Turbopack: Update reqwest, remove experimental system TLS feature

[bgw]

I added this as an option in #81818 as a solution for users with corporate firewalls that MITM TLS traffic.

Reqwest 0.13.x now uses rustls-platform-verifier by default, which doesn't have the tradeoffs that rustls-native-certs had. We should now pick up and work with system certs by default, and we no longer depend on shipping our own blob of trusted PKI roots! (though wasmer still pulls this in...)

This PR was generated with Opus + OpenCode, but there was a ton of manual iteration to get it working on CI.

TLS Provider

reqwest now defaults to aws-lc-rs instead of ring. This causes a few problems:

• On Windows, this requires cmake and NASM. There's a prebuilt NASM blob we can use, but it still appears to need cmake. We could install this in CI, but I don't want to make Windows development any more complicated than it already is.
• On Linux, there are issues with it picking up the wrong glibc version in our CI: Build fails when building with Yocto SDK aws/aws-lc-rs#673

We just use this for fetching Google Fonts, so it's not worth it: Fall back to using ring on these platforms.

CI Testing

Manually triggered a build-and-release job so that it tries to build for the whole platform matrix: https://github.com/vercel/next.js/actions/runs/20936098900

Manual Testing

Followed the test plan in #81818

[nextjs-bot]

Allow CI Workflow Run

• approve CI run for commit: 8746603

Note: this should only be enabled once the PR is ready to go and can only be enabled by a maintainer

[bgw]

• Turbopack: Update reqwest, remove experimental system TLS feature #88290 👈 (View in Graphite)
• canary

This stack of pull requests is managed by Graphite. Learn more about stacking.

[nextjs-bot]

Tests Passed

[nextjs-bot]

Stats from current PR

✅ No significant changes detected

📊 All Metrics

📖 Metrics Glossary

Dev Server Metrics:

• Listen = TCP port starts accepting connections
• First Request = HTTP server returns successful response
• Cold = Fresh build (no cache)
• Warm = With cached build artifacts

Build Metrics:

• Fresh = Clean build (no .next directory)
• Cached = With existing .next directory

Change Thresholds:

• Time: Changes < 50ms AND < 10%, OR < 2% are insignificant
• Size: Changes < 1KB AND < 1% are insignificant
• All other changes are flagged to catch regressions

⚡ Dev Server

Metric	Canary	PR	Change	Trend
Cold (Listen)	456ms	455ms	✓	▁▁█▁▁
Cold (Ready in log)	437ms	437ms	✓	▁▁▃▆▆
Cold (First Request)	1.142s	1.182s	✓	▁▁▁██
Warm (Listen)	457ms	456ms	✓	▁▁█▁▁
Warm (Ready in log)	441ms	440ms	✓	▂▁▆▁▁
Warm (First Request)	337ms	338ms	✓	▄▁▆▁█

📦 Dev Server (Webpack) (Legacy)

📦 Dev Server (Webpack)

Metric	Canary	PR	Change	Trend
Cold (Listen)	455ms	456ms	✓	▁▁▁▁▅
Cold (Ready in log)	448ms	447ms	✓	▆▆▆▆▆
Cold (First Request)	1.853s	1.823s	✓	▄▅▅▄▅
Warm (Listen)	455ms	455ms	✓	███▁█
Warm (Ready in log)	446ms	450ms	✓	███▇▇
Warm (First Request)	1.853s	1.855s	✓	▅▅▆▅▅

⚡ Production Builds

Metric	Canary	PR	Change	Trend
Fresh Build	4.041s	4.045s	✓	▂▂▄▁▁
Cached Build	4.076s	4.046s	✓	▂▂▄▁▂

📦 Production Builds (Webpack) (Legacy)

📦 Production Builds (Webpack)

Metric	Canary	PR	Change	Trend
Fresh Build	14.159s	14.226s	✓	▁▁▂▁▂
Cached Build	14.193s	14.240s	✓	▁▁▃▁▂
node_modules Size	458 MB	458 MB	✓	▁▁▁▁▁

📦 Bundle Sizes

Bundle Sizes

⚡ Turbopack

Client

Main Bundles: **431 kB** → **431 kB** ✅ -16 B

82 files with content-based hashes (individual files not comparable between builds)

Server

Middleware

	Canary	PR	Change
middleware-b..fest.js gzip	787 B	791 B	✓
Total	787 B	791 B	⚠️ +4 B

Build Details

Build Manifests

	Canary	PR	Change
_buildManifest.js gzip	451 B	450 B	✓
Total	451 B	450 B	✅ -1 B

📦 Webpack

Client

Main Bundles

	Canary	PR	Change
2086.HASH.js gzip	169 B	N/A	-
2161-HASH.js gzip	5.41 kB	N/A	-
2747-HASH.js gzip	4.48 kB	N/A	-
4322-HASH.js gzip	52.8 kB	N/A	-
ec793fe8-HASH.js gzip	62.3 kB	N/A	-
framework-HASH.js gzip	59.8 kB	59.8 kB	✓
main-app-HASH.js gzip	252 B	254 B	✓
main-HASH.js gzip	38.6 kB	39 kB	✓
webpack-HASH.js gzip	1.68 kB	1.68 kB	✓
1596.HASH.js gzip	N/A	169 B	-
2658-HASH.js gzip	N/A	52.7 kB	-
6349-HASH.js gzip	N/A	4.46 kB	-
7019-HASH.js gzip	N/A	5.43 kB	-
b17a3386-HASH.js gzip	N/A	62.3 kB	-
Total	225 kB	226 kB	⚠️ +244 B

Polyfills

	Canary	PR	Change
polyfills-HASH.js gzip	39.4 kB	39.4 kB	✓
Total	39.4 kB	39.4 kB	✓

Pages

	Canary	PR	Change
_app-HASH.js gzip	194 B	193 B	✓
_error-HASH.js gzip	182 B	182 B	✓
css-HASH.js gzip	336 B	335 B	✓
dynamic-HASH.js gzip	1.8 kB	1.8 kB	✓
edge-ssr-HASH.js gzip	256 B	256 B	✓
head-HASH.js gzip	352 B	349 B	✓
hooks-HASH.js gzip	385 B	384 B	✓
image-HASH.js gzip	580 B	580 B	✓
index-HASH.js gzip	259 B	258 B	✓
link-HASH.js gzip	2.5 kB	2.51 kB	✓
routerDirect..HASH.js gzip	319 B	317 B	✓
script-HASH.js gzip	385 B	387 B	✓
withRouter-HASH.js gzip	316 B	315 B	✓
1afbb74e6ecf..834.css gzip	106 B	106 B	✓
Total	7.97 kB	7.96 kB	✅ -8 B

Server

Edge SSR

	Canary	PR	Change
edge-ssr.js gzip	125 kB	125 kB	✓
page.js gzip	242 kB	242 kB	✓
Total	367 kB	367 kB	⚠️ +170 B

Middleware

	Canary	PR	Change
middleware-b..fest.js gzip	656 B	654 B	✓
middleware-r..fest.js gzip	155 B	156 B	✓
middleware.js gzip	33.1 kB	33.2 kB	✓
edge-runtime..pack.js gzip	842 B	842 B	✓
Total	34.8 kB	34.9 kB	⚠️ +124 B

Build Details

Build Manifests

	Canary	PR	Change
_buildManifest.js gzip	738 B	738 B	✓
Total	738 B	738 B	✓

Build Cache

	Canary	PR	Change
0.pack gzip	3.67 MB	3.67 MB	🔴 +5.2 kB (+0%)
index.pack gzip	99.3 kB	100 kB	🔴 +1.02 kB (+1%)
index.pack.old gzip	99.8 kB	99 kB	✓
Total	3.87 MB	3.87 MB	⚠️ +5.45 kB

🔄 Shared (bundler-independent)

Runtimes

	Canary	PR	Change
app-page-exp...dev.js gzip	304 kB	304 kB	✓
app-page-exp..prod.js gzip	158 kB	158 kB	✓
app-page-tur...dev.js gzip	304 kB	304 kB	✓
app-page-tur..prod.js gzip	158 kB	158 kB	✓
app-page-tur...dev.js gzip	300 kB	300 kB	✓
app-page-tur..prod.js gzip	156 kB	156 kB	✓
app-page.run...dev.js gzip	301 kB	301 kB	✓
app-page.run..prod.js gzip	156 kB	156 kB	✓
app-route-ex...dev.js gzip	68.9 kB	68.9 kB	✓
app-route-ex..prod.js gzip	47.7 kB	47.7 kB	✓
app-route-tu...dev.js gzip	68.9 kB	68.9 kB	✓
app-route-tu..prod.js gzip	47.7 kB	47.7 kB	✓
app-route-tu...dev.js gzip	68.5 kB	68.5 kB	✓
app-route-tu..prod.js gzip	47.4 kB	47.4 kB	✓
app-route.ru...dev.js gzip	68.5 kB	68.5 kB	✓
app-route.ru..prod.js gzip	47.4 kB	47.4 kB	✓
dist_client_...dev.js gzip	324 B	324 B	✓
dist_client_...dev.js gzip	326 B	326 B	✓
dist_client_...dev.js gzip	318 B	318 B	✓
dist_client_...dev.js gzip	317 B	317 B	✓
pages-api-tu...dev.js gzip	41.2 kB	41.2 kB	✓
pages-api-tu..prod.js gzip	31.3 kB	31.3 kB	✓
pages-api.ru...dev.js gzip	41.2 kB	41.2 kB	✓
pages-api.ru..prod.js gzip	31.3 kB	31.3 kB	✓
pages-turbo....dev.js gzip	51 kB	51 kB	✓
pages-turbo...prod.js gzip	38.3 kB	38.3 kB	✓
pages.runtim...dev.js gzip	50.9 kB	50.9 kB	✓
pages.runtim..prod.js gzip	38.3 kB	38.3 kB	✓
server.runti..prod.js gzip	62.3 kB	62.3 kB	✓
Total	2.69 MB	2.69 MB	⚠️ +1 B

[codspeed-hq]

CodSpeed Performance Report

Merging this PR will not alter performance

_{Comparing bgw/rm-experimental-system-tls (fd71f7e) with canary (0daf2b5)}

Summary

✅ 17 untouched benchmarks
⏩ 3 skipped benchmarks¹

Footnotes

1. 3 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩