replace request dependency with got to install the right native package

[shiftkey]

CVE-2018-3737 was raised against a project I maintain because of this dependency chain:

sshpk <- http-signature <- request <- dugite

request is a very featured library but I don't think we have a need for most of what it's doing, particular when it's pulling in a dependency like sshpk.

I would be interested in migrating this library to use got, which is a simpler library, based on what the Electron team do inside electron-download.

[shiftkey]

request has just been marked as "done" and will only be considering bugfixes and security fixes from here on: request/request#3142

[j-f1]

When I need to do HTTP requests in Node, I use node-fetch or isomorphic-fetch since the fetch API is pretty easy to use and it’s supported in the browser too.

[shiftkey]

@j-f1 i'm essentially looking for something that's got as few dependencies as possible to achieve the job of downloading an archive - it's a dependency only because we need it to install the right native package, but after that it's not needed for any functionality within dugite. With that in mind, node-fetch does look like a good candidate.