
Migrate url.parse() → WHATWG URL API to eliminate DEP0169 deprecation warnings in serverless logs #3118

@ronic009


[READ] Step 1: Are you in the right place?

Yes — this is a bug report for code in firebase-admin-node itself. The issue is a deprecation warning emitted by internal utilities (api-request.js, validator.js) and inherited from transitive dependencies (http-proxy-agent, teeny-request, @firebase/database-compat, faye-websocket). It is not specific to Firestore.

[REQUIRED] Step 2: Describe your environment

  • Operating System version: Vercel serverless (Amazon Linux 2023 container) in production; reproducible locally on Windows 11, macOS, and Ubuntu.
  • Firebase SDK version: firebase-admin@^12.1.0 (currently resolving to 12.7.x per lockfile).
  • Firebase Product: multiple — api-request.js is shared across Auth, Firestore, Realtime Database, Storage. The warning fires regardless of which product is invoked.
  • Node.js version: 24.x (Vercel Fluid Compute runtime). Also reproducible on 20.x and 22.x.
  • NPM version: 10.x (bundled with Node 24).

[REQUIRED] Step 3: Describe the problem

On every cold start and on many subsequent operations, Node emits:


Node.js deprecated url.parse() because it has edge cases around non-standard URL structures (e.g., //evil.com, null-byte injection, embedded credentials in the authority) that can lead to security misinterpretations. The replacement is the WHATWG URL API (new URL(...) / URL.canParse(...)).

A grep of node_modules/firebase-admin/ confirms direct url.parse() callers in:

  • firebase-admin/lib/utils/api-request.js
  • firebase-admin/lib/utils/validator.js
  • @firebase/database-compat/dist/index.standalone.js

Plus transitive callers firebase-admin pulls in:

  • http-proxy-agent
  • @google-cloud/storage → teeny-request → agent-base
  • faye-websocket

Why this matters for production users

  • Log noise at scale: the warning fires per cold start and on many REST-ish operations. On serverless platforms that aggregate logs (Vercel, Cloud Functions, Lambda) it drowns legitimate warnings and makes real issues (auth failures, quota errors, timeouts) harder to spot.
  • Pressure to suppress warnings globally: teams are tempted to use NODE_OPTIONS=--no-deprecation or process.emit overrides to silence the noise. Both patterns hide unrelated legitimate warnings and normalize an anti-pattern where future deprecations (potentially real security ones) get masked. Our team explicitly refused to do this, but the upstream noise incentivizes the bad pattern across the ecosystem.
  • Signal integrity: deprecation warnings are often the first signal of library drift in long-running production systems. Normalizing their suppression is itself a security-relevant concern.

Steps to reproduce:

  1. Install firebase-admin@^12.1.0 in a Node 20+ environment.
  2. Initialize the admin SDK with service-account credentials and perform any single Firestore (or Auth, or Storage) operation.
  3. Observe the DEP0169 warning on stderr per cold start and on subsequent REST-backed operations.

Relevant Code:

Minimal repro:

// repro.mjs — run with: node --trace-deprecation repro.mjs
import admin from 'firebase-admin';

admin.initializeApp({
  credential: admin.credential.cert({
    projectId: process.env.FIREBASE_PROJECT_ID,
    clientEmail: process.env.FIREBASE_CLIENT_EMAIL,
    privateKey: process.env.FIREBASE_PRIVATE_KEY.replace(/\\n/g, '\n'),
  }),
});

const db = admin.firestore();
await db.collection('any').limit(1).get();
// → (node:*) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized...

// Before (legacy url.parse — deprecated)
const parsed = url.parse(input);
const hostname = parsed.hostname;
const pathname = parsed.pathname;

// After (WHATWG URL API)
if (!URL.canParse(input)) throw new Error(`Invalid URL: ${input}`);
const parsed = new URL(input);
const hostname = parsed.hostname;
const pathname = parsed.pathname;


URL.canParse() is available in Node 18.17+, well within the supported matrix for firebase-admin@12.

For the transitive chain (http-proxy-agent, teeny-request, agent-base, faye-websocket), the fix likely belongs in those repos, but pinning to versions that have already migrated (where available) would propagate the improvement here.

I'm happy to open a PR migrating the two direct firebase-admin callers (lib/utils/api-request.js, lib/utils/validator.js) if that would be useful — please let me know.

Related:

Node.js DEP0169: https://nodejs.org/api/deprecations.html#DEP0169
WHATWG URL API: https://nodejs.org/api/url.html#the-whatwg-url-api
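
The "After" pattern above, extended into a stricter helper as an added example (not part of the original issue and not firebase-admin code): it rejects the edge cases named in the description (a `//host` input, control characters such as a null byte, credentials in the authority). `parseEndpointUrl`, `classify`, `ALLOWED_PROTOCOLS` and the sample inputs are constructed for illustration; it uses try/catch around `new URL()` instead of `URL.canParse()` so the input is parsed only once.

```javascript
// Added example: strict WHATWG-based replacement for url.parse() on endpoint URLs.
// All names here are hypothetical, not firebase-admin APIs.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function parseEndpointUrl(input) {
  if (typeof input !== 'string' || input.length === 0) {
    throw new TypeError('URL must be a non-empty string');
  }
  // The WHATWG parser silently strips tabs/newlines and trims leading or
  // trailing control characters, so reject them before parsing.
  if (/[\u0000-\u001f\u007f]/.test(input)) {
    throw new TypeError('URL contains control characters');
  }
  let parsed;
  try {
    parsed = new URL(input); // no base given: relative and "//host" inputs throw
  } catch {
    throw new TypeError('Invalid URL');
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    throw new TypeError(`Unsupported protocol: ${parsed.protocol}`);
  }
  if (parsed.username !== '' || parsed.password !== '') {
    throw new TypeError('Credentials in the URL authority are not allowed');
  }
  // hostname is lowercased, default ports are dropped, dot segments resolved.
  const { hostname, port, pathname, search } = parsed;
  return { hostname, port, pathname, search };
}

// Wraps the parser so callers (and logs) get a reason instead of an exception.
function classify(input) {
  try {
    return { ok: true, ...parseEndpointUrl(input) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample inputs, one per edge case.
const samples = [
  'HTTPS://Example.COM:443/a/../b?x=1',
  '//evil.com',
  'https://user:pw@example.com/',
  'https://example.com/\u0000path',
  'ftp://example.com/x',
];
for (const s of samples) console.log(JSON.stringify(s), '->', JSON.stringify(classify(s)));
```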
