Rule
Remove lingering TODO/FIXME comments
Unresolved TODO and FIXME comments indicate incomplete work that can accumulate over time.
Track issues in your issue tracker instead of leaving them in code.
Supported languages: 45+
Introduction
TODO and FIXME comments start as helpful reminders but quickly become permanent fixtures in the codebase. What was meant as a temporary note becomes a warning sign that everyone ignores. These comments indicate unfinished work, deferred decisions, or known issues that nobody tracked properly. When you ship code with TODO comments, you're shipping acknowledgment that something isn't right, without any plan to fix it.
Why it matters
Code maintainability: TODO comments create ambiguity about code readiness and completeness. New team members don't know if these comments represent urgent issues or years-old notes that nobody cares about anymore. The more TODOs accumulate, the less seriously anyone takes them, creating a broken windows effect where quality standards erode.
Technical debt tracking: Issues hidden in comments don't get prioritized, assigned, or tracked. Your project management system shows everything is complete while the codebase contains dozens of "fix this later" notes. Without proper tracking, important issues get forgotten until they cause production problems.
Security implications: TODO comments sometimes mark incomplete security implementations or known vulnerabilities. A comment like "TODO: add authentication check" in production code means you shipped a security hole with full awareness. These markers make it easier for attackers reviewing your code to find weak points.
Code examples
❌ Non-compliant:
async function processPayment(userId, amount) {
  // TODO: Add fraud detection before processing
  // FIXME: This doesn't handle concurrent payments
  const user = await db.users.findById(userId);
  if (user.balance < amount) {
    throw new Error('Insufficient funds');
  }
  // TODO: Add transaction logging
  user.balance -= amount;
  await user.save();
  return { success: true };
}
Why it's wrong: Three critical issues (fraud detection, concurrency, logging) are marked but not resolved, indicating this function was shipped incomplete. These comments document known problems without any tracking or timeline to fix them.
✅ Compliant:
async function processPayment(userId, amount) {
  await fraudDetection.check(userId, amount);
  return await db.transaction(async (trx) => {
    const user = await trx.users
      .findById(userId)
      .forUpdate();
    if (user.balance < amount) {
      throw new Error('Insufficient funds');
    }
    user.balance -= amount;
    await user.save();
    await trx.auditLog.create({
      userId,
      action: 'payment',
      amount,
      timestamp: new Date()
    });
    return { success: true };
  });
}
Why this matters: All previously marked issues are resolved. Fraud detection is implemented, database transactions handle concurrency, and audit logging tracks all payments. The code is complete without apologetic comments about what's missing.
Conclusion
Remove TODO and FIXME comments before merging code to production. If work is incomplete, finish it or create tracked issues in your project management system with proper priority and assignment. Comments in code are invisible to project planning and make your codebase look perpetually unfinished.
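One way to enforce this before merge, as an added example (not code from the original page or from the rule's own implementation): a small scanner that reports TODO/FIXME markers only when they appear in comments, and flags notes that mention security-sensitive work. The names `extractComments`, `findMarkers`, `SECURITY_HINT` and the keyword list are assumptions made for illustration.

```javascript
// Added example: report TODO/FIXME markers found in comments, not in strings.
// Limitation: regex literals and ${...} inside template strings are not parsed.
const MARKER = /\b(TODO|FIXME)\b[:\s-]*(.*)/;
// Assumption: illustrative keyword list for security-relevant notes.
const SECURITY_HINT = /\b(auth\w*|fraud|validat\w*|sanitiz\w*|encrypt\w*|csrf|token|secret|password)\b/i;

function extractComments(source) {
  const comments = [];
  let i = 0, line = 1;
  while (i < source.length) {
    const ch = source[i], next = source[i + 1];
    if (ch === '\n') { line++; i++; }
    else if (ch === '"' || ch === "'" || ch === '`') { // skip string literal
      for (i++; i < source.length && source[i] !== ch; i++) {
        if (source[i] === '\\') i++;          // skip the escaped character
        if (source[i] === '\n') line++;
      }
      i++;
    } else if (ch === '/' && next === '/') {
      const nl = source.indexOf('\n', i), stop = nl === -1 ? source.length : nl;
      comments.push({ line, text: source.slice(i + 2, stop) });
      i = stop;
    } else if (ch === '/' && next === '*') {
      const end = source.indexOf('*/', i + 2), stop = end === -1 ? source.length : end;
      const rows = source.slice(i + 2, stop).split('\n');
      rows.forEach((text, k) => comments.push({ line: line + k, text }));
      line += rows.length - 1;
      i = stop + 2;
    } else i++;
  }
  return comments;
}

function findMarkers(source) {
  return extractComments(source).flatMap(({ line, text }) => {
    const m = MARKER.exec(text);
    if (!m) return [];
    const note = m[2].trim();
    return [{ line, marker: m[1], note, security: SECURITY_HINT.test(note) }];
  });
}

// Constructed sample input, modelled on the non-compliant snippet above.
const SAMPLE = `async function processPayment(userId, amount) {
  // TODO: Add fraud detection before processing
  // FIXME: This doesn't handle concurrent payments
  const label = "TODO: not a comment";
  /* TODO: add authentication check */
}`;
console.log(findMarkers(SAMPLE));
```

In a CI job, fail the build when `findMarkers` returns any entry, and route entries with `security: true` to whoever reviews security-relevant changes.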
