You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on May 14, 2026. It is now read-only.
#490 added a for_installs_strict_ssl_false_relaxes_verification unit test that asserts the client builds with strict_ssl: Some(false) but doesn't actually verify the request-time behavior — danger_accept_invalid_certs(true) is a builder toggle, and mockito only speaks HTTP, so there's no live-traffic counterpart that proves a self-signed cert is accepted (or rejected with strict_ssl: Some(true)).
A real integration test would:
Stand up a TLS-capable mock server with a self-signed cert. wiremock-rs with rustls support is a candidate; axum + axum-server with RustlsConfig is another. Either way the test needs to depend on rustls-pemfile or similar to load a fixture cert into the server.
The reqwest client built by ThrottledClient::for_installs would route directly (no proxy), so the integration test exercises apply_tls's danger_accept_invalid_certs branch end-to-end.
What to do
Pick a TLS-mock harness. Candidates: wiremock (rustls feature), axum + tokio-rustls, or a hand-rolled tokio::TcpListener + tokio_native_tls::TlsAcceptor. Prefer one that's already in the workspace dep tree or close to it.
Generate a fixture self-signed cert + key in crates/network/tests/fixtures/ (the existing test-ca.pem is cert-only; would need a matching test-server.{crt,key} pair).
Add a #[tokio::test] that stands the server up on a random port and exercises both strict_ssl branches.
Make the test conditional on the harness being available — if the dep is heavy, gate behind a feature flag or #[ignore] with a doc comment explaining how to run.
Out of scope
Mocking the full pnpm tarball-download surface. This is a TLS-handshake test, not a registry test.
Background
#490 added a
for_installs_strict_ssl_false_relaxes_verificationunit test that asserts the client builds withstrict_ssl: Some(false)but doesn't actually verify the request-time behavior —danger_accept_invalid_certs(true)is a builder toggle, and mockito only speaks HTTP, so there's no live-traffic counterpart that proves a self-signed cert is accepted (or rejected withstrict_ssl: Some(true)).A real integration test would:
wiremock-rswith rustls support is a candidate;axum+axum-serverwithRustlsConfigis another. Either way the test needs to depend onrustls-pemfileor similar to load a fixture cert into the server.strict_ssl: Some(false)→ expect 2xxstrict_ssl: Some(true)(or unset) → expect TLS handshake failureThrottledClient::for_installswould route directly (no proxy), so the integration test exercisesapply_tls'sdanger_accept_invalid_certsbranch end-to-end.What to do
wiremock(rustls feature),axum+tokio-rustls, or a hand-rolledtokio::TcpListener+tokio_native_tls::TlsAcceptor. Prefer one that's already in the workspace dep tree or close to it.crates/network/tests/fixtures/(the existingtest-ca.pemis cert-only; would need a matchingtest-server.{crt,key}pair).#[tokio::test]that stands the server up on a random port and exercises bothstrict_sslbranches.#[ignore]with a doc comment explaining how to run.Out of scope
References
for_installs_strict_ssl_false_relaxes_verificationincrates/network/src/tests.rs)Written by an agent (Claude Code, claude-opus-4-7).