Replace deprecated request package with Fetch API

[colinrotherham]

I've split this change from #2850 so it's easier to review

The changes resolve 3x vulnerabilities in node-sass and removes this message on install:

npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142

We'll see to check for CSS changes from node-sass@7.01 → node-sass@7.03

I've replaced request() with Fetch API following this approach (until native support arrives in Node.js 17):
https://blog.logrocket.com/fetch-api-node-js/#undici

[36degrees]

Just to check, is there any connection between removing request and bumping node sass? Or is it just that they both alter the lock file so they're lumped in together?

[colinrotherham]

Just to check, is there any connection between removing request and bumping node sass? Or is it just that they both alter the lock file so they're lumped in together?

@36degrees Yeah it's a child dependency that they recently removed:

govuk-frontend-repository@ /path/to/project/govuk-frontend
├─┬ node-sass@7.0.1
│ └── request@2.88.2 deduped
└── request@2.88.2

[colinrotherham]

Rebased with #2857 and rebuilt package-lock.json

[36degrees]

Yeah it's a child dependency that they recently removed

Just to flag as this confused me – although request has been removed in node-sass' master branch it looks like v7.0.3 was released from a hotfix branch that is currently 17 commits behind master and still includes request.

➜ npm ls request                   
govuk-frontend-repository@ /Users/oliver.byford/Code/govuk-frontend
└─┬ node-sass@7.0.3
  └── request@2.88.2

It looks like this is because 7.0.2 broke compatibility with Node 16 and so they yanked the release and released 7.0.3 as a hotfix.

[36degrees]

Looks like #2856 also bumps node-sass – do you have a preference re either merging that and rebasing this, or closing Dependabot's PR in favour of this one?

[colinrotherham]

@36degrees I'm happy with this PR, and let the Dependabot one auto-close. Thanks for checking

[colinrotherham]

@36degrees Good spot on the hot fix branch though

I've updated my commit message to say "Begin removing"

If you can review? Thanks

[36degrees]

I haven't used undici before – from a quick look at their docs it looks like there's some best practise for using it in tests which suggest reducing the keep alive timeouts, which we may want to consider.

Otherwise I'm happy with these changes 👍🏻

[36degrees]

Actually, just a thought – given the node-sass change is now unrelated is it worth backing that change out? Dependabot has a PR open for it anyway which we can use and it should automatically rebase 🤷🏻

[colinrotherham]

@36degrees Yeah course, your call. I'll rebase after

[colinrotherham]

@36degrees Thanks for the link on this bit, hopefully keeps the test runs short and sweet

Ready to review again now