Update OkHttp to 4.10.0 #8624

Merged
merged 1 commit into from Jul 24, 2022

TacoTheDank
Member

What is it?

  • Bugfix (user facing)
  • Feature (user facing)
  • Codebase improvement (dev facing)
  • Meta improvement to the project (dev facing)

Description of the changes in your PR

It would probably be good to get this done before a certain PR as well.

Read through the changelogs and see if anything else needs to be done. I did so, and didn't really find anything of interest, but check for yourselves anyway.

This PR adds around 227KB to the debug APK, and 75KB to the release APK.

APK testing

The APK can be found by going to the "Checks" tab below the title. On the left pane, click on "CI", scroll down to "artifacts" and click "app" to download the zip file which contains the debug APK of this PR.

Due diligence

@sonarcloud

sonarcloud bot commented Jul 14, 2022

Kudos, SonarCloud Quality Gate passed!

0 Bugs (rating A)
0 Vulnerabilities (rating A)
0 Security Hotspots (rating A)
0 Code Smells (rating A)

0.0% Coverage
0.0% Duplication

@Stypox
Member

Stypox commented Jul 14, 2022

I tested a while on emulator and it seems to work well.

I looked mostly at the migration guide and there seems to be nothing specific we should do. The changelog included many things, but nothing that should touch us. See the findings hereafter. If you agree these are not problematic for us, then I am ok with merging this PR.

  • TLSv1 and TLSv1.1 are no longer enabled by default. - is our code affected?
  • This release candidate turns on web socket compression. - I guess this is just internal, so we shouldn't need to worry
  • Follow HTTP 307 and 308 redirects on methods other than GET and POST. The new behavior is now consistent with RFC 7231 - do we have anything to do with this?
  • okhttp-tls no longer depends on Bouncy Castle and doesn’t install the Bouncy Castle security provider. - I have no idea if we use Bouncy Castle (and don't even know myself what it is)

Other notable things (not important for this PR):

  • OkHttp’s new okhttp-brotli module implements Brotli compression. - maybe some services in NewPipe support this, and we could reduce data transfer?
  • Publish a bill of materials (BOM) for OkHttp - maybe it is useful? Anyway, we only have one dependency, so probably not.

@TacoTheDank
Member Author

> TLSv1 and TLSv1.1 are no longer enabled by default. - is our code affected?

There's this, but idk if that still applies with the support drop for API 19.

> okhttp-tls no longer depends on Bouncy Castle and doesn’t install the Bouncy Castle security provider. - I have no idea if we use Bouncy Castle (and don't even know myself what it is)

We don't use okhttp-tls anyway, so that's fine.
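
Added example (not part of this thread and not NewPipe's code): one way to check the "is our code affected?" question about TLSv1 and TLSv1.1 is to inspect the connection specs of each `OkHttpClient` the app builds. The names `LegacyTlsAudit` and `legacyTlsFindings` are hypothetical, and the three clients in `main` are constructed for illustration; the OkHttp calls are from the 4.x API.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

// Hypothetical audit helper: reports whether a client still offers TLSv1 / TLSv1.1.
public final class LegacyTlsAudit {
    // The two protocol versions the changelog says are no longer enabled by default.
    private static final Set<TlsVersion> LEGACY = EnumSet.of(TlsVersion.TLS_1_0, TlsVersion.TLS_1_1);

    // Returns one finding per legacy version (or unpinned spec) found on the client.
    static List<String> legacyTlsFindings(OkHttpClient client) {
        List<String> findings = new ArrayList<>();
        for (ConnectionSpec spec : client.connectionSpecs()) {
            if (!spec.isTls()) continue; // cleartext specs carry no TLS versions
            List<TlsVersion> versions = spec.tlsVersions();
            if (versions == null) {
                // null means the spec uses whatever versions the SSL socket enables.
                findings.add("TLS versions left to the platform socket defaults");
                continue;
            }
            for (TlsVersion v : versions) {
                if (LEGACY.contains(v)) findings.add(v.javaName() + " is offered");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed clients: library defaults, an explicit opt-in to the
        // compatibility spec, and that spec narrowed to TLS 1.3 / 1.2 only.
        OkHttpClient defaults = new OkHttpClient();
        OkHttpClient compat = new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(ConnectionSpec.COMPATIBLE_TLS))
                .build();
        ConnectionSpec pinned = new ConnectionSpec.Builder(ConnectionSpec.COMPATIBLE_TLS)
                .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
                .build();
        OkHttpClient hardened = new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(pinned))
                .build();
        System.out.println("defaults: " + legacyTlsFindings(defaults));
        System.out.println("compat:   " + legacyTlsFindings(compat));
        System.out.println("hardened: " + legacyTlsFindings(hardened));
    }
}
```

A client that passes this check can still fail against servers that only speak TLSv1 or TLSv1.1, so the audit answers what the app offers, not what every endpoint accepts.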

@AudricV changed the title from "Update OkHttp to 4.x" to "Update OkHttp to 4.10.0" on Jul 22, 2022
Member

@litetex litetex left a comment

Code LGTM

@litetex litetex merged commit dcb332e into TeamNewPipe:dev Jul 24, 2022
@TacoTheDank TacoTheDank deleted the bumpOkhttp branch July 24, 2022 17:52
@opusforlife2
Collaborator

opusforlife2 commented Jul 25, 2022

🙌

Anything interesting in the changelog? Any feature we're getting for free or something?

@TobiGr
Member

TobiGr commented Jul 25, 2022

No features, but a fix. The upgrade comes at the right time. However, we were not affected by the vul, but the incident shows that it's important to not use lib versions which run out of support.

@opusforlife2
Collaborator

I'm surprised there isn't already a long list of known CVEs for the 3.12.13 version we were using.

@Stypox Stypox mentioned this pull request Aug 27, 2022
9 tasks
@opusforlife2 opusforlife2 mentioned this pull request Feb 11, 2023
3 tasks