From a99a78df6eba85e5bc93b436a45ab03e72f46c20 Mon Sep 17 00:00:00 2001
From: Alexander Uvizhev
Date: Tue, 25 Nov 2025 11:18:21 +0100
Subject: [PATCH 1/4] Add insecure-dep test task to Makefile and CI
---
 .github/workflows/test-suite.yml | 2 ++
 Cargo.toml | 2 +-
 Makefile | 9 +++++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/test-suite.yml b/.github/workflows/test-suite.yml
index 7344a9367b7..f9a411cc0a5 100644
--- a/.github/workflows/test-suite.yml
+++ b/.github/workflows/test-suite.yml
@@ -329,6 +329,8 @@ jobs:
 run: make cargo-fmt
 - name: Lint code for quality and style with Clippy
 run: make lint-full
+ - name: Check dependencies for usage of an unencrypted HTTP
+ run: make insecure-deps
 - name: Certify Cargo.lock freshness
 run: git diff --exit-code Cargo.lock
 - name: Typecheck benchmark code without running it
diff --git a/Cargo.toml b/Cargo.toml
index d5d1687c764..13afbececb2 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -274,7 +274,7 @@ validator_test_rig = { path = "testing/validator_test_rig" }
 warp = { version = "0.3.7", default-features = false, features = ["tls"] }
 warp_utils = { path = "common/warp_utils" }
 workspace_members = { path = "common/workspace_members" }
-xdelta3 = { git = "https://github.com/sigp/xdelta3-rs", rev = "4db64086bb02e9febb584ba93b9d16bb2ae3825a" }
+xdelta3 = { git = "http://github.com/sigp/xdelta3-rs", rev = "4db64086bb02e9febb584ba93b9d16bb2ae3825a" }
 zeroize = { version = "1", features = ["zeroize_derive", "serde"] }
 zip = "0.6"
 zstd = "0.13"
diff --git a/Makefile b/Makefile
index 9d08c3ebe18..7e4d00d7d13 100644
--- a/Makefile
+++ b/Makefile
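Review bot: The new `Check dependencies for usage of an unencrypted HTTP` step is placed after `make lint-full`, so a plain-http dependency is only reported once the full Clippy run has finished; the check is a grep over Cargo.toml files, so moving it ahead of the lint step (next to `make cargo-fmt`) would fail fast at no cost. The rest of the job is outside the hunk, so whether an earlier step already covers this cannot be seen here.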
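Review bot: The `xdelta3` source is switched from `https://` to `http://` in this commit, presumably to demonstrate the new check firing in CI, and the second patch in the series switches it back. Squashing the two would avoid leaving a commit in history where the dependency is fetched over plain HTTP, which matters for anyone bisecting or building that revision.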
@@ -343,6 +343,15 @@ vendor:
 udeps:
 cargo +$(PINNED_NIGHTLY) udeps --tests --all-targets --release --features "$(TEST_FEATURES)"
 
+# Checks dependencies for usage of an unencrypted HTTP
+# Tee preserves output. If there are matches, print a message and return 1
+insecure-deps:
+ bash -c \
+ "find -name Cargo.toml \
+ | xargs grep -P \"git\s?=\s?[\\\"']http:\" \
+ | tee /dev/tty \
+ | [ \`wc -l\` == 0 ] || (echo \"Using plain HTTP in dependencies is forbidden\" && false)"
+
 # Performs a `cargo` clean and cleans the `ef_tests` directory.
 clean:
 cargo clean
From f70d3ae629a07bf192c08857e55214a33dcbb36d Mon Sep 17 00:00:00 2001
From: Alexander Uvizhev
Date: Tue, 23 Dec 2025 10:42:42 +0100
Subject: [PATCH 2/4] Apply review suggestions
---
 .github/workflows/test-suite.yml | 2 +-
 Cargo.toml | 2 +-
 Makefile | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/test-suite.yml b/.github/workflows/test-suite.yml
index f9a411cc0a5..f7f53431451 100644
--- a/.github/workflows/test-suite.yml
+++ b/.github/workflows/test-suite.yml
@@ -329,7 +329,7 @@ jobs:
 run: make cargo-fmt
 - name: Lint code for quality and style with Clippy
 run: make lint-full
- - name: Check dependencies for usage of an unencrypted HTTP
+ - name: Check dependencies for unencrypted HTTP links
 run: make insecure-deps
 - name: Certify Cargo.lock freshness
 run: git diff --exit-code Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
index 13afbececb2..d5d1687c764 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -274,7 +274,7 @@ validator_test_rig = { path = "testing/validator_test_rig" }
 warp = { version = "0.3.7", default-features = false, features = ["tls"] }
 warp_utils = { path = "common/warp_utils" }
 workspace_members = { path = "common/workspace_members" }
-xdelta3 = { git = "http://github.com/sigp/xdelta3-rs", rev = "4db64086bb02e9febb584ba93b9d16bb2ae3825a" }
+xdelta3 = { git = "https://github.com/sigp/xdelta3-rs", rev = "4db64086bb02e9febb584ba93b9d16bb2ae3825a" }
 zeroize = { version = "1", features = ["zeroize_derive", "serde"] }
 zip = "0.6"
 zstd = "0.13"
diff --git a/Makefile b/Makefile
index 7e4d00d7d13..f1b94aec92c 100644
--- a/Makefile
+++ b/Makefile
@@ -343,14 +343,15 @@ vendor:
 udeps:
 cargo +$(PINNED_NIGHTLY) udeps --tests --all-targets --release --features "$(TEST_FEATURES)"
 
-# Checks dependencies for usage of an unencrypted HTTP
+# Checks dependencies for unencrypted HTTP links
 # Tee preserves output. If there are matches, print a message and return 1
 insecure-deps:
 bash -c \
 "find -name Cargo.toml \
 | xargs grep -P \"git\s?=\s?[\\\"']http:\" \
 | tee /dev/tty \
- | [ \`wc -l\` == 0 ] || (echo \"Using plain HTTP in dependencies is forbidden\" && false)"
+ | [ \`wc -l\` == 0 ] && echo \"All Git dependencies use secure HTTPS\" \ || (echo \"Using plain HTTP in dependencies is forbidden\" && false)"
 
 # Performs a `cargo` clean and cleans the `ef_tests` directory.
 clean:
From 37230494433f4164e1c3879afaf845688e73c31d Mon Sep 17 00:00:00 2001
From: Alexander Uvizhev
Date: Tue, 23 Dec 2025 13:52:38 +0100
Subject: [PATCH 3/4] Do not rely on tty
---
 Makefile | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index f1b94aec92c..cd2f42be07c 100644
--- a/Makefile
+++ b/Makefile
@@ -345,13 +345,12 @@ udeps:
 
 # Checks dependencies for unencrypted HTTP links
 # Tee preserves output. If there are matches, print a message and return 1
+.ONESHELL:
+SHELL = /bin/bash
 insecure-deps:
- bash -c \
- "find -name Cargo.toml \
- | xargs grep -P \"git\s?=\s?[\\\"']http:\" \
- | tee /dev/tty \
- | [ \`wc -l\` == 0 ] && echo \"All Git dependencies use secure HTTPS\" \
- || (echo \"Using plain HTTP in dependencies is forbidden\" && false)"
+ BAD_LINKS=`find -name Cargo.toml | xargs grep -P 'git\s?=\s?["]http:'`;
+ if [ "_$$BAD_LINKS" == "_" ]; then echo "All Git dependencies use secure HTTPS"; \ else echo $$BAD_LINKS; echo "Using plain HTTP in dependencies is forbidden"; false; fi
 
 # Performs a `cargo` clean and cleans the `ef_tests` directory.
 clean:
From df3a0b86143afdc0b043742e5c302f9a0170885a Mon Sep 17 00:00:00 2001
From: Alexander Uvizhev
Date: Wed, 24 Dec 2025 09:44:22 +0100
Subject: [PATCH 4/4] Make pure dash version + remove obsolete comment
---
 Makefile | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index cd2f42be07c..76d7e5f2537 100644
--- a/Makefile
+++ b/Makefile
@@ -344,13 +344,10 @@ udeps:
 cargo +$(PINNED_NIGHTLY) udeps --tests --all-targets --release --features "$(TEST_FEATURES)"
 
 # Checks dependencies for unencrypted HTTP links
-# Tee preserves output. If there are matches, print a message and return 1
-.ONESHELL:
-SHELL = /bin/bash
 insecure-deps:
- BAD_LINKS=`find -name Cargo.toml | xargs grep -P 'git\s?=\s?["]http:'`;
- if [ "_$$BAD_LINKS" == "_" ]; then echo "All Git dependencies use secure HTTPS"; \ else echo $$BAD_LINKS; echo "Using plain HTTP in dependencies is forbidden"; false; fi
+ BAD_LINKS=`find -name Cargo.toml | xargs grep -P "git\s?=\s?[\"']http:"`; \
+ if [ "_$$BAD_LINKS" = "_" ]; then echo "All Git dependencies use secure HTTPS"; \ else echo "$$BAD_LINKS"; echo "Using plain HTTP in dependencies is forbidden"; false; fi
 
 # Performs a `cargo` clean and cleans the `ef_tests` directory.
 clean:
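Review bot: The pattern `git\s?=\s?[\"']http:` on the new `BAD_LINKS=` line tolerates at most one whitespace character on either side of `=`, so a dependency written as `git  = "http://…"` (TOML allows any amount of whitespace there) passes the check unnoticed; `\s*` closes that gap, and `-i` would also catch an upper-cased scheme. The commit title aims for a pure-dash recipe, yet `grep -P` and a bare `find` with no starting directory are GNU extensions, so `find . -name Cargo.toml | xargs grep -E "git[[:space:]]*=[[:space:]]*[\"']http:"` keeps the same semantics on BSD/macOS tools as well. The scan covers only `git =` keys in Cargo.toml files; a `source = "git+http://…"` entry in Cargo.lock or a registry/source replacement in `.cargo/config.toml` would not be flagged, which the comment above the target could state so readers do not assume broader coverage, e.g. `# Checks Cargo.toml git dependencies for unencrypted HTTP links (Cargo.lock and .cargo/config.toml are not scanned)`. `insecure-deps` should also be in the file's `.PHONY` list if it is not already declared there (the list is outside the hunk), since a file of that name would silently mask the check.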