Outdated / unmaintained dependency on request
Describe the bug
Code which uses [email protected] triggers a security report, and it comes down to the fact that [email protected] depends, in the long run, on the request package via this chain:
```
yarn why v1.22.19
[1/4] Why do we have the module "request"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "ethereum-waffle#@ethereum-waffle#compiler#@resolver-engine#imports#@resolver-engine#core" depends on it
```
which in turn has stopped being maintained: https://github.com/request/request/issues/3142
and the package resolver-engine in the middle has been made aware of the request package CVE but doesn't look to be reacting: https://github.com/Crypto-Punkers/resolver-engine/issues/301
hence I suggest moving to a different engine for resolving ... (?)
To Reproduce
Switch on Dependabot in code which uses [email protected] and let it run security checks.
The bottom of the output looks like this:

```
updater | [email protected] requires tough-cookie@~2.5.0 via a transitive dependency on [email protected]
updater | 2023/09/05 14:28:49 INFO <job_718265214> Dependabot could not find a non-vulnerable version
updater | 2023/09/05 14:28:49 INFO <job_718265214> Finished job processing
updater | 2023/09/05 14:28:49 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +------------------------------+
updater | | Errors                       |
updater | +------------------------------+
updater | | security_update_not_possible |
updater | +------------------------------+
updater | time="2023-09-05T14:28:49Z" level=info msg="task complete" container_id=job-718265214-updater exit_code=0 job_id=718265214 step=updater
```
Software versions
- ethereum-waffle version -- 4.0.10
- @nomiclabs/hardhat-waffle -- 2.0.5
- @nomiclabs/hardhat-ethers -- 2.2.3
- hardhat -- 2.17.2
- Package manager -- yarn
- Node version -- v16.20.2