Regex Code Review Checklist for Production Teams

Most regex bugs are preventable during review. Instead of asking “does it work on my sample?”, reviewers should verify correctness, readability, and worst-case behavior.

1) Is the Intent Documented?

Every pattern should have at least 2–3 accepted examples and 2–3 rejected examples in comments or tests.

2) Is the Pattern Anchored Correctly?

If the goal is full validation, require ^...$. Unanchored patterns often create accidental partial matches.

3) Can It Backtrack Excessively?

Look for nested quantifiers and broad tokens like .* near alternations. Ask for a worst-case benchmark when input can be attacker-controlled.
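Checks 1 to 3 as a small Python review harness. This is an added example, not code from the original post; the date pattern, the sample strings and the function names are constructed for illustration.

```python
import re
import time

# Constructed examples for a YYYY-MM-DD field (assumed for illustration).
ACCEPTED = ["2024-01-31", "1999-12-01", "2030-06-15"]
REJECTED = ["x2024-01-31", "2024-01-31 extra", "2024-01-31\n"]

def wrong_examples(pattern, matcher):
    """Checks 1 and 2: list the documented examples `pattern` gets wrong."""
    rx = re.compile(pattern)
    missed = [s for s in ACCEPTED if not matcher(rx, s)]
    leaked = [s for s in REJECTED if matcher(rx, s)]
    return missed + leaked

def worst_case_seconds(pattern, sizes):
    """Check 3: time a failing match on 'a' * n + '!' for each n."""
    rx = re.compile(pattern)
    timings = {}
    for n in sizes:
        text = "a" * n + "!"  # near-miss input forces maximal backtracking
        start = time.perf_counter()
        rx.fullmatch(text)
        timings[n] = time.perf_counter() - start
    return timings

if __name__ == "__main__":
    date = r"\d{4}-\d{2}-\d{2}"
    # Unanchored search accepts every rejected example (partial matches).
    print(wrong_examples(date, re.search))
    # ^...$ still accepts the trailing-newline case: in Python, $ also
    # matches just before a final "\n".
    print(wrong_examples("^" + date + "$", re.search))
    # fullmatch must consume the whole string, so nothing is wrong.
    print(wrong_examples(date, re.fullmatch))
    # Nested quantifier vs. flat equivalent on growing input.
    for pat in (r"(a+)+", r"a+"):
        print(pat, worst_case_seconds(pat, [10, 14, 18, 22]))
```

The nested pattern's time roughly doubles with each extra character, while the flat `a+` stays flat; that growth curve is what a reviewer should ask to see for attacker-controlled input.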

4) Is the Flavor Explicit?

Pattern features differ across JavaScript, Python, PCRE, Java, and .NET. Call out the target engine in code review.

5) Is There a Non-Regex Alternative?

For structured formats (HTML, URLs, dates), parsers can be safer and easier to maintain than one giant expression.