From 0f030df392c5940ed75300dd4847812ee0447cca Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Fri, 8 May 2026 23:12:42 -0700
Subject: [PATCH] fix(helpViewer): tls certificate validation disabled

In src/helpViewer/cran.ts line 17, the code sets `process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'` to bypass TLS certificate verification. This creates a serious security vulnerability allowing man-in-the-middle attacks when fetching packages from CRAN mirrors.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 src/helpViewer/cran.ts | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/helpViewer/cran.ts b/src/helpViewer/cran.ts
index e26cf883..189b2899 100644
--- a/src/helpViewer/cran.ts
+++ b/src/helpViewer/cran.ts
@@ -25,7 +25,6 @@ export async function getPackagesFromCran(cranUrl: string): Promise {
 for(const site of cranSites){
 try{
 // fetch html
- process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; // seems to fail otherwise?
 const res = await fetch(site.url);
 const html = await (res).text();
@@ -33,9 +32,6 @@ export async function getPackagesFromCran(cranUrl: string): Promise {
 packages = site.parseFunction(html, site.url);
 } catch(e) {
 // These errors are expected, if the repo does not serve a specific URL
- } finally {
- // make sure to use safe https again
- process.env.NODE_TLS_REJECT_UNAUTHORIZED = '1';
 }
 // break if successfully fetched & parsed
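Review bot: With the bypass gone, a mirror whose certificate fails validation now ends up in the `catch(e)` of the second hunk, whose comment still says these errors are expected when the repo does not serve a specific URL, so a genuine TLS failure is swallowed silently and is indistinguishable from a missing page; the removed `// seems to fail otherwise?` comment suggests at least one configured site did fail that way. Consider logging before moving on to the next site, e.g. `console.warn(\`getPackagesFromCran: ${site.url} failed\`, e);`, and rewording the comment to say that certificate and network errors also land here and are intentionally not bypassed, so a misbehaving mirror is visible rather than just yielding no packages. Relatedly, the first hunk never checks `res.ok` before handing the body to `site.parseFunction`, so an HTTP error page is parsed as if it were the package index; that is pre-existing, but a one-line `if (!res.ok) throw new Error(\`${site.url}: HTTP ${res.status}\`);` after the `fetch` would route it through the same catch. Removing the env-var toggle itself is the right fix, since it disabled verification process-wide for every concurrent request during the window, not just this one.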