When I try to start a repo with the latest version of @openzeppelin/hardhat-upgrades, I get 6 high security alerts.
When I try to fix it with npm audit by forcing, the solution is to downgrade the library to version 2.1.1:
```
Will install @openzeppelin/hardhat-upgrades@2.1.1, which is a break change
node_modules/@ethersproject/providers/node_modules/ws
  @ethersproject/providers <=5.7.2
  Depends on vulnerable versions of ws
  node_modules/@ethersproject/providers
    ethers 5.0.0-beta.119 - 5.7.2
    Depends on vulnerable versions of @ethersproject/providers
    node_modules/@openzeppelin/defender-admin-client/node_modules/ethers
    node_modules/eth-gas-reporter/node_modules/ethers
      @openzeppelin/defender-admin-client *
      Depends on vulnerable versions of ethers
      node_modules/@openzeppelin/defender-admin-client
        @openzeppelin/hardhat-upgrades >=2.2.0
        Depends on vulnerable versions of @openzeppelin/defender-admin-client
        node_modules/@openzeppelin/hardhat-upgrades
      eth-gas-reporter >=0.2.26
      Depends on vulnerable versions of ethers
      node_modules/eth-gas-reporter

6 high severity vulnerabilities
```
```json
"devDependencies": {
  "@nomicfoundation/hardhat-toolbox": "^5.0.0",
  "hardhat": "^2.22.4"
},
"dependencies": {
  "@openzeppelin/contracts-upgradeable": "^5.0.2",
  "@openzeppelin/hardhat-upgrades": "^2.1.1",
  "dotenv": "^16.4.5",
  "ethers": "^6.13.0"
}
```
Even so, serious vulnerabilities are still present:

```
fix available via `npm audit fix`
node_modules/@ethersproject/providers/node_modules/ws
  @ethersproject/providers <=5.7.2
  Depends on vulnerable versions of ws
  node_modules/@ethersproject/providers
    ethers 5.0.0-beta.119 - 5.7.2
    Depends on vulnerable versions of @ethersproject/providers
    node_modules/eth-gas-reporter/node_modules/ethers
      eth-gas-reporter >=0.2.26
      Depends on vulnerable versions of ethers
      node_modules/eth-gas-reporter

4 high severity vulnerabilities
```
With such a low version of @openzeppelin/hardhat-upgrades, won't it affect the manifest of the contracts?
What would be the most stable and suitable configuration for an upgradeable contract project?
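As an added example (not from the original post), a small Node.js script that triages an `npm audit --json` report like the one quoted above: it separates the single root advisory (`ws`) from the packages flagged only because they depend on it, and walks each chain up to the packages you actually install, which is what decides whether a downgrade or override in package.json changes anything. The report embedded in the script is constructed by hand to mirror the quoted output; the advisory title and range are placeholders.

```javascript
// Added example: triage an `npm audit --json` report (auditReportVersion 2).
// SAMPLE_AUDIT is constructed to mirror the audit output in the question;
// advisory title and range are placeholders, package names are from that output.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    ws: { name: 'ws', isDirect: false, effects: ['@ethersproject/providers'],
      via: [{ name: 'ws', title: '<placeholder advisory>', severity: 'high', range: '<placeholder range>' }] },
    '@ethersproject/providers': { name: '@ethersproject/providers', isDirect: false, via: ['ws'], effects: ['ethers'], range: '<=5.7.2' },
    ethers: { name: 'ethers', isDirect: false, via: ['@ethersproject/providers'],
      effects: ['@openzeppelin/defender-admin-client', 'eth-gas-reporter'], range: '5.0.0-beta.119 - 5.7.2' },
    '@openzeppelin/defender-admin-client': { name: '@openzeppelin/defender-admin-client', isDirect: false,
      via: ['ethers'], effects: ['@openzeppelin/hardhat-upgrades'], range: '*' },
    '@openzeppelin/hardhat-upgrades': { name: '@openzeppelin/hardhat-upgrades', isDirect: true,
      via: ['@openzeppelin/defender-admin-client'], effects: [], range: '>=2.2.0' },
    'eth-gas-reporter': { name: 'eth-gas-reporter', isDirect: false, via: ['ethers'], effects: [], range: '>=0.2.26' },
  },
};

// Root advisories: entries where some `via` item is an advisory object rather
// than the name (a string) of another vulnerable package.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities)
    .filter(v => v.via.some(x => typeof x === 'object'))
    .map(v => v.name);
}

// Every chain from `name` upward through `effects`; an empty `effects` list ends
// the chain. `seen` guards against a malformed report with a cycle.
function impactPaths(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name) || entry.effects.length === 0) return [[name]];
  const next = new Set(seen).add(name);
  return entry.effects.flatMap(e => impactPaths(report, e, next).map(p => [name, ...p]));
}

// For each root advisory: the chains, the packages at the top of each chain, and
// which of those are direct dependencies (the ones package.json can address).
function triage(report) {
  return rootAdvisories(report).map(root => {
    const paths = impactPaths(report, root);
    const tops = [...new Set(paths.map(p => p[p.length - 1]))];
    return { root, paths, tops, direct: tops.filter(t => report.vulnerabilities[t].isDirect) };
  });
}

// With a real report: `npm audit --json > audit.json`, then pass
// JSON.parse(require('fs').readFileSync('audit.json', 'utf8')) to triage().
console.log(JSON.stringify(triage(SAMPLE_AUDIT), null, 2));
```

On the quoted tree this reports one root advisory (`ws`) reaching two top-level packages, of which only `@openzeppelin/hardhat-upgrades` is a direct dependency; `eth-gas-reporter` arrives through the toolbox and is dev-only tooling.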