Findings addressed:
- VP_INSECURE_TLS=0 / false / empty used to enable insecure TLS
because the check was `var_os().is_some()`. Now requires a truthy
value (1/true/yes/on, case-insensitive). Matches user mental model
and avoids a security footgun.
- extract_pem_cert_blocks was greedy: an orphan BEGIN followed by a
valid cert produced one bogus merged block and lost the valid one.
Now detects an intervening BEGIN before the next END and skips past
the orphan, recovering the legitimate cert.
- vite_error::Error::Reqwest and vite_js_runtime::Error::Reqwest were
#[error(transparent)] — Display fell through to reqwest, which only
shows the top-level message. The full source chain (TLS handshake →
UnknownIssuer, hyper IO) was lost for every error propagated via
`?` from `HttpClient::get` (vite_install path) and from the body-
streaming loop in `download_file`. Both now use
vite_shared::format_error_chain via #[error("{}", ...)] — From and
source() semantics intact, so 404 detection via e.status() still
works.
- build_client used std::process::exit(1) inside OnceLock::get_or_init
from a tokio worker — skipped Drop, leaked lockfiles/tempfiles, and
killed an embedding NAPI Node host from native code. Now caches
Result<Client, String> in the OnceLock and panics with the chain
message; subsequent callers see the same cached failure rather than
re-running build_client. The error message uses format_error_chain
rather than reqwest's top-level Display.
- Shared client had no timeout or connect_timeout — one stuck stream
could block every concurrent download through the shared HTTP/2
connection. Added 30s connect / 2 min request timeouts.
- format_error_chain now caps recursion depth at 16 (guards against
cyclic source chains) and skips a source whose Display is already
contained in the accumulated message (de-dupes when a parent
thiserror variant inlines its `#[from]` source via `{0}`).
- CI sfw step: ${{ matrix.vp_bin }} quoted in shell context.

vite_error gains a vite_shared dep (no cycle — vite_shared does not
depend on vite_error). Tests added for is_env_truthy, the orphan-
BEGIN recovery path, and the format_error_chain depth/dedup behavior.
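
The first two findings above (the truthy check for VP_INSECURE_TLS and the orphan-BEGIN recovery), sketched as an added Rust example. This is not the commit's code: the function names, the `Option<&str>` stand-in for the environment lookup, and the sample PEM input are assumptions constructed for illustration.

```rust
// Added illustration, not the project's implementation.
const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

/// Old behaviour described above: any set value, even "0" or "", enabled insecure TLS.
fn enabled_if_set(value: Option<&str>) -> bool {
    value.is_some()
}

/// Hardened check: only 1/true/yes/on (case-insensitive) enable the override.
fn enabled_if_truthy(value: Option<&str>) -> bool {
    value.map_or(false, |v| {
        matches!(v.to_ascii_lowercase().as_str(), "1" | "true" | "yes" | "on")
    })
}

/// Returns every complete BEGIN..END block, skipping an orphan BEGIN
/// (one followed by another BEGIN before any END).
fn extract_cert_blocks(input: &str) -> Vec<&str> {
    let mut blocks = Vec::new();
    let mut pos = 0;
    while let Some(rel) = input[pos..].find(BEGIN) {
        let start = pos + rel;
        let body = start + BEGIN.len();
        let end_rel = match input[body..].find(END) {
            Some(i) => i,
            None => break, // no END left: nothing more to recover
        };
        match input[body..].find(BEGIN) {
            // Orphan: resume scanning at the later BEGIN.
            Some(next) if next < end_rel => pos = body + next,
            _ => {
                let stop = body + end_rel + END.len();
                blocks.push(&input[start..stop]);
                pos = stop;
            }
        }
    }
    blocks
}

fn main() {
    // Constructed input: the base64 bodies are placeholders, not real certificates.
    let input = format!("{0}\nb3JwaGFu\n{0}\ndmFsaWQ=\n{1}\n", BEGIN, END);
    println!("blocks recovered: {}", extract_cert_blocks(&input).len());
    let value = Some("0"); // stands in for the environment variable's value
    println!("old: {}, new: {}", enabled_if_set(value), enabled_if_truthy(value));
}
```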