Description
Describe the bug
Code which uses [email protected] triggers a security report, because [email protected] transitively depends on the request package via this chain:
yarn why v1.22.19
[1/4] Why do we have the module "request"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
- "ethereum-waffle#@ethereum-waffle#compiler#@resolver-engine#imports#@resolver-engine#core" depends on it
which in turn is no longer maintained:
request/request#3142
and the resolver-engine package in the middle has been made aware of the request package CVE but does not appear to be reacting:
Crypto-Punkers/resolver-engine#301
hence I suggest moving to a different engine for resolving ... (?)
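The chain quoted above is the kind of path `yarn why` reports. As an added example (not code from the ethereum-waffle, resolver-engine or Dependabot projects), the following Python script walks a constructed dependency graph that mirrors that chain and lists every path from a direct dependency down to a package of interest, rendered in the same `a#b#c` notation yarn uses, so a maintainer can see which direct dependencies would have to be replaced or pinned to drop the transitive dependency. The edge list is an assumption built from the issue's output, not a real lockfile.

```python
"""Find dependency chains from a project's direct dependencies to a given
transitive package, the way `yarn why` reports them.

Added example; not code from the ethereum-waffle or resolver-engine
projects. The dependency graph below is CONSTRUCTED to mirror the chain
quoted in the issue: the package names are real, the edge list is an
assumption, not the actual lockfile."""

from collections import deque

# Constructed edge list: package -> packages it depends on.
# Only the chain relevant to the issue is modelled.
DEP_GRAPH = {
    "<root>": ["ethereum-waffle", "hardhat"],
    "ethereum-waffle": ["@ethereum-waffle/compiler"],
    "@ethereum-waffle/compiler": ["@resolver-engine/imports"],
    "@resolver-engine/imports": ["@resolver-engine/core"],
    "@resolver-engine/core": ["request"],
    "hardhat": [],
    "request": ["tough-cookie"],
    "tough-cookie": [],
}


def find_chains(graph, target, root="<root>"):
    """Return every path root -> ... -> target as a list of package names.
    Breadth-first search, so shorter chains are reported first."""
    chains = []
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            chains.append(path)
            continue
        for dep in graph.get(node, []):
            if dep not in path:  # guard against cycles in the graph
                queue.append(path + [dep])
    return chains


def format_chain(chain):
    """Render a path in yarn's 'a#b#c' notation: the synthetic root is
    dropped and '/' in scoped names becomes '#', as in `yarn why` output."""
    return "#".join(name.replace("/", "#") for name in chain[1:])


def packages_reaching(graph, target, root="<root>"):
    """Direct dependencies whose subtree pulls in `target`: the ones a
    maintainer would need to replace or pin to drop the transitive dep."""
    return sorted({chain[1] for chain in find_chains(graph, target, root)})


if __name__ == "__main__":
    for chain in find_chains(DEP_GRAPH, "tough-cookie"):
        print(format_chain(chain))
    print("direct deps pulling in tough-cookie:",
          packages_reaching(DEP_GRAPH, "tough-cookie"))
```

Run stand-alone, it prints the single chain from ethereum-waffle down to tough-cookie; replacing `DEP_GRAPH` with edges parsed from a real lockfile turns it into a quick audit of which direct dependencies are responsible for a flagged transitive package.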
To Reproduce
Switch on Dependabot in code which uses [email protected] and let it run security checks.
The bottom of the output looks like this:
updater | [email protected] requires tough-cookie@~2.5.0 via a transitive dependency on [email protected]
updater | 2023/09/05 14:28:49 INFO <job_718265214> Dependabot could not find a non-vulnerable version
updater | 2023/09/05 14:28:49 INFO <job_718265214> Finished job processing
updater | 2023/09/05 14:28:49 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +------------------------------+
updater | | Errors |
updater | +------------------------------+
updater | | security_update_not_possible |
updater | +------------------------------+
updater | time="2023-09-05T14:28:49Z" level=info msg="task complete" container_id=job-718265214-updater exit_code=0 job_id=718265214 step=updater
Software versions
- ethereum-waffle version -- 4.0.10
- @nomiclabs/hardhat-waffle -- 2.0.5
- @nomiclabs/hardhat-ethers -- 2.2.3
- hardhat -- 2.17.2
- Package manager -- yarn
- Node version -- v16.20.2