
fix(deps): update reqwest to 0.13#348

Merged
jdx merged 1 commit into
mainfrom
fix/reqwest-0.13
Apr 11, 2026

Conversation

@jdx

@jdx jdx commented Apr 11, 2026

Owner

Summary

  • Updates reqwest from 0.12 to 0.13
  • Fixes feature flag rename: rustls-tls-native-roots-no-provider → rustls-native-certs + rustls-no-provider
  • All 400 tests pass

Closes #333

Test plan

  • cargo build succeeds
  • cargo nextest run — 400 passed, 0 failed
  • Verified hyper-rustls ring override still applies

🤖 Generated with Claude Code


Note

Medium Risk
Dependency upgrade changes TLS/certificate verification feature flags and pulls in new platform-specific cert verifier crates, which could affect HTTPS behavior across OSes.

Overview
Updates reqwest from 0.12 to 0.13 and adjusts its TLS feature flags from rustls-tls-native-roots-no-provider to rustls-native-certs + rustls-no-provider.

Refreshes Cargo.lock accordingly, adding new transitive dependencies (notably rustls-platform-verifier and related Android/JNI and Windows target crates) and updating hyper-rustls’s dependency set.

Reviewed by Cursor Bugbot for commit 756ac71. Bugbot is set up for automated code reviews on this repo. Configure here.

reqwest 0.13 renamed TLS feature flags. The old
`rustls-tls-native-roots-no-provider` is now split into
`rustls-native-certs` + `rustls-no-provider`.

Closes #333

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@socket-security


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
| --- | --- | --- |
| Warn | High | License policy violation: cargo webpki-root-certs under CDLA-Permissive-2.0 |

License: CDLA-Permissive-2.0 - The applicable license policy does not permit this license (5) (webpki-root-certs-1.0.6/Cargo.toml)

License: CDLA-Permissive-2.0 - The applicable license policy does not permit this license (5) (webpki-root-certs-1.0.6/LICENSE)

From: cargo/webpki-root-certs@1.0.6

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/webpki-root-certs@1.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request upgrades the reqwest dependency from version 0.12 to 0.13 and updates the Cargo.lock file accordingly, introducing several new dependencies including rustls-platform-verifier and jni. Feedback suggests that for reqwest 0.13, it is more idiomatic to use the rustls-tls-native-roots feature instead of rustls-native-certs to leverage the more robust system trust store integration provided by the rustls-platform-verifier crate.

Comment thread Cargo.toml
reqwest = { version = "0.12", default-features = false, features = [
"rustls-tls-native-roots-no-provider",
reqwest = { version = "0.13", default-features = false, features = [
"rustls-native-certs",
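Review bot: `rustls-no-provider` moves crypto-provider selection out of this Cargo.toml and into application code, so nothing in this hunk guarantees a provider is installed before the first client is built; add a comment on that feature line naming the `rustls::crypto::ring::default_provider().install_default()` call in src/main.rs that satisfies it, so a later refactor of main.rs cannot silently break every HTTPS request, and keep the existing hyper-rustls ring override noted next to it. The same comment should say why `rustls-native-certs` was chosen over `rustls-tls-native-roots` (the platform-verifier path raised in the review below), since that choice decides which trust-store integration verifies every TLS connection.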


medium

In reqwest 0.13, the rustls-tls-native-roots feature is the direct successor to the native roots functionality from 0.12. It now leverages the rustls-platform-verifier crate, which provides more robust integration with system trust stores (especially on Windows and macOS) compared to the older rustls-native-certs crate.

Since your Cargo.lock shows that rustls-platform-verifier is already being included (as it is now a default dependency of the rustls-tls backend in 0.13), switching to rustls-tls-native-roots is more idiomatic for this version and avoids explicitly opting into the legacy crate-based root loading.

Suggested change
"rustls-native-certs",
"rustls-tls-native-roots",

@greptile-apps

greptile-apps Bot commented Apr 11, 2026

Contributor

Greptile Summary

Upgrades reqwest from 0.12 to 0.13, replacing the removed rustls-tls-native-roots-no-provider feature with the two equivalent 0.13 features rustls-native-certs (native OS cert store) and rustls-no-provider (caller installs the crypto provider). The ring provider is already explicitly installed in src/main.rs via rustls::crypto::ring::default_provider().install_default(), and the hyper-rustls ring override in Cargo.toml remains in place, keeping aws-lc-rs out of the dependency tree entirely — the Cargo.lock confirms no aws-lc-rs entries.

Confidence Score: 5/5

Safe to merge — clean dependency upgrade with correct feature flag mapping and no regressions.

The feature flag rename is accurate for reqwest 0.13, ring remains the sole crypto provider (aws-lc-rs is absent from the lock), the explicit provider installation in src/main.rs satisfies rustls-no-provider, and the hyper-rustls ring override is intact. All 400 tests pass. No logic changes outside dependency declarations.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| Cargo.toml | Updates reqwest from 0.12 to 0.13 and renames the TLS feature flags from the removed rustls-tls-native-roots-no-provider to the two replacement features rustls-native-certs and rustls-no-provider; hyper-rustls ring override is preserved. |
| Cargo.lock | Lockfile updated to reqwest 0.13.1; rustls uses ring (no aws-lc-rs in tree); hyper-rustls 0.27.7 resolves without ring as a direct dep (ring comes via rustls), consistent with the Cargo.toml override. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[reqwest 0.13] -->|rustls-native-certs| B[Native OS cert store]
    A -->|rustls-no-provider| C[App installs crypto provider]
    C --> D["ring::default_provider().install_default()\nsrc/main.rs"]
    A --> E[hyper-rustls 0.27]
    E -->|features: ring,http1,http2,tls12| F[rustls 0.23 + ring]
    F --> G[No aws-lc-rs in dep tree]
    B --> H[TLS connections verified\nagainst OS trust store]
```

Reviews (1): Last reviewed commit: "fix(deps): update reqwest to 0.13"

@jdx jdx merged commit e2e8ad3 into main Apr 11, 2026
6 checks passed
@jdx jdx deleted the fix/reqwest-0.13 branch April 11, 2026 13:38
@jdx jdx mentioned this pull request Apr 11, 2026
jdx added a commit that referenced this pull request Apr 12, 2026
## 🤖 New release

* `pitchfork-cli`: 2.5.0 -> 2.6.0

<details><summary><i><b>Changelog</b></i></summary><p>

<blockquote>

## [2.6.0](v2.5.0...v2.6.0) -
2026-04-12

### Added

- *(proxy)* auto start when visiting the proxied URL
([#347](#347))

### Fixed

- some issues related to sudo supervisor
([#323](#323))
- *(port)* should fail when ready_port is in use
([#350](#350))
- *(deps)* update rcgen to 0.14
([#349](#349))
- *(deps)* update reqwest to 0.13
([#348](#348))
- detect port conflicts on loopback addresses, not just 0.0.0.0
([#345](#345))
- narrow REAPED_STATUSES cfg to non-Linux unix only
([#346](#346))
- *(deps)* update rust crate ratatui to 0.30
([#331](#331))
- *(deps)* update rust crate toml to v1
([#344](#344))
- *(deps)* update rust crate strum to 0.28
([#334](#334))
- *(deps)* update rust crate notify-debouncer-full to 0.7
([#330](#330))
- *(deps)* update rust crate nix to 0.31
([#329](#329))
- *(deps)* update rust crate listeners to 0.5
([#328](#328))
- *(deps)* update rust crate sysinfo to 0.38
([#335](#335))
- *(deps)* update rust crate cron to 0.16
([#324](#324))
- *(deps)* update rust crate crossterm to 0.29
([#325](#325))

### Other

- *(deps)* update rust crate rmcp to v1.4.0
([#327](#327))
</blockquote>


</p></details>

---
This PR was generated with
[release-plz](https://github.com/release-plz/release-plz/).

---

> [!NOTE]
> **Low Risk**
> Low risk: this PR only bumps the crate version and updates release
notes, with no runtime code changes.
> 
> **Overview**
> Prepares the `pitchfork-cli` **v2.6.0** release by bumping the package
version from `2.5.0` to `2.6.0` in `Cargo.toml`/`Cargo.lock`.
> 
> Updates `CHANGELOG.md` with the `2.6.0` release notes (proxy
auto-start behavior, several fixes, and dependency updates).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
faea6c5. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
