From 28b7dbb8defd1ee78323315132ed5ef4e23c2c64 Mon Sep 17 00:00:00 2001 From: Jerry Jia Date: Tue, 24 Mar 2026 16:11:12 -0700 Subject: [PATCH] fix(deps): use native OS certificate store for TLS on non-Windows platforms Switch reqwest feature from `rustls-tls` to `rustls-tls-native-roots` in vite_error, vite_install, and vite_js_runtime crates. `rustls-tls` bundles Mozilla's root CA store (webpki-roots) at compile time. This means the `vp` binary can only verify certificates signed by CAs in Mozilla's root program, ignoring any additional CAs installed in the OS certificate store. `rustls-tls-native-roots` uses `rustls-native-certs` to load certificates from the platform's native trust store at runtime: - macOS: Security.framework (System Keychain) - Linux: OpenSSL certificate directories - Windows: unchanged (already uses native-tls-vendored / SChannel) This fixes TLS verification failures for users behind corporate proxies, firewalls, or TLS inspection appliances that re-sign certificates with a private Switch reqwest feature from `rustls-tls` to `rustls-tls-native-roots` in vite_error, vite_install, and vite_js_runtime crates. `rustls-tls` bundles Mozilla's root CA store (webpki-roots) git reset HEAD 2>&1 git --no-pager log --oneline -3 git --no-pager log --oneline -3 2>&1 | head -5 git --no-pager status --short 2>&1 | tail -10 exit export PATH="/opt/homebrew/opt/rustup/bin:$PATH" && git status --short 2>&1 | head -10 --- Cargo.lock | 25 ++++++++++++++----------- crates/vite_error/Cargo.toml | 2 +- crates/vite_install/Cargo.toml | 2 +- crates/vite_js_runtime/Cargo.toml | 2 +- 4 files changed, 17 insertions(+), 14 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 90942f2819..5d656f388c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2302,11 +2302,11 @@ dependencies = [ "hyper 1.8.1", "hyper-util", "rustls", + "rustls-native-certs", "rustls-pki-types", "tokio", "tokio-rustls", "tower-service", - "webpki-roots", ] [[package]] 
@@ -4882,6 +4882,7 @@ dependencies = [ "pin-project-lite", "quinn", "rustls", + "rustls-native-certs", "rustls-pki-types", "serde", "serde_json", @@ -4899,7 +4900,6 @@ dependencies = [ "wasm-bindgen-futures", "wasm-streams", "web-sys", - "webpki-roots", ] [[package]] @@ -5856,6 +5856,18 @@ dependencies = [ "zeroize", ] +[[package]] +name = "rustls-native-certs" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63" +dependencies = [ + "openssl-probe", + "rustls-pki-types", + "schannel", + "security-framework", +] + [[package]] name = "rustls-pki-types" version = "1.14.0" @@ -7767,15 +7779,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "webpki-roots" -version = "1.0.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22cfaf3c063993ff62e73cb4311efde4db1efb31ab78a3e5c457939ad5cc0bed" -dependencies = [ - "rustls-pki-types", -] - [[package]] name = "which" version = "8.0.2"
diff --git a/crates/vite_error/Cargo.toml b/crates/vite_error/Cargo.toml
index b24538caf0..775f252821 100644
--- a/crates/vite_error/Cargo.toml
+++ b/crates/vite_error/Cargo.toml
@@ -29,7 +29,7 @@ wax = { workspace = true }
 reqwest = { workspace = true, features = ["stream", "native-tls-vendored", "json"] }
 [target.'cfg(not(target_os = "windows"))'.dependencies]
-reqwest = { workspace = true, features = ["stream", "rustls-tls", "json"] }
+reqwest = { workspace = true, features = ["stream", "rustls-tls-native-roots", "json"] }
 [lib]
 test = false
diff --git a/crates/vite_install/Cargo.toml b/crates/vite_install/Cargo.toml
index 8267c3396d..8de1b25a28 100644
--- a/crates/vite_install/Cargo.toml
+++ b/crates/vite_install/Cargo.toml
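Review bot: With `rustls-tls-native-roots` as the only root source on non-Windows targets in crates/vite_error/Cargo.toml (the lockfile drops `webpki-roots` entirely), the client has no trust anchors on a host without a CA bundle, such as a minimal container image lacking `ca-certificates`, so every HTTPS request there will presumably fail certificate verification. The same applies to the matching lines in crates/vite_install/Cargo.toml and crates/vite_js_runtime/Cargo.toml. If keeping the Mozilla set as a floor is acceptable, reqwest accepts both root features together, `features = ["stream", "rustls-tls-webpki-roots", "rustls-tls-native-roots", "json"]`, at the cost of still trusting bundled CAs that an administrator has removed from the OS store. If OS-only trust is the intent, record it above the line, e.g. `# Trust roots come from the OS store only; Linux hosts need an installed CA bundle.`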
@@ -37,7 +37,7 @@ vite_workspace = { workspace = true }
 reqwest = { workspace = true, features = ["stream", "native-tls-vendored", "json"] }
 [target.'cfg(not(target_os = "windows"))'.dependencies]
-reqwest = { workspace = true, features = ["stream", "rustls-tls", "json"] }
+reqwest = { workspace = true, features = ["stream", "rustls-tls-native-roots", "json"] }
 [dev-dependencies]
 httpmock = { workspace = true }
diff --git a/crates/vite_js_runtime/Cargo.toml b/crates/vite_js_runtime/Cargo.toml
index b3524d750e..84a2d03b6b 100644
--- a/crates/vite_js_runtime/Cargo.toml
+++ b/crates/vite_js_runtime/Cargo.toml
@@ -32,7 +32,7 @@ zip = { workspace = true }
 reqwest = { workspace = true, features = ["stream", "native-tls-vendored"] }
 [target.'cfg(not(target_os = "windows"))'.dependencies]
-reqwest = { workspace = true, features = ["stream", "rustls-tls-native-roots"] }
+reqwest = { workspace = true, features = ["stream", "rustls-tls-native-roots"] }
 [dev-dependencies]
 tempfile = { workspace = true }
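Review bot: The `rustls-tls-native-roots` line in crates/vite_install/Cargo.toml makes the installer's trust anchors a runtime property of the host, and nothing in the manifest records that. `rustls-native-certs` reads the platform store and also honours the `SSL_CERT_FILE` environment variable, so a CI job or wrapper script that sets it changes which CAs package downloads will accept. A comment above the dependency would make this visible to the next maintainer, for example `# TLS roots are loaded from the OS trust store at runtime (rustls-native-certs); SSL_CERT_FILE overrides it.` The user-facing proxy documentation, if there is any, could name the same variable.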
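Review bot: For crates/vite_js_runtime/Cargo.toml the feature switch means a download is accepted whenever any CA in the host store vouches for the server, including the TLS-inspection CAs this commit is meant to support, so transport security alone no longer establishes who served the archive. Whether the crate checks a published checksum or signature of the fetched runtime before unpacking is not visible in this patch. If it does not, that check is worth adding in the same series, since it holds regardless of which roots are trusted. At minimum a comment such as `# OS trust store in use; downloaded archives must be verified by checksum, not by TLS alone` would record the assumption.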