security issue in request client library

[stefreak]

Describe the bug
Dependabot reports this issue for us:
Server-Side Request Forgery in Request

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The request package is no longer supported by the maintainer.

Additional context
We need to switch to using a different HTTP client library. One possible solution might be to use the fetch API.

[stefreak]

There seem to be issues already for this, namely #414 and #754

[mstruebing]

There is the release-1.x branch which reimplements the client with the fetch API instead of request.
If you want to try it there is an RC out there: https://www.npmjs.com/package/@kubernetes/client-node?activeTab=versions

1.0.0-rc3 which you could try to use.

[brendandburns]

Though this is a client library for Kubernetes, and if your Kubernetes server is compromised, you have bigger problems than someone triggering an SSRF.

But @mstruebing is correct, the release-1.x branch moves to fetch. Eventually we'll move it from RC to the real release.

Closing this issue since this is covered elsewhere.