fix: Refactor HTTP client usage to utilize truststore for SSL context#128
localden merged 3 commits into github:main from
Conversation
Good job, but I think it would be better if there were an option to skip TLS verification.
This sounds like a reasonable change, but I am curious, as @nomagicln called out: is it better to introduce a new package dependency vs. disable TLS verification altogether? Seems like the latter might be preferred.
Taken @localden @nomagicln, disabling TLS verification altogether is one option. To provide more flexibility, I've implemented the |
@ramusbucket I am more curious if just disabling TLS verification is enough? Seems like the threat vector of doing it is that if you are getting MITM-d, then you may download a bad package from someone that is injecting bad payloads. But even then, the CLI doesn't execute anything and just extracts the content so the risk is somewhat contained. Also, looks like I'll review this PR and we can merge it soon. |
fix: Refactor HTTP client usage to utilize truststore for SSL context
When the `specify` command is run behind a proxy (an enterprise proxy like Zscaler, an anti-virus web scan proxy, etc.), it hangs on the `Fetch latest release` step, saying "contacting GitHub API". This PR fixes that issue by using the local truststore with `httpx`, and makes it work provided Python cert settings are configured according to the proxy provider's documentation. For example: https://help.zscaler.com/zia/adding-custom-certificate-application-specific-trust-store
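As an added example, not the project's own code, the following Python shows the two options weighed in the thread side by side: an `httpx` client whose SSL context comes from the `truststore` package (so a proxy CA installed in the operating system trust store is honoured without extra environment variables), versus an explicit skip-verification switch that disables certificate checking. The helper names `build_ssl_context`, `describe_context` and `fetch_latest_release`, and the lazy optional import of `truststore`, are assumptions for illustration; the `truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` and `httpx.Client(verify=<SSLContext>)` calls are the real library APIs.

```python
import ssl
import warnings

# Optional dependency: https://pypi.org/project/truststore/
# When absent, the example falls back to Python's default CA bundle.
try:
    import truststore
except ImportError:
    truststore = None


def build_ssl_context(skip_tls_verify: bool = False) -> ssl.SSLContext:
    """Return the SSLContext to hand to httpx (hypothetical helper, not the project's).

    With truststore installed, certificate verification uses the OS trust store,
    so a proxy CA imported per the proxy vendor's documentation is trusted.
    skip_tls_verify disables verification entirely, the alternative raised in
    the thread; it is kept separate and loud so it cannot happen by accident.
    """
    if skip_tls_verify:
        warnings.warn(
            "TLS certificate verification disabled; an on-path proxy or attacker "
            "can substitute the downloaded content",
            stacklevel=2,
        )
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    if truststore is not None:
        # Drop-in ssl.SSLContext replacement backed by the OS certificate store.
        return truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return ssl.create_default_context()


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings of a context for logging or a self-check."""
    return {
        "check_hostname": ctx.check_hostname,
        "verifies_certs": ctx.verify_mode == ssl.CERT_REQUIRED,
        "uses_os_truststore": truststore is not None
        and isinstance(ctx, truststore.SSLContext),
    }


def fetch_latest_release(repo: str, skip_tls_verify: bool = False) -> dict:
    """Call the GitHub releases API with an httpx client built from the context above.

    Network call; shown for completeness of the pattern. repo is "owner/name".
    """
    import httpx  # imported lazily so the context helpers work without httpx installed

    ctx = build_ssl_context(skip_tls_verify)
    with httpx.Client(verify=ctx, timeout=30.0) as client:
        resp = client.get(f"https://api.github.com/repos/{repo}/releases/latest")
        resp.raise_for_status()
        return resp.json()


if __name__ == "__main__":
    # Offline self-check of the two contexts; no request is made here.
    print("verified:", describe_context(build_ssl_context()))
    print("skipped: ", describe_context(build_ssl_context(skip_tls_verify=True)))
```

The point of keeping the truststore path as the default and the skip switch as an opt-in is that the verified context still rejects a proxy whose CA was never installed, which is the failure the PR description attributes to the proxy's own setup documentation, while the skip switch silently accepts any certificate and so any substituted download.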