@webex/http-core uses deprecated request package with critical security vulnerabilities #4677

@3copelan

Description

Describe the bug

The @webex/http-core package (v3.11.0) depends on the deprecated request package (v2.88.2), which has not been maintained since February 2020 and contains multiple known security vulnerabilities.

| Package | Severity | CVE/Advisory | Description |
|---|---|---|---|
| request | Moderate | GHSA-p8p7-x288-28g6 | SSRF via cross-protocol redirect |
| form-data (<2.5.4) | Critical | GHSA-fjxv-7rqg-78g4 | Unsafe random function for boundary |
| tough-cookie | Moderate | GHSA-72xf-g2v4-qvf3 | Prototype pollution |
| qs (<6.14.0) | High | GHSA-6fqm-j4vh-chwr | DoS via memory exhaustion |

To Reproduce

  1. Create a new Node.js project
  2. Run `npm install webex@3.11.0`
  3. Run `npm audit`
  4. See multiple vulnerabilities reported from `request` and its transitive dependencies

Expected behavior

The SDK should use a maintained HTTP client without known security vulnerabilities.

Screenshots

N/A - This is a dependency vulnerability issue.

Platform (please complete the following information):

  • OS: Windows 11 / Linux
  • Browser: N/A (Node.js SDK)
  • Version: webex@3.11.0, Node.js 20.x
  • Device Type: Desktop

Additional context

Dependency chain:

```
webex@3.11.0
└── @webex/internal-plugin-calendar
    └── @webex/internal-plugin-conversation
        └── @webex/helper-image
            └── @webex/http-core@3.11.0
                └── request@2.88.2 (DEPRECATED)
                    ├── form-data@2.3.3 (CRITICAL CVE)
                    ├── tough-cookie@2.5.0 (CVE)
                    └── qs@6.5.3 (CVE)
```

The request package was officially deprecated in February 2020: request/request#3142

This blocks security-conscious organizations from using the SDK in production environments that require vulnerability-free dependencies.
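An added example, not part of the issue above or of the webex SDK's own code, showing how to confirm a chain like the one reported without network access: it walks an npm lockfile (the `lockfileVersion` 2/3 `packages` map), lists every chain from the project root to a target package, marks deprecated packages, and flags installed copies that are older than an advisory's patched version. The lockfile fragment is constructed to mirror the chain in the issue; the root's own `qs@6.14.0`, the `request` deprecation message and the `repro` project name are assumptions made for the sample, and the patched versions in `ADVISORIES` are the two the issue's table states (the other two advisories give no version bound there and are left out rather than guessed). `versionLess` is a simplified numeric comparison, not a full semver implementation.

```javascript
// Added example (not from the issue or the webex SDK): find every dependency
// chain from a project root to a target package in an npm lockfile
// (lockfileVersion 2/3 "packages" map) and flag copies older than an
// advisory's patched version. Resolution follows Node's rule: the nearest
// node_modules directory walking up from the dependent package.

// Constructed lockfile fragment mirroring the chain reported in the issue.
// The root's own qs@6.14.0 is an assumption, added to show why a hoisted,
// patched copy at the root does not fix the nested copy under request.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "repro", dependencies: { webex: "3.11.0", qs: "^6.14.0" } },
    "node_modules/webex": { version: "3.11.0", dependencies: { "@webex/internal-plugin-calendar": "3.11.0" } },
    "node_modules/@webex/internal-plugin-calendar": { version: "3.11.0", dependencies: { "@webex/internal-plugin-conversation": "3.11.0" } },
    "node_modules/@webex/internal-plugin-conversation": { version: "3.11.0", dependencies: { "@webex/helper-image": "3.11.0" } },
    "node_modules/@webex/helper-image": { version: "3.11.0", dependencies: { "@webex/http-core": "3.11.0" } },
    "node_modules/@webex/http-core": { version: "3.11.0", dependencies: { request: "^2.88.2" } },
    "node_modules/request": {
      version: "2.88.2",
      deprecated: "request has been deprecated", // constructed message
      dependencies: { "form-data": "~2.3.2", "tough-cookie": "~2.5.0", qs: "~6.5.2" },
    },
    "node_modules/request/node_modules/qs": { version: "6.5.3" }, // nested, unpatched copy
    "node_modules/form-data": { version: "2.3.3" },
    "node_modules/tough-cookie": { version: "2.5.0" },
    "node_modules/qs": { version: "6.14.0" }, // hoisted, patched copy (assumed)
  },
};

// Resolve depName as Node would from the package installed at fromPath:
// try fromPath/node_modules/depName, then each ancestor's node_modules.
function resolveDep(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root; returns each chain ending at targetName as
// "name@version" segments joined by " > ", with deprecated packages marked.
function findChains(lock, targetName) {
  const chains = [];
  const seen = new Set([""]); // paths on the current walk, to cut cycles
  function walk(pkgPath, chain) {
    const deps = lock.packages[pkgPath].dependencies || {};
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDep(lock, pkgPath, depName);
      if (!depPath || seen.has(depPath)) continue; // unresolved or a cycle
      const dep = lock.packages[depPath];
      const next = chain.concat(`${depName}@${dep.version}${dep.deprecated ? " (DEPRECATED)" : ""}`);
      if (depName === targetName) chains.push(next.join(" > "));
      seen.add(depPath);
      walk(depPath, next);
      seen.delete(depPath);
    }
  }
  walk("", []);
  return chains;
}

// Simplified numeric semver comparison (no pre-release tags); for real
// lockfiles use the semver package's satisfies() against the advisory range.
function versionLess(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Patched versions as stated in the issue's table; the two advisories without
// a version bound there are omitted rather than guessed.
const ADVISORIES = [
  { name: "form-data", fixedIn: "2.5.4", id: "GHSA-fjxv-7rqg-78g4", severity: "critical" },
  { name: "qs", fixedIn: "6.14.0", id: "GHSA-6fqm-j4vh-chwr", severity: "high" },
];

// Every installed copy (nested ones included) older than its patched version.
function findVulnerable(lock, advisories) {
  const hits = [];
  for (const [pkgPath, pkg] of Object.entries(lock.packages)) {
    if (!pkgPath) continue; // skip the root project itself
    const name = pkgPath.slice(pkgPath.lastIndexOf("node_modules/") + "node_modules/".length);
    for (const adv of advisories) {
      if (adv.name === name && versionLess(pkg.version, adv.fixedIn)) {
        hits.push({ path: pkgPath, version: pkg.version, advisory: adv.id, severity: adv.severity });
      }
    }
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(findChains(SAMPLE_LOCK, "request").join("\n"));
  console.log(findVulnerable(SAMPLE_LOCK, ADVISORIES));
}
```

For a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The point the nested `qs` makes is the one `npm audit` output can hide in a long report: a patched copy at the root of `node_modules` satisfies only the packages that resolve to it, so the `~6.5.2` range pinned by `request` keeps an unpatched copy installed underneath it until `request` itself is replaced.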
