdated code during the review process
  • Ensure that meaningful commit messages are used, clearly describing the purpose of each change

Validate External Dependencies and APIs:

  • Ensure that all external dependencies (e.g., APIs, third-party services) are properly mocked for testing and review purposes
  • Ensure there are no hard dependencies on external services that could break or fail during the review
  • Review the configuration of API calls, ensuring that error handling is in place for failed requests and that sensitive data such as API keys or tokens are stored securely using environment variables
  • Verify that third-party libraries and APIs are used efficiently, and consider alternatives if the dependency can be replaced with built-in React features or more lightweight options

Set Up and Test Build and Deployment Pipeline:

  • Ensure that the CI/CD pipeline is properly configured to automatically build, test, and deploy the application; this includes automated testing, linting, and static analysis to catch issues early
  • Review the build configuration (e.g., Webpack, Vite) to ensure that the production build is optimized for performance, with features such as tree shaking and code splitting enabled
  • Verify that the deployment pipeline is functioning correctly, automatically deploying changes to staging or production environments without errors

Prepare Test Data and Scenarios:

  • Ensure that test data and test scenarios are prepared for review—sample data sets or mock data for testing different parts of the application, such as forms, APIs, and user interactions
  • Review and set up realistic test cases for key components, ensuring that they cover various input scenarios (e.g., valid, invalid, edge cases) and are well-documented for the reviewer to follow
  • Ensure that user flows and functional behavior can be easily replicated during the review, to help reviewers understand how the code interacts with the rest of the application

Code Readability and Consistency

Ensuring code readability and consistency is critical to maintaining a clean, maintainable React codebase. Readable and consistent code allows for smoother collaboration, easier debugging, and faster onboarding of new developers. Here’s how to ensure your React JS developers have done a truly good job.

Follow Consistent Naming Conventions:

  • Ensure that components, functions, variables, and files follow consistent and meaningful naming conventions (use PascalCase for React component names and camelCase for functions, variables, and hooks)
  • Review that file names align with the component or function they export; avoid abbreviations or overly generic names that obscure the purpose of the code
  • Ensure naming consistency for props and state variables, making sure they clearly describe the data they represent (e.g., isLoading, userList)

Maintain Clear Component and Function Signatures:

  • Ensure that function and component signatures are simple and self-explanatory, with descriptive parameter names
  • Ensure there are no overly complex function signatures with excessive arguments, whereas related parameters are grouped into objects if necessary
  • Verify that props passed to components are concise, avoiding unnecessary or redundant props that clutter the component signature
// Correct: uses clear and descriptive names
type UserCardProps = {
  username: string;
  age: number;
};

const UserCard: React.FC = ({ username, age }) => {
  return (
    

      
{username}

      
Age: {age}

    

  );
};

// Wrong: component name Card is too generic, prop names are unclear
const Card = ({ u, a }) => {
  return (
    

      
{u}

      
Age: {a}

    

  );
}

Use Clear and Descriptive Comments:

  • Ensure that comments are used to explain non-obvious logic, especially around business rules or complex state transitions
  • Review that comments are clear and concise, providing valuable context without being overly verbose
  • Ensure they explain the “why” behind decisions rather than simply stating what the code does
  • Verify that inline comments are up to date and relevant to the code they describe
// Correct: explains  the purpose of the component
// Displays a user's profile information
const UserProfile = ({ name, age }: { name: string; age: number }) => (
  

    
{name}

    
Age: {age}

  

);

// Wrong: the comment repeats what the code already shows
// This is a UserProfile component
const UserProfile = ({ name, age }) => (
  

    
{name}

    
Age: {age}

  

);

Consistent Use of JSX Syntax and Formatting:

  • Ensure that JSX syntax is consistent, including indentation, spacing, and the placement of attributes—use single-line JSX for short elements and multi-line JSX for elements with multiple props or children
  • Review that JSX is properly formatted with consistent use of self-closing tags for elements without children (e.g., instead of )
  • Ensure that props are aligned and indented in a consistent way, improving the readability of long JSX attributes
// Correct: uses consistent indentation and proper spacing
const UserProfile = ({ name, age }: { name: string; age: number }) => (
  

    
{name}

    
Age: {age}

  

);
// Wrong: uses inconsistent indentation, making it harder to read
const UserProfile = ({name,age}) => 

{name}
Age: {age}
;

Ensure Consistent Code Formatting and Style:

  • Ensure that the code follows a consistent style guide across the project, using formatting tools like Prettier to enforce indentation, spacing, and line breaks consistently
  • Review that line length is kept to a reasonable limit (e.g., 80-100 characters), ensuring code remains easy to read on various devices or IDEs
  • Verify that the project’s linting rules (e.g., ESLint) are followed consistently to avoid unnecessary diffs or formatting discrepancies across the codebase

Use Prop Types or TypeScript for Type Safety:

  • Ensure that PropTypes or TypeScript types are consistently used to define the types of props expected by components, preventing runtime errors and improving code readability
  • Review that type definitions are clear and concise, with complex data structures or nested objects being properly defined
  • Verify that default values for optional props are set, either through defaultProps (for JavaScript projects) or TypeScript’s optional chaining and default values
// Correct: adding prop types if no TypeScript support 
import PropTypes from "prop-types";

const Button = ({ label, onClick }) => {
  return ;
};

Button.propTypes = {
  label: PropTypes.string.isRequired,
  onClick: PropTypes.func.isRequired,
};

// Correct: adding TypeScript interface for props (correct)
import PropTypes from "prop-types";

const Button = ({ label, onClick }) => {
  return ;
};
Button.propTypes = {
  label: PropTypes.string.isRequired,
  onClick: PropTypes.func.isRequired,
};

// Wrong: no prop types or TypeScript interface 
const Button = (props: any) => {
  return ;
};

Avoid Overly Complex Expressions in JSX:

  • Ensure that JSX expressions are simple and easy to follow
  • Ensure there is no embedding of complex logic directly in JSX, as this can reduce readability
  • Verify if calculations or conditional logic are moved into helper functions or state variables when necessary
  • Review the use of conditional rendering (&&, ? :) to ensure that it is not overly nested or difficult to read
  • Check if complex conditions are broken into multiple, smaller expressions or helper functions
  • Verify that repeated elements (e.g., list rendering with map) are concise and clearly structured
  • Verify if key props are used appropriately to ensure that React can track list items efficiently
// Correct: moves complex logic out of JSX into a function
const getDiscountMessage = (price: number) => {
  return price > 100 ? "You get a discount!" : "No discount available.";
};

const Product = ({ price }: { price: number }) => (
  
{getDiscountMessage(price)}

);
// Correct: stores ternary logic in a variable to improve readability
const Product = ({ price }: { price: number }) => (
  const discountMessage = price > 100 ? "You get a discount!" : "No discount available.";
  
{discountMessage}

);

// Wrong: hard to read because of nested expressions inside JSX
const Product = ({ price }) => (
  
{price > 100 ? "You get a discount!" : "No discount available."}

);

Avoid Redundant or Dead Code:

  • Ensure that any commented-out or unused code is removed from the codebase
  • Review conditional logic or feature flags that may leave unnecessary code in production builds
  • Verify that duplicated code is refactored into reusable components or helper functions, promoting code reuse and reducing maintenance overhead

Consistently Handle Destructuring of Props and State:

  • Ensure that destructuring is used consistently when handling props and state, improving readability by reducing the need for repeated references (e.g., props.user becomes { user })
  • Review that destructuring is applied at the top of the component or function body to maintain a clean, organized structure
  • Ensure there is no destructuring directly inside JSX, which can reduce readability
// Correct: destructure in function parameters
const UserProfile = ({ name, age, location }) => {
  return (
    

      
{name}

      
Age: {age}

      
Location: {location}

    

  );
};

// Wrong: access props without destructuring
const UserProfile = (props) => {
  return (
    

      
{props.name}

      
Age: {props.age}

      
Location: {props.location}

    

  );
};

Component Structure and Reusability

A crucial part of a code quality audit is ensuring that components are modular, reusable, and well-organized. This is important because a well-structured and reusable component architecture is key to building scalable and maintainable React applications. During a React code review, focusing on component structure and reusability helps ensure your app remains easy to extend.

Ensure Components Follow the Single Responsibility Principle:

  • Verify that each component has a clear, single responsibility and is focused on one piece of functionality
  • Ensure that components are not responsible for too many tasks (e.g., rendering UI, managing complex business logic, and handling data fetching in one place)
  • Review large components and refactor them into smaller subcomponents if they handle multiple responsibilities
  • Ensure that business logic is separated from UI rendering
  • Make sure complex logic is handled by container or stateful components, while presentational components focus solely on displaying the UI
// Correct: keeps single responsibility and reusability
type UserCardProps = {
  name: string;
  age: number;
};

const UserCard: React.FC = ({ name, age }) => (
  

    
{name}

    
Age: {age}

  

);

// Wrong: handles fetching data, loading state and complex rendering logic
const UserCard = () => {
  const [user, setUser] = React.useState(null);

  React.useEffect(() => {
    fetch("/api/user")
      .then((res) => res.json())
      .then((data) => setUser(data));
  }, []);

  if (!user) return 
Loading...
;

  return (
    

      
{user.name}

      
Age: {user.age}

    

  );
};

Promote Reusability with Generic Components:

  • Ensure that common UI patterns (e.g., buttons, modals, form fields) are encapsulated in reusable, generic components that can be used across different parts of the application
  • Review components for duplication and refactor similar pieces of code into shared components or utility functions
  • Verify that there’s no recreation of similar logic in multiple places
  • Verify that components are designed with flexibility in mind by using props to customize behavior or appearance
// Correct: reusable for different cases
const Button = ({ label, onClick, variant = "primary", disabled = false }) => {
  return (
    
  );
};

// Usage
;
};

Use Proper Component Hierarchy and Nesting:

  • Ensure that components are structured in a clear hierarchy that reflects the logical structure of the application
  • Ensure there’s no deep nesting of components, as it can make the code harder to follow and maintain
  • Review parent-child component relationships to ensure that data flows naturally from parent components to children through props
  • Ensure there’s no excessive prop drilling (passing props through multiple layers) by using context or state management libraries when necessary
  • Verify that reusable components are placed in appropriate directories (e.g., /components/shared for common components) to improve organization and accessibility across the codebase

Ensure Clear Separation of Container and Presentational Components:

  • Ensure that the application separates container components (which handle state, logic, and data fetching) from presentational components (which focus on rendering the UI)
  • Review presentational components to ensure they are stateless and receive all necessary data and actions via props, making them easy to reuse and test
  • Verify that container components are responsible for managing state and fetching data, while delegating rendering tasks to presentational components

Utilize Composition Over Inheritance:

  • Ensure that components are built using composition rather than inheritance since React promotes a component composition model, where smaller components are composed together to build more complex UIs
  • Review how components are composed to ensure that reusable building blocks (e.g., layout wrappers, UI elements) are effectively combined
  • Verify that React’s children prop is used where appropriate to pass JSX as content into components, allowing flexible composition without hardcoding structure inside components
// Correct: composition with 'children' is more clear and easy to extend
const Card = ({ title, children }) => {
  return (
    

      
{title}

      
{children}

    

  );
};

// Usage

  
Name: Alice

  
Email: alice@example.com

;

// Wrong: using inheritance instead of composition
class Card extends React.Component {
  render() {
    return (
      

        
{this.props.title}

        
{this.renderContent()}

      

    );
  }

  renderContent() {
    return null; // To be overridden by subclasses
  }
}

class UserProfileCard extends Card {
  renderContent() {
    return (
      <>
        
Name: Alice

        
Email: alice@example.com

      
    );
  }
}

// Usage
;

Avoid Hardcoding Styles, Use Styled Components or CSS Modules:

  • Ensure that styling is applied consistently using CSS-in-JS libraries like Styled Components or Emotion, or using CSS Modules to keep styles scoped and maintainable
  • Review the use of inline styles and hardcoded values in JSX to ensure that they are kept to a minimum
  • Verify that reusable UI elements (e.g., buttons, inputs) have consistent styles across the application, improving both maintainability and user experience
// Correct: using styled components
import styled from "styled-components";

// Styled button with dynamic props
const Button = styled.button`
  background-color: ${(props) => (props.primary ? "blue" : "gray")};
  color: white;
  padding: 10px 20px;
  border: none;
  border-radius: 5px;
  cursor: pointer;
  
  &:hover {
    background-color: ${(props) => (props.primary ? "darkblue" : "darkgray")};
  }
`;

// Usage
const App = () => (
  <>
    
    
  
);

// Wrong: hardcoded inline styles
const Button = ({ primary, children }) => (
  
);

const App = () => (
  <>
    
    
  
);

Ensure Accessibility in Reusable Components:

  • Ensure that reusable components are accessible by default, following best practices such as providing appropriate aria attributes, labels, and keyboard navigation support
  • Review that buttons, form elements, and other interactive components include the necessary attributes to make them accessible for all users (e.g., aria-label, role, tabIndex)
  • Verify that any reusable component library or design system follows accessibility standards, ensuring that the application is inclusive and meets accessibility requirements
// Correct: using aria labels & semantic elements
const IconButton = ({ icon, label, onClick }) => {
  return (
    
  );
};

// Wrong: missing aria and wrong elements
const IconButton = ({ icon, onClick }) => {
  return {icon};
};

// Correct: using label and id in forms
const TextInput = ({ label, id, ...props }) => {
  return (
    

      
      
    

  );
};

// Wrong: missing label association
const TextInput = ({ placeholder }) => {
  return ;
};

Proper Use of React Hooks and State Management

Effective use of React Hooks and state management ensures that React applications remain predictable, maintainable, and easy to scale. Hooks are a core part of modern React development, and understanding how to manage state properly ensures better performance and cleaner code.

Use useState for Local Component State:

  • Ensure that useState is used properly for managing the local component state
  • Verify if state variables represent the minimal required data, avoiding unnecessary or redundant state
  • Review the names of state variables and their setters to ensure they clearly describe the data and actions they represent (e.g., isModalOpen, setIsModalOpen)
  • Verify that complex state logic is abstracted into helper functions or state-updating callbacks (e.g., setState(prevState => newState)), avoiding excessive re-renders or direct manipulation of state
// Correct: using functional update for safety
const Counter = () => {
  const [count, setCount] = useState(0);

  const increment = () => {
    setCount(prevCount => prevCount + 1);
  };

  return ;
};

// Wrong: directly modifying state
const Counter = () => {
  const [count, setCount] = useState(0);

  const increment = () => {
    setCount(count + 1); // Might cause stale state issues
  };

  return ;
};

// Correct: using immutable updates for objects
const UserProfile = () => {
  const [user, setUser] = useState({ name: "Alice", age: 25 });

  const updateAge = () => {
    setUser(prevUser => ({ ...prevUser, age: prevUser.age + 1 }));
  };

  return ;
};

// Wrong: mutating state directly
const UserProfile = () => {
  const [user, setUser] = useState({ name: "Alice", age: 25 });

  const updateAge = () => {
    user.age += 1; // Direct mutation!
    setUser(user); // React may not detect this change
  };

  return ;
};

Use useEffect for Side Effects:

  • Ensure that useEffect is used appropriately for side effects such as data fetching, subscriptions, or interacting with external services
  • Ensure there’s no placing of side effects directly inside render logic
  • Review the dependency array of useEffect to ensure it accurately reflects the variables that the effect depends on (improper or missing dependencies can lead to infinite loops or stale state)
  • Verify that cleanup functions are used inside useEffect when necessary, especially for subscriptions, event listeners, or timers, to prevent memory leaks and unintended behavior

Avoid Overusing useEffect for Derived State:

  • Ensure that useEffect is not overused to derive state that can be calculated directly in the component body; for example, derived data from props or state should be computed within the render method or using memoization (useMemo), not within useEffect
  • Review components where state is being set inside useEffect and refactor it to calculate derived data outside of useEffect unless the logic depends on external async data
// Correct: using useMemo for expensive computations
const ExpensiveComponent = ({ items }) => {
  const computedValue = useMemo(() => {
    console.log("Running expensive computation...");
    return items.reduce((sum, item) => sum + item.value, 0);
  }, [items]); // Only recalculates when `items` change

  return 
Computed Value: {computedValue}
;
};

// Wrong: using useEffect to set state
const ExpensiveComponent = ({ items }) => {
  const [computedValue, setComputedValue] = useState(0);

  useEffect(() => {
    console.log("Running expensive computation...");
    setComputedValue(items.reduce((sum, item) => sum + item.value, 0));
  }, [items]); // Unnecessary effect

  return 
Computed Value: {computedValue}
;
};

Use useContext for Global State Sharing:

  • Ensure that useContext is used to share global or application-wide state, reducing the need for prop drilling through multiple components
  • Review the context provider and ensure that it is used at an appropriate level in the component tree to avoid unnecessary re-renders of child components
  • Verify that context is used sparingly for truly global data (e.g., authentication, theme), and local state is managed within components using useState or other hooks

Leverage useReducer for Complex State Logic:

  • Ensure that useReducer is used for managing complex state logic, particularly when state transitions involve multiple actions or require structured updates
  • Review the reducer function to ensure it is pure, meaning it only depends on its input and does not cause side effects or mutate state directly
  • Verify that action types and payloads are clearly defined and descriptive, ensuring that the reducer logic remains clear and understandable

Use useRef for Mutable Values and DOM Manipulation:

  • Ensure that useRef is used for values that need to persist across renders without triggering re-renders (e.g., DOM elements, timers, or mutable variables)
  • Review the use of useRef for DOM manipulation or interacting with third-party libraries
  • Ensure that direct DOM manipulation is kept to a minimum, and that React’s rendering model is respected
  • Verify that useRef is not misused for state management—it should only be used for cases where changes to the reference do not need to trigger re-renders

Manage Asynchronous State with Proper Error Handling:

  • Ensure that asynchronous operations (e.g., API calls, data fetching) inside useEffect or other hooks are managed with proper error handling; use try-catch blocks or .catch() for promises to prevent uncaught errors
  • Review that state variables for loading, success, or error states (e.g., isLoading, isError) are consistently used when managing asynchronous state, improving the user experience during asynchronous operations
  • Verify that asynchronous operations are canceled when the component unmounts to prevent setting state on unmounted components, which can lead to memory leaks or errors

Organize Global State with Context or State Management Libraries:

  • Ensure that global state (e.g., authentication, user preferences, or theme settings) is managed using either the React Context API or state management libraries like Redux, Zustand, or Recoil
  • Review the use of external state management libraries to ensure they are necessary (for simpler applications, React Context and useReducer might be sufficient without introducing unnecessary complexity)
  • Verify that the global state management solution is set up with clear actions, reducers, or selectors to minimize boilerplate and ensure the state logic is maintainable

Avoid Common Pitfalls with React Hooks:

  • Ensure that hooks are called in the correct order and only inside functional components or custom hooks
  • Ensure React hooks are not called inside loops, conditionals, or nested functions
  • Review custom hooks to ensure they follow best practices and encapsulate reusable logic effectively
  • Verify that custom hooks return values and functions that promote consistent behavior across the application
  • Verify that hooks are not overused for managing simple local state or logic that can be handled within the component body
  • Verify if the usage of hooks is simple and necessary

Error Handling and Boundary Cases

A React checklist would be incomplete without a thorough review of error handling and the management of boundary cases. These are essential for building robust React applications that can gracefully handle unexpected failures and edge cases.

Implement Error Boundaries for Graceful Error Handling:

  • Ensure that error boundaries are implemented at appropriate points in the component tree to catch JavaScript errors in the UI and prevent the entire application from crashing; use componentDidCatch or create error boundary components with React.ErrorBoundary
  • Review the placement of error boundaries to ensure they cover critical sections of the UI (e.g., around large or complex components) but are not overused, as this can mask deeper issues in the codebase
  • Verify that error boundaries display meaningful fallback UI (e.g., error messages, retry options) to inform the user of the issue without revealing technical details

Handle API and Data Fetching Errors Gracefully:

  • Ensure that errors from API calls or data fetching operations are handled properly using try-catch blocks or .catch() for promises
  • Ensure there’s no unresolved or unhandled promise rejections left over, as this can lead to runtime errors
  • Review how error states (e.g., network failures, API errors) are communicated to users
  • Ensure that user-friendly error messages are displayed rather than technical error details
  • Verify that error states are managed using appropriate state variables (e.g., isError, errorMessage) and ensure that the UI provides fallback or retry options in case of failed data fetching

Anticipate and Handle Edge Cases:

  • Ensure that the application anticipates and handles common edge cases, such as empty data sets, null or undefined values, or user input exceeding expected limits
  • Review list-rendering components to ensure they handle scenarios where the data array is empty or contains invalid items; provide fallback UI (e.g., “No items available”) for these cases
  • Verify that form components handle edge cases such as excessively long input values, invalid formats, or unexpected user input; use validation logic to prevent invalid data from being submitted

Ensure Error Handling for Asynchronous Operations:

  • Ensure that asynchronous operations, such as fetching data with fetch, axios, or GraphQL, are wrapped in error handling mechanisms (e.g., try-catch or .catch() for promises) to prevent silent failures
  • Review how loading, success, and error states are handled for asynchronous operations. Ensure that appropriate feedback is given to users (e.g., loading spinners, error messages, success confirmations)
  • Verify that long-running operations or network requests are handled gracefully, with appropriate error handling and retry logic to improve user experience in case of network issues

Validate and Sanitize User Input:

  • Ensure that user input is properly validated both client-side and server-side to prevent invalid or unexpected data from causing issues. Use validation libraries (e.g., Yup, Formik) or custom validation logic for complex forms
  • Review input validation logic to ensure it covers common edge cases such as empty strings, special characters, and excessively long input; provide helpful validation messages to guide users
  • Verify that user input is sanitized to prevent potential security issues, such as injecting harmful scripts or invalid characters into forms

Handle Default and Fallback Values for Missing Data:

  • Ensure that default values are provided when accessing potentially missing or undefined data, especially when dealing with API responses or optional props
  • Review the use of optional chaining (?.) and default parameter values (||) to handle undefined or null values gracefully
  • Verify that components display appropriate fallback content when data is missing or incomplete, avoiding blank screens or UI errors

Display Meaningful and User-Friendly Error Messages:

  • Ensure that error messages shown to users are clear, concise, and helpful
  • Ensure there’s no displaying of raw error messages from API responses or the server, which may contain technical jargon
  • Review error messages across the application for consistency in tone and style, ensuring that they guide users to take corrective action (e.g., “Please try again” or “Contact support for assistance”)
  • Verify that critical errors (e.g., data fetch failures, form submission errors) include actionable options, such as retry buttons or links to support pages

Implement Boundary Cases for Component Props and State

  • Ensure that components handle unexpected or incorrect prop values gracefully
  • Verify if PropTypes or TypeScript are used to enforce the expected types and structure of props passed to components
  • Review components to ensure they handle edge cases like missing or incomplete props
  • Use default props or provide conditional logic to handle these cases without breaking the component
  • Verify that components render correctly when provided with various edge cases in state, such as empty arrays, null values, or default states

Use Defensive Programming Techniques:

  • Ensure that defensive programming techniques are used to prevent runtime errors caused by unexpected inputs, null references, or invalid data (for example, check for null or undefined values before performing operations on them)
  • Review conditional logic to ensure it handles all possible edge cases, preventing the application from entering an unstable state when provided with unexpected data or inputs
  • Verify that components are tested for robustness, handling various edge cases during development and testing phases to avoid unexpected crashes or unhandled exceptions in production

Avoid Silent Failures and Log Errors Effectively:

  • Ensure that errors are logged effectively in both development and production environments
  • Ensure logging tools (e.g., Sentry, LogRocket) are used to capture detailed error information without exposing it to the end user
  • Review code for potential silent failures, where errors occur but are not logged or communicated to the user
  • Ensure that errors are caught and appropriately handled, with fallback logic or error messages
  • Verify that error logs are structured and include relevant information (e.g., component name, stack trace, user action) to make debugging easier in the future

Use Proper Error Boundaries for Third-Party Components:

  • Ensure that error boundaries are applied around third-party components or libraries that may throw unexpected errors, especially when integrating with complex or unfamiliar code
  • Review how third-party libraries handle errors and ensure that any failures are captured within the application
  • When handling errors internally, ensure that external libraries are not the sole reliance

Performance Optimization

React is incredibly popular, with 39.5% of software developers worldwide choosing it as their go-to web framework (second only to Node.js). However, as your application grows in complexity, you might notice a dip in its performance, which can significantly impact user satisfaction. That’s why React performance is crucial for delivering a smooth user experience.

Our React performance optimization efforts can zero in on key areas like reducing unnecessary component re-renders, minimizing JavaScript bundle sizes, and dramatically improving loading times. When we perform a code review, we share actionable React performance optimization techniques, pinpointing the exact bottlenecks and inefficiencies that could be holding back your application’s responsiveness and scalability.

Use React.memo for Component Memoization:

  • Ensure that components that do not need to re-render frequently are wrapped in React.memo to prevent unnecessary re-renders
  • Review components receiving the same props repeatedly to verify if React.memo can be applied, reducing the number of renders and improving performance in large component trees
  • Verify that React.memo is used selectively for components where re-renders are costly
  • Ensure React.memo is not overused on simple or lightweight components where the optimization may not be necessary

Use useMemo and useCallback for Expensive Calculations and Functions:

  • Ensure that useMemo is used to memoize expensive calculations or derived data, preventing unnecessary recalculations on every render
  • Review the use of useCallback to memoize callback functions passed to child components, avoiding unnecessary re-creation of functions that can cause child components to re-render unnecessarily
  • Verify that dependency arrays for useMemo and useCallback are correct and cover all variables that may trigger recalculation

Avoid Unnecessary Re-Renders:

  • Ensure that component re-renders are minimized by checking whether props or state values have changed before updating the component
  • Use proper comparison logic in the shouldComponentUpdate lifecycle method (for class components) or by using hooks like React.memo and useCallback in functional components
  • Review components for unnecessary state or prop updates that can trigger re-renders
  • Ensure that only relevant data is passed as props and there’s no updating of state with the same values
  • Verify that unnecessary props (such as unused or default props) are not being passed to child components, reducing the chance of unintended re-renders

Implement Lazy Loading for Code Splitting:

  • Ensure that code splitting is implemented using React.lazy and Suspense to load components on demand, reducing the initial bundle size and improving loading times for users
  • Review routes and large components to verify that they are lazy-loaded, especially for components that are not needed immediately on page load (e.g., components for routes or modals)
  • Verify that Suspense fallback components are used to display loading states while lazy-loaded components are being fetched; ensure that the fallback UI is clear and user-friendly

Optimize Lists with React.Fragment and key Props:

  • Ensure that lists rendered using .map() include a unique key prop for each item to help React optimize the reconciliation process and avoid unnecessary re-renders
  • Review that React.Fragment is used where necessary to group sibling elements without adding extra nodes to the DOM, especially in lists or conditional renders
  • Verify that list rendering is efficient, avoiding unnecessary computations or re-renders when the list data has not changed

Implement Infinite Scrolling or Pagination for Large Data Sets:

  • Ensure that large data sets are handled efficiently by implementing pagination or infinite scrolling instead of loading all data at once
  • Review that pagination or infinite scrolling is used for lists or tables that display large amounts of data, ensuring that only a limited number of items are rendered at a time
  • Verify that lazy loading or virtual scrolling techniques are applied where appropriate to minimize the number of DOM elements rendered at once

Use CSS-in-JS or Code-Splitting for Styles:

  • Ensure that styles are optimized using CSS-in-JS solutions like Styled Components or Emotion, or by code-splitting CSS files to reduce the size of styles loaded upfront
  • Review that critical CSS is loaded initially, while non-essential styles are deferred until needed
  • Verify that dynamic styling is handled efficiently, avoiding inline styles or re-calculating styles on every render unless necessary

Minimize the Size of the JavaScript Bundle:

  • Ensure that unnecessary or unused libraries are removed from the project to minimize the JavaScript bundle size
  • Use tools like Webpack or Parcel to analyze and tree-shake unused code
  • Review the project for large dependencies that can be replaced with more lightweight alternatives or custom implementations to reduce the overall bundle size
  • Verify that assets (e.g., images, fonts) are optimized and that large libraries are split into smaller chunks using dynamic imports for code-splitting

Use useRef to Avoid Re-renders for Mutable Data:

  • Ensure that useRef is used for mutable data that doesn’t need to trigger re-renders, such as DOM references, timers, or external API interactions
  • Review the use of useRef to store values that persist across renders without causing the component to re-render, such as form elements or animation values
  • Verify that useRef is not used for managing state that should trigger UI updates, as it can cause inconsistencies between the UI and application state

Optimize Performance in Forms and Input Handling:

  • Ensure that form inputs are optimized by using onChange handlers that only update the state when necessary
  • Ensure there’s no re-rendering of the entire form for every keypress or interaction
  • Review form components to ensure that controlled components are not unnecessarily re-rendering or triggering updates; use techniques like debouncing or useCallback to optimize input handling
  • Verify that form validations are optimized by using libraries like Formik or React Hook Form, which handle form state efficiently and avoid re-renders

Implement Suspense for Data Fetching:

  • Ensure that Suspense is used for data fetching in combination with React’s Concurrent Mode to allow for better rendering performance by deferring or suspending component rendering until the data is available
  • Review the usage of data-fetching libraries (e.g., SWR, React Query) that are optimized for React and support caching, revalidation, and background fetching, minimizing the need for redundant data requests
  • Verify that loading states are handled effectively with Suspense or custom logic, ensuring the UI remains responsive while waiting for data

Optimize Images and Media:

  • Ensure that images and media files are optimized for performance using techniques like lazy loading (loading=”lazy” for images), responsive image sizes, and WebP formats to reduce the file size and load time
  • Review that large media files (e.g., videos) are deferred or loaded on-demand, reducing the initial load burden for users on slow connections
  • Verify that tools like image compression or content delivery networks (CDNs) are used to serve optimized assets, improving load times and reducing bandwidth usage

Profile and Benchmark Performance

  • Ensure that performance profiling tools (e.g., React Profiler, Chrome DevTools) are used to identify bottlenecks, measure component render times, and optimize slow areas of the application
  • Review performance benchmarks to identify which components or parts of the application are causing slowdowns, especially during user interactions or complex render cycles
  • Verify that optimization techniques (e.g., memoization, lazy loading) are applied based on actual performance data rather than premature optimization, ensuring meaningful performance gains

Security Best Practices

React security is non-negotiable. Your React applications handle sensitive user data, interact with various APIs, and ultimately operate in the potentially insecure environment of a user’s browser. This makes ensuring the proper implementation of React security best practices absolutely critical. By doing so, you protect both your application and its users from a range of vulnerabilities like cross-site scripting (XSS), insidious data leaks, and numerous other common cyberattacks.

When we conduct a code review, our deep dive into React JS security ensures your application is not only resilient against threats but also handles all sensitive data with the utmost care and security.

Sanitize User Input to Prevent XSS Attacks:

  • Ensure that all user input is sanitized before rendering it in the UI
  • Check if libraries like DOMPurify are used to strip potentially harmful content, particularly when rendering HTML or user-generated content
  • Review components to ensure that dangerous methods like dangerouslySetInnerHTML are avoided, unless absolutely necessary (if used, verify that the content is properly sanitized to prevent XSS attacks)
  • Verify that third-party libraries handling user data (e.g., rich text editors, form libraries) properly sanitize content before rendering

Implement Secure Authentication and Authorization:

  • Ensure that authentication mechanisms are secure, leveraging standards like OAuth2 or JSON Web Tokens (JWT) for handling user authentication
  • Check if tokens are stored securely using HTTP-only cookies to prevent client-side access
  • Review access control mechanisms to verify that components and routes are protected based on the user’s authentication and authorization status
  • Check if PrivateRoute or equivalent techniques are used to guard protected routes
  • Verify that sensitive information like JWT tokens, API keys, or user credentials is never stored in local storage, session storage, or directly within the JavaScript code

Protect Against Cross-Site Request Forgery (CSRF):

  • Ensure that CSRF protection is implemented, especially for state-changing operations (e.g., form submissions, API requests)
  • Check if anti-CSRF tokens that are validated on the server side are used
  • Review any form handling or API interaction components to ensure they are using secure headers and tokens (e.g., X-CSRF-Token) to protect against CSRF attacks
  • Verify that requests modifying sensitive data require valid CSRF tokens, ensuring that unauthorized requests cannot be processed

Use HTTPS and Secure Cookies:

  • Ensure that all communication between the client and server is encrypted using HTTPS Avoid transmitting sensitive information (e.g., authentication tokens, API keys) over unsecured HTTP connections
  • Review cookie settings to ensure that secure, HTTP-only cookies are used for storing authentication tokens and session information, preventing access via JavaScript
  • Verify that the SameSite attribute is set on cookies to prevent cross-origin cookie access and reduce the risk of CSRF attacks

Prevent Sensitive Data Exposure:

  • Ensure that sensitive data (e.g., passwords, credit card numbers) is never logged or exposed in the browser’s developer tools
  • Verify that there’s no logging of sensitive information in the console or sending it in error messages
  • Review API requests and responses to ensure that no sensitive data is returned in responses
  • Verify that data such as user passwords, tokens, or personally identifiable information (PII) are never sent to the client
  • Verify that client-side storage (e.g., local storage, session storage) does not contain sensitive information like JWT tokens or user credentials

Implement Content Security Policy (CSP):

  • Ensure that a Content Security Policy (CSP) is implemented to prevent the execution of unauthorized scripts or resources (helps mitigate XSS and data injection attacks by restricting what content can be loaded on a page)
  • Review the CSP configuration to ensure that only trusted sources (e.g., self, approved CDNs) are allowed for loading scripts, styles, and other assets
  • Ensure there’s no using of unsafe-inline or unsafe-eval directives
  • Verify that any necessary inline scripts or styles are minimized and properly handled by the CSP, ensuring that they do not introduce security vulnerabilities

Prevent Clickjacking Attacks:

  • Ensure that the X-Frame-Options header is set to DENY or SAMEORIGIN to prevent the application from being embedded in iframes on other sites
  • Review any legitimate use of iframes (e.g., embedding third-party content) to ensure that security risks are mitigated, and iframes are used safely
  • Verify that any embedded content, especially from third-party sources, is trusted and properly secured

Validate Data from APIs and External Sources:

  • Ensure that data fetched from APIs or external sources is properly validated before it is processed or rendered in the UI
  • Review API calls and verify that client-side validation is complemented by server-side validation, ensuring that user-provided data is sanitized and validated on the server
  • Verify that incoming data is checked for integrity and structure (e.g., validating JSON schemas), preventing malformed or malicious data from being used in the application

Use Rate Limiting and Throttling for API Requests:

  • Ensure that rate limiting and throttling mechanisms are in place to prevent abuse of APIs, such as brute-force attacks or denial-of-service (DoS) attacks
  • Check if these safeguards are implemented on the server side to limit the number of requests a client can make within a specified time
  • Review the application’s interaction with APIs to ensure that request throttling or rate limits are respected
  • Verify that there are no frequent, unnecessary API calls that could result in overuse of resources
  • Verify that any external APIs being consumed have adequate rate-limiting protections, and that error handling for rate-limited responses is implemented

Use Proper Error Handling Without Exposing Internal Information:

  • Ensure that error messages shown to users are generic and do not reveal internal information such as stack traces, server paths, or database details
  • Review error handling across the application to ensure that internal errors are logged server-side but not exposed to the client
  • Verify that sensitive information is stripped from error responses before they are sent to the client, ensuring that potential attackers cannot gather details about the system

Monitor and Log Security-Related Events

  • Ensure that important security events, such as failed login attempts, unauthorized access attempts, and data breaches, are logged for future analysis and response
  • Check if a logging tool like Sentry or LogRocket is used to capture and report security-related incidents
  • Review logging configurations to ensure that security logs are stored securely and accessible only by authorized personnel
  • Verify that there’s no logging of sensitive data in plain text
  • Verify that logging and monitoring systems are in place to detect and respond to potential security threats in real-time

Improve Your React App Quality with Redwerk

At Redwerk, we’ve successfully delivered over 250 projects to businesses across North America, Europe, Africa, Australia, and New Zealand. We support our clients at each step of the software development lifecycle, helping them get rid of technical debt, adopt healthy coding practices, and implement time-proven workflows that increase the frequency and reliability of software releases. Here are just a few React JS projects that benefitted from our expertise.

Accelerating Feature Delivery for Orderstep

Client: Orderstep, a Danish provider of quote management SaaS.

Constraints: A small in-house team struggling with overdue feature requests from premium users.

Solution: Redwerk stepped in to help deliver long-promised user capabilities on time. Because the webshop backend was already complete, making a traditional framework compatible with the frontend would have required extensive tweaking. To blend the benefits of a Single Page Application (SPA) with their existing setup, we strategically integrated React for the interactive parts of the online store, leaving static pages framework-agnostic.

Result: The timely development of the webshop feature for premium users significantly increased subscription revenue.

Rapid Module Upgrade for Cakemail

Client: Cakemail, a Canadian scale-up specializing in email marketing tools.

Constraints: A tight deadline and an urgent need to upgrade a critical app module.

Solution: We fully prepared the frontend of the Forms section for seamless integration into the new version of the Cakemail app. Our assistance enabled Cakemail to complete the transition from Cakemail v4 to Cakemail v5 without compromising the app’s functionality.

Result: The subscription form module was successfully refactored in less than 90 days, allowing Cakemail to deploy their upgraded app version as planned.

Platform Re-Architecture & Launch for Evolv

Client: Evolv, an AI-led experience optimization platform based in the USA.

Constraints: Pressure to deliver new features for user base growth, combined with extensive re-architecture work needed after a spin-off from Sentient Technologies, overtaxing the in-house team.

Solution: Redwerk was engaged to develop Evolv’s core product: a pioneering optimization platform comprising a Web Editor and Manager. The Web Editor is Evolv’s desktop app that allows coding UX improvements without direct access to the client’s source code, as well as previewing, editing, and testing implemented changes. The Manager is Evolv’s web platform, featuring advanced testing settings for launching experiments. We also continued to maintain the platform.

Result: Transformed the legacy offering, Sentient Ascend, into the #1 AI-driven digital growth solution. Together with the Redwerk delivery team, Evolv successfully released its new product—Evolv 1.0, which is now utilized by numerous Evolv clients.

Whether you’re looking to hire React JS developers to augment your in-house team or need expert assistance for an impartial React code review, we’d love to help you out. Contact us today to share your needs and get a clear understanding of how they can be addressed, including a free project estimate.

See how we helped Evolv rearchitect their AI-driven platform built with React JS

Please enter your business email isn′t a business email
Created by
Dmitry Yerygin
Development Team Lead at Redwerk
linkedin
With degrees in Control Systems and Computer Engineering, Dmitry excels in creating robust software architectures. He brings over 20 years of tech expertise and blends analytical prowess with effective communication. More by Author