TrueFiEng / Waffle

Library for writing and testing smart contracts.
https://getwaffle.io
MIT License

outdated / unmaintained dependency on request #834

Open aytvill opened 1 year ago

aytvill commented 1 year ago

**Describe the bug**

Code which uses ethereum-waffle@4.0.10 triggers a security report, and it leads to the fact that ethereum-waffle@4.0.10 depends, in the long run, on the request package via this chain:

```
yarn why v1.22.19
[1/4] Why do we have the module "request"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "request@2.88.2"
info Reasons this module exists
   - "ethereum-waffle#@ethereum-waffle#compiler#@resolver-engine#imports#@resolver-engine#core" depends on it
```

which in turn has stopped being maintained: https://github.com/request/request/issues/3142

and the resolver-engine package in the middle has been made aware of the request package CVE but does not appear to be reacting: https://github.com/Crypto-Punkers/resolver-engine/issues/301

hence I suggest moving to a different engine for resolving ... (?)

**To Reproduce**

Switch on Dependabot in code which uses ethereum-waffle@4.0.10 and let it run security checks.

The bottom of the output is like this:

```
updater | ethereum-waffle@4.0.10 requires tough-cookie@~2.5.0 via a transitive dependency on request@2.88.2
updater | 2023/09/05 14:28:49 INFO Dependabot could not find a non-vulnerable version
updater | 2023/09/05 14:28:49 INFO Finished job processing
updater | 2023/09/05 14:28:49 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +------------------------------+
updater | |            Errors            |
updater | +------------------------------+
updater | | security_update_not_possible |
updater | +------------------------------+
updater | time="2023-09-05T14:28:49Z" level=info msg="task complete" container_id=job-718265214-updater exit_code=0 job_id=718265214 step=updater
```

**Software versions**
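The chain above is what `yarn why` reports for one module at a time. As an added example (not code from the Waffle project or from the issue author), the script below does the same walk over a dependency graph for a whole list of flagged packages, so a maintainer can see every path by which an unmaintained or vulnerable package reaches the install and which edge would have to change to cut it. The graph is constructed by hand from the chain quoted in the issue; `my-app` and `example-client` are invented packages, the flagged-package list is a constructed policy rather than a real advisory feed, and the reasons given are the issue's own observations.

```javascript
// Added example: "yarn why"-style dependency path finder with a flagged-package audit.
// The graph and the flagged list are constructed sample data, not read from a lockfile.

// Adjacency list: package -> packages it depends on (constructed from the issue's chain;
// "my-app" and "example-client" are invented to give a root and a second path).
const constructedGraph = {
  'my-app': ['ethereum-waffle', 'example-client'],
  'ethereum-waffle': ['@ethereum-waffle/compiler'],
  '@ethereum-waffle/compiler': ['@resolver-engine/imports'],
  '@resolver-engine/imports': ['@resolver-engine/core'],
  '@resolver-engine/core': ['request'],
  'request': ['tough-cookie'],
  'example-client': ['tough-cookie'], // invented second consumer of tough-cookie
  'tough-cookie': [],
};

// Packages a defender wants to know about, and why (constructed policy; the reasons
// restate what the issue reports, they are not an advisory lookup).
const flaggedPackages = {
  'request': 'deprecated upstream, no longer maintained',
  'tough-cookie': 'pinned to ~2.5.0 via request@2.88.2; Dependabot finds no fix',
};

// Depth-first search returning every simple path from root to target.
// `onPath` holds the packages on the current path so a cyclic graph cannot loop.
function findDependencyPaths(graph, root, target) {
  const results = [];
  function walk(node, path, onPath) {
    if (node === target) {
      results.push([...path]); // copy: `path` is mutated as we backtrack
      return;
    }
    for (const dep of graph[node] || []) {
      if (onPath.has(dep)) continue; // cycle guard
      onPath.add(dep);
      path.push(dep);
      walk(dep, path, onPath);
      path.pop();
      onPath.delete(dep);
    }
  }
  walk(root, [root], new Set([root]));
  return results;
}

// Render a path the way `yarn why` prints it: "a#b#c".
function formatWhy(path) {
  return path.join('#');
}

// For each flagged package reachable from root, return the reason and every chain
// that pulls it in. Flagged packages that are not reachable are omitted, so the
// report lists only what actually ends up in the install.
function auditGraph(graph, root, flagged) {
  const findings = [];
  for (const [pkg, reason] of Object.entries(flagged)) {
    const paths = findDependencyPaths(graph, root, pkg);
    if (paths.length === 0) continue;
    findings.push({ package: pkg, reason, chains: paths.map(formatWhy) });
  }
  return findings;
}

// Print a human-readable report when run directly (node audit.js).
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditGraph(constructedGraph, 'my-app', flaggedPackages)) {
    console.log(`${f.package}: ${f.reason}`);
    for (const chain of f.chains) console.log(`  via ${chain}`);
  }
}
```

The report shows that `request` is reachable only through the resolver-engine chain, while `tough-cookie` has two routes in; replacing one direct dependency does not remove a flagged package unless every chain to it is gone, which is exactly why Dependabot reports `security_update_not_possible` when the fix would have to land in a transitive dependency it cannot bump.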