next.js
56fed4d6 - Turbopack: Add an option to use system TLS certificates (fixes #79060, fixes #79059) (#81818)

Commit
176 days ago
Turbopack: Add an option to use system TLS certificates (fixes #79060, fixes #79059) (#81818)

It's common in enterprise environments for employers to MITM all HTTPS traffic on employee machines to enforce network policies or to detect and block malware. For this to work, they install custom CA roots into the system store. Applications must read from this store.

The default behavior of `reqwest` is to bundle the Mozilla CA roots into the application, and only trust those. This is reasonable given some of the tradeoffs of the current rustls resolver implementations they use, but long-term it's better for most applications to just use the system CA store.

This provides an opt-in experimental option for using the system CA store. We may use system CA certs by default in the future once https://github.com/seanmonstar/reqwest/issues/2159 is resolved.

Fixes #79059
Fixes #79060

### Testing

- Install [mitmproxy](https://docs.mitmproxy.org/stable/overview/installation/).
- Install the generated mitmproxy CA cert to the system store: https://docs.mitmproxy.org/stable/concepts/certificates/
- Run `./mitmdump` (with no arguments)
- Run an example app that uses Google Fonts:

```
pnpm pack-next --project ~/shadcn-ui/apps/v4 --no-js-build -- --release
cd ~/shadcn-ui/apps/v4
pnpm i
NEXT_TURBOPACK_EXPERIMENTAL_USE_SYSTEM_TLS_CERTS=0 HTTP_PROXY=localhost:8080 HTTPS_PROXY=localhost:8080 pnpm dev
NEXT_TURBOPACK_EXPERIMENTAL_USE_SYSTEM_TLS_CERTS=1 HTTP_PROXY=localhost:8080 HTTPS_PROXY=localhost:8080 pnpm dev
```

When system TLS certs are disabled, we get warnings like this:

```
⚠ [next]/internal/font/google/geist_mono_77f2790.module.css
Error while requesting resource
There was an issue establishing a connection while requesting https://fonts.googleapis.com/css2?family=Geist+Mono:wght@400&display=swap.

Import trace:
  [next]/internal/font/google/geist_mono_77f2790.module.css
  [next]/internal/font/google/geist_mono_77f2790.js
  ./apps/v4/lib/fonts.ts
  ./apps/v4/app/layout.tsx
```

And mitmproxy shows the handshakes failing:

![Screenshot 2025-07-21 at 1.11.11 PM.png](https://graphite-user-uploaded-assets-prod.s3.amazonaws.com/HAZVitxRNnZz8QMiPn4a/2efc4b97-f50e-412c-9daf-5cdd00a6d82b.png)

When system TLS certs are enabled, the app works.
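The following program is an added illustration of the failure mode the commit message describes; it is not code from Next.js, Turbopack or reqwest. It is written in Go because Go's standard library can both issue certificates and speak TLS offline, so the whole scenario runs locally: a throwaway "interception CA" (constructed; the name `Example Corp Interception CA` is made up) signs a leaf certificate for a local server, exactly as mitmproxy forges a certificate per origin. A client trusting only a fixed root bundle that predates that CA fails the handshake with "certificate signed by unknown authority", while a client whose trust store contains the installed CA succeeds. The helper names (`mintCA`, `mintLeaf`, `fetchWith`, `RunComparison`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mintCA creates a throwaway root CA (constructed for this example). It stands in
// for the CA an enterprise interception proxy, or mitmproxy, installs into the system store.
func mintCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Interception CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// mintLeaf issues a server certificate for 127.0.0.1 signed by ca, the way an
// interception proxy forges a certificate for every origin it terminates.
func mintLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "fonts.googleapis.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // Go validates the SAN, not the CN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// fetchWith makes one HTTPS GET trusting only roots; nil means the handshake succeeded.
func fetchWith(url string, roots *x509.CertPool) error {
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{
		DisableKeepAlives: true,
		TLSClientConfig:   &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// RunComparison serves TLS with a chain ending at the interception CA and fetches twice:
// once with a fixed bundle that does not know the CA (the bundled-roots default the commit
// describes) and once with the system pool plus the installed CA. Both errors are returned.
func RunComparison() (bundledErr, systemErr error) {
	ca, caKey, err := mintCA()
	if err != nil {
		return err, err
	}
	leaf, err := mintLeaf(ca, caKey)
	if err != nil {
		return err, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "/* constructed stand-in for a Google Fonts CSS response */")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	defer srv.Close()

	bundled := x509.NewCertPool() // an empty pool models a root bundle that predates the enterprise CA
	system, err := x509.SystemCertPool() // the OS store; fall back to empty on hosts with none
	if err != nil {
		system = x509.NewCertPool()
	}
	system.AddCert(ca) // what installing the proxy CA into the system store achieves
	return fetchWith(srv.URL, bundled), fetchWith(srv.URL, system)
}

func main() {
	bundledErr, systemErr := RunComparison()
	fmt.Println("bundled roots only:", bundledErr)
	fmt.Println("system store + CA: ", systemErr)
}
```

The first fetch fails with `tls: failed to verify certificate: x509: certificate signed by unknown authority`, the same class of failure behind the "issue establishing a connection" warning above; the second succeeds. In a real deployment the `AddCert` step is done by IT installing the CA, so an application only has to ask the platform for its roots (in Go, a nil `RootCAs`; in this commit, the experimental Turbopack option) instead of shipping its own fixed list.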
Author
bgw