Allow minor/patch version updates for web3-provider-engine?

[brianlenz]

Is there are reason web3-provider-engine needs to be fixed at 16.0.1 without allowing minor/patch version updates?

https://github.com/WalletConnect/walletconnect-monorepo/blob/v1.0/packages/providers/web3-provider/package.json#L71

It would be great if this used ^16.0.1 so that security updates can be applied. For example, there is currently a security vulnerability in web3-provider-engine:

GHSA-r683-j2x4-v87g

Ideally, web3-provider-engine will push an update to address this:

MetaMask/web3-provider-engine#401
MetaMask/web3-provider-engine#404

Without allowing at least patch updates to web3-provider-engine, the security vulnerability can't be mitigated, even once it's addressed in the underlying library.

[finessevanes]

@brianlenz is this still an issue?

[brianlenz]

@finessevanes, honestly, I'm not sure. I can see that the v1.0 link referenced above still has the issue, but it looks like the repository changed pretty dramatically in v2.0 (which I've not used), so I can't comment on whether it's an issue there or not...