TypeScript PR Safety Review

Description

--- ⚠️ AI-Generated Skill Generated by MFKVault on 2026-05-13. Review before use. Not professional advice. Modify as needed for your use case. --- --- name: TypeScript PR Safety Review description: Automatically review TypeScript pull requests to identify and flag unsafe `any` usage with severity levels, posting structured review comments with actionable guidance. --- # TypeScript PR Safety Review ## When to use this skill Use this skill when reviewing TypeScript pull requests that contain type definitions, function implementations, or type assertions. Activate when you need to enforce type safety standards and prevent `any` from eroding the codebase's type integrity. This is especially critical for shared libraries, API contracts, and sensitive domains like authentication or data handling. ## Key behaviors - Parse the entire PR diff to identify all instances of `any` type usage, including explicit `any`, implicit `any` from untyped parameters, and `any` in type assertions (`as any`) - Categorize each `any` occurrence by severity: CRITICAL (security/data integrity), HIGH (API contracts/public interfaces), MEDIUM (internal utilities/type erosion), LOW (test files/temporary code) - Generate line-by-line feedback with specific context, showing the problematic code snippet and explaining why the type is unsafe - Suggest concrete type alternatives using union types, generics, `unknown`, type guards, or more specific types based on context - Check for patterns that indicate intentional `any` suppression (e.g., comments like `// TODO: fix types`) and flag them separately as technical debt - Structure the review comment with clear sections: Summary, Issues by Severity, Detailed Findings, and Recommendations - Preserve code locations and line numbers accurately to enable direct navigation in the PR review interface ## Examples ### Example 1: API function with untyped parameter **Request:** Review a TypeScript PR with this change: ```typescript export function processUserData(data: any): Promise<void> { const user = data.user; const email = user.email; return saveToDatabase(email); } ``` **Response:** ``` ## 🔍 TypeScript Safety Review ### Summary Found 1 critical issue that impacts the public API contract. The `any` type in the exported function parameter defeats type checking and allows invalid data to propagate. ### Critical Issues (1) **Line 1: Unsafe `any` in public API parameter** - Location: `processUserData` function parameter - Problem: `data: any` removes all type safety. Callers can pass invalid data, objects without required properties, or primitives - Recommendation: Define an interface for the expected data structure: ```typescript interface UserDataInput { user: { email: string; }; } export function processUserData(data: UserDataInput): Promise<void> ``` - Impact: This is a public API contract issue affecting type safety across the codebase ### Technical Debt None detected. ### Verification - Type coverage would be improved from ~95% to 100% with this change - Consider adding `strict: true` to tsconfig.json ``` ### Example 2: Type assertion in internal utility **Request:** Review PR with this change: ```typescript function parseConfig(raw: unknown): Config { const config = JSON.parse(raw as string) as any; return config; } ``` **Response:** ``` ## 🔍 TypeScript Safety Review ### Summary Found 1 high-severity issue involving unsafe type assertions in configuration parsing. This bypasses runtime validation and can cause silent failures. ### High Issues (1) **Line 2: Unsafe type assertion with `as any`** - Location: `parseConfig` function, JSON.parse result - Problem: `as any` assertion erases all type information after JSON.parse. If the parsed object doesn't match expected Config shape, errors appear at runtime, not compile time - Recommendation: Use a type guard instead: ```typescript function isConfig(obj: unknown): obj is Config { return ( typeof obj === 'object' && obj !== null && 'apiUrl' in obj && typeof obj.apiUrl === 'string' ); } function parseConfig(raw: unknown): Config { const parsed = JSON.parse(raw as string); if (!isConfig(parsed)) { throw new Error('Invalid config'); } return parsed; } ``` - Impact: Prevents silent data shape mismatches that could cause production issues ### Verification - Type guard approach enables compile-time checking - Runtime validation provides safety net for untrusted input ``` ### Example 3: Test file with deliberate type bypasses **Request:** Review PR with test changes: ```typescript describe('UserService', () => { it('should handle edge cases', () => { const mockUser: any = { id: 1 }; const result = service.validateUser(mockUser as any); expect(result).toBe(false); }); }); ``` **Response:** ``` ## 🔍 TypeScript Safety Review ### Summary Found 2 low-severity `any` usages in test files. While test files are lower priority, these patterns suggest test setup could be more maintainable. ### Low Issues (2) **Line 2: Untyped mock in test setup** - Location: `mockUser` variable - Problem: Using `any` for test fixtures makes tests brittle and less documentation of the actual shape needed - Recommendation: Use a proper test factory or partial type: ```typescript const mockUser: Partial<User> = { id: 1 }; // Or use a test factory: const mockUser = createMockUser({ id: 1 }); ``` - Severity: Low (test file, but impacts test maintainability) **Line 3: Defensive `as any` type assertion** - Location: `mockUser as any` in function call - Problem: This assertion suggests the test understands the real function signature but forces an incompatible type anyway. Either the mock is wrong or the test is incorrect - Recommendation: Remove the assertion; ensure `mockUser` has the correct shape, or update `validateUser` signature ### Technical Debt Consider creating a test utilities file with proper mocking helpers. ### Verification - Use `@types/jest` and enable strict type checking in tests ``` ## What NOT to do - Do not flag `any` in type definitions from external libraries (e.g., `@types` packages) as review issues—these are not part of the PR author's responsibility - Do not suggest vague recommendations like "use better types"; always provide concrete type signatures or code examples - Do not treat all `any` as equally critical; distinguish between public API surface (critical), internal utilities (medium), and test files (low) - Do not ignore context; a function accepting `any` because it intentionally handles dynamic objects differs from sloppy typing - Do not miss implicit `any` from untyped parameters when `noImplicitAny` might be disabled; flag these as strongly as explicit `any` - Do not forget to check for `any[]` which is particularly dangerous for data processing pipelines - Do not create overly long reviews; prioritize by severity and group similar issues ## Edge cases **Handling intentional `any` with TODO comments:** Flag as technical debt rather than blocking issue. Suggest adding a concrete timeline for remediation. Example: ``` // TODO: fix types - currently blocked by #456 const data: any = await legacyAPI(); ``` Response: "This has a tracking comment. Verify issue #456 is actively being addressed; if not, bump priority." **Generic functions with constrained any:** Distinguish between `any` that's truly unconstrained vs. `any` in a generic context: ```typescript function process<T extends any>(item: T

Security Status