Flutter Dart Code Review

1---2name: flutter-dart-code-review3description: Library-agnostic Flutter/Dart code review checklist covering widget best practices, state management patterns (BLoC, Riverpod, Provider, GetX, MobX, Signals), Dart idioms, performance, accessibility, security, and clean architecture.4origin: ECC5---6 7# Flutter/Dart Code Review Best Practices8 9Comprehensive, library-agnostic checklist for reviewing Flutter/Dart applications. These principles apply regardless of which state management solution, routing library, or DI framework is used.10 11---12 13## 1. General Project Health14 15- [ ] Project follows consistent folder structure (feature-first or layer-first)16- [ ] Proper separation of concerns: UI, business logic, data layers17- [ ] No business logic in widgets; widgets are purely presentational18- [ ] `pubspec.yaml` is clean — no unused dependencies, versions pinned appropriately19- [ ] `analysis_options.yaml` includes a strict lint set with strict analyzer settings enabled20- [ ] No `print()` statements in production code — use `dart:developer` `log()` or a logging package21- [ ] Generated files (`.g.dart`, `.freezed.dart`, `.gr.dart`) are up-to-date or in `.gitignore`22- [ ] Platform-specific code isolated behind abstractions23 24---25 26## 2. Dart Language Pitfalls27 28- [ ] **Implicit dynamic**: Missing type annotations leading to `dynamic` — enable `strict-casts`, `strict-inference`, `strict-raw-types`29- [ ] **Null safety misuse**: Excessive `!` (bang operator) instead of proper null checks or Dart 3 pattern matching (`if (value case var v?)`)30- [ ] **Type promotion failures**: Using `this.field` where local variable promotion would work31- [ ] **Catching too broadly**: `catch (e)` without `on` clause; always specify exception types32- [ ] **Catching `Error`**: `Error` subtypes indicate bugs and should not be caught33- [ ] **Unused `async`**: Functions marked `async` that never `await` — unnecessary overhead34- [ ] **`late` overuse**: `late` used where nullable or constructor initialization would be safer; defers errors to runtime35- [ ] **String concatenation in loops**: Use `StringBuffer` instead of `+` for iterative string building36- [ ] **Mutable state in `const` contexts**: Fields in `const` constructor classes should not be mutable37- [ ] **Ignoring `Future` return values**: Use `await` or explicitly call `unawaited()` to signal intent38- [ ] **`var` where `final` works**: Prefer `final` for locals and `const` for compile-time constants39- [ ] **Relative imports**: Use `package:` imports for consistency40- [ ] **Mutable collections exposed**: Public APIs should return unmodifiable views, not raw `List`/`Map`41- [ ] **Missing Dart 3 pattern matching**: Prefer switch expressions and `if-case` over verbose `is` checks and manual casting42- [ ] **Throwaway classes for multiple returns**: Use Dart 3 records `(String, int)` instead of single-use DTOs43- [ ] **`print()` in production code**: Use `dart:developer` `log()` or the project's logging package; `print()` has no log levels and cannot be filtered44 45---46 47## 3. Widget Best Practices48 49### Widget decomposition:50- [ ] No single widget with a `build()` method exceeding ~80-100 lines51- [ ] Widgets split by encapsulation AND by how they change (rebuild boundaries)52- [ ] Private `_build*()` helper methods that return widgets are extracted to separate widget classes (enables element reuse, const propagation, and framework optimizations)53- [ ] Stateless widgets preferred over Stateful where no mutable local state is needed54- [ ] Extracted widgets are in separate files when reusable55 56### Const usage:57- [ ] `const` constructors used wherever possible — prevents unnecessary rebuilds58- [ ] `const` literals for collections that don't change (`const []`, `const {}`)59- [ ] Constructor is declared `const` when all fields are final60 61### Key usage:62- [ ] `ValueKey` used in lists/grids to preserve state across reorders63- [ ] `GlobalKey` used sparingly — only when accessing state across the tree is truly needed64- [ ] `UniqueKey` avoided in `build()` — it forces rebuild every frame65- [ ] `ObjectKey` used when identity is based on a data object rather than a single value66 67### Theming & design system:68- [ ] Colors come from `Theme.of(context).colorScheme` — no hardcoded `Colors.red` or hex values69- [ ] Text styles come from `Theme.of(context).textTheme` — no inline `TextStyle` with raw font sizes70- [ ] Dark mode compatibility verified — no assumptions about light background71- [ ] Spacing and sizing use consistent design tokens or constants, not magic numbers72 73### Build method complexity:74- [ ] No network calls, file I/O, or heavy computation in `build()`75- [ ] No `Future.then()` or `async` work in `build()`76- [ ] No subscription creation (`.listen()`) in `build()`77- [ ] `setState()` localized to smallest possible subtree78 79---80 81## 4. State Management (Library-Agnostic)82 83These principles apply to all Flutter state management solutions (BLoC, Riverpod, Provider, GetX, MobX, Signals, ValueNotifier, etc.).84 85### Architecture:86- [ ] Business logic lives outside the widget layer — in a state management component (BLoC, Notifier, Controller, Store, ViewModel, etc.)87- [ ] State managers receive dependencies via injection, not by constructing them internally88- [ ] A service or repository layer abstracts data sources — widgets and state managers should not call APIs or databases directly89- [ ] State managers have a single responsibility — no "god" managers handling unrelated concerns90- [ ] Cross-component dependencies follow the solution's conventions:91  - In **Riverpod**: providers depending on providers via `ref.watch` is expected — flag only circular or overly tangled chains92  - In **BLoC**: blocs should not directly depend on other blocs — prefer shared repositories or presentation-layer coordination93  - In other solutions: follow the documented conventions for inter-component communication94 95### Immutability & value equality (for immutable-state solutions: BLoC, Riverpod, Redux):96- [ ] State objects are immutable — new instances created via `copyWith()` or constructors, never mutated in-place97- [ ] State classes implement `==` and `hashCode` properly (all fields included in comparison)98- [ ] Mechanism is consistent across the project — manual override, `Equatable`, `freezed`, Dart records, or other99- [ ] Collections inside state objects are not exposed as raw mutable `List`/`Map`100 101### Reactivity discipline (for reactive-mutation solutions: MobX, GetX, Signals):102- [ ] State is only mutated through the solution's reactive API (`@action` in MobX, `.value` on signals, `.obs` in GetX) — direct field mutation bypasses change tracking103- [ ] Derived values use the solution's computed mechanism rather than being stored redundantly104- [ ] Reactions and disposers are properly cleaned up (`ReactionDisposer` in MobX, effect cleanup in Signals)105 106### State shape design:107- [ ] Mutually exclusive states use sealed types, union variants, or the solution's built-in async state type (e.g. Riverpod's `AsyncValue`) — not boolean flags (`isLoading`, `isError`, `hasData`)108- [ ] Every async operation models loading, success, and error as distinct states109- [ ] All state variants are handled exhaustively in UI — no silently ignored cases110- [ ] Error states carry error information for display; loading states don't carry stale data111- [ ] Nullable data is not used as a loading indicator — states are explicit112 113```dart114// BAD — boolean flag soup allows impossible states115class UserState {116  bool isLoading = false;117  bool hasError = false; // isLoading && hasError is representable!118  User? user;119}120 121// GOOD (immutable approach) — sealed types make impossible states unrepresentable122sealed class UserState {}123class UserInitial extends UserState {}124class UserLoading extends UserState {}125class UserLoaded extends UserState {126  final User user;127  const UserLoaded(this.user);128}129class UserError extends UserState {130  final String message;131  const UserError(this.message);132}133 134// GOOD (reactive approach) — observable enum + data, mutations via reactivity API135// enum UserStatus { initial, loading, loaded, error }136// Use your solution's observable/signal to wrap status and data separately137```138 139### Rebuild optimization:140- [ ] State consumer widgets (Builder, Consumer, Observer, Obx, Watch, etc.) scoped as narrow as possible141- [ ] Selectors used to rebuild only when specific fields change — not on every state emission142- [ ] `const` widgets used to stop rebuild propagation through the tree143- [ ] Computed/derived state is calculated reactively, not stored redundantly144 145### Subscriptions & disposal:146- [ ] All manual subscriptions (`.listen()`) are cancelled in `dispose()` / `close()`147- [ ] Stream controllers are closed when no longer needed148- [ ] Timers are cancelled in disposal lifecycle149- [ ] Framework-managed lifecycle is preferred over manual subscription (declarative builders over `.listen()`)150- [ ] `mounted` check before `setState` in async callbacks151- [ ] `BuildContext` not used after `await` without checking `context.mounted` (Flutter 3.7+) — stale context causes crashes152- [ ] No navigation, dialogs, or scaffold messages after async gaps without verifying the widget is still mounted153- [ ] `BuildContext` never stored in singletons, state managers, or static fields154 155### Local vs global state:156- [ ] Ephemeral UI state (checkbox, slider, animation) uses local state (`setState`, `ValueNotifier`)157- [ ] Shared state is lifted only as high as needed — not over-globalized158- [ ] Feature-scoped state is properly disposed when the feature is no longer active159 160---161 162## 5. Performance163 164### Unnecessary rebuilds:165- [ ] `setState()` not called at root widget level — localize state changes166- [ ] `const` widgets used to stop rebuild propagation167- [ ] `RepaintBoundary` used around complex subtrees that repaint independently168- [ ] `AnimatedBuilder` child parameter used for subtrees independent of animation169 170### Expensive operations in build():171- [ ] No sorting, filtering, or mapping large collections in `build()` — compute in state management layer172- [ ] No regex compilation in `build()`173- [ ] `MediaQuery.of(context)` usage is specific (e.g., `MediaQuery.sizeOf(context)`)174 175### Image optimization:176- [ ] Network images use caching (any caching solution appropriate for the project)177- [ ] Appropriate image resolution for target device (no loading 4K images for thumbnails)178- [ ] `Image.asset` with `cacheWidth`/`cacheHeight` to decode at display size179- [ ] Placeholder and error widgets provided for network images180 181### Lazy loading:182- [ ] `ListView.builder` / `GridView.builder` used instead of `ListView(children: [...])` for large or dynamic lists (concrete constructors are fine for small, static lists)183- [ ] Pagination implemented for large data sets184- [ ] Deferred loading (`deferred as`) used for heavy libraries in web builds185 186### Other:187- [ ] `Opacity` widget avoided in animations — use `AnimatedOpacity` or `FadeTransition`188- [ ] Clipping avoided in animations — pre-clip images189- [ ] `operator ==` not overridden on widgets — use `const` constructors instead190- [ ] Intrinsic dimension widgets (`IntrinsicHeight`, `IntrinsicWidth`) used sparingly (extra layout pass)191 192---193 194## 6. Testing195 196### Test types and expectations:197- [ ] **Unit tests**: Cover all business logic (state managers, repositories, utility functions)198- [ ] **Widget tests**: Cover individual widget behavior, interactions, and visual output199- [ ] **Integration tests**: Cover critical user flows end-to-end200- [ ] **Golden tests**: Pixel-perfect comparisons for design-critical UI components201 202### Coverage targets:203- [ ] Aim for 80%+ line coverage on business logic204- [ ] All state transitions have corresponding tests (loading → success, loading → error, retry, etc.)205- [ ] Edge cases tested: empty states, error states, loading states, boundary values206 207### Test isolation:208- [ ] External dependencies (API clients, databases, services) are mocked or faked209- [ ] Each test file tests exactly one class/unit210- [ ] Tests verify behavior, not implementation details211- [ ] Stubs define only the behavior needed for each test (minimal stubbing)212- [ ] No shared mutable state between test cases213 214### Widget test quality:215- [ ] `pumpWidget` and `pump` used correctly for async operations216- [ ] `find.byType`, `find.text`, `find.byKey` used appropriately217- [ ] No flaky tests depending on timing — use `pumpAndSettle` or explicit `pump(Duration)`218- [ ] Tests run in CI and failures block merges219 220---221 222## 7. Accessibility223 224### Semantic widgets:225- [ ] `Semantics` widget used to provide screen reader labels where automatic labels are insufficient226- [ ] `ExcludeSemantics` used for purely decorative elements227- [ ] `MergeSemantics` used to combine related widgets into a single accessible element228- [ ] Images have `semanticLabel` property set229 230### Screen reader support:231- [ ] All interactive elements are focusable and have meaningful descriptions232- [ ] Focus order is logical (follows visual reading order)233 234### Visual accessibility:235- [ ] Contrast ratio >= 4.5:1 for text against background236- [ ] Tappable targets are at least 48x48 pixels237- [ ] Color is not the sole indicator of state (use icons/text alongside)238- [ ] Text scales with system font size settings239 240### Interaction accessibility:241- [ ] No no-op `onPressed` callbacks — every button does something or is disabled242- [ ] Error fields suggest corrections243- [ ] Context does not change unexpectedly while user is inputting data244 245---246 247## 8. Platform-Specific Concerns248 249### iOS/Android differences:250- [ ] Platform-adaptive widgets used where appropriate251- [ ] Back navigation handled correctly (Android back button, iOS swipe-to-go-back)252- [ ] Status bar and safe area handled via `SafeArea` widget253- [ ] Platform-specific permissions declared in `AndroidManifest.xml` and `Info.plist`254 255### Responsive design:256- [ ] `LayoutBuilder` or `MediaQuery` used for responsive layouts257- [ ] Breakpoints defined consistently (phone, tablet, desktop)258- [ ] Text doesn't overflow on small screens — use `Flexible`, `Expanded`, `FittedBox`259- [ ] Landscape orientation tested or explicitly locked260- [ ] Web-specific: mouse/keyboard interactions supported, hover states present261 262---263 264## 9. Security265 266### Secure storage:267- [ ] Sensitive data (tokens, credentials) stored using platform-secure storage (Keychain on iOS, EncryptedSharedPreferences on Android)268- [ ] Never store secrets in plaintext storage269- [ ] Biometric authentication gating considered for sensitive operations270 271### API key handling:272- [ ] API keys NOT hardcoded in Dart source — use `--dart-define`, `.env` files excluded from VCS, or compile-time configuration273- [ ] Secrets not committed to git — check `.gitignore`274- [ ] Backend proxy used for truly secret keys (client should never hold server secrets)275 276### Input validation:277- [ ] All user input validated before sending to API278- [ ] Form validation uses proper validation patterns279- [ ] No raw SQL or string interpolation of user input280- [ ] Deep link URLs validated and sanitized before navigation281 282### Network security:283- [ ] HTTPS enforced for all API calls284- [ ] Certificate pinning considered for high-security apps285- [ ] Authentication tokens refreshed and expired properly286- [ ] No sensitive data logged or printed287 288---289 290## 10. Package/Dependency Review291 292### Evaluating pub.dev packages:293- [ ] Check **pub points score** (aim for 130+/160)294- [ ] Check **likes** and **popularity** as community signals295- [ ] Verify the publisher is **verified** on pub.dev296- [ ] Check last publish date — stale packages (>1 year) are a risk297- [ ] Review open issues and response time from maintainers298- [ ] Check license compatibility with your project299- [ ] Verify platform support covers your targets300 301### Version constraints:302- [ ] Use caret syntax (`^1.2.3`) for dependencies — allows compatible updates303- [ ] Pin exact versions only when absolutely necessary304- [ ] Run `flutter pub outdated` regularly to track stale dependencies305- [ ] No dependency overrides in production `pubspec.yaml` — only for temporary fixes with a comment/issue link306- [ ] Minimize transitive dependency count — each dependency is an attack surface307 308### Monorepo-specific (melos/workspace):309- [ ] Internal packages import only from public API — no `package:other/src/internal.dart` (breaks Dart package encapsulation)310- [ ] Internal package dependencies use workspace resolution, not hardcoded `path: ../../` relative strings311- [ ] All sub-packages share or inherit root `analysis_options.yaml`312 313---314 315## 11. Navigation and Routing316 317### General principles (apply to any routing solution):318- [ ] One routing approach used consistently — no mixing imperative `Navigator.push` with a declarative router319- [ ] Route arguments are typed — no `Map<String, dynamic>` or `Object?` casting320- [ ] Route paths defined as constants, enums, or generated — no magic strings scattered in code321- [ ] Auth guards/redirects centralized — not duplicated across individual screens322- [ ] Deep links configured for both Android and iOS323- [ ] Deep link URLs validated and sanitized before navigation324- [ ] Navigation state is testable — route changes can be verified in tests325- [ ] Back behavior is correct on all platforms326 327---328 329## 12. Error Handling330 331### Framework error handling:332- [ ] `FlutterError.onError` overridden to capture framework errors (build, layout, paint)333- [ ] `PlatformDispatcher.instance.onError` set for async errors not caught by Flutter334- [ ] `ErrorWidget.builder` customized for release mode (user-friendly instead of red screen)335- [ ] Global error capture wrapper around `runApp` (e.g., `runZonedGuarded`, Sentry/Crashlytics wrapper)336 337### Error reporting:338- [ ] Error reporting service integrated (Firebase Crashlytics, Sentry, or equivalent)339- [ ] Non-fatal errors reported with stack traces340- [ ] State management error observer wired to error reporting (e.g., BlocObserver, ProviderObserver, or equivalent for your solution)341- [ ] User-identifiable info (user ID) attached to error reports for debugging342 343### Graceful degradation:344- [ ] API errors result in user-friendly error UI, not crashes345- [ ] Retry mechanisms for transient network failures346- [ ] Offline state handled gracefully347- [ ] Error states in state management carry error info for display348- [ ] Raw exceptions (network, parsing) are mapped to user-friendly, localized messages before reaching the UI — never show raw exception strings to users349 350---351 352## 13. Internationalization (l10n)353 354### Setup:355- [ ] Localization solution configured (Flutter's built-in ARB/l10n, easy_localization, or equivalent)356- [ ] Supported locales declared in app configuration357 358### Content:359- [ ] All user-visible strings use the localization system — no hardcoded strings in widgets360- [ ] Template file includes descriptions/context for translators361- [ ] ICU message syntax used for plurals, genders, selects362- [ ] Placeholders defined with types363- [ ] No missing keys across locales364 365### Code review:366- [ ] Localization accessor used consistently throughout the project367- [ ] Date, time, number, and currency formatting is locale-aware368- [ ] Text directionality (RTL) supported if targeting Arabic, Hebrew, etc.369- [ ] No string concatenation for localized text — use parameterized messages370 371---372 373## 14. Dependency Injection374 375### Principles (apply to any DI approach):376- [ ] Classes depend on abstractions (interfaces), not concrete implementations at layer boundaries377- [ ] Dependencies provided externally via constructor, DI framework, or provider graph — not created internally378- [ ] Registration distinguishes lifetime: singleton vs factory vs lazy singleton379- [ ] Environment-specific bindings (dev/staging/prod) use configuration, not runtime `if` checks380- [ ] No circular dependencies in the DI graph381- [ ] Service locator calls (if used) are not scattered throughout business logic382 383---384 385## 15. Static Analysis386 387### Configuration:388- [ ] `analysis_options.yaml` present with strict settings enabled389- [ ] Strict analyzer settings: `strict-casts: true`, `strict-inference: true`, `strict-raw-types: true`390- [ ] A comprehensive lint rule set is included (very_good_analysis, flutter_lints, or custom strict rules)391- [ ] All sub-packages in monorepos inherit or share the root analysis options392 393### Enforcement:394- [ ] No unresolved analyzer warnings in committed code395- [ ] Lint suppressions (`// ignore:`) are justified with comments explaining why396- [ ] `flutter analyze` runs in CI and failures block merges397 398### Key rules to verify regardless of lint package:399- [ ] `prefer_const_constructors` — performance in widget trees400- [ ] `avoid_print` — use proper logging401- [ ] `unawaited_futures` — prevent fire-and-forget async bugs402- [ ] `prefer_final_locals` — immutability at variable level403- [ ] `always_declare_return_types` — explicit contracts404- [ ] `avoid_catches_without_on_clauses` — specific error handling405- [ ] `always_use_package_imports` — consistent import style406 407---408 409## State Management Quick Reference410 411The table below maps universal principles to their implementation in popular solutions. Use this to adapt review rules to whichever solution the project uses.412 413| Principle | BLoC/Cubit | Riverpod | Provider | GetX | MobX | Signals | Built-in |414|-----------|-----------|----------|----------|------|------|---------|----------|415| State container | `Bloc`/`Cubit` | `Notifier`/`AsyncNotifier` | `ChangeNotifier` | `GetxController` | `Store` | `signal()` | `StatefulWidget` |416| UI consumer | `BlocBuilder` | `ConsumerWidget` | `Consumer` | `Obx`/`GetBuilder` | `Observer` | `Watch` | `setState` |417| Selector | `BlocSelector`/`buildWhen` | `ref.watch(p.select(...))` | `Selector` | N/A | computed | `computed()` | N/A |418| Side effects | `BlocListener` | `ref.listen` | `Consumer` callback | `ever()`/`once()` | `reaction` | `effect()` | callbacks |419| Disposal | auto via `BlocProvider` | `.autoDispose` | auto via `Provider` | `onClose()` | `ReactionDisposer` | manual | `dispose()` |420| Testing | `blocTest()` | `ProviderContainer` | `ChangeNotifier` directly | `Get.put` in test | store directly | signal directly | widget test |421 422---423 424## Sources425 426- [Effective Dart: Style](https://dart.dev/effective-dart/style)427- [Effective Dart: Usage](https://dart.dev/effective-dart/usage)428- [Effective Dart: Design](https://dart.dev/effective-dart/design)429- [Flutter Performance Best Practices](https://docs.flutter.dev/perf/best-practices)430- [Flutter Testing Overview](https://docs.flutter.dev/testing/overview)431- [Flutter Accessibility](https://docs.flutter.dev/ui/accessibility-and-internationalization/accessibility)432- [Flutter Internationalization](https://docs.flutter.dev/ui/accessibility-and-internationalization/internationalization)433- [Flutter Navigation and Routing](https://docs.flutter.dev/ui/navigation)434- [Flutter Error Handling](https://docs.flutter.dev/testing/errors)435- [Flutter State Management Options](https://docs.flutter.dev/data-and-backend/state-mgmt/options)