fix(deps): use minreq for native-tls, ureq for rustls to control binary size (#59)

On `main`, both `native-tls` and `rustls` use `ureq` via
`ureq/native-tls` and `ureq/rustls`. This PR switches the sync HTTP
client so each feature uses the dependency that produces the smallest
binary:

- **`native-tls`** → `minreq 3.0.0-rc.0` + `https-native-tls`. minreq
with system TLS is the smallest option (~540 KB). The feature name
change from `native-tls` to `https-native-tls` fixes a compilation
failure against minreq 3.x (renamed from 2.x).
- **`rustls`** → `ureq 3.3.0` + `ureq/rustls`. ureq's rustls backend
uses `ring`; minreq's `https-rustls` uses `aws-lc-rs`, which adds ~1.7
MB to the binary.

Both dependencies are now optional and only pulled in by their
respective feature. A `compile_error!` is emitted if neither TLS feature
is enabled.

Author: tylerbutler

.changes/unreleased/Dependencies-20260421-181304.yaml

@@ -1,15 +1,10 @@
 kind: Dependencies
 body: |-
-    Replace ureq 3.3.0 with minreq 3.0.0-rc.0
+    Use minreq 3.0.0-rc.0 for native-tls and ureq 3.3.0 for rustls
 
-    Reverts the ureq substitution from v1.1.2. The original compilation failure
-    with minreq 3.0.0-rc.0 was caused by using the renamed feature incorrectly:
-    the 2.x `rustls` feature became `https-rustls` in 3.0, and `native-tls`
-    became `https-native-tls`. Using `https-rustls` builds cleanly against
-    rustls 0.23.x.
-
-    Note: the `rustls` feature binary is ~1.7 MB larger than with ureq because
-    minreq's `https-rustls` uses rustls's default crypto provider (aws-lc-rs)
-    rather than ring. This is a minreq API limitation with no workaround on the
-    dependent side. The default `native-tls` build is unaffected.
+    The `native-tls` feature now uses `minreq 3.0.0-rc.0` (system TLS), which
+    produces the smallest binary (~540 KB). The `rustls` feature keeps `ureq
+    3.3.0` because minreq's rustls backend uses `aws-lc-rs` rather than `ring`,
+    adding ~1.7 MB. Both dependencies are now optional and only included when
+    their respective feature is enabled.
 time: 2026-04-21T18:13:04.362142000+00:00

Cargo.lock

@@ -15,14 +15,21 @@ readme = "README.md"
 
 [dependencies]
 semver = "1.0.27"
-minreq = { version = "=3.0.0-rc.0", default-features = false }
+# native-tls feature only: minreq + system TLS produces the smallest binary (~540 KB).
+# minreq's https-rustls uses aws-lc-rs, which adds ~1.7 MB; ureq is used for rustls instead.
+minreq = { version = "=3.0.0-rc.0", default-features = false, optional = true }
+# rustls feature only: ureq's rustls uses ring rather than aws-lc-rs, keeping the binary small.
+# minreq's https-rustls would add ~1.7 MB due to aws-lc-rs; ureq avoids this.
+ureq = { version = "3.3.0", default-features = false, optional = true }
 serde_json = { version = "1", default-features = false, features = ["std"] }
 reqwest = { version = "0.13.2", optional = true, default-features = false, features = ["rustls"] }
 
 [features]
 default = ["native-tls", "do-not-track"]
-native-tls = ["minreq/https-native-tls"]
-rustls = ["minreq/https-rustls"]
+# Uses minreq + system TLS. Smallest binary (~540 KB). Mutually exclusive with `rustls`.
+native-tls = ["dep:minreq", "minreq/https-native-tls"]
+# Uses ureq + rustls/ring. Pure-Rust TLS, no system dependencies. Mutually exclusive with `native-tls`.
+rustls = ["dep:ureq", "ureq/rustls"]
 async = ["reqwest"]
 do-not-track = []
 response-body = []

Cargo.toml

@@ -17,8 +17,9 @@ Existing update checker crates add significant binary bloat:
 | updates | ~1.8MB |
 
 This crate achieves minimal size by:
-- Using `native-tls` (system TLS) instead of bundling rustls
-- Minimal JSON parsing (string search instead of serde)
+- Using `native-tls` (system TLS via `minreq`) instead of bundling rustls by default
+- Using `ureq` for the `rustls` feature, which uses `ring` rather than `aws-lc-rs` (minreq's
+  rustls backend would add ~1.7 MB due to aws-lc-rs)
 - Simple file-based caching
 
 ## Installation
@@ -138,9 +139,9 @@ async fn main() {
 
 | Feature | Default | Description |
 |---------|---------|-------------|
-| `native-tls` | ✅ | Uses system TLS libraries, smaller binary |
+| `native-tls` | ✅ | System TLS via `minreq`. Smallest binary (~540 KB). |
 | `do-not-track` | ✅ | Respects the `DO_NOT_TRACK` environment variable |
-| `rustls` | | Pure Rust TLS, no system dependencies |
+| `rustls` | | Pure-Rust TLS via `ureq` + ring. No system dependencies; good for cross-compilation. Uses `ureq` rather than `minreq` to avoid `aws-lc-rs` (~1.7 MB overhead). |
 | `async` | | Async support using `reqwest` |
 | `response-body` | | Includes the raw crates.io response body in `UpdateInfo` |
 

README.md

@@ -40,8 +40,10 @@
 //!
 //! ## Feature Flags
 //!
-//! - `native-tls` (default): Uses system TLS, smaller binary size
-//! - `rustls`: Pure Rust TLS, better for cross-compilation
+//! - `native-tls` (default): Uses `minreq` + system TLS. Smallest binary (~540 KB).
+//! - `rustls`: Uses `ureq` + rustls/ring. Pure-Rust TLS, no system dependencies.
+//!   Uses `ureq` rather than `minreq` because `minreq`'s rustls backend pulls in `aws-lc-rs`,
+//!   adding ~1.7 MB. `ureq`'s rustls uses `ring`, keeping the binary small.
 //! - `async`: Enables async support using `reqwest`
 //! - `do-not-track` (default): Respects [`DO_NOT_TRACK`] environment variable
 //! - `response-body`: Includes the raw crates.io response body in [`DetailedUpdateInfo`]
@@ -90,6 +92,9 @@ use std::fs;
 use std::path::PathBuf;
 use std::time::{Duration, SystemTime};
 
+#[cfg(not(any(feature = "native-tls", feature = "rustls")))]
+compile_error!("At least one TLS feature must be enabled: `native-tls` or `rustls`");
+
 pub(crate) const USER_AGENT: &str = concat!(env!("CARGO_PKG_NAME"), "/", env!("CARGO_PKG_VERSION"));
 
 const MAX_MESSAGE_SIZE: usize = 4096;
@@ -401,24 +406,53 @@ impl UpdateChecker {
         Ok((latest, response_body))
     }
 
+    /// Build a ureq agent with the configured timeout.
+    ///
+    /// ureq is used for the `rustls` feature because its rustls backend uses ring
+    /// rather than aws-lc-rs, avoiding the ~1.7 MB binary size increase that
+    /// minreq's https-rustls feature would add.
+    #[cfg(feature = "rustls")]
+    fn build_ureq_agent(&self) -> ureq::Agent {
+        ureq::Agent::config_builder()
+            .timeout_global(Some(self.timeout))
+            .build()
+            .into()
+    }
+
     /// Fetch the latest version from crates.io.
     fn fetch_latest_version(&self) -> Result<(String, Option<String>), Error> {
         let url = format!("https://crates.io/api/v1/crates/{}", self.crate_name);
 
-        let response = minreq::get(&url)
-            .with_timeout(self.timeout.as_secs())
-            .with_header("User-Agent", USER_AGENT)
-            .send()
+        // rustls uses ureq (ring-based, small binary); native-tls uses minreq (system TLS, smallest binary).
+        // See Cargo.toml for why the two features use different HTTP clients.
+        #[cfg(feature = "rustls")]
+        let body = self
+            .build_ureq_agent()
+            .get(&url)
+            .header("User-Agent", USER_AGENT)
+            .call()
+            .map_err(|e| Error::HttpError(e.to_string()))?
+            .body_mut()
+            .read_to_string()
             .map_err(|e| Error::HttpError(e.to_string()))?;
 
-        let body = response
-            .as_str()
-            .map_err(|e| Error::HttpError(e.to_string()))?;
+        #[cfg(not(feature = "rustls"))]
+        let body = {
+            let response = minreq::get(&url)
+                .with_timeout(self.timeout.as_secs())
+                .with_header("User-Agent", USER_AGENT)
+                .send()
+                .map_err(|e| Error::HttpError(e.to_string()))?;
+            response
+                .as_str()
+                .map_err(|e| Error::HttpError(e.to_string()))?
+                .to_string()
+        };
 
-        let version = extract_newest_version(body)?;
+        let version = extract_newest_version(&body)?;
 
         #[cfg(feature = "response-body")]
-        return Ok((version, Some(body.to_string())));
+        return Ok((version, Some(body)));
 
         #[cfg(not(feature = "response-body"))]
         Ok((version, None))
@@ -428,14 +462,29 @@ impl UpdateChecker {
     ///
     /// Best-effort: returns `None` on any failure.
     fn fetch_message(&self, url: &str) -> Option<String> {
-        let response = minreq::get(url)
-            .with_timeout(self.timeout.as_secs())
-            .with_header("User-Agent", USER_AGENT)
-            .send()
+        // Same client split as fetch_latest_version — see Cargo.toml for rationale.
+        #[cfg(feature = "rustls")]
+        let body = self
+            .build_ureq_agent()
+            .get(url)
+            .header("User-Agent", USER_AGENT)
+            .call()
+            .ok()?
+            .body_mut()
+            .read_to_string()
             .ok()?;
 
-        let body = response.as_str().ok()?;
-        truncate_message(body)
+        #[cfg(not(feature = "rustls"))]
+        let body = {
+            let response = minreq::get(url)
+                .with_timeout(self.timeout.as_secs())
+                .with_header("User-Agent", USER_AGENT)
+                .send()
+                .ok()?;
+            response.as_str().ok()?.to_string()
+        };
+
+        truncate_message(&body)
     }
 }
 
@@ -862,6 +911,57 @@ mod tests {
         }
     }
 
+    // Tests that are specific to the rustls feature (ureq HTTP client path).
+    // The native-tls path is covered by the tests above, which run with default features.
+    #[cfg(feature = "rustls")]
+    mod rustls_tests {
+        use super::*;
+        use std::fs;
+
+        #[test]
+        fn builder_works_with_rustls_feature() {
+            let checker = UpdateChecker::new("test-crate", "1.0.0")
+                .cache_duration(Duration::from_secs(3600))
+                .timeout(Duration::from_secs(10));
+            assert_eq!(checker.crate_name, "test-crate");
+            assert_eq!(checker.timeout, Duration::from_secs(10));
+        }
+
+        #[test]
+        fn cache_hit_does_not_invoke_http() {
+            // Verifies the cache layer works correctly with the ureq path:
+            // a fresh cache entry must be returned without making any network call.
+            let dir = tempfile::tempdir().unwrap();
+            let cache_file = dir.path().join("test-crate-update-check");
+            fs::write(&cache_file, "99.0.0").unwrap();
+
+            let checker = UpdateChecker::new("test-crate", "1.0.0")
+                .cache_dir(Some(dir.path().to_path_buf()))
+                .cache_duration(Duration::from_secs(3600));
+
+            let result = checker.check().unwrap();
+            assert!(result.is_some());
+            assert_eq!(result.unwrap().latest, "99.0.0");
+        }
+
+        #[cfg(feature = "do-not-track")]
+        #[test]
+        fn do_not_track_returns_none_with_rustls() {
+            temp_env::with_var("DO_NOT_TRACK", Some("1"), || {
+                let checker = UpdateChecker::new("test-crate", "1.0.0").cache_dir(None);
+                assert!(checker.check().unwrap().is_none());
+                assert!(checker.check_detailed().unwrap().is_none());
+            });
+        }
+
+        #[test]
+        fn invalid_crate_name_rejected_before_http() {
+            // Ensures validation fires before any HTTP call in the ureq path.
+            let checker = UpdateChecker::new("", "1.0.0").cache_dir(None);
+            assert!(matches!(checker.check(), Err(Error::InvalidCrateName(_))));
+        }
+    }
+
     #[test]
     fn test_message_url_default() {
         let checker = UpdateChecker::new("test-crate", "1.0.0");