F-005: chore(deps): pin reqwest to rustls-tls #12
Explicitly pin reqwest's TLS backend to rustls instead of relying on the crate's `default-tls` feature, which can vary across platforms. This aligns with CLAUDE.md's secure-defaults ethos by:
- Keeping the TLS stack pure Rust (hyper-rustls + tokio-rustls + rustls-platform-verifier) on every platform instead of SecureTransport on macOS / schannel on Windows.
- Dropping the platform-specific `system-configuration` (macOS) and `windows-registry` (Windows) transitive dependencies, shrinking the dep graph and making builds more reproducible across CI runners.
- Preserving existing functionality by explicitly enabling the `charset` and `http2` features that were previously pulled in via `default-tls`, alongside the already-used `json` and `stream`.
reqwest 0.13 renamed its old `rustls-tls` feature to `rustls`, so the feature is spelled `rustls` in the Cargo.toml entry.
Closes audit entry F-005 from #3.
Pull request overview
Pins reqwest away from default TLS settings toward a rustls-based configuration to address audit finding F-005 (#3) and reduce reliance on platform TLS stacks.
Changes:
- Update `reqwest` dependency to disable default features and explicitly enable rustls + selected HTTP features.
- Refresh `Cargo.lock` to reflect the new dependency graph (dropping `system-configuration`/`windows-registry`).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| Cargo.toml | Disables reqwest default features and opts into rustls-related feature set. |
| Cargo.lock | Removes native-tls-related transitive crates and records the updated TLS/cert verification dependency set. |
| # HTTP client | ||
| reqwest = { version = "0.13", features = ["json", "stream"] } | ||
| reqwest = { version = "0.13", default-features = false, features = ["rustls", "charset", "http2", "json", "stream"] } |
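Review bot: `default-features = false` on this entry only switches off reqwest's defaults for the dependency declared here; Cargo unifies features across the whole graph, so any other crate in the tree that depends on reqwest with its default features (or with the native backend feature) re-enables `default-tls`, and the `system-configuration`/`windows-registry` crates the description says were dropped come straight back on the next `cargo update`. Suggest backing the pin with a CI check, e.g. `cargo tree -i system-configuration` and `cargo tree -i windows-registry` expected to report nothing, or reviewing `cargo tree -e features -i reqwest`, so a future dependency bump cannot silently undo F-005.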
The PR title/summary says “pin reqwest to rustls-tls”, but the dependency is configured with the rustls feature. With the current feature set, Cargo.lock shows reqwest pulling in rustls-platform-verifier which in turn depends on platform-specific crates like security-framework/schannel and openssl-probe. If the goal is to avoid native/platform TLS/cert-store dependencies, consider switching to the more explicit reqwest rustls TLS feature that uses bundled roots (e.g., the rustls-tls-webpki-roots-style feature in reqwest), or update the PR description/title to match the chosen approach.
Summary
chore(deps): pin reqwest to rustls-tls.
Audit context
Closes audit entry F-005 from #3.
Verification
cargo fmt --check
cargo clippy --all-targets --all-features -- -D warnings
cargo test --all-targets
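The verification commands above confirm formatting, lints and tests but not whether the TLS pin survives Cargo feature unification on later dependency bumps. Here is an added example, not part of this PR or the project, of a small POSIX sh guard that fails CI if Cargo.lock regains the native/platform TLS crates the description says were dropped, or if the reqwest manifest entry loses `default-features = false` or the `rustls` feature; the forbidden crate list, file names and sample fragments are assumptions.

```shell
#!/bin/sh
# Added example, not part of this PR: a CI guard that fails when Cargo.lock
# regains the native/platform TLS crates the PR drops. Cargo unifies features
# across the whole graph, so another dependency that asks for reqwest's defaults
# can quietly bring default-tls back even though this manifest says
# default-features = false. The crate list below is an assumption from the PR thread.

FORBIDDEN_CRATES="native-tls system-configuration windows-registry schannel security-framework"

# check_lock LOCKFILE: report every forbidden crate present; return 1 if any.
check_lock() {
    found=0
    for crate in $FORBIDDEN_CRATES; do
        # Each Cargo.lock [[package]] entry carries a line: name = "<crate>"
        if grep -q "^name = \"$crate\"\$" "$1"; then
            echo "forbidden crate in $1: $crate" >&2
            found=1
        fi
    done
    return "$found"
}

# check_manifest CARGO_TOML: the reqwest entry must opt out of default features
# (which is where the TLS backend is chosen) and name the rustls feature.
check_manifest() {
    line=$(grep '^reqwest *=' "$1") || { echo "no reqwest entry in $1" >&2; return 1; }
    norm=$(printf '%s' "$line" | tr -d ' ')
    case "$norm" in
        *default-features=false*) ;;
        *) echo "reqwest keeps default features (default-tls): $line" >&2; return 1 ;;
    esac
    case "$norm" in
        *\"rustls\"*) return 0 ;;
        *) echo "reqwest does not enable the rustls feature: $line" >&2; return 1 ;;
    esac
}

# write_samples DIR: constructed manifest/lockfile fragments (versions are
# placeholders) so the guard can be exercised offline.
write_samples() {
    printf 'reqwest = { version = "0.13", default-features = false, features = ["rustls", "json"] }\n' > "$1/good.toml"
    printf 'reqwest = { version = "0.13", features = ["json", "stream"] }\n' > "$1/bad.toml"
    printf '[[package]]\nname = "rustls"\nversion = "0.0.0"\n' > "$1/good.lock"
    printf '[[package]]\nname = "native-tls"\nversion = "0.0.0"\n\n[[package]]\nname = "system-configuration"\nversion = "0.0.0"\n' > "$1/bad.lock"
}

# Usage in CI: sh tls_guard.sh Cargo.toml Cargo.lock
if [ "$#" -eq 2 ]; then check_manifest "$1" && check_lock "$2" && echo "TLS pin intact"; fi
```

Run it against the real Cargo.toml and Cargo.lock as a CI step after `cargo update`, so a dependency that re-enables reqwest's defaults is caught before merge.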