
Drop deprecated punycode dependency via whatwg-url override #8

Open
dweinber wants to merge 1 commit into main from fix/drop-punycode-dependency

@dweinber
Member

@dweinber dweinber commented Apr 29, 2026

Summary

Every CLI invocation printed a Node `DEP0040` deprecation warning:

```
(node:NNN) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
```

The warning leaks into every command's stderr and clutters scripted output.

Root cause

The warning comes from the SDK's transitive dependency chain:

```
@bitmovin/api-sdk → isomorphic-fetch → node-fetch@2 → whatwg-url@5 → tr46@0.0.3
```

Both `whatwg-url@5/lib/url-state-machine.js` and `tr46@0.0.3/index.js` do `require("punycode")` without the trailing slash, which Node resolves to the deprecated builtin instead of the userland package.

Changes

Add an npm override pinning `whatwg-url` to `^14.0.0`. `whatwg-url@14` brings `tr46@5+` which uses `require("punycode/")` (forcing the userland package), so the warning disappears at its source rather than being silenced.

The SDK does not call into `whatwg-url` APIs directly — it only loads transitively through `node-fetch` for URL parsing — so the major-version bump is safe.

Verification

  • All 108 tests pass.
  • No `DEP0040` warning on any invocation (`bitmovin --version`, `bitmovin encoding outputs list`, `npm test`).
  • Verified end-to-end against the real API: `bitmovin encoding outputs list` returns the expected output cleanly.

Test plan

  • CI green
  • No `DEP0040` deprecation warning on any CLI invocation
  • Real API calls still succeed

Every CLI invocation printed:
  DeprecationWarning: The `punycode` module is deprecated.

Traced to the SDK's transitive chain:
  @bitmovin/api-sdk → isomorphic-fetch → node-fetch@2 → whatwg-url@5
                                                       → tr46@0.0.3
Both whatwg-url@5 and tr46@0.0.3 do `require("punycode")` without the
trailing slash, which Node resolves to the deprecated builtin.

Add an npm override pinning whatwg-url to ^14.0.0. whatwg-url@14
pulls in tr46@5+ which uses `require("punycode/")` (forcing the
userland package and silencing the warning). The SDK does not call
into whatwg-url APIs directly — it only loads it transitively for
URL parsing inside node-fetch — so the major-version bump is safe.

Verified: SDK still talks to the API, all 108 tests still pass, no
DEP0040 warning on any CLI invocation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dweinber dweinber requested a review from lukaskroepfl April 29, 2026 11:42
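
One way to confirm from the lockfile that the override described above took effect, as an added example that is not part of this PR or the project's code. The sample lockfile, the `legacy-dep` package, and the function names are constructed for illustration; the version floors come from the PR description.

```javascript
// Constructed sample in the package-lock.json v3 shape: the "packages" map is
// keyed by install path. Versions here are illustrative, not the PR's lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-cli" },
    "node_modules/node-fetch": { version: "2.7.0" },
    "node_modules/whatwg-url": { version: "14.0.0" },
    "node_modules/tr46": { version: "5.0.0" },
    // Constructed entry standing in for a copy that is still below the floor.
    "node_modules/legacy-dep/node_modules/whatwg-url": { version: "5.0.0" },
  },
};

// Floors taken from the PR text: whatwg-url ^14 and tr46 5+.
const MIN_MAJOR = { "whatwg-url": 14, "tr46": 5 };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root entry "" -> null.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? null : installPath.slice(i + marker.length);
}

// Returns every installed copy (hoisted or nested) below its required major.
function auditLock(lock, minMajor = MIN_MAJOR) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(installPath);
    if (!name || !Object.hasOwn(minMajor, name) || !meta.version) continue;
    const major = Number.parseInt(meta.version.split(".")[0], 10);
    if (Number.isNaN(major) || major < minMajor[name]) {
      findings.push({ path: installPath, name, version: meta.version });
    }
  }
  return findings;
}

console.log(auditLock(SAMPLE_LOCK));
```

To run it against a real tree, pass the parsed contents of `package-lock.json` to `auditLock` and fail CI when the result is non-empty.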
@lukaskroepfl
Member

Root-cause diagnosis is correct and the fix is at the right layer. One compatibility concern I'd like verified before merging.

Concern: whatwg-url@5 → 14 is a large API jump under node-fetch@2

node-fetch@2 calls into whatwg-url for Request/URL parsing. The exports surface and behavior between v5 and v14 are not identical (constructor exports, URL vs URLImpl shapes, URLSearchParams semantics around special chars and IDN). The npm overrides mechanism forces this swap without node-fetch knowing. The smoke tests (--version, outputs list, real API call) are fine for the happy path but won't catch URL-edge cases.

Before merging, please run a request through the SDK that exercises:

  • A URL with a non-ASCII domain (the actual reason punycode/tr46 exist), e.g. an input/output URL with an IDN host.
  • A URL with reserved/percent-encoded characters in the path or query (e.g. signed S3 URLs with +, =, encoded slashes).

If those round-trip cleanly, this is a clean win. If not, an alternative path is bumping @bitmovin/api-sdk to a version that uses native fetch (Node 18+) and dropping isomorphic-fetch/node-fetch from the dep tree entirely.

Other notes

  • package-lock.json flips punycode from dev to runtime — consistent with the new tr46@5 runtime dep, looks intentional and correct.
  • Engine >=20 already shipped in 0fdbf75, so no extra concern there.
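
A sketch of the IDN and percent-encoding round-trip checks requested in the review above, as an added example that is not code from this PR or from the SDK. The URLs, hosts, and signature values are constructed, and `checkUrlRoundTrip` is a hypothetical helper; it defaults to Node's built-in WHATWG `URL` and accepts another constructor (for instance the `URL` export of the overridden `whatwg-url`, assumed to follow the same interface) for comparison.

```javascript
// Constructed cases; expected values follow the WHATWG URL Standard.
const CASES = [
  {
    name: "IDN host is serialized in punycode (ASCII) form",
    input: "https://b\u00fccher.example/outputs/video.mp4", // host: bücher.example
    expect: {
      hostname: "xn--bcher-kva.example",
      href: "https://xn--bcher-kva.example/outputs/video.mp4",
    },
  },
  {
    name: "encoded slash in path and +, = in query survive serialization",
    input: "https://bucket.example/in%2Fclip.mp4?X-Sig=ab%2Bcd%3D&token=a+b=",
    expect: {
      pathname: "/in%2Fclip.mp4",
      search: "?X-Sig=ab%2Bcd%3D&token=a+b=",
      href: "https://bucket.example/in%2Fclip.mp4?X-Sig=ab%2Bcd%3D&token=a+b=",
    },
  },
];

// Returns a list of mismatches; an empty list means every case round-tripped.
function checkUrlRoundTrip(URLImpl = globalThis.URL, cases = CASES) {
  const failures = [];
  for (const c of cases) {
    let url;
    try {
      url = new URLImpl(c.input);
    } catch (err) {
      failures.push({ name: c.name, field: "constructor", got: String(err) });
      continue;
    }
    for (const [field, want] of Object.entries(c.expect)) {
      if (url[field] !== want) {
        failures.push({ name: c.name, field, want, got: url[field] });
      }
    }
    // Serialization must be stable: parsing the output again changes nothing.
    if (new URLImpl(url.href).href !== url.href) {
      failures.push({ name: c.name, field: "reparse", got: url.href });
    }
  }
  return failures;
}

console.log(checkUrlRoundTrip());
```

This covers the parser in isolation only; the request path through `node-fetch@2` still needs the SDK-level test the review asks for.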

@dweinber
Member Author

I guess the correct fix would be to update/remove that dependency in the @bitmovin/api-sdk (the latest version still uses that dep). Will look into feasibility/effort of that first.

@lukaskroepfl
Member

Agreed — upstream SDK fix is the cleaner path. The override approach in this PR works around the symptom but force-swaps whatwg-url v5→v14 under node-fetch@2, which I'd rather not ship without IDN/percent-encoding verification. Bumping the SDK (or moving it to native fetch) drops isomorphic-fetch / node-fetch from the tree entirely and the deprecation warning goes with them.

Happy to leave this PR open as a reference, or close it once the SDK direction is decided — whichever you prefer.
