4 min read

Edge Middleware Limitations

Learn about the limitations and restrictions of using Edge Middleware with Vercel with this reference.
Table of Contents

Edge Middleware is neither a Node.js nor browser application, which means it doesn't have access to all browser and Node.js APIs. Currently, our runtime offers a subset of browser APIs and some Node.js APIs, and we plan to implement more functionality in the future.

There are some restrictions to writing middleware, which is documented in the Edge Middleware API guide.

In summary:

  • Use ES modules
  • Most libraries that use Node.js APIs as dependencies can't be used in Edge Middleware. While we're adding support for more Node.js APIs over time, see the currently available APIs
  • Dynamic code execution (such as eval) is not allowed (see the next section for more details)

Dynamic code execution is not available in Edge Middleware for security reasons. For example, the following APIs cannot be used:

evalEvaluates JavaScript code represented as a string
new Function(evalString)Creates a new function with the code provided as an argument
WebAssembly.instantiateCompiles and instantiates a WebAssembly module from a buffer source

Most importantly, you need to make sure libraries used in your Edge Middleware don't rely on dynamic code execution because it leads to a runtime error.

Edge Middleware must begin sending a response within 25 seconds.

You may continue streaming a response beyond that time and you can continue with asynchronous workloads in the background, after returning the response.

Edge Middleware can only use up to 128MB. If it exceeds this limit, the execution will be aborted and we will return a 502 error.

PlanLimit (after gzip compression)
Hobby1 MB
Pro2 MB
Enterprise4 MB

The maximum size for an Edge Function includes your JavaScript code, imported libraries and files (such as fonts), and all files bundled in the function.

If you reach the limit, make sure the code you are importing in your function is used and is not too heavy. You can use a package size checker tool like bundle to check the size of a package and search for a smaller alternative.

While Vercel allows Environment Variables up to a total of 64 KB in size, Edge Middleware is limited to 5KB per Environment Variable.

Environment Variables can be accessed through the process.env object. Since JavaScript objects have methods to allow some operations on them, there are limitations on the names of Environment Variables to avoid having ambiguous code.

The following names will be ignored as Environment Variables to avoid overriding the process.env object prototype:

  • constructor
  • __defineGetter__
  • __defineSetter__
  • hasOwnProperty
  • __lookupGetter__
  • __lookupSetter__
  • isPrototypeOf
  • propertyIsEnumerable
  • toString
  • valueOf
  • __proto__
  • toLocaleString

Therefore, your code will always be able to use them with their expected behavior:

// returns `true`, if `process.env.MY_VALUE` is used anywhere & defined in the Vercel dashboard
Maximum URL length14 KB
Maximum request body length4 MB
Maximum number of request headers64
Maximum request headers length16 KB
  • You cannot set non-standard port numbers in the fetch URL (e.g., Only 80 and 443 are allowed. If you set a non-standard port number, the port number is ignored, and the request is sent to port 80 for http:// URL, or port 443 for https:// URL.
  • The maximum number of requests from fetch API is 950 per Edge Middleware invocation.
  • The maximum number of open connections is 6.
    • Each function invocation can have up to 6 open connections. For example, if you try to send 10 simultaneous fetch requests, only 6 of them can be processed at a time. The remaining requests are put into a waiting queue and will be processed accordingly as those in-flight requests are completed.
  • If in-flight requests have been waiting for a response for more than 15 seconds with no active reads/writes, the runtime may cancel them based on its LRU (Least Recently Used) logic.
    • If you attempt to use a canceled connection, the Network connection lost. exception will be thrown.
    • You can catch on the fetch promise to handle this exception gracefully (e.g. with retries). Additionally, you can use the AbortController API to set timeouts for fetch requests.

To avoid CPU timing attacks, like Spectre, date and time functionality is not generally available. In particular, the time returned from only advances after I/O operations, like fetch. For example:

export default function middleware(request: Request) {
  for (let i = 0; i < 1000; i++) {
    console.log(; // Prints the same value 1000 times.
  await fetch('');
  console.log(; // Prints another value.

If you're not using a framework, you must either add "type": "module" to your package.json or change your JavaScript Functions' file extensions from .js to .mjs

Last updated on May 25, 2024