I’m self-hosting a Next.js app based on the Medusa Next.js Storefront Starter. I can’t upgrade Next.js right now due to dependency constraints.

The starter’s middleware uses NextResponse.next() without passing { request }. The code is here:
https://github.com/medusajs/nextjs-starter-medusa/blob/main/src/middleware.ts

Given the Next.js middleware SSRF advisory and the guidance to prefer NextResponse.next({ request }), I wanted a sanity check from the community.

What I’m trying to accomplish:

Keep the Medusa starter middleware as-is for now
Understand whether this pattern is considered safe in a self-hosted setup when no headers are being forwarded or reflected
Decide whether a minimal patch (changing to NextResponse.next({ request })) is advisable until upgrading is possible

What I’ve tried:
I briefly tested a header denylist + explicit { request }, but reverted to stay aligned with upstream.

Questions:
In older Next.js versions, does calling NextResponse.next() without { request } pose meaningful risk if no request headers are forwarded?
Is replacing these calls with NextResponse.next({ request }) the recommended minimal mitigation?
Any known edge-runtime pitfalls with that change?

Context:
https://vercel.com/changelog/cve-2025-57822

No runtime errors, this is purely a security sanity check until upgrading is possible.

Thanks in advance for any insights!