Update Reqwest to 0.13.1 #17543

Open
salmonsd wants to merge 67 commits into astral-sh:main from salmonsd:update-reqwest-tls

@salmonsd salmonsd commented Jan 16, 2026

Summary

This PR improves the TLS experience by upgrading reqwest to 0.13.1 via #17427

It adds support for three TLS backends via a new hidden --tls-backend flag:

  • rustls-webpki — bundled Mozilla roots from webpki-root-certs (default)
  • rustls — platform/system verifier via rustls-platform-verifier
  • native-tls — native system TLS stack

Custom certificates from SSL_CERT_FILE/SSL_CERT_DIR are merged unconditionally into the root store across all backends using reqwest::tls_merge_certs(), ensuring consistent support in corporate or CI setups without backend-specific gating.

The --native-tls flag and UV_NATIVE_TLS env var are retained for compatibility, mapping to the native-tls backend.

Motivation

reqwest 0.13.1 defaults to rustls as its TLS backend w/ platform verification and removes built-in webpki-roots, and moves its default crypto provider to aws-lc instead of ring (increasing the number of cert signature algos supported) to improve TLS experience.

Changes

  • Dependency updates

  • TLS backend selection

    • Hidden --tls-backend flag: rustls-webpki | rustls | native-tls
    • --native-tls preserved (with explicit conflict handling)
    • UV_NATIVE_TLS env var maps to native-tls backend
    • Default: rustls-webpki
  • Certificate handling

    • Load base roots via webpki-root-certs
    • Use reqwest::tls_certs_only to initialize the root store with bundled certs
    • Merge custom certs from SSL_CERT_FILE/SSL_CERT_DIR using tls_merge_certs
    • Merging is applied unconditionally (no backend gating)
    • Reuses reqwest's certificate merging machinery → avoids custom root store or TLS config management
  • Refactoring & cleanup

    • Centralized logic in uv-client/base_client.rs and uv-client/ssl_certs.rs
    • Removed dead test code
    • Added accept-encoding: identity in registry_client.rs where required
  • Documentation

    • Updated certificates.md:
      • Describes new backends + default
      • Recommends usage patterns (e.g. rustls-webpki for consistency, native-tls for proxies)
      • Explains SSL_CERT_* behavior and migration notes
  • Testing

    • 7 new/expanded tests in uv-client/tests/ssl_certs.rs (loading, precedence, all backends)
    • Updated nextest.toml with SSL test profile override
    • Refreshed subcommand snapshots

Trade-offs & Future Work

  • Using webpki-root-certs + tls_certs_only + tls_merge_certs keeps maintenance low and avoids re-implementing root store logic
  • Manual merging adds control and reduces risk of drift from reqwest internals
  • --native-tls retained for smooth transition; long-term plan is deprecation
  • Planned follow-ups:
    • Promote --tls-backend to visible/stable
    • Introduce --system-certs / --no-system-certs aliases (preview)
    • Switch default to rustls (platform verifier) in a future breaking release
    • Deprecate --native-tls and UV_NATIVE_TLS
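
The merge behaviour described in this PR (bundled roots first, then certificates from SSL_CERT_FILE/SSL_CERT_DIR added on top regardless of backend) can be modelled with the standard library alone. This is an added example, not code from the PR or from reqwest; `pem_cert_bodies` and `merge_roots` are hypothetical names, and de-duplicating by base64 body is an assumption of the sketch.

```rust
use std::collections::HashSet;

const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

/// Return the base64 body of every complete CERTIFICATE block in a PEM text.
/// Other PEM types (keys, CRLs) and unterminated blocks are skipped.
fn pem_cert_bodies(pem: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut current: Option<String> = None;
    for line in pem.lines().map(str::trim) {
        if line == BEGIN {
            current = Some(String::new()); // drops any block left unterminated
        } else if line == END {
            match current.take() {
                Some(body) if !body.is_empty() => out.push(body),
                _ => {}
            }
        } else if line.starts_with("-----") {
            current = None; // boundary of some other PEM type
        } else if let Some(body) = current.as_mut() {
            body.push_str(line); // re-joins wrapped base64 so line width is irrelevant
        }
    }
    out
}

/// Start from the bundled roots and append every custom certificate not
/// already present, whichever backend is selected (hypothetical helper).
fn merge_roots(bundled: &[String], custom_sources: &[&str]) -> Vec<String> {
    let mut seen: HashSet<String> = bundled.iter().cloned().collect();
    let mut roots = bundled.to_vec();
    for body in custom_sources.iter().flat_map(|s| pem_cert_bodies(s)) {
        if seen.insert(body.clone()) {
            roots.push(body);
        }
    }
    roots
}

fn main() {
    // Constructed sample data: placeholder base64, not real certificates.
    let bundled = vec!["QUFB".to_string()];
    let cert_file = "-----BEGIN CERTIFICATE-----\nQkJC\nQ0ND\n-----END CERTIFICATE-----\n";
    let cert_dir_entry = "-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----\n\
                          -----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n";
    let roots = merge_roots(&bundled, &[cert_file, cert_dir_entry]);
    println!("{} roots after merge", roots.len());
}
```

A private key or truncated certificate left in the custom certificate directory is ignored rather than added to the trust set, and a certificate that is already bundled is not added twice.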

@zanieb zanieb self-assigned this Jan 16, 2026
@salmonsd
Author

Will work on failing tests (apologies)

@musicinmybrain
Contributor

We can now also update reqsign to 0.19.0, apache/opendal-reqsign@v0.18.1...v0.19.0, which will remove another user of reqwest 0.12 from the dependency tree.

@salmonsd
Author

> We can now also update reqsign to 0.19.0, apache/opendal-reqsign@v0.18.1...v0.19.0, which will remove another user of reqwest 0.12 from the dependency tree.

thanks @musicinmybrain, was waiting for the official release!

Only thing to watch for is axoupdater and the update to axoasset (issue here) to also use reqwest 0.13 to be completely resolved.

@salmonsd
Author

Hey @zanieb, wanted to check-in and see if y'all have a plan for this or if there's anything I can do to help to get this implemented?

@zanieb zanieb mentioned this pull request Feb 4, 2026
@konstin
Member

konstin commented Feb 9, 2026

All dependency updates are merged and published.

@salmonsd
Author

rebased onto uv 0.10.1 and this commit: 976a368

will work to implement these suggestions: #17543 (comment)

Comment on lines +1138 to +1142
// Specify identity encoding to prevent double compression from async_http_range_reader and reqwest
headers.insert(
reqwest::header::ACCEPT_ENCODING,
reqwest::header::HeaderValue::from_static("identity"),
);
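
Review bot: The comment above `headers.insert(...)` says the `identity` value prevents double compression between async_http_range_reader and reqwest, but it does not say which side now enables compression or why the range reader needs the bytes uncompressed; one more sentence there would help whoever next touches these headers. Note also that `insert` replaces any `Accept-Encoding` value already present in `headers`, so please confirm that overriding it is intended for every request built from this map and not only for range requests.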

use tracing::debug;

use uv_client::{BaseClientBuilder, WrappedReqwestError};
use uv_client::BaseClientBuilder;
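
Review bot: Dropping `WrappedReqwestError` from the `uv_client` import leaves no record in the code of why it went away; since the author's comment ties the removal to axoupdater still being on an older reqwest, a TODO next to the import naming that dependency would make it easy to restore once axoupdater and axoasset move to reqwest 0.13. Only the import change is visible here, so please also confirm that the error path which used this type still reports a useful message.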
@salmonsd salmonsd Feb 18, 2026

This removal is related to axoupdater (and dependent axoasset) on an older version of reqwest.

Related:

@salmonsd salmonsd requested review from konstin and zanieb February 18, 2026 04:00
@konstin
Member

konstin commented Feb 19, 2026

CI is currently failing because we introduced an openssl dependency.

@konstin konstin added the enhancement New feature or improvement to existing functionality label Feb 19, 2026
@zanieb zanieb force-pushed the update-reqwest-tls branch from 9ab78c4 to 6aecc7d Compare March 17, 2026 17:22
zanieb added a commit that referenced this pull request Mar 17, 2026
@codspeed-hq

codspeed-hq bot commented Mar 17, 2026

Merging this PR will not alter performance

❌ 1 regressed benchmark
✅ 4 untouched benchmarks

⚠️ Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

Mode Benchmark BASE HEAD Efficiency
WallTime resolve_warm_jupyter_universal 142.3 ms 146.7 ms -3.05%

Comparing salmonsd:update-reqwest-tls (fa1fd36) with main (7b3170d)


Labels

  • build:release: Enable building release binaries for a pull request
  • enhancement: New feature or improvement to existing functionality
  • test:extended: Enable extended tests for a pull request
