Skip to content

refactor(deps): replace createx with direct openzeppelin dependency#174

Merged
iap merged 6 commits into
devfrom
refactor/remove-createx-dependency
May 20, 2026
Merged

refactor(deps): replace createx with direct openzeppelin dependency#174
iap merged 6 commits into
devfrom
refactor/remove-createx-dependency

Conversation

@iap

@iap iap commented May 20, 2026

Copy link
Copy Markdown
Contributor

Summary

Replace nested CreateX → OpenZeppelin dependency with direct OpenZeppelin v5.1.0 submodule.

Changes

  • Install OpenZeppelin v5.1.0 as direct git submodule
  • Remove createx dependency (only used for nested OZ)
  • Remove unused DeployUtils.sol library
  • Update remappings: @openzeppelin/=lib/openzeppelin-contracts/
  • Consolidate all remappings to foundry.toml
  • Remove root remappings.txt to avoid conflicts
  • Add forge-std/ remapping for completeness

Benefits

  • ✅ Smaller dependency tree (3 deps instead of 4)
  • ✅ Direct control over OpenZeppelin version
  • ✅ No nested dependencies
  • ✅ Single source of truth for remappings

Verification

cd contracts
forge clean
forge build  # ✅ Success
forge test   # ✅ 159 tests passed

Dependencies

Before:

lib/
├── createx/
│   └── lib/openzeppelin-contracts/  ← nested
├── forge-std/
└── interop-lib/

After:

lib/
├── forge-std/
├── interop-lib/
└── openzeppelin-contracts/  ← direct

Risk Assessment

  • Low risk: Only dependency management changes
  • No contract logic modified
  • All tests pass
  • Build verified

Summary by CodeRabbit

  • Documentation
    • Redesigned README with streamlined quick start and documentation hub focus
    • Added new documentation index for organized navigation across guides
    • Enhanced deployment verification instructions with Sourcify-based option
    • Updated gas monitoring guidance with improved tooling references
    • Improved changelog organization

Review Change Stack

iap added 5 commits May 19, 2026 21:13
- Fix: Remove outdated .nvmrc reference in README (now using mise)
- Fix: Update PoseidonT3.sol Solidity version from ^0.8.24 to ^0.8.25
- Docs: Update CHANGELOG with recent merged PRs (#170, #169, #168, #163)
- Refactor: Move documentation to docs/ directory for better organization
  - CONTRIBUTING.md -> docs/CONTRIBUTING.md
  - BRANCHING.md -> docs/BRANCHING.md
  - DEPLOYMENT.md -> docs/DEPLOYMENT.md
  - TROUBLESHOOTING.md -> docs/TROUBLESHOOTING.md
  - Copy THREAT_MODEL.md, KNOWN_ISSUES.md, ARCHITECTURE.md to docs/
- Update README links to reflect new docs/ structure
- Add evm_version = "paris" to foundry.toml
- Ensures bytecode compatibility with Optimism Superchain
- Paris is the EVM version used by OP Mainnet and OP Sepolia
- All 148 tests pass with Paris EVM
- Install OpenZeppelin v5.1.0 as direct git submodule
- Remove createx dependency (only used for nested OZ)
- Remove unused DeployUtils.sol library
- Update remappings: @openzeppelin/=lib/openzeppelin-contracts/
- Consolidate all remappings to foundry.toml
- Remove root remappings.txt to avoid conflicts
- Add forge-std/ remapping for completeness
- Clean forge cache and verify build

Benefits:
- Smaller dependency tree (3 deps instead of 4)
- Direct control over OpenZeppelin version
- No nested dependencies
- Single source of truth for remappings

Verified:
- forge build: success
- forge test: 159 tests passed
@iap iap requested a review from a team as a code owner May 20, 2026 12:49
@github-actions

github-actions Bot commented May 20, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/DEPLOYMENT.md`:
- Line 488: The command uses an undefined env var $RPC; replace it with the
documented MAINNET RPC env var $MAINNET_RPC so the command reads use MAINNET_RPC
consistently (update the line containing "cast gas-price --rpc-url $RPC" to
reference $MAINNET_RPC) and verify other occurrences in docs/DEPLOYMENT.md
follow the same $MAINNET_RPC convention.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0686d551-0185-4425-af4f-3d54f6b5bb9b

📥 Commits

Reviewing files that changed from the base of the PR and between 1cc9e07 and 246aee9.

⛔ Files ignored due to path filters (6)
  • .gitmodules is excluded by none and included by none
  • contracts/foundry.lock is excluded by !**/*.lock and included by none
  • contracts/lib/createx is excluded by none and included by none
  • contracts/lib/openzeppelin-contracts is excluded by none and included by none
  • contracts/libraries/DeployUtils.sol is excluded by none and included by none
  • remappings.txt is excluded by none and included by none
📒 Files selected for processing (5)
  • CHANGELOG.md
  • README.md
  • contracts/foundry.toml
  • docs/DEPLOYMENT.md
  • docs/INDEX.md

Comment thread docs/DEPLOYMENT.md Outdated
@greptile-apps

greptile-apps Bot commented May 20, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR replaces the nested OpenZeppelin dependency (via createx) with a direct openzeppelin-contracts v5.1.0 git submodule, removes the now-unused DeployUtils.sol library, consolidates all remappings into contracts/foundry.toml, and deletes the root remappings.txt. Documentation is also refreshed (streamlined README, new docs/INDEX.md, Sourcify verification guidance).

  • Dependency swap: contracts/lib/createx submodule removed; contracts/lib/openzeppelin-contracts added at commit 69c8def (v5.1.0); remapping updated from lib/createx/lib/openzeppelin-contracts/lib/openzeppelin-contracts/ — build and all 159 tests confirmed passing.
  • Remapping consolidation: forge-std/ remapping added to foundry.toml; root remappings.txt deleted to remove a conflict source.
  • foundry.lock partially updated: new contracts/lib/forge-std and contracts/lib/interop-lib entries added, but the stale lib/createx entry remains and the new contracts/lib/openzeppelin-contracts entry is absent (flagged in a previous review).

Confidence Score: 5/5

Safe to merge — the dependency swap is build-verified with all 159 tests passing, and the only open issue is a stale foundry.lock entry that does not affect the actual build since submodule commits are pinned at the git level.

The core change (submodule swap + remapping update) is low-risk and fully test-verified. The foundry.lock inconsistency carried over from the previous review is cosmetic: the submodule itself is pinned in .gitmodules at the correct commit. The newly added Sourcify documentation contains an incorrect file reference and a legacy endpoint, but this affects only developer experience during manual verification — not contract behaviour or deployment correctness.

contracts/foundry.lock (stale createx entry, missing openzeppelin-contracts entry) and docs/DEPLOYMENT.md (Sourcify curl command references the wrong file type)

Important Files Changed

Filename Overview
.gitmodules Replaces the createx submodule with a direct openzeppelin-contracts submodule pointing to GitHub/OpenZeppelin — straightforward and correct.
contracts/foundry.toml Updates @openzeppelin/ remapping from the nested createx path to lib/openzeppelin-contracts/ and adds forge-std/ remapping — both are correct relative to the contracts/ project root.
contracts/foundry.lock Partially updated: adds contracts/lib/forge-std and contracts/lib/interop-lib entries, but retains the stale lib/createx entry and is missing a contracts/lib/openzeppelin-contracts entry for the newly added submodule.
contracts/libraries/DeployUtils.sol Deleted unused deployment utility that depended on the removed createx library — correct cleanup.
remappings.txt Root-level remappings.txt removed; all remappings are now consolidated into contracts/foundry.toml, eliminating a potential conflict source.
docs/DEPLOYMENT.md Adds Sourcify verification guidance and updates gas-tracker link, but the Sourcify curl command uses the wrong file type (artifact JSON instead of metadata.json) and a legacy API endpoint.
docs/INDEX.md New documentation index file providing a navigation hub — purely additive, no issues.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[contracts/foundry.toml] -->|remapping: @openzeppelin/=lib/openzeppelin-contracts/| B[contracts/lib/openzeppelin-contracts\nv5.1.0 @ 69c8def]
    A -->|remapping: @interop-lib/=lib/interop-lib/src/| C[contracts/lib/interop-lib]
    A -->|remapping: forge-std/=lib/forge-std/src/| D[contracts/lib/forge-std]

    E[BEFORE: contracts/lib/createx\n@ de53df6] -.->|nested dep| F[createx/lib/openzeppelin-contracts]
    E -.->|also provided| G[contracts/libraries/DeployUtils.sol\n deleted]

    style B fill:#22c55e,color:#fff
    style E fill:#ef4444,color:#fff
    style F fill:#ef4444,color:#fff
    style G fill:#ef4444,color:#fff
Loading

Reviews (2): Last reviewed commit: "fix(docs): use consistent MAINNET_RPC va..." | Re-trigger Greptile

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 246aee91bc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread contracts/foundry.toml
Comment thread docs/DEPLOYMENT.md Outdated
Address CodeRabbit feedback: line 488 used generic $RPC instead of
$MAINNET_RPC. Since this is in the Mainnet Deployment section and
the previous line uses $MAINNET_RPC, update for consistency.
@iap iap merged commit f137c13 into dev May 20, 2026
20 checks passed
@iap iap deleted the refactor/remove-createx-dependency branch May 20, 2026 13:31
iap added a commit that referenced this pull request May 22, 2026
Restore tagline:
- README.md: restore 'No DAO, no drama. Don't Trust, Verify.' which was
  accidentally removed in refactor(deps) commit f137c13 (#174)

Move CONTRIBUTING.md to root:
- GitHub automatically surfaces CONTRIBUTING.md at root in the repo
  sidebar and new issue flow — docs/ location bypasses this
- Update all internal relative links within CONTRIBUTING.md
- Update all references across README.md, CONTRIBUTORS.md, CODEOWNERS,
  ISSUE_TEMPLATE/config.yml, docs/INDEX.md
@trade trade deleted a comment from coderabbitai Bot May 25, 2026
iap added a commit that referenced this pull request Jun 2, 2026
…174)

* chore: fix typo, bug, update docs, and reorganize project structure

- Fix: Remove outdated .nvmrc reference in README (now using mise)
- Fix: Update PoseidonT3.sol Solidity version from ^0.8.24 to ^0.8.25
- Docs: Update CHANGELOG with recent merged PRs (#170, #169, #168, #163)
- Refactor: Move documentation to docs/ directory for better organization
  - CONTRIBUTING.md -> docs/CONTRIBUTING.md
  - BRANCHING.md -> docs/BRANCHING.md
  - DEPLOYMENT.md -> docs/DEPLOYMENT.md
  - TROUBLESHOOTING.md -> docs/TROUBLESHOOTING.md
  - Copy THREAT_MODEL.md, KNOWN_ISSUES.md, ARCHITECTURE.md to docs/
- Update README links to reflect new docs/ structure

* chore(contracts): set EVM version to paris for OP Stack compatibility

- Add evm_version = "paris" to foundry.toml
- Ensures bytecode compatibility with Optimism Superchain
- Paris is the EVM version used by OP Mainnet and OP Sepolia
- All 148 tests pass with Paris EVM

* refactor(deps): replace createx with direct openzeppelin dependency

- Install OpenZeppelin v5.1.0 as direct git submodule
- Remove createx dependency (only used for nested OZ)
- Remove unused DeployUtils.sol library
- Update remappings: @openzeppelin/=lib/openzeppelin-contracts/
- Consolidate all remappings to foundry.toml
- Remove root remappings.txt to avoid conflicts
- Add forge-std/ remapping for completeness
- Clean forge cache and verify build

Benefits:
- Smaller dependency tree (3 deps instead of 4)
- Direct control over OpenZeppelin version
- No nested dependencies
- Single source of truth for remappings

Verified:
- forge build: success
- forge test: 159 tests passed

* fix(docs): use consistent MAINNET_RPC variable in deployment guide

Address CodeRabbit feedback: line 488 used generic $RPC instead of
$MAINNET_RPC. Since this is in the Mainnet Deployment section and
the previous line uses $MAINNET_RPC, update for consistency.
iap added a commit that referenced this pull request Jun 2, 2026
Restore tagline:
- README.md: restore 'No DAO, no drama. Don't Trust, Verify.' which was
  accidentally removed in refactor(deps) commit f137c13 (#174)

Move CONTRIBUTING.md to root:
- GitHub automatically surfaces CONTRIBUTING.md at root in the repo
  sidebar and new issue flow — docs/ location bypasses this
- Update all internal relative links within CONTRIBUTING.md
- Update all references across README.md, CONTRIBUTORS.md, CODEOWNERS,
  ISSUE_TEMPLATE/config.yml, docs/INDEX.md
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant