All Edge Functions pin deno.land/std@0.168.0 (~2.5 years old) — missing 50+ versions of security and HTTP fixes #11

Description

@tg12

Summary

All Edge Functions import from https://deno.land/std@0.168.0/http/server.ts. Deno Standard Library 0.168.0 was released in late 2022 — approximately 2.5 years before this project was created. The current stable release is 0.224.x. Using a pinned, years-old version of the standard library means the project does not receive any bug fixes, security patches, or HTTP handling improvements released since then.

Evidence

All 8 Edge Function files begin with:

import { serve } from "https://deno.land/std@0.168.0/http/server.ts";

Deno std 0.168.0 release date: approximately November 2022.
Current Deno std release at time of writing: 0.224.x (May 2024+).

Notable changes between 0.168.0 and current that are relevant to this project:

  • HTTP server improvements and security fixes across 56+ minor versions
  • serve() API stabilization and breaking changes that were addressed in later versions
  • Various security-related fixes in HTTP header parsing

Why this matters

  1. Unpatched bugs: Any security vulnerability fixed in Deno std between 0.168.0 and current is present in this codebase.
  2. serve() API drift: The serve() function signature and error handling changed significantly in later versions. Code written for 0.168.0 may silently suppress errors on a future runtime if the API changes again.
  3. Supply chain: Deno's module CDN (deno.land/std) can theoretically serve different content for a given version over time (though this is rare). Pinning to a well-audited current version is safer than pinning to an old one that fewer eyes are checking.

Root cause

Lovable's scaffold generated these import URLs at project creation time and they were not updated. The version number is hardcoded in each file rather than managed centrally.

Recommended fix

Update the import to the latest stable Deno std version and test the Edge Functions:

// Before
import { serve } from "https://deno.land/std@0.168.0/http/server.ts";

// After — use the latest stable version
import { serve } from "https://deno.land/std@0.224.0/http/server.ts";

Alternatively, use the unversioned import and pin in a deno.json import map:

// supabase/functions/deno.json
{
  "imports": {
    "std/": "https://deno.land/std@0.224.0/"
  }
}

Then in each function:

import { serve } from "std/http/server.ts";

This centralizes the version pin so future updates require only one change.

Acceptance criteria

  • All Edge Functions use a Deno std version no older than the current stable release minus 1 minor version
  • The std version is managed in a single deno.json import map rather than hardcoded in each file
  • All Edge Functions are tested after the update (Supabase local dev: supabase functions serve)
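As an added example (not code from the issue or from the project), the following TypeScript check enforces the recommended fix and the first two acceptance criteria at once: it scans Edge Function sources for hardcoded https://deno.land/std@X.Y.Z/ URLs, reads the single "std/" pin from a deno.json import map, and compares that pin against a minimum version. The file contents, the file names and the minimum version (assumed here as the current 0.224.x minus one minor, i.e. 0.223.0) are constructed sample data, and the function names are the example's own.

```typescript
// Added example, not from the original issue: a policy check for Deno std pins.
// It reports hardcoded deno.land/std URLs in function sources and verifies that
// the one version pin in a deno.json import map meets a minimum version.
// All inputs below are constructed sample data.

type Version = [number, number, number];

interface Finding {
  file: string;
  line: number; // 1-based line of the hardcoded import
  version: string;
}

interface PolicyResult {
  ok: boolean;
  problems: string[];
}

// Matches a versioned std URL and captures the semver triple.
const STD_URL = /https:\/\/deno\.land\/std@(\d+)\.(\d+)\.(\d+)\//;

function parseVersion(s: string): Version {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(s.trim());
  if (!m) throw new Error(`not a semver triple: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a: Version, b: Version): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One finding per source line that carries a versioned std URL.
function findHardcodedStdPins(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    const m = STD_URL.exec(text);
    if (m) findings.push({ file, line: idx + 1, version: `${m[1]}.${m[2]}.${m[3]}` });
  });
  return findings;
}

// Version pinned under imports["std/"], or null if absent or not a versioned std URL.
function importMapStdVersion(importMapJson: string): Version | null {
  const map = JSON.parse(importMapJson) as { imports?: Record<string, string> };
  const target = map.imports?.["std/"];
  if (!target) return null;
  const m = STD_URL.exec(target);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function checkPinPolicy(
  files: Record<string, string>,
  importMapJson: string | null,
  minimum: Version,
): PolicyResult {
  const problems: string[] = [];
  for (const [file, source] of Object.entries(files)) {
    for (const f of findHardcodedStdPins(file, source)) {
      problems.push(`${f.file}:${f.line} hardcodes std@${f.version}; import via the "std/" map entry instead`);
    }
  }
  if (importMapJson === null) {
    problems.push("no deno.json import map: std version is not managed centrally");
  } else {
    const pinned = importMapStdVersion(importMapJson);
    if (pinned === null) {
      problems.push('deno.json has no versioned "std/" entry');
    } else if (compareVersions(pinned, minimum) < 0) {
      problems.push(`import map pins std@${pinned.join(".")}, below the minimum ${minimum.join(".")}`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs: one function as scaffolded, one after the fix.
const BEFORE_FUNCTION = `import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
serve(() => new Response("ok"));
`;
const AFTER_FUNCTION = `import { serve } from "std/http/server.ts";
serve(() => new Response("ok"));
`;
const IMPORT_MAP = JSON.stringify({ imports: { "std/": "https://deno.land/std@0.224.0/" } });

// Assumed minimum: current stable 0.224.x minus one minor version.
const MINIMUM: Version = parseVersion("0.223.0");

function demo(): PolicyResult {
  const before = checkPinPolicy({ "hello/index.ts": BEFORE_FUNCTION }, null, MINIMUM);
  const after = checkPinPolicy({ "hello/index.ts": AFTER_FUNCTION }, IMPORT_MAP, MINIMUM);
  console.log(before.problems.join("\n"));
  console.log(after.ok ? "policy satisfied" : after.problems.join("\n"));
  return after;
}
demo();
```

Run against the real tree, the `files` map would be filled from each function's index.ts and `importMapJson` from supabase/functions/deno.json; a non-empty `problems` list is the condition a CI job would fail on, so the pin cannot silently drift back into individual files.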

Suggested labels

bug

Priority

P2

Severity

Medium — no confirmed CVE in std@0.168.0 at this time, but running 50+ versions behind a security-maintained library is an unacceptable maintenance posture.

Confidence

Confirmed — all 8 functions pin std@0.168.0 which is ~2.5 years old.
