Describe the bug

Code which uses ethereum-waffle@4.0.10 triggers a security report, and it leads to the fact that ethereum-waffle@4.0.10 depends in the long run on the request package via this chain:
```
yarn why v1.22.19
[1/4] Why do we have the module "request"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "request@2.88.2"
info Reasons this module exists
"ethereum-waffle#@ethereum-waffle#compiler#@resolver-engine#imports#@resolver-engine#core" depends on it
```
which in turn has stopped being maintained: https://github.com/request/request/issues/3142

The package resolver-engine in the middle had been made aware of the request package CVE but doesn't look like it is reacting: https://github.com/Crypto-Punkers/resolver-engine/issues/301

Hence I suggest moving to a different engine for resolving ... (?)
To Reproduce

Switch on dependabot in code which uses ethereum-waffle@4.0.10 and let it run security checks. The bottom of the output is like this:
Software versions

ethereum-waffle -- 4.0.10
@nomiclabs/hardhat-waffle -- 2.0.5
@nomiclabs/hardhat-ethers -- 2.2.3
hardhat -- 2.17.2