Closed
205 changes: 1 addition & 204 deletions Cargo.lock

2 changes: 1 addition & 1 deletion sentry/Cargo.toml
Expand Up @@ -57,7 +57,7 @@ curl = ["dep:curl", "httpdate"]
ureq = ["dep:ureq", "httpdate"]
# transport settings
native-tls = ["dep:native-tls", "reqwest?/native-tls", "ureq?/native-tls"]
rustls = ["dep:rustls", "reqwest?/rustls", "ureq?/rustls"]
rustls = ["dep:rustls", "reqwest?/rustls-no-provider", "ureq?/rustls"]

Bug: The rustls feature now uses rustls-no-provider, requiring users to manually configure a crypto provider to avoid a runtime panic. This new requirement is not documented.
Severity: MEDIUM

Suggested Fix

Update the documentation for the rustls feature in sentry/lib.rs and sentry/README.md to explicitly state that users must install a crypto provider themselves. Provide a code example showing how to install a provider like ring or aws_lc_rs.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: sentry/Cargo.toml#L60

Potential issue: The `reqwest` dependency feature was changed from `rustls` to
`rustls-no-provider`. This intentionally removes the default crypto provider that was
previously included. As a result, users who enable the `sentry` crate's `rustls` feature
must now explicitly install a crypto provider (like `ring` or `aws_lc_rs`) in their
application's `main()` function. Without this manual step, the application will panic at
runtime when it attempts to make an HTTPS request. This new requirement is not
documented, potentially causing unexpected crashes for users upgrading the crate.

Rustls feature causes runtime panic without crypto provider

High Severity

Changing reqwest?/rustls to reqwest?/rustls-no-provider means the rustls feature no longer provides a working TLS backend for the reqwest transport. Users who enable rustls and disable native-tls (as the documentation at line 74 recommends) will hit a runtime panic at reqwest::Client::builder().build().expect(...) because no CryptoProvider is installed. The ring crate appearing in the workspace Cargo.lock is a red herring — it's pulled in by ureq?/rustls, but end-users who only enable reqwest won't have it. The existing docs and feature table still imply rustls is a drop-in TLS backend.

Reviewed by Cursor Bugbot for commit d0ea483.

embedded-svc-http = ["dep:embedded-svc", "dep:esp-idf-svc"]

[dependencies]
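
Review bot: The changed `rustls = [...]` line switches the reqwest side to `reqwest?/rustls-no-provider` but leaves `dep:rustls` and `ureq?/rustls` as they were, and nothing in the hunk selects a crypto provider for the reqwest transport or tells users they must install one. If the intent is for applications to choose the provider, say so in a comment under `# transport settings` and in the feature documentation, including that the provider has to be installed before the transport builds its client; if not, enable a provider feature on the `rustls` dependency so that `rustls` with `reqwest` keeps working without extra setup. A test that builds the reqwest transport with only the `rustls` feature enabled would catch a regression here.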