Gaps in url_replacements Coverage

[jstriebel]

mise supports a url_replacements setting that lets users redirect HTTP requests to internal mirrors or proxies — useful in enterprise/DMZ environments where upstream URLs are not directly reachable.

This works by calling apply_url_replacements() in src/http.rs before every request made through mise's central HTTP client. However, several dependencies make their own HTTP requests, completely bypassing this mechanism. Users who configure url_replacements to mirror upstream registries (e.g., GitHub, conda-forge, Sigstore infrastructure) will find that these five code paths silently ignore the setting and continue contacting the original upstream URLs.

Affected Code Paths

1. sigstore-verification

Used in src/backend/github.rs and crates/vfox/src/vfox.rs for attestation and SLSA provenance verification.

Contacts:

• GitHub attestations API (api.github.com)
• Sigstore/Rekor transparency log (rekor.sigstore.dev)
• Fulcio CA (fulcio.sigstore.dev)

These URLs are hardcoded inside the sigstore crate and there is no hook to intercept or redirect them. Simply passing different URLs is not possible — the entire TUF trust root would need to be replaced, which is not a realistic option in most environments. The practical workaround is skipping attestation verification entirely.

See also: #8846, jdx/sigstore-verification#32.

2. gix

Used in src/git.rs for cloning and fetching plugin repositories (gix::prepare_clone, fetch_then_checkout).

gix is configured with the blocking-http-transport-reqwest-* feature, meaning it creates its own reqwest client for HTTP(S) git operations. Plugin git URLs pass through gix directly, not through mise's HTTP client.

3. ubi

Used in src/backend/ubi.rs via UbiBuilder / ubi.install_binary().

ubi drives its own reqwest client to:

• Query GitHub/GitLab release APIs for asset discovery
• Download release binary assets

mise sets the auth token on the builder but has no way to intercept the URLs ubi resolves and fetches internally.

4. rattler_repodata_gateway

Used in src/backend/conda.rs via Gateway::builder().finish().

rattler's gateway fetches conda channel repodata (e.g., from conda-forge or custom channels) using its own HTTP client. The channel URL is resolved and fetched entirely inside rattler, outside of mise's HTTP client.

5. vfox download client

Used in crates/vfox/src/vfox.rs for downloading tool archives.

The vfox crate defines its own CLIENT in crates/vfox/src/http.rs and uses it directly for downloads.

See also: #8427.

(This document was partially generated with GitHub Copilot.)