An async call without await returns a pending Promise, causing hard-to-reproduce race conditions in production.
Missing `await` on an async function call doesn’t make the function fail silently — it returns a pending Promise that gets used immediately. The code continues with `undefined` or an incomplete value, creating a race condition that’s incredibly hard to reproduce locally (the debugger’s timing changes everything). This typically surfaces in Express route handlers where async middleware returns before the database call completes.
// VULNERABLE — missing await
app.get('/user/:id', async (req, res) => {
const dbQuery = pool.query('SELECT * FROM users WHERE id = $1', [req.params.id]);
// Missing await! dbQuery is a pending Promise, not the result
res.json({ user: dbQuery.rows[0] }); // dbQuery.rows is undefined
});
// FIXED — await the promise
app.get('/user/:id', async (req, res) => {
const result = await pool.query('SELECT * FROM users WHERE id = $1', [req.params.id]);
res.json({ user: result.rows[0] });
});
pool.query(`SELECT * FROM users WHERE id = ${req.params.id}`)