await response.text() on unbounded data | Memory exhaustion — 128 MB limit |
| Hardcoded secrets in source or config | Credential leak via version control |
Math.random() for tokens/IDs | Predictable, not cryptographically secure |
Bare fetch() without await or waitUntil | Floating promise — dropped result, swallowed error |
| Module-level mutable variables for request state | Cross-request data leaks, stale state, I/O errors |
| Cloudflare REST API from inside a Worker | Unnecessary network hop, auth overhead, added latency |
ctx.passThroughOnException() as error handling | Hides bugs, makes debugging impossible |
Hand-written Env interface | Drifts from actual wrangler config bindings |
| Direct string comparison for secret values | Timing side-channel — use crypto.subtle.timingSafeEqual |
Destructuring ctx (const { waitUntil } = ctx) | Loses this binding — throws "Illegal invocation" at runtime |
any on Env or handler params | Defeats type safety for all binding access |
as unknown as T double-cast | Hides real type incompatibilities — fix the design |
implements on platform base classes (instead of extends) | Legacy — loses this.ctx, this.env. Applies to DurableObject, WorkerEntrypoint, Workflow |
env.X inside platform base class | Should be this.env.X in classes extending DurableObject, WorkerEntrypoint, etc. |