
This doesn't seem to be a good idea

    curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, false);
https://github.com/Mashape/unirest-php/blob/master/lib/Unire...



Good catch. Yep, generally not something you want to do in production, and it shouldn't be forced by a library. Aside from some edge scenario where the server will be connecting to arbitrary endpoints, taking the time to set CURLOPT_{CAINFO,CAPATH} will allow VERIFYPEER to work properly.

While reviewing this section of the code they should also probably do manual support for FOLLOWLOCATION or check open_basedir, which is usually set--or should be.
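
Added example, not part of the thread and not unirest-php code: one way to keep certificate verification on with an explicit CA bundle and follow redirects by hand, which works whether or not open_basedir is set. The function name `secure_get` and the CA bundle path in the usage comment are assumptions.

```php
<?php
// Added illustration; secure_get() is a hypothetical helper, not a unirest-php API.
function secure_get(string $url, string $caBundle, int $maxRedirects = 5): array
{
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_SSL_VERIFYPEER => true,            // validate the certificate chain
            CURLOPT_SSL_VERIFYHOST => 2,               // and that the name matches the host
            CURLOPT_CAINFO         => $caBundle,       // trust anchors used for the chain check
            CURLOPT_FOLLOWLOCATION => false,           // redirects are handled below
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never speak anything but HTTPS
            CURLOPT_CONNECTTIMEOUT => 10,
            CURLOPT_TIMEOUT        => 30,
        ]);

        $body = curl_exec($ch);
        if ($body === false) {
            // A failed verification ends up here; fail closed instead of retrying unverified.
            throw new RuntimeException("Request to $url failed: " . curl_error($ch));
        }
        $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // absolute URL of the Location target

        if ($status < 300 || $status >= 400 || !$next) {
            return ['status' => $status, 'url' => $url, 'body' => $body];
        }
        // Each hop is re-checked, so a redirect cannot downgrade the scheme.
        if (strtolower((string) parse_url($next, PHP_URL_SCHEME)) !== 'https') {
            throw new RuntimeException("Refusing non-HTTPS redirect to $next");
        }
        $url = $next;
    }
    throw new RuntimeException("More than $maxRedirects redirects");
}

// Usage (the bundle path is an assumption; it varies by distribution):
// $res = secure_get('https://example.com/', '/etc/ssl/certs/ca-certificates.crt');
```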



