fix: upgrade reqwest from 0.12 to 0.13 and rename the rustls-tls feature to rustls #1068
fengmk2 merged 11 commits into voidzero-dev:main
@Giorno-Giovana why close?

But I think this could be merged anyway😁

@codex review
fengmk2 left a comment

Thanks, I will release a test version to verify before I merge.
macOS build fails

The macOS build fails because reqwest 0.13 with the rustls feature pulls in aws-lc-rs as the default crypto

Fix: Switch from aws-lc-rs to ring as the crypto provider:

This completely removes aws-lc-sys from the dependency tree while keeping the same TLS behavior (platform
fengmk2 left a comment

@Giorno-Giovana Thanks a lot! I will merge after manual verification passes.
Pull request overview
This PR upgrades the workspace to reqwest 0.13 and adjusts TLS configuration on non-Windows platforms so HTTPS requests use OS-native certificate verification (via rustls-platform-verifier), addressing TLS failures behind MITM proxies / certain macOS trust-chain scenarios.
Changes:
- Bump workspace `reqwest` from `0.12` to `0.13` and update per-crate TLS feature flags (`rustls-tls` → `rustls-no-provider` on non-Windows).
- Add a shared `vite_shared::ensure_tls_provider()` helper and call it before `reqwest` usage on non-Windows.
- Add workspace `rustls` dependency (ring provider) and refresh `Cargo.lock` accordingly.
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| crates/vite_shared/src/tls.rs | New helper to install a rustls crypto provider on non-Windows. |
| crates/vite_shared/src/lib.rs | Exposes ensure_tls_provider from vite_shared. |
| crates/vite_shared/Cargo.toml | Adds non-Windows dependency on rustls. |
| crates/vite_js_runtime/src/download.rs | Ensures TLS provider is installed before making reqwest requests. |
| crates/vite_js_runtime/Cargo.toml | Switches non-Windows reqwest feature to rustls-no-provider. |
| crates/vite_install/src/request.rs | Ensures TLS provider is installed before making reqwest requests. |
| crates/vite_install/Cargo.toml | Switches non-Windows reqwest feature to rustls-no-provider. |
| crates/vite_error/Cargo.toml | Switches non-Windows reqwest feature to rustls-no-provider. |
| Cargo.toml | Upgrades workspace reqwest to 0.13 and adds workspace rustls dependency. |
| Cargo.lock | Lockfile updates for reqwest 0.13 + new TLS dependency graph. |
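The dependency change summarized above, written out as Cargo manifest entries. This is an added example, not the PR's actual `Cargo.toml` files: the reqwest feature names come from the summary, while the rustls version, its feature list, and the use of `default-features = false` are assumptions.

```toml
# --- Workspace root Cargo.toml ---
[workspace.dependencies]
# TLS features are chosen per crate, so defaults are switched off here (assumption).
reqwest = { version = "0.13", default-features = false }
# Assumed version and feature list. default-features = false keeps rustls's
# default aws-lc-rs provider (and with it aws-lc-sys) out of the build;
# "ring" enables the ring provider instead.
rustls = { version = "0.23", default-features = false, features = ["ring", "std", "tls12"] }

# --- Member crate Cargo.toml, before (reqwest 0.12) ---
# Certificates were verified against the webpki-roots bundle compiled into
# the binary, not against the OS trust store.
#
# [target.'cfg(not(windows))'.dependencies]
# reqwest = { workspace = true, features = ["rustls-tls"] }

# --- Member crate Cargo.toml, after (reqwest 0.13) ---
[target.'cfg(not(windows))'.dependencies]
# rustls backend without a bundled crypto provider.
reqwest = { workspace = true, features = ["rustls-no-provider"] }
rustls = { workspace = true }

# With "rustls-no-provider", reqwest does not choose a crypto provider itself.
# The process has to install one before the first HTTPS request, which is the
# job of the ensure_tls_provider() helper named in the summary. In rustls the
# call for ring is:
#   rustls::crypto::ring::default_provider().install_default()
#
# Check after the change: `cargo tree -i aws-lc-sys` should no longer match
# any package in the dependency graph.
```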
@Giorno-Giovana I'll take over and make some improvements

- Document ca-certificates as required on Alpine for TLS verification
- Add CI negative test proving install.sh fails without ca-certificates
- Add comment explaining silent error ignore in TLS provider init
- Ignore flaky SHA224 test on musl (same race condition as SHA1 test)
The negative test now removes /etc/ssl/certs/ca-certificates.crt after vp is installed, then verifies that vp HTTPS calls fail. This proves rustls-platform-verifier requires OS root CAs. The previous approach (skipping ca-certificates in apk add) didn't work because curl transitively pulls in ca-certificates-bundle.
Move the TLS negative test from test-standalone-install.yml to the "Run E2E in Alpine container" step in ci.yml, which is the proper place to test vp runtime behavior on Alpine.
The fallback to bundled root certs will make this test unnecessary.
ca-certificates is not a user requirement since the TLS stack will fall back to bundled Mozilla root certificates when the system cert store is empty.
closes #1014
Motivation
vp install fails on macOS with a TLS error when trying to download the Node.js runtime from nodejs.org:
```
error: Failed to download Node.js runtime: Failed to download from
https://nodejs.org/dist/v22.18.0/SHASUMS256.txt: error sending request for url
```
The root cause is how reqwest 0.12 handles TLS certificate verification on non-Windows platforms. With the
rustls-tls feature, it uses webpki-roots — a hardcoded bundle of Mozilla root certificates compiled into the
binary. If the server's certificate chain involves a CA not present in that bundle (or the bundle is
outdated), TLS verification fails, even though the system's certificate store (macOS Keychain) trusts the
certificate.
reqwest 0.13 replaces the rustls-tls feature with rustls, which uses rustls-platform-verifier instead of
webpki-roots. This verifier delegates certificate validation to the OS-native certificate store
(Security.framework on macOS, SChannel on Windows), matching the behavior of curl and other system tools.