@BOstendorf

Reason for pull request

While installing redcap with npm, npm generates a security report listing some vulnerabilities (see the npm audit report below). The vulnerabilities in debug, diff, growl and mkdirp are resolved by updating mocha. Updating mocha contains breaking changes, but I suspect them not to be relevant. For the vulnerability in request and its dependency tough-cookie, no fix is available. Request was fully deprecated in 2020 and should no longer be used.

I dug a bit in the code base and request seems to be only used in lib/utils/postFileUpload.js and should be able to be replaced with the https and form-data package from the standard library. This pull request attempts just that.

Caveat

I do not have a REDCap project with full feature support. Therefore I can't execute all unit tests to validate that the mocha breaking changes are irrelevant. I also can't test the postFileUpload utility, since the REDCap project I have available does not support file uploads and I can't enable the capability myself.
I expect my changes to work, but if possible please check the code and test the functionality before considering a merge.

What was done?

Update dependencies

Using npm update and npm audit fix --force

Removing request

  1. Replace request.post with https.request
  2. Manage file upload using a FormData object instead of letting request.post handle the file encoding

The rest should be pretty much the same, but I'm not entirely sure, because I'm basically writing the patch blind.

I hope the patch doesn't require that much more work.

Kind regards
Benjamin

# npm audit report

debug  <=2.6.8
Severity: high
debug Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-9vvw-cc9w-f27h
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install mocha@11.2.2, which is a breaking change
node_modules/debug
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

diff  <3.5.0
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-h6ch-v84p-w6p9
fix available via `npm audit fix --force`
Will install mocha@11.2.2, which is a breaking change
node_modules/diff

growl  <1.10.0
Severity: critical
Growl before 1.10.0 vulnerable to Command Injection - https://github.com/advisories/GHSA-qh2h-chj9-jffq
fix available via `npm audit fix --force`
Will install mocha@11.2.2, which is a breaking change
node_modules/growl

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install mocha@11.2.2, which is a breaking change
node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

8 vulnerabilities (2 moderate, 2 high, 4 critical)