Summary
All Edge Functions import from https://deno.land/std@0.168.0/http/server.ts. Deno Standard Library 0.168.0 was released in late 2022 — approximately 2.5 years before this project was created. The current stable release is 0.224.x. Using a pinned, years-old version of the standard library means the project does not receive any bug fixes, security patches, or HTTP handling improvements released since then.
Evidence
All 8 Edge Function files begin with:
```ts
import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
```
Deno std 0.168.0 release date: approximately November 2022.
Current Deno std release at time of writing: 0.224.x (May 2024+).
Notable changes between 0.168.0 and current that are relevant to this project:
- HTTP server improvements and security fixes across 56+ minor versions
- serve() API stabilization and breaking changes that were addressed in later versions
- Various security-related fixes in HTTP header parsing
Why this matters
- Unpatched bugs: Any security vulnerability fixed in Deno std between 0.168.0 and current is present in this codebase.
- serve() API drift: The serve() function signature and error handling changed significantly in later versions. Code written for 0.168.0 may silently suppress errors on a future runtime if the API changes again.
- Supply chain: Deno's module CDN (deno.land/std) can theoretically serve different content for a given version over time (though this is rare). Pinning to a well-audited current version is safer than pinning to an old one that fewer eyes are checking.
Root cause
Lovable's scaffold generated these import URLs at project creation time and they were not updated. The version number is hardcoded in each file rather than managed centrally.
Recommended fix
Update the import to the latest stable Deno std version and test the Edge Functions:
```ts
// Before
import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
// After — use the latest stable version
import { serve } from "https://deno.land/std@0.224.0/http/server.ts";
```
Alternatively, use the unversioned import and pin in a deno.json import map:
```jsonc
// supabase/functions/deno.json
{
  "imports": {
    "std/": "https://deno.land/std@0.224.0/"
  }
}
```
Then in each function:
```ts
import { serve } from "std/http/server.ts";
```
This centralizes the version pin so future updates require only one change.
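To keep hardcoded pins from creeping back in, a check like the following can run in CI. It is an added example, not code from this project; the function names, file paths and sample sources are hypothetical, and it takes file contents as strings so the file-reading step is left to the caller.

```typescript
// Added example: flag hardcoded deno.land/std version pins in Edge Function sources.
type Finding = { file: string; line: number; version: string; outdated: boolean };

// Versioned std URL, e.g. https://deno.land/std@0.168.0/http/server.ts
const STD_PIN = /https:\/\/deno\.land\/std@(\d+\.\d+\.\d+)\//;

// Numeric comparison of "major.minor.patch" strings: <0, 0 or >0.
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every hardcoded std URL is a finding (the pin belongs in deno.json);
// `outdated` marks pins older than minVersion. Imports resolved through the
// import map ("std/http/server.ts") produce no finding.
function auditStdPins(files: Record<string, string>, minVersion: string): Finding[] {
  const findings: Finding[] = [];
  for (const file of Object.keys(files)) {
    const lines = (files[file] ?? "").split("\n");
    lines.forEach((text, idx) => {
      const re = new RegExp(STD_PIN.source, "g");
      let m: RegExpExecArray | null;
      while ((m = re.exec(text)) !== null) {
        const version = m[1] ?? "";
        findings.push({ file, line: idx + 1, version, outdated: compareVersions(version, minVersion) < 0 });
      }
    });
  }
  return findings;
}

// Constructed sample input: file names and contents are hypothetical.
const sampleFiles: Record<string, string> = {
  "supabase/functions/fn-a/index.ts":
    '// handler\nimport { serve } from "https://deno.land/std@0.168.0/http/server.ts";',
  "supabase/functions/fn-b/index.ts": 'import { serve } from "std/http/server.ts";',
  "supabase/functions/fn-c/index.ts":
    'import { serve } from "https://deno.land/std@0.224.0/http/server.ts";',
};

for (const f of auditStdPins(sampleFiles, "0.224.0")) {
  console.log(`${f.file}:${f.line} std@${f.version}${f.outdated ? " (outdated)" : ""}`);
}
```

An empty result means every function resolves std through the import map; any finding, outdated or not, is a pin that escaped central management.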
Acceptance criteria
Suggested labels
bug
Priority
P2
Severity
Medium — no confirmed CVE in std@0.168.0 at this time, but running 50+ versions behind a security-maintained library is an unacceptable maintenance posture.
Confidence
Confirmed — all 8 functions pin std@0.168.0 which is ~2.5 years old.