TypeError: Cannot read properties of null (reading 'toUpperCase') in server HTTP instrumentation when outgoing request times out (Next.js 15, Node 22)

[RipperZA]

What happened

After upgrading @sentry/nextjs from 10.38.0 to 10.49.0, any outgoing HTTPS request from the Next.js server that times out crashes the Node process with an unhandled rejection:

TypeError: Cannot read properties of null (reading 'toUpperCase')
    at <unknown> (build/server/instrumentation.js:22:183677)
    at v.<anonymous> (build/server/instrumentation.js:22:184440)
    at v.emit (node:events:536:35)
    at v.emit (.../next/dist/compiled/@mswjs/interceptors/ClientRequest/index.js:1:5660)
    at v.respondWith (.../next/dist/compiled/@mswjs/interceptors/ClientRequest/index.js:1:7547)
    at .../next/dist/compiled/@mswjs/interceptors/ClientRequest/index.js:1:4533
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)

The error originates from the Sentry server instrumentation bundle, triggered by an event emitted from Next's bundled @mswjs/interceptors ClientRequest on request abort/timeout.

Reproduction

1. Next.js 15.5.15 app with @sentry/nextjs@10.49.0, output: 'standalone', Node 22.
2. Configure next-auth Keycloak provider (or any outbound HTTP client) with an unreachable URL, e.g. https://10.255.255.1/....
3. yarn build && node build/standalone/server.js.
4. Trigger the outgoing request (in our case /api/auth/signin/keycloak).
5. Request times out after ~3.5s → process crash with the stack above.

Versions tested

• @sentry/nextjs@10.38.0 — works (next-auth logs timeout, no process crash)
• @sentry/nextjs@10.49.0 — crashes with the TypeError above

Haven't bisected the exact intermediate version yet. Candidates from the changelog:

• 10.39 feat(node-core): Add outgoing fetch trace propagation to light mode #19262 "Add outgoing fetch trace propagation to light mode"
• 10.39 feat(node-core,node): Add tracePropagation option to http and fetch integrations #19712 "Add `tracePropagation` option to http and fetch integrations"
• 10.40 fix(node): Deduplicate sentry-trace and baggage headers on outgoing requests #19960 "Deduplicate `sentry-trace` and `baggage` headers on outgoing requests"

Environment

• @sentry/nextjs: 10.49.0
• next: 15.5.15
• next-auth: 4.24.7
• Node: 22.12.0
• Output mode: standalone

Impact

In production, any transient unreachability of an upstream service (auth provider, API) takes down the Node process instead of just logging the timeout. Currently pinned at 10.38.0.

[linear-code]

JS-2236

[logaretm]

Thanks for reporting this, it seems to be potentially introduced by #17355

I could not reproduce this, but I already noticed that we sometimes treat httpVersion as a nullable value even tho the node spec state it shouldn't be. I will attempt a blind fix since we seem to have a precedent here.