Deprecated APIs.

Deprecated browser APIs may be removed — breaking functionality without warning

What does this check test?

This check detects the use of deprecated or removed browser APIs in your client-side JavaScript code. Deprecated APIs include `document.write()`, `navigator.appName`, `navigator.appVersion`, synchronous `XMLHttpRequest` on the main thread, `window.showModalDialog()`, `KeyboardEvent.keyCode`, `Event.returnValue`, `NodeIterator.expandEntityReferences`, and the Web SQL Database API. These APIs are flagged by browsers in the console and may be removed in future versions without backward compatibility.

Why does it matter?

Deprecated APIs are removed from browsers on a rolling basis, and their removal can break critical functionality without warning. For example, when Chrome removed support for changing `document.domain` through its setter, many sites using cross-subdomain authentication broke. Beyond breakage risk, some deprecated APIs have security implications — `document.write()` can be exploited for XSS, synchronous XHR blocks the main thread and degrades user experience, and `KeyboardEvent.keyCode` has been replaced by `KeyboardEvent.key` for better internationalization and security. Using deprecated APIs may also indicate that the codebase relies on outdated libraries.

Who is affected?

Any web application running client-side JavaScript should be checked for deprecated API usage. Legacy applications that have been maintained for years are most likely to use deprecated APIs. Sites using older versions of jQuery, Prototype.js, or MooTools often rely heavily on deprecated APIs internally. Developers building for compliance or enterprise environments where browser updates are controlled should still migrate away from deprecated APIs to avoid future issues.

Where does this apply?

Open the browser DevTools Console and look for deprecation warnings (they appear as yellow warning messages). Chrome's Lighthouse audit includes a 'Deprecations' section under Best Practices. Search your codebase for known deprecated API names. Use ESLint with the `eslint-plugin-compat` plugin to catch deprecated API usage at build time. Check both your own code and third-party scripts loaded on the page.
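
The codebase search described above can be scripted. This Node.js scanner is an added example, not AppVet's own check: the `findDeprecatedApis` name, the regex patterns and the constructed `SAMPLE` input are assumptions. The patterns are textual heuristics, so each hit (for example `.returnValue`) still needs confirming by hand.

```javascript
// Heuristic patterns for the deprecated APIs this page lists (assumed regexes;
// they match source text, not an AST, so false positives are possible).
const DEPRECATED_PATTERNS = [
  { api: 'document.write()', re: /\bdocument\.write\s*\(/ },
  { api: 'navigator.appName', re: /\bnavigator\.appName\b/ },
  { api: 'navigator.appVersion', re: /\bnavigator\.appVersion\b/ },
  { api: 'synchronous XMLHttpRequest', re: /\.open\s*\([^)]*,\s*false\s*\)/ },
  { api: 'window.showModalDialog()', re: /\bshowModalDialog\s*\(/ },
  { api: 'KeyboardEvent.keyCode', re: /\.keyCode\b/ },
  { api: 'Event.returnValue', re: /\.returnValue\b/ },
  { api: 'NodeIterator.expandEntityReferences', re: /\.expandEntityReferences\b/ },
  { api: 'Web SQL Database', re: /\bopenDatabase\s*\(/ },
];

// Scan one file's text and return { file, line, api, text } for every hit.
function findDeprecatedApis(source, file = '<input>') {
  const findings = [];
  source.split(/\r?\n/).forEach((raw, i) => {
    // Drop trailing // comments so prose that mentions an API is not flagged.
    // A "//" right after ':' or a quote is kept (URLs); block comments are not handled.
    const line = raw.replace(/(^|[^:'"`])\/\/.*$/, '$1');
    for (const { api, re } of DEPRECATED_PATTERNS) {
      if (re.test(line)) findings.push({ file, line: i + 1, api, text: raw.trim() });
    }
  });
  return findings;
}

// Constructed sample input, not taken from a real application.
const SAMPLE = [
  "// Bad: KeyboardEvent.keyCode is deprecated",
  "document.write('<p>hello</p>');",
  "const xhr = new XMLHttpRequest();",
  "xhr.open('GET', '/api/data', false); // false = synchronous",
  "xhr.open('GET', '/api/data', true);",
  "el.addEventListener('keydown', (e) => { if (e.keyCode === 13) submit(); });",
  "el.addEventListener('keydown', (e) => { if (e.key === 'Enter') submit(); });",
  "const db = openDatabase('app', '1.0', 'cache', 1024);",
].join('\n');

for (const f of findDeprecatedApis(SAMPLE, 'sample.js')) {
  console.log(`${f.file}:${f.line}  ${f.api}  ->  ${f.text}`);
}
```

Run it over your own bundles and over any third-party scripts you self-host, since the check applies to both.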

How to fix it

Replace deprecated APIs with their modern equivalents:
```js
// Bad: document.write blocks parsing and is an XSS risk
document.write('<script src="analytics.js"><\/script>');

// Good: Use DOM methods
const script = document.createElement('script');
script.src = 'analytics.js';
document.head.appendChild(script);

// Bad: Synchronous XHR blocks the main thread
const xhr = new XMLHttpRequest();
xhr.open('GET', '/api/data', false); // false = synchronous
xhr.send(); // the page is frozen until the response arrives

// Good: Use fetch or async XHR
// (await needs an async function or an ES module)
async function loadData() {
  const response = await fetch('/api/data');
  const data = await response.json();
  return data;
}

// Example target element for the handlers below
const element = document.querySelector('input');

// Bad: KeyboardEvent.keyCode is deprecated
element.addEventListener('keydown', (e) => {
  if (e.keyCode === 13) { /* Enter */ }
});

// Good: Use KeyboardEvent.key
element.addEventListener('keydown', (e) => {
  if (e.key === 'Enter') { /* Enter */ }
});
```

Add `eslint-plugin-compat` to your build pipeline to prevent deprecated API usage from being introduced:

```bash
npm install --save-dev eslint-plugin-compat
```
