upd-cli 0.1.4__tar.gz → 0.1.6__tar.gz

{upd_cli-0.1.4 → upd_cli-0.1.6}/CHANGELOG.md

@@ -14,6 +14,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 
+
+
+## [0.1.6](https://github.com/rvben/upd/compare/v0.1.5...v0.1.6) - 2026-04-29
+
+### Added
+
+- **http**: wire TLS init into networked subcommand entry points ([04f7b0d](https://github.com/rvben/upd/commit/04f7b0d6362f32ff2a6212386f310b481bfd7d56))
+- **cli**: add --insecure global flag ([df1943f](https://github.com/rvben/upd/commit/df1943ff53369b0cc0b32401cbbedb1095f07230))
+- **http**: attach TLS hint to send errors via wrap_send_err ([9b1fd2c](https://github.com/rvben/upd/commit/9b1fd2cef7e307a6d3328074a82353a772a5b44c))
+- **http**: apply TLS options to ClientBuilder ([7d8f616](https://github.com/rvben/upd/commit/7d8f6161f5f7be31e829f89ba9aaeb332532229f))
+- **http**: implement init() over pure helpers ([79556c6](https://github.com/rvben/upd/commit/79556c6d5a34cf5eda97e645b4d62c62ad706809))
+- **http**: detect TLS trust failures in error chains ([e63be5d](https://github.com/rvben/upd/commit/e63be5d62cfa82f2a73f3e78e294c65868c53ba7))
+- **http**: parse PEM CA bundle with multi-cert support ([07e3983](https://github.com/rvben/upd/commit/07e3983a9477dad042ea0f5b10ee8efa9382b384))
+- **http**: resolve CA bundle path from env vars ([2bd42ec](https://github.com/rvben/upd/commit/2bd42ec7018094e1daf399af8fb2e7e288e9e206))
+- **http**: scaffold TLS options module ([3f797cc](https://github.com/rvben/upd/commit/3f797cc658298b9b952e566b49d4998a4decfc64))
+
+### Fixed
+
+- **http**: propagate --insecure global flag to self-update ([88b397e](https://github.com/rvben/upd/commit/88b397ee4a169eab94b56247050e8b1814c8ccf3))
+- **http**: defer TLS init past offline and no-op early returns ([41cfb40](https://github.com/rvben/upd/commit/41cfb40f2f72e6090fc0f083c13371c3a4269347))
+- **http**: skip CA bundle resolution when --insecure is set ([8d73e27](https://github.com/rvben/upd/commit/8d73e27aadaa5ac488bbbf7f556476cf9bfaa0e6))
+
+## [0.1.5](https://github.com/rvben/upd/compare/v0.1.4...v0.1.5) - 2026-04-28
+
+### Added
+
+- **audit**: include package names and HTTP body in OSV error diagnostics ([87b9aa8](https://github.com/rvben/upd/commit/87b9aa8d27545abf449461c3c3d096a661fa377f))
+
 ## [0.1.4](https://github.com/rvben/upd/compare/v0.1.3...v0.1.4) - 2026-04-28
 
 ### Added

{upd_cli-0.1.4 → upd_cli-0.1.6}/Cargo.lock

@@ -2024,7 +2024,7 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
 [[package]]
 name = "upd"
-version = "0.1.4"
+version = "0.1.6"
 dependencies = [
  "anyhow",
  "async-trait",

{upd_cli-0.1.4 → upd_cli-0.1.6}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "upd"
-version = "0.1.4"
+version = "0.1.6"
 edition = "2024"
 rust-version = "1.95.0"
 description = "A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects"

{upd_cli-0.1.4 → upd_cli-0.1.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: upd-cli
-Version: 0.1.4
+Version: 0.1.6
 Classifier: Development Status :: 4 - Beta
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers

{upd_cli-0.1.4 → upd_cli-0.1.6}/src/audit/mod.rs

@@ -20,6 +20,35 @@ const BATCH_SIZE: usize = 1000;
 /// Maximum concurrent requests for fetching vulnerability details
 const MAX_CONCURRENT_REQUESTS: usize = 20;
 
+/// Cap for how many bytes of a non-success OSV response body we surface in
+/// an error message. A proxy or CDN can return arbitrarily large HTML error
+/// pages on the failure path, so we bound the read at the network layer
+/// (via `Response::chunk`) rather than buffering the whole body and then
+/// truncating. 1 KiB comfortably fits typical OSV/proxy diagnostics.
+const ERROR_BODY_LIMIT: usize = 1024;
+
+/// Read up to `max` bytes from `response`'s body and return them as a
+/// lossy UTF-8 string. Stops early at the first chunk that fills the cap
+/// so an oversized or slow body cannot stall the call up to the client
+/// timeout or balloon memory beyond `max` bytes.
+async fn read_bounded_body(response: &mut reqwest::Response, max: usize) -> String {
+    let mut buf: Vec<u8> = Vec::with_capacity(max);
+    while buf.len() < max {
+        match response.chunk().await {
+            Ok(Some(chunk)) => {
+                let remaining = max - buf.len();
+                let take = chunk.len().min(remaining);
+                buf.extend_from_slice(&chunk[..take]);
+                if take < chunk.len() {
+                    break;
+                }
+            }
+            Ok(None) | Err(_) => break,
+        }
+    }
+    String::from_utf8_lossy(&buf).into_owned()
+}
+
 /// Ecosystem names for OSV API
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum Ecosystem {
@@ -174,10 +203,11 @@ impl OsvClient {
     /// Create a client pointing at a custom base URL (used by tests).
     pub fn with_base_url(base_url: String) -> Self {
         Self {
-            client: Client::builder()
-                .timeout(Duration::from_secs(30))
-                .build()
-                .expect("Failed to create HTTP client. This usually indicates a TLS/SSL configuration issue on your system."),
+            client: crate::http::apply(
+                Client::builder().timeout(Duration::from_secs(30))
+            )
+            .build()
+            .expect("Failed to create HTTP client. This usually indicates a TLS/SSL configuration issue on your system."),
             base_url,
         }
     }
@@ -273,7 +303,12 @@ impl OsvClient {
                     }
                 }
                 Err(e) => {
-                    result.errors.push(format!("Batch query failed: {}", e));
+                    let pkg_names: Vec<&str> = chunk.iter().map(|p| p.name.as_str()).collect();
+                    result.errors.push(format!(
+                        "Batch query failed for [{}]: {}",
+                        pkg_names.join(", "),
+                        e
+                    ));
                 }
             }
         }
@@ -299,15 +334,23 @@ impl OsvClient {
 
         let request = OsvBatchRequest { queries };
 
-        let response = self
+        let url = format!("{}/querybatch", self.base_url);
+        let mut response = self
             .client
-            .post(format!("{}/querybatch", self.base_url))
+            .post(&url)
             .json(&request)
             .send()
-            .await?;
+            .await
+            .map_err(|e| crate::http::wrap_send_err(e, &url))?;
 
         if !response.status().is_success() {
-            anyhow::bail!("OSV API error: HTTP {}", response.status());
+            let status = response.status();
+            let snippet = read_bounded_body(&mut response, ERROR_BODY_LIMIT).await;
+            if snippet.is_empty() {
+                anyhow::bail!("OSV API error: HTTP {}", status);
+            } else {
+                anyhow::bail!("OSV API error: HTTP {}: {}", status, snippet);
+            }
         }
 
         let batch_response: OsvBatchResponse = response.json().await?;
@@ -357,11 +400,13 @@ impl OsvClient {
 
     /// Fetch vulnerability details by ID
     async fn fetch_vuln_by_id(&self, id: &str) -> Result<Vulnerability> {
+        let url = format!("{}/vulns/{}", self.base_url, id);
         let response = self
             .client
-            .get(format!("{}/vulns/{}", self.base_url, id))
+            .get(&url)
             .send()
-            .await?;
+            .await
+            .map_err(|e| crate::http::wrap_send_err(e, &url))?;
 
         if !response.status().is_success() {
             anyhow::bail!(
@@ -1003,4 +1048,169 @@ mod tests {
         assert_eq!(result.safe_count, 1);
         // wiremock will assert that no requests were received when the server drops.
     }
+
+    // ─── batch failure error message ─────────────────────────────────────────
+
+    #[tokio::test]
+    async fn batch_failure_error_includes_package_names_status_and_body() {
+        use wiremock::matchers::{method, path};
+        use wiremock::{Mock, MockServer, ResponseTemplate};
+
+        let server = MockServer::start().await;
+
+        // OSV returns a non-success response with a body. Both should surface
+        // in the AuditResult error so operators can diagnose the failure.
+        Mock::given(method("POST"))
+            .and(path("/querybatch"))
+            .respond_with(
+                ResponseTemplate::new(503).set_body_string("upstream temporarily unavailable"),
+            )
+            .mount(&server)
+            .await;
+
+        let client = OsvClient::with_base_url(server.uri());
+        let pkgs = vec![
+            Package {
+                name: "requests".into(),
+                version: "2.0.0".into(),
+                ecosystem: Ecosystem::PyPI,
+            },
+            Package {
+                name: "boto3".into(),
+                version: "1.0.0".into(),
+                ecosystem: Ecosystem::PyPI,
+            },
+        ];
+
+        let result = client.check_packages(&pkgs).await.unwrap();
+
+        assert!(result.vulnerable.is_empty());
+        assert_eq!(
+            result.errors.len(),
+            1,
+            "one error for the failing batch, got {:?}",
+            result.errors
+        );
+        let err = &result.errors[0];
+        assert!(
+            err.contains("requests") && err.contains("boto3"),
+            "error should list the failing batch's package names: {err}"
+        );
+        assert!(
+            err.contains("503"),
+            "error should include the HTTP status: {err}"
+        );
+        assert!(
+            err.contains("upstream temporarily unavailable"),
+            "error should include the response body: {err}"
+        );
+    }
+
+    #[tokio::test]
+    async fn batch_failure_stops_reading_at_cap_when_body_stalls() {
+        // Stand up a TCP server that lies about Content-Length: it claims
+        // 1 MB but only delivers 2 KiB, then stalls forever. The bounded
+        // read in query_batch must fill its 1 KiB cap from the head of
+        // the body and return immediately. An unbounded read (e.g.
+        // `response.text().await`) would block until either the rest of
+        // the body arrives or the 30 s client timeout fires.
+        use std::time::{Duration, Instant};
+        use tokio::io::{AsyncReadExt, AsyncWriteExt};
+        use tokio::net::TcpListener;
+
+        let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
+        let addr = listener.local_addr().unwrap();
+
+        let server = tokio::spawn(async move {
+            let (mut stream, _) = listener.accept().await.unwrap();
+
+            // Drain the request until we see the empty header line.
+            let mut buf = [0u8; 4096];
+            loop {
+                let n = match stream.read(&mut buf).await {
+                    Ok(n) if n > 0 => n,
+                    _ => return,
+                };
+                if buf[..n].windows(4).any(|w| w == b"\r\n\r\n") {
+                    break;
+                }
+            }
+
+            // Headers promise 1 MB; we send only 2 KiB then stall.
+            let head = b"HTTP/1.1 503 Service Unavailable\r\n\
+                         Content-Type: text/plain\r\n\
+                         Content-Length: 1000000\r\n\
+                         Connection: close\r\n\r\n";
+            let _ = stream.write_all(head).await;
+            let _ = stream.write_all(&vec![b'x'; 2048]).await;
+            let _ = stream.flush().await;
+
+            // Park the task so the connection stays open without further
+            // bytes. The test will abort the handle after the client
+            // returns.
+            std::future::pending::<()>().await;
+        });
+
+        let client = OsvClient::with_base_url(format!("http://{}", addr));
+        let started = Instant::now();
+        let outcome = tokio::time::timeout(
+            Duration::from_secs(10),
+            client.check_packages(&[Package {
+                name: "pkg".into(),
+                version: "1.0.0".into(),
+                ecosystem: Ecosystem::PyPI,
+            }]),
+        )
+        .await;
+        let elapsed = started.elapsed();
+
+        server.abort();
+
+        let result = outcome
+            .expect(
+                "OSV call must return promptly when the body stalls; \
+                 if it didn't, the body is being read unbounded",
+            )
+            .unwrap();
+
+        assert_eq!(result.errors.len(), 1, "{:?}", result.errors);
+        let err = &result.errors[0];
+        assert!(err.contains("503"), "should include status: {err}");
+        // 5 s leaves a >100x margin over the expected ~1 RTT return
+        // time, while staying well under the 30 s client timeout that
+        // the buggy implementation would hit.
+        assert!(
+            elapsed < Duration::from_secs(5),
+            "bounded read should return promptly; took {:?}",
+            elapsed
+        );
+    }
+
+    #[tokio::test]
+    async fn batch_failure_error_includes_package_names_on_network_error() {
+        // Point at a closed port so reqwest fails to connect. Package names
+        // should still be embedded in the resulting error message.
+        let client = OsvClient::with_base_url("http://127.0.0.1:1/".to_string());
+        let pkgs = vec![
+            Package {
+                name: "lonely-pkg".into(),
+                version: "1.0.0".into(),
+                ecosystem: Ecosystem::PyPI,
+            },
+            Package {
+                name: "another-pkg".into(),
+                version: "2.0.0".into(),
+                ecosystem: Ecosystem::PyPI,
+            },
+        ];
+
+        let result = client.check_packages(&pkgs).await.unwrap();
+
+        assert_eq!(result.errors.len(), 1, "{:?}", result.errors);
+        let err = &result.errors[0];
+        assert!(
+            err.contains("lonely-pkg") && err.contains("another-pkg"),
+            "network-level errors should still name the failing packages: {err}"
+        );
+    }
 }

{upd_cli-0.1.4 → upd_cli-0.1.6}/src/cli.rs

@@ -192,6 +192,16 @@ pub struct Cli {
     /// Explicit file paths are always processed regardless of this flag.
     #[arg(long = "no-ignore", global = true)]
     pub no_ignore: bool,
+
+    /// Disable TLS certificate verification.
+    ///
+    /// Skips verification of server certificates for all HTTPS requests this run.
+    /// Hostname verification is also disabled on a best-effort basis (may not be
+    /// honored under every TLS backend). Use only as a last resort in environments
+    /// where the system trust store cannot be configured. Prefer setting
+    /// REQUESTS_CA_BUNDLE or SSL_CERT_FILE to your corporate CA bundle.
+    #[arg(long, global = true)]
+    pub insecure: bool,
 }
 
 #[derive(Subcommand)]
@@ -297,6 +307,7 @@ mod tests {
         assert!(cli.paths.is_empty());
         assert!(cli.command.is_none());
         assert!(cli.min_age.is_none());
+        assert!(!cli.insecure);
     }
 
     #[test]
@@ -874,4 +885,24 @@ mod tests {
         assert!(cli.no_ignore);
         assert!(matches!(cli.command, Some(Command::Align { .. })));
     }
+
+    #[test]
+    fn test_cli_parses_insecure() {
+        let cli = Cli::try_parse_from(["upd", "--insecure"]).unwrap();
+        assert!(cli.insecure);
+    }
+
+    #[test]
+    fn test_cli_insecure_default_false() {
+        let cli = Cli::try_parse_from(["upd"]).unwrap();
+        assert!(!cli.insecure);
+    }
+
+    #[test]
+    fn test_cli_insecure_is_global_across_subcommands() {
+        for sub in ["audit", "update", "align"] {
+            let cli = Cli::try_parse_from(["upd", sub, "--insecure"]).unwrap();
+            assert!(cli.insecure, "--insecure must be accepted under `{sub}`");
+        }
+    }
 }