feat(bundler/cli): Add feature flag to use system certificates#24
| .map(|cdn| { | ||
| cdn.to_string() | ||
| }) |
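Review bot: in `.map(|cdn| { cdn.to_string() })` the closure only stringifies `cdn`, so every caller gets the same base URL regardless of which asset was requested. If that is not intended, keep the step that sets the path on `cdn` before `to_string()`, and add a unit test asserting the full mirror URL for a sample GitHub asset URL so a dropped path is caught in CI.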
🔴 GitHub mirror URL no longer includes the original URL path
The generate_github_mirror_url_from_base function no longer uses its github_url parameter, causing GitHub mirror downloads to fail.
Root Cause
The original code appended the GitHub URL to the mirror base URL:

    .map(|mut cdn| {
        cdn.set_path(github_url);
        cdn.to_string()
    })

The new code just returns the CDN base URL without the path:

    .map(|cdn| {
        cdn.to_string()
    })

Impact
When TAURI_BUNDLER_TOOLS_GITHUB_MIRROR is set, all GitHub asset downloads will request the mirror's base URL instead of the correct mirrored asset path. For example, if the mirror is https://mirror.example.com/ and the asset URL is https://github.com/owner/repo/releases/download/v1.0/file.zip, the request will go to https://mirror.example.com/ instead of https://mirror.example.com/https://github.com/owner/repo/releases/download/v1.0/file.zip.
This will cause download failures or incorrect files being downloaded for users relying on GitHub mirrors.
Recommendation: Restore the cdn.set_path(github_url); call to properly construct the mirror URL with the original GitHub URL path.
| let response = ureq::get(url).call().map_err(Box::new)?; | ||
| let mut bytes = Vec::new(); | ||
| response.into_body().into_reader().read_to_end(&mut bytes)?; | ||
| std::fs::write(&file_path, bytes)?; |
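Review bot: `read_to_end(&mut bytes)` followed by `std::fs::write(&file_path, bytes)` buffers the entire installer in memory, and nothing in these lines bounds the response size. Consider streaming the reader into the file with `std::io::copy`, or enforcing a maximum length before writing.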
🔴 WebView2 offline installer download bypasses platform certificates and proxy settings
The download_webview2_offline_installer function uses ureq::get(url) directly instead of using base_ureq_agent() or the download() helper, bypassing the platform certificate and proxy configuration.
Root Cause
The code was changed from:

    std::fs::write(&file_path, download(url)?)?;

To:

    let response = ureq::get(url).call().map_err(Box::new)?;
    let mut bytes = Vec::new();
    response.into_body().into_reader().read_to_end(&mut bytes)?;
    std::fs::write(&file_path, bytes)?;

The new code calls ureq::get(url) directly, which creates a default agent without:
- Platform certificate verification (the main feature this PR adds)
- Proxy settings from environment variables
Impact
Users who need platform certificates for TLS verification (e.g., in corporate environments with custom CA certificates) will experience TLS errors when downloading the WebView2 offline installer, even though the platform-certs feature is enabled. This defeats the purpose of the PR for this specific download.
Recommendation: Replace the direct ureq::get(url) call with the existing download(url)? helper function or use base_ureq_agent() to ensure platform certificates and proxy settings are used.
Benchmark PR from qodo-benchmark#172