fix(nextjs): ignore response header mutations in GET handlers #209

Open
aqilaziz wants to merge 1 commit into millionco:main from aqilaziz:fix-nextjs-get-header-false-positive

aqilaziz commented May 12, 2026

Summary

Fixes #206.

Testing

  • pnpm exec vp test run tests/regressions/nextjs-side-effects.test.ts
  • pnpm exec tsc --noEmit from packages/react-doctor
  • pnpm exec vp lint
  • git diff --check

reactreview Bot commented May 12, 2026

Note

No issues found

vercel Bot commented May 12, 2026

@aqilaziz is attempting to deploy a commit to the Million Team on Vercel.

A member of the Team first needs to authorize it.

Comment thread packages/react-doctor/tests/fixtures/nextjs-app/src/app/headers/route.tsx Outdated
aqilaziz force-pushed the fix-nextjs-get-header-false-positive branch from 9598ea1 to 1ed2336 on May 12, 2026 00:51

cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 1ed2336.

}
if (object?.type !== "CallExpression" || object.callee?.type !== "Identifier") return false;
return object.callee.name === "headers";
};
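
Review bot: the final check in this excerpt, `object.callee.name === "headers"`, accepts any call whose callee is an identifier named `headers`; nothing in these lines confirms that the identifier is the Next.js accessor rather than a local function of the same name. Consider resolving the identifier to its import source, or passing the calling rule's framework into the helper, before returning true, and cover this branch with a fixture.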

Shared findSideEffect suppresses headers() detection across frameworks

Medium Severity

isHeadersFunctionMutationCall matches headers().set/append/delete(...) and silently suppresses it before the existing isCookiesOrHeadersCall(child, "headers") check can flag it. Since findSideEffect is shared with the TanStack Start rule (tanstack-start.ts line 562), this suppression also applies there — where headers() is not the Next.js read-only accessor and could be a user-defined function returning a mutable object. The headers() branch of isCookiesOrHeadersCall is now effectively dead code for all real Headers API methods. The function also has zero test coverage — the test fixture only exercises isHeadersApiMutationCall and isRequestScopedMutationCall.

Reviewed by Cursor Bugbot for commit 1ed2336.
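
One way to scope the suppression raised in the Bugbot comment above, as an added example that is not react-doctor's code: a `headers().set/append/delete(...)` call is ignored only when the local name resolves to the `headers` export of `next/headers`. The helper names and the hand-built ESTree nodes are assumptions constructed for illustration.

```javascript
// Added example: helper names are hypothetical, not react-doctor's code.
const HEADERS_MUTATORS = new Set(["set", "append", "delete"]);

// Map each imported local name to { source, imported } for an ESTree Program.
function collectImportBindings(program) {
  const bindings = new Map();
  for (const statement of program.body) {
    if (statement.type !== "ImportDeclaration") continue;
    for (const specifier of statement.specifiers) {
      // `imported` is absent on default and namespace specifiers.
      const imported = specifier.imported?.name ?? null;
      bindings.set(specifier.local.name, { source: statement.source.value, imported });
    }
  }
  return bindings;
}

// True only for headers().set/append/delete(...) where the callee resolves to the
// `headers` export of "next/headers"; a same-named local function does not match.
function isNextHeadersMutationCall(node, bindings) {
  if (node?.type !== "CallExpression") return false;
  const callee = node.callee;
  if (callee?.type !== "MemberExpression" || callee.computed) return false;
  if (callee.property?.type !== "Identifier" || !HEADERS_MUTATORS.has(callee.property.name)) return false;
  const object = callee.object;
  if (object?.type !== "CallExpression" || object.callee?.type !== "Identifier") return false;
  const binding = bindings.get(object.callee.name);
  return binding?.source === "next/headers" && binding.imported === "headers";
}

// Constructed ESTree fragments standing in for parser output.
const id = (name) => ({ type: "Identifier", name });
const importOf = (source, imported, local = imported) => ({
  type: "ImportDeclaration",
  source: { type: "Literal", value: source },
  specifiers: [{ type: "ImportSpecifier", imported: id(imported), local: id(local) }],
});
// Builds the node for `<local>().set("x-trace", "1")`.
const headersSetCall = (local) => ({
  type: "CallExpression",
  callee: {
    type: "MemberExpression", computed: false, property: id("set"),
    object: { type: "CallExpression", callee: id(local), arguments: [] },
  },
  arguments: [{ type: "Literal", value: "x-trace" }, { type: "Literal", value: "1" }],
});
// "ignore" when the call is the Next.js accessor, "flag" otherwise.
const classify = (imports, call) =>
  isNextHeadersMutationCall(call, collectImportBindings({ type: "Program", body: imports })) ? "ignore" : "flag";
```

With a hypothetical local module, `classify([importOf("./request-context", "headers")], headersSetCall("headers"))` returns `"flag"`, while the same call with the import taken from `next/headers` returns `"ignore"`.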

Development

Successfully merging this pull request may close these issues.

False positive: nextjs-no-side-effect-in-get-handler flags Response.headers.set() and similar Headers API calls
