fix(deps): use native OS certificate store for TLS on non-Windows platforms

[Jkker]

description below is written by opus; i've reviewed, verified, and approved the fix myself. the key is migrating to rustls-tls-native-roots to make vp usable in corporate vpn / self-signed CA / complex network conditions beyond simple / personal / home-use scenarios.

Description

The vp binary fails all HTTPS requests (downloads, registry lookups, upgrade checks) when running behind a TLS-intercepting proxy or firewall that re-signs certificates with a private CA.

Root cause: On non-Windows platforms, reqwest is configured with the rustls-tls feature, which bundles Mozilla's root CA store (webpki-roots) at compile time. This hardcoded CA set ignores any additional certificates installed in the operating system's trust store. When a network appliance re-signs TLS certificates with a private CA (common in corporate and enterprise environments), vp cannot verify any HTTPS connection.

Fix: Switch from rustls-tls to rustls-tls-native-roots in the three crates that depend on reqwest (vite_error, vite_install, vite_js_runtime). This replaces webpki-roots with rustls-native-certs, which loads certificates from the platform's native trust store at runtime:

• macOS: Security.framework (System Keychain)
• Linux: OpenSSL-compatible certificate directories (/etc/ssl/certs, etc.)
• Windows: No change — already uses native-tls-vendored (SChannel)

Switching from rustls-tls to rustls-tls-native-roots

	rustls-tls	rustls-tls-native-roots
CA source	Bundled Mozilla root CAs (compile-time)	OS native trust store (runtime)
Custom/private CAs	Not supported	Loaded from OS keychain/cert dirs
TLS-intercepting proxies	Always fails	Works if proxy CA is in OS trust store
TLS library	rustls (unchanged)	rustls (unchanged)
Crypto backend	ring/aws-lc (unchanged)	ring/aws-lc (unchanged)
OS cert store dependency	None	security-framework (macOS), openssl-probe (Linux)

The underlying TLS library (rustls) and cryptographic backend remain identical — only the source of trusted root certificates changes.

Reproduction

1. Run vp on any machine where HTTPS traffic is intercepted by a TLS proxy that re-signs certificates with a non-Mozilla CA
2. Any command that makes HTTPS requests fails:

   $ vp upgrade --check
   error: Upgrade error: Failed to fetch package metadata from
   https://registry.npmjs.org/vite-plus/latest: error sending request for url
   (https://registry.npmjs.org/vite-plus/latest)
   
   $ vp env install lts
   error: Failed to download Node.js runtime: Failed to download from
   https://nodejs.org/dist/index.json: error sending request for url
   (https://nodejs.org/dist/index.json)
   

3. The same URLs work fine with curl, node, git, and other tools that use the OS certificate store or respect SSL_CERT_FILE

Verify the issue in the binary

# Current binary uses bundled webpki-roots:
strings $(which vp) | grep -c 'webpki_roots'  # > 0

# After this fix, uses OS-native certs:
strings $(which vp) | grep -c 'webpki_roots'     # 0
strings $(which vp) | grep -c 'security-framework' # > 0 (macOS)

Changes

• crates/vite_error/Cargo.toml: rustls-tls → rustls-tls-native-roots
• crates/vite_install/Cargo.toml: rustls-tls → rustls-tls-native-roots
• crates/vite_js_runtime/Cargo.toml: rustls-tls → rustls-tls-native-roots
• Cargo.lock: replaces webpki-roots with rustls-native-certs (+ transitive deps security-framework, openssl-probe)

No Rust source code changes required.

[netlify]

✅ Deploy Preview for viteplus-preview canceled.

Name	Link
🔨 Latest commit	28b7dbb
🔍 Latest deploy log	https://app.netlify.com/projects/viteplus-preview/deploys/69c321f663614e0008b342dd

[fengmk2]

This is a duplicate of #1068