Analysis

Null/undefined check for middleware override header values

What fails: resolveRoutes() in packages/next/src/server/lib/router-utils/resolve-routes.ts at line 615 calls decodeHeaderValue(encodedValue) without checking if encodedValue is undefined, violating the function's type contract decodeHeaderValue(value: string): string.

How to reproduce: Create a middleware that deletes a header using headers.delete() and includes that header in x-middleware-override-headers, but the middleware response doesn't include a corresponding x-middleware-request-* header.

Example middleware:

export function middleware(request) {
  const headers = new Headers(request.headers)
  headers.delete('x-from-client')  // Delete a header
  return NextResponse.next({
    request: { headers }
  })
}

When the override headers logic processes the deleted header, middlewareHeaders[valueKey] returns undefined (not null), and this undefined value is passed to decodeHeaderValue().

Result: The code passes undefined to a function typed to accept only string, violating the type contract. While decodeHeaderValue() has a try-catch that prevents crashes, it returns undefined instead of the promised string.

Expected: The code should check for both null and undefined using == (or typeof encodedValue === 'string') to properly handle missing header values before calling decodeHeaderValue().

Fix applied: Changed line 615 from:

const newValue = encodedValue === null ? null : decodeHeaderValue(encodedValue)

to:

const newValue = encodedValue == null ? null : decodeHeaderValue(encodedValue as string)

The == operator catches both null and undefined, and the as string type assertion confirms that at that point, the value is known to be a string (not an array or undefined).