Review Prisma Patterns
This skill performs systematic code review of Prisma usage, catching critical violations, security vulnerabilities, and performance anti-patterns identified through comprehensive stress testing of AI coding agents.
- Multiple PrismaClient Instances (80% of agents failed)
- SQL Injection Vulnerabilities (40% of agents failed)
- Missing Serverless Configuration (60% of agents failed)
- Deprecated Buffer API (Prisma 6 breaking change)
- Generic Error Handling (Missing P-code checks)
- Missing Input Validation (No Zod/schema validation)
- Inefficient Queries (Offset pagination, missing select optimization)
Each violation includes severity rating, remediation steps, and reference to detailed Prisma 6 skills.
Phase 1: Discovery
Find all Prisma usage:
- Search for @prisma/client imports
- Identify PrismaClient instantiation
- Locate raw SQL operations ($queryRaw, $executeRaw, $queryRawUnsafe, $executeRawUnsafe, Prisma.raw)
Identify project context:
- Check for serverless deployment (vercel.json, lambda/, app/ directory)
- Detect TypeScript vs JavaScript
- Find schema.prisma location
Phase 2: Critical Issue Detection
Run validation checks in order of severity:
- CRITICAL: SQL Injection (P0 - Security vulnerability)
- CRITICAL: Multiple PrismaClient (P0 - Connection exhaustion)
- HIGH: Serverless Misconfiguration (P1 - Production failures)
- HIGH: Deprecated Buffer API (P1 - Runtime errors)
- MEDIUM: Generic Error Handling (P2 - Poor UX)
Phase 3: Report Generation
- Group findings by severity
- Provide file path + line number
- Include code snippet
- Reference remediation skill
- Estimate impact (Low/Medium/High/Critical)
P0 - CRITICAL (Must fix before deployment)
- SQL Injection Detection
  `grep -rnE '\$(query|execute)RawUnsafe|Prisma\.raw' --include='*.ts' --include='*.js' --exclude-dir=node_modules .`
  (single quotes matter: in double quotes the shell expands `$queryRawUnsafe` as an empty variable and the pattern no longer matches the method name)
  Red flag: user input concatenated or interpolated into the SQL string passed to $queryRawUnsafe/$executeRawUnsafe, or wrapped in Prisma.raw inside a tagged template
  Fix: use the $queryRaw/$executeRaw tagged template, which sends interpolated values as bind parameters
- Multiple PrismaClient Instances
  `grep -rn 'new PrismaClient(' --include='*.ts' --include='*.js' --exclude-dir=node_modules . | wc -l`
  (match the opening parenthesis only, so `new PrismaClient({ log: [...] })` is counted as well)
  Red flag: count > 1; the singleton module itself accounts for one
  Fix: global singleton pattern
P1 - HIGH (Fix before production)
- Missing Serverless Configuration
  `grep -rn 'connection_limit' --include='.env*' .`
  Red flag: serverless project whose DATABASE_URL carries no connection_limit; this grep prints nothing in exactly that case, so empty output is the finding, not a pass
  Fix: append ?connection_limit=1 to DATABASE_URL (&connection_limit=1 if the URL already has a query string)
- Deprecated Buffer API
  `grep -rn 'Buffer\.from' --include='*.ts' --include='*.js' --exclude-dir=node_modules . | grep -i 'bytes'`
  Red flag: Buffer assumptions around Prisma Bytes fields; Prisma 6 returns Bytes as Uint8Array, so Buffer-only methods on query results fail at runtime
  Fix: treat Bytes values as Uint8Array, converting with Buffer.from(value) only where a Buffer API is actually required
See references/validation-checks.md for complete validation patterns with examples.
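Why the two P0 red flags above are injection sinks while the tagged template is not, as an added example that is neither this skill's code nor Prisma's implementation: a small TypeScript model in which `queryRawModel`, `queryRawUnsafeModel` and `rawModel` stand in for `prisma.$queryRaw`, `prisma.$queryRawUnsafe` and `Prisma.raw`. The `User` and `Post` tables, the `$1`/`$2` placeholder style and the `' OR 1=1 --` payload are constructed for the example.

```typescript
// Added example, not Prisma's implementation: a model of the mechanism behind
// prisma.$queryRaw (tagged template), prisma.$queryRawUnsafe and Prisma.raw,
// so the P0 red flags above can be exercised offline. The $1, $2 placeholder
// style is the PostgreSQL convention; the real client picks it per database.

interface ParameterizedQuery {
  text: string;      // SQL text handed to the driver
  values: unknown[]; // bind parameters sent separately, never spliced into text
}

// Stand-in for Prisma.raw(): marks a fragment that is inlined as SQL text.
class RawFragment {
  readonly sql: string;
  constructor(sql: string) {
    this.sql = sql;
  }
}
function rawModel(sql: string): RawFragment {
  return new RawFragment(sql);
}

// Stand-in for prisma.$queryRaw`...`: every interpolated value becomes a bind
// parameter, except RawFragment values, which are spliced in verbatim. That
// second path is why the grep above also flags Prisma.raw.
function queryRawModel(strings: TemplateStringsArray, ...values: unknown[]): ParameterizedQuery {
  let text = strings[0];
  const bound: unknown[] = [];
  for (let i = 0; i < values.length; i++) {
    const v = values[i];
    if (v instanceof RawFragment) {
      text += v.sql;
    } else {
      bound.push(v);
      text += `$${bound.length}`;
    }
    text += strings[i + 1];
  }
  return { text, values: bound };
}

// Stand-in for prisma.$queryRawUnsafe(sql): the caller-built string is the query.
function queryRawUnsafeModel(sql: string): ParameterizedQuery {
  return { text: sql, values: [] };
}

// RED FLAG: request input concatenated into the SQL string.
function findUserUnsafe(email: string): ParameterizedQuery {
  return queryRawUnsafeModel("SELECT id FROM \"User\" WHERE email = '" + email + "'");
}

// ALSO A RED FLAG: tagged template, but the input is wrapped in Prisma.raw()
// so it is inlined rather than bound.
function findUserRawWrapped(email: string): ParameterizedQuery {
  return queryRawModel`SELECT id FROM "User" WHERE email = ${rawModel(`'${email}'`)}`;
}

// FIX: plain interpolation in the tagged template; `email` becomes $1.
function findUserSafe(email: string): ParameterizedQuery {
  return queryRawModel`SELECT id FROM "User" WHERE email = ${email}`;
}

// Several parameters are numbered in order of appearance.
function listPostsSafe(authorId: number, limit: number): ParameterizedQuery {
  return queryRawModel`SELECT id FROM "Post" WHERE "authorId" = ${authorId} LIMIT ${limit}`;
}

// Review question for any raw query: did the attacker-controlled string end up
// in the SQL text (injectable) or only in the bound values (data)?
function payloadReachesSqlText(q: ParameterizedQuery, payload: string): boolean {
  return q.text.includes(payload);
}

const PAYLOAD = "' OR 1=1 --"; // constructed attacker input
```

The reviewer's test is where the attacker-controlled string lands: in `values` the driver binds it as data, in `text` it is SQL. This is also why `Prisma.raw` belongs in the grep even though it appears inside the otherwise safe tagged template: it opts a single value out of binding.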
Step 1: Find Prisma Files
`find . -type f \( -name '*.ts' -o -name '*.js' \) ! -path '*/node_modules/*' -exec grep -l '@prisma/client' {} \;`
Step 2: Run All Checks
Execute checks in severity order (P0 → P3):
- SQL Injection check
- Multiple PrismaClient check
- Serverless configuration check
- Deprecated Buffer API check
- Error handling check
- Input validation check
- Query efficiency check
Step 3: Generate Report
Format:

Prisma Code Review - [Project Name]
Generated: [timestamp]

CRITICAL Issues (P0): [count]
HIGH Issues (P1): [count]
MEDIUM Issues (P2): [count]
LOW Issues (P3): [count]

[P0] SQL Injection Vulnerability
File: src/api/users.ts:45
Impact: CRITICAL - Enables SQL injection attacks
Fix: Use $queryRaw tagged template
Reference: @prisma-6/SECURITY-sql-injection

[P0] Multiple PrismaClient Instances
Files: src/db.ts:3, src/api/posts.ts:12
Count: 3 instances found
Impact: CRITICAL - Connection pool exhaustion
Fix: Use global singleton pattern
Reference: @prisma-6/CLIENT-singleton-pattern
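The checks from the P0/P1 section and the report format above, put together as an added example that is not the skill's own code: a TypeScript scan that applies the same grep heuristics to an in-memory project and renders the report. `scanProject`, `renderReport` and the `SAMPLE_PROJECT` fixture (a Vercel app with two PrismaClient instances, a concatenated raw query, no connection_limit and a `Buffer.from` call) are constructed for this example; the Buffer and serverless findings point at references/validation-checks.md because the page names no dedicated skill for them.

```typescript
// Added example, not the skill's own code: the P0/P1 checks and the report
// format above, run over an in-memory project. A real run reads files from
// disk; here `files` maps path -> source text so the scan works offline.
type Severity = "P0" | "P1" | "P2" | "P3";
const SEVERITY_LABEL: Record<Severity, string> = { P0: "CRITICAL", P1: "HIGH", P2: "MEDIUM", P3: "LOW" };
interface Hit { file: string; line: number; snippet: string } // line is 1-based
interface Finding extends Hit { severity: Severity; title: string; impact: string; fix: string; reference: string }

// Same heuristics as the grep checks above; every hit is a candidate the reviewer confirms.
const SOURCE_FILE = /\.(ts|js)$/;
const RAW_SQL = /\$(query|execute)RawUnsafe\s*\(|Prisma\.raw\s*\(/;
const NEW_CLIENT = /new\s+PrismaClient\s*\(/;
const BUFFER_FROM = /Buffer\.from\s*\(/;

// grep -rn equivalent over the in-memory project, restricted to .ts/.js files.
function grepLines(files: Record<string, string>, re: RegExp): Hit[] {
  const hits: Hit[] = [];
  for (const [file, source] of Object.entries(files)) {
    if (!SOURCE_FILE.test(file)) continue;
    source.split("\n").forEach((text, i) => {
      if (re.test(text)) hits.push({ file, line: i + 1, snippet: text.trim() });
    });
  }
  return hits;
}

function scanProject(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  // P0: raw SQL entry points that take a caller-built string.
  for (const h of grepLines(files, RAW_SQL)) {
    findings.push({ ...h, severity: "P0", title: "SQL Injection Vulnerability",
      impact: "CRITICAL - Enables SQL injection attacks",
      fix: "Use $queryRaw tagged template", reference: "@prisma-6/SECURITY-sql-injection" });
  }
  // P0: more than one instantiation; the singleton module itself accounts for one.
  const clients = grepLines(files, NEW_CLIENT);
  if (clients.length > 1) {
    for (const h of clients) {
      findings.push({ ...h, severity: "P0", title: "Multiple PrismaClient Instances",
        impact: `CRITICAL - Connection pool exhaustion (${clients.length} instances found)`,
        fix: "Use global singleton pattern", reference: "@prisma-6/CLIENT-singleton-pattern" });
    }
  }
  // P1: serverless markers present but no connection_limit in any .env file.
  const paths = Object.keys(files);
  const serverless = paths.some((p) => p === "vercel.json" || p.startsWith("lambda/") || p.startsWith("app/"));
  const envFiles = paths.filter((p) => /(^|\/)\.env(\..+)?$/.test(p));
  if (serverless && !envFiles.some((p) => /connection_limit=\d+/.test(files[p]))) {
    const envFile = envFiles.length > 0 ? envFiles[0] : "(no .env file found)";
    const lines = envFiles.length > 0 ? files[envFile].split("\n") : [];
    const idx = lines.findIndex((l) => l.includes("DATABASE_URL"));
    findings.push({ file: envFile, line: idx + 1, snippet: idx >= 0 ? lines[idx] : "",
      severity: "P1", title: "Missing Serverless Configuration",
      impact: "HIGH - Production failures: each function instance opens its own connection pool",
      fix: "Add ?connection_limit=1 to DATABASE_URL", reference: "references/validation-checks.md" });
  }
  // P1: Buffer usage around Bytes fields (heuristic; Prisma 6 returns Bytes as Uint8Array).
  for (const h of grepLines(files, BUFFER_FROM)) {
    findings.push({ ...h, severity: "P1", title: "Deprecated Buffer API",
      impact: "HIGH - Runtime errors: Prisma 6 Bytes fields are Uint8Array, not Buffer",
      fix: "Use Uint8Array instead", reference: "references/validation-checks.md" });
  }
  // Group by severity, P0 first (sort is stable, so detection order is kept within a group).
  return findings.sort((a, b) => a.severity.localeCompare(b.severity));
}

// Report in the format shown above; `generatedAt` is a parameter so output is reproducible.
function renderReport(project: string, generatedAt: string, findings: Finding[]): string {
  const count = (s: Severity) => findings.filter((f) => f.severity === s).length;
  const out = [`Prisma Code Review - ${project}`, `Generated: ${generatedAt}`, ""];
  for (const s of ["P0", "P1", "P2", "P3"] as Severity[]) out.push(`${SEVERITY_LABEL[s]} Issues (${s}): ${count(s)}`);
  for (const f of findings) {
    out.push("", `[${f.severity}] ${f.title}`, `File: ${f.file}:${f.line}`, `Code: ${f.snippet}`,
      `Impact: ${f.impact}`, `Fix: ${f.fix}`, `Reference: ${f.reference}`);
  }
  return out.join("\n");
}

// Constructed sample project (Vercel deployment): two PrismaClient instances, a
// concatenated raw query, no connection_limit, and Buffer.from feeding a Bytes column.
const SAMPLE_PROJECT: Record<string, string> = {
  "vercel.json": "{}",
  ".env": 'DATABASE_URL="postgresql://app:example@db:5432/app"',
  "src/db.ts": 'import { PrismaClient } from "@prisma/client";\n\nexport const prisma = new PrismaClient();',
  "src/api/users.ts": [
    'import { PrismaClient } from "@prisma/client";',
    "const prisma = new PrismaClient();",
    "export function findUser(email: string) {",
    "  // request input concatenated into the SQL string",
    "  return prisma.$queryRawUnsafe(\"SELECT id FROM User WHERE email = '\" + email + \"'\");",
    "}",
  ].join("\n"),
  "src/api/files.ts": [
    'import { prisma } from "../db";',
    "export function storeBlob(id: number, payload: string) {",
    '  const data = Buffer.from(payload, "base64"); // written to a Bytes column',
    "  return prisma.blob.update({ where: { id }, data: { data } });",
    "}",
  ].join("\n"),
};
```

To run this against a real tree, replace `SAMPLE_PROJECT` with a map built from the files Step 1 finds. As with the grep commands, every hit is a candidate that the verification step must confirm in context; the Multiple PrismaClient rule deliberately reports nothing when only the singleton module instantiates the client, and the serverless rule reports on the .env line holding DATABASE_URL rather than on a source file.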
Provide structured review with:
Summary:
- Total files reviewed
- Issues by severity (P0/P1/P2/P3)
- Overall assessment (Pass/Needs Fixes/Critical Issues)
Detailed Findings: For each issue:
- Severity badge ([P0] CRITICAL, [P1] HIGH, etc.)
- Issue title
- File path and line number
- Code snippet (5 lines context)
- Impact explanation
- Specific remediation steps
- Reference to detailed skill
Remediation Priority:
- P0 issues must be fixed before deployment
- P1 issues should be fixed before production
- P2 issues improve code quality
- P3 issues optimize performance
MUST:
- Check all 7 critical issue categories
- Report findings with file path + line number
- Include code snippets for context
- Reference specific Prisma 6 skills for remediation
- Group by severity (P0 → P3)
SHOULD:
- Prioritize P0 (CRITICAL) issues first
- Provide specific fix recommendations
- Estimate impact of each violation
- Consider project context (serverless vs traditional)
NEVER:
- Skip P0 security checks
- Report false positives without verification
- Recommend fixes without testing patterns
- Ignore serverless-specific issues in serverless projects
For detailed information on specific topics:
- Validation Checks: See references/validation-checks.md for all 7 validation patterns with detailed examples
- Example Reviews: See references/example-reviews.md for complete review examples (e-commerce, dashboard)
Load references when performing deep review or encountering specific violation patterns.
After generating review:
Verify Findings:
- Re-run grep commands to confirm matches
- Check context around flagged lines
- Eliminate false positives
Test Remediation:
- Verify recommended fixes are valid
- Ensure skill references are accurate
- Confirm impact assessments
Completeness Check:
- All 7 categories checked
- All Prisma files reviewed
- Severity correctly assigned
Integration: This skill is discoverable by the review plugin via review: true frontmatter. Invoke with /review prisma-patterns or automatically when reviewing Prisma-based projects.
Performance: Review of typical project (50 files) completes in < 10 seconds using grep-based pattern matching.
Updates: As new Prisma violations emerge, add patterns to validation checks with corresponding skill references.