No magic numbers or strings without named constants

ab-000670 · code-maintainability.naming-conventions.no-magic-values

Severity: lowactive

Why it matters

Magic numbers and strings scattered across logic files make the codebase unreadable and misconfiguration-prone. When the same timeout value appears as 3000 in five places, changing the business rule requires a grep hunt across the codebase — and missing one copy silently introduces inconsistency. ISO 25010 maintainability.analysability degrades because developers cannot distinguish a meaningful business threshold from an arbitrary implementation detail. Magic values in business rule logic are particularly dangerous because they look identical to arbitrary constants.

Severity rationale

Low because magic values obscure intent and make configuration changes error-prone, but they do not typically cause correctness failures unless multiple copies get out of sync.

Remediation

Consolidate logic-driving constants in a dedicated constants file and replace each inline usage with the named import:

// lib/constants.ts
export const RETRY_DELAY_MS = 3000
export const SESSION_TIMEOUT_MS = 30 * 60 * 1000  // 30 minutes
export const PASSING_SCORE_THRESHOLD = 75
export const STORAGE_KEYS = {
  USER_TOKEN: 'user_token',
  PREFERENCES: 'user_preferences',
} as const

When the business rule changes, update one place. The self-documenting multiplication 30 * 60 * 1000 is better than the magic 1800000.

Detection

ID: no-magic-values
Severity: low
What to look for: Look for numeric literals and string literals used directly in logic (not in UI labels or static content). Common violations:
- Timeout values as raw numbers: setTimeout(fn, 3000) instead of const RETRY_DELAY_MS = 3000
- HTTP status codes checked as numbers: if (status === 404) instead of using named constants
- Business rule thresholds: if (score > 75) instead of const PASSING_SCORE_THRESHOLD = 75
- String keys used across multiple files: localStorage.setItem('user_token', ...) appearing in many places
Exclude: simple array indexes, CSS values in style objects, log messages, test fixtures, and UI label strings. Focus on values that represent business rules, configuration, or limits.
Pass criteria: Count all numeric and string literals used in logic code (excluding UI text, 0, 1, -1). Logic-driving numbers and string constants are defined as named constants when they appear in more than one place or represent a non-obvious business rule. No more than 2 unexplained magic values across all logic files. Report the count: "Found X magic values across Y logic files."
Fail criteria: 3 or more instances of unexplained numeric or string literals found in logic code (not UI text, not obvious values like 0, 1, -1).
Skip (N/A) when: The project contains only UI markup with no business logic. Signal: no JavaScript logic files, only HTML/template files.
Detail on fail: "Magic numbers found: setTimeout callbacks use 3000, 5000, 10000 without named constants. Score thresholds 75 and 90 appear in 3 different files. HTTP status 404, 500 checked by literal value in 4 route handlers."

Remediation: Magic values obscure intent and make configuration changes error-prone. Consolidate them in a constants file:

// lib/constants.ts
export const RETRY_DELAY_MS = 3000
export const SESSION_TIMEOUT_MS = 30 * 60 * 1000  // 30 minutes — self-documenting
export const PASSING_SCORE_THRESHOLD = 75
export const STORAGE_KEYS = {
  USER_TOKEN: 'user_token',
  PREFERENCES: 'user_preferences',
} as const

Then replace magic values with the named import. When the business rule changes, you update one place.

External references

iso-25010:2011 · maintainability.analysability — Analysability
iso-25010:2011 · maintainability.modifiability — Modifiability

Taxons

code-quality

History

2026-04-18·v1.0.0·Initial import from code-maintainability·automated