6 high severity vulnerabilities in @openzeppelin/hardhat-upgrades: ^3.1.1

When I try to start a repo with the latest version of @openzeppelin/hardhat-upgrades, I get 6 high security alerts.

When I try to fix it with npm audit by forcing, the proposed solution is to downgrade the library to version 2.1.1:

Will install @openzeppelin/hardhat-upgrades@2.1.1, which is a breaking change
node_modules/@ethersproject/providers/node_modules/ws
  @ethersproject/providers <=5.7.2
  Depends on vulnerable versions of ws
  node_modules/@ethersproject/providers
    ethers 5.0.0-beta.119 - 5.7.2
    Depends on vulnerable versions of @ethersproject/providers
    node_modules/@openzeppelin/defender-admin-client/node_modules/ethers
    node_modules/eth-gas-reporter/node_modules/ethers
      @openzeppelin/defender-admin-client *
      Depends on vulnerable versions of ethers
      node_modules/@openzeppelin/defender-admin-client
        @openzeppelin/hardhat-upgrades >=2.2.0
        Depends on vulnerable versions of @openzeppelin/defender-admin-client
        node_modules/@openzeppelin/hardhat-upgrades
      eth-gas-reporter >=0.2.26
      Depends on vulnerable versions of ethers
      node_modules/eth-gas-reporter

6 high severity vulnerabilities

  "devDependencies": {
    "@nomicfoundation/hardhat-toolbox": "^5.0.0",
    "hardhat": "^2.22.4"
  },
  "dependencies": {
    "@openzeppelin/contracts-upgradeable": "^5.0.2",
    "@openzeppelin/hardhat-upgrades": "^2.1.1",
    "dotenv": "^16.4.5",
    "ethers": "^6.13.0"
  }

Even so, serious vulnerabilities remain:

fix available via `npm audit fix`
node_modules/@ethersproject/providers/node_modules/ws
  @ethersproject/providers  <=5.7.2
  Depends on vulnerable versions of ws
  node_modules/@ethersproject/providers
    ethers  5.0.0-beta.119 - 5.7.2
    Depends on vulnerable versions of @ethersproject/providers
    node_modules/eth-gas-reporter/node_modules/ethers
      eth-gas-reporter  >=0.2.26
      Depends on vulnerable versions of ethers
      node_modules/eth-gas-reporter

4 high severity vulnerabilities

With such a low version of openzeppelin/hardhat-upgrades will it not affect the manifest of the contracts?

What would be the most stable and suitable configuration for an upgradeable contract project?
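As an added example (not code from the issue, its maintainers or OpenZeppelin), a small Node.js triage script for the situation described above: it reads the `npm audit --json` report together with package.json and shows, for the ws advisory chain, which direct dependencies are reached at runtime versus only through dev tooling, and whether the offered fix is the breaking downgrade to 2.1.1. The audit report and package.json it uses are constructed to mirror the issue, and the nested ethers 5 versus top-level ethers 6 distinction is resolved with npm's `isDirect` flag rather than by package name.

```javascript
// Added triage helper, not code from the issue or from OpenZeppelin. Input is the
// object printed by `npm audit --json` (npm v7+ field names) plus package.json;
// for each root advisory it follows `effects` up to the direct dependencies reached.
function triageAudit(report, pkg) {
  const vulns = report.vulnerabilities;
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  // Walk `effects` upward until a node npm marks as direct. The nested ethers 5 under
  // defender-admin-client is not direct even though ethers 6 is, so trust `isDirect`.
  function directDependents(name, seen) {
    if (seen.has(name) || !vulns[name]) return [];
    seen.add(name);
    if (vulns[name].isDirect) return [name];
    return vulns[name].effects.flatMap((e) => directDependents(e, seen));
  }
  const findings = [];
  for (const entry of Object.values(vulns)) {
    // Root advisories carry objects in `via`; mere dependents carry only names.
    const advisories = entry.via.filter((v) => typeof v === 'object');
    if (advisories.length === 0) continue;
    const reached = [...new Set(directDependents(entry.name, new Set()))].sort();
    const fix = entry.fixAvailable;
    findings.push({
      package: entry.name,
      titles: advisories.map((a) => a.title),
      runtimeExposure: reached.filter((d) => prod.has(d)),
      devOnlyExposure: reached.filter((d) => dev.has(d) && !prod.has(d)),
      fix: fix === true ? 'non-breaking fix via npm audit fix' : fix === false ? 'no fix available'
        : `${fix.isSemVerMajor ? 'BREAKING: ' : ''}install ${fix.name}@${fix.version}`,
    });
  }
  return findings;
}
// Constructed sample mirroring the chain shown in the issue (not real npm output).
const downgrade = { name: '@openzeppelin/hardhat-upgrades', version: '2.1.1', isSemVerMajor: true };
const mk = (name, via, effects, isDirect = false) => ({ name, isDirect, via, effects, fixAvailable: downgrade });
const sampleReport = { vulnerabilities: {
  ws: mk('ws', [{ title: 'constructed ws advisory', severity: 'high' }], ['@ethersproject/providers']),
  '@ethersproject/providers': mk('@ethersproject/providers', ['ws'], ['ethers']),
  ethers: mk('ethers', ['@ethersproject/providers'], ['@openzeppelin/defender-admin-client', 'eth-gas-reporter']),
  '@openzeppelin/defender-admin-client': mk('@openzeppelin/defender-admin-client', ['ethers'], ['@openzeppelin/hardhat-upgrades']),
  '@openzeppelin/hardhat-upgrades': mk('@openzeppelin/hardhat-upgrades', ['@openzeppelin/defender-admin-client'], [], true),
  'eth-gas-reporter': mk('eth-gas-reporter', ['ethers'], ['@nomicfoundation/hardhat-toolbox']),
  '@nomicfoundation/hardhat-toolbox': mk('@nomicfoundation/hardhat-toolbox', ['eth-gas-reporter'], [], true),
} };
const samplePkg = { devDependencies: { '@nomicfoundation/hardhat-toolbox': '^5.0.0', hardhat: '^2.22.4' },
  dependencies: { '@openzeppelin/hardhat-upgrades': '^3.1.1', ethers: '^6.13.0' } };
console.log(JSON.stringify(triageAudit(sampleReport, samplePkg), null, 2));
```

Run against a real project with `npm audit --json > audit.json` and pass the parsed file and package.json in place of the constructed objects.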

See comment in https://github.com/OpenZeppelin/openzeppelin-upgrades/issues/1039#issuecomment-2179424575