refactor(deps): replace createx with direct openzeppelin dependency #174
- Fix: Remove outdated .nvmrc reference in README (now using mise)
- Fix: Update PoseidonT3.sol Solidity version from ^0.8.24 to ^0.8.25
- Docs: Update CHANGELOG with recent merged PRs (#170, #169, #168, #163)
- Refactor: Move documentation to docs/ directory for better organization
  - CONTRIBUTING.md -> docs/CONTRIBUTING.md
  - BRANCHING.md -> docs/BRANCHING.md
  - DEPLOYMENT.md -> docs/DEPLOYMENT.md
  - TROUBLESHOOTING.md -> docs/TROUBLESHOOTING.md
- Copy THREAT_MODEL.md, KNOWN_ISSUES.md, ARCHITECTURE.md to docs/
- Update README links to reflect new docs/ structure

- Add evm_version = "paris" to foundry.toml
- Ensures bytecode compatibility with Optimism Superchain
- Paris is the EVM version used by OP Mainnet and OP Sepolia
- All 148 tests pass with Paris EVM

- Install OpenZeppelin v5.1.0 as direct git submodule
- Remove createx dependency (only used for nested OZ)
- Remove unused DeployUtils.sol library
- Update remappings: @openzeppelin/=lib/openzeppelin-contracts/
- Consolidate all remappings to foundry.toml
- Remove root remappings.txt to avoid conflicts
- Add forge-std/ remapping for completeness
- Clean forge cache and verify build

Benefits:
- Smaller dependency tree (3 deps instead of 4)
- Direct control over OpenZeppelin version
- No nested dependencies
- Single source of truth for remappings

Verified:
- forge build: success
- forge test: 159 tests passed

Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned Files: None
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/DEPLOYMENT.md`:
- Line 488: The command uses an undefined env var $RPC; replace it with the
documented MAINNET RPC env var $MAINNET_RPC so the command uses MAINNET_RPC
consistently (update the line containing "cast gas-price --rpc-url $RPC" to
reference $MAINNET_RPC) and verify other occurrences in docs/DEPLOYMENT.md
follow the same $MAINNET_RPC convention.
⛔ Files ignored due to path filters (6)
- `.gitmodules` is excluded by none and included by none
- `contracts/foundry.lock` is excluded by `!**/*.lock` and included by none
- `contracts/lib/createx` is excluded by none and included by none
- `contracts/lib/openzeppelin-contracts` is excluded by none and included by none
- `contracts/libraries/DeployUtils.sol` is excluded by none and included by none
- `remappings.txt` is excluded by none and included by none
📒 Files selected for processing (5)
- `CHANGELOG.md`
- `README.md`
- `contracts/foundry.toml`
- `docs/DEPLOYMENT.md`
- `docs/INDEX.md`
Greptile Summary
This PR replaces the nested OpenZeppelin dependency (via
Confidence Score: 5/5

Safe to merge — the dependency swap is build-verified with all 159 tests passing, and the only open issue is a stale foundry.lock entry that does not affect the actual build since submodule commits are pinned at the git level.

The core change (submodule swap + remapping update) is low-risk and fully test-verified. The foundry.lock inconsistency carried over from the previous review is cosmetic: the submodule itself is pinned in .gitmodules at the correct commit. The newly added Sourcify documentation contains an incorrect file reference and a legacy endpoint, but this affects only developer experience during manual verification — not contract behaviour or deployment correctness.

contracts/foundry.lock (stale createx entry, missing openzeppelin-contracts entry) and docs/DEPLOYMENT.md (Sourcify curl command references the wrong file type)

Important Files Changed
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[contracts/foundry.toml] -->|remapping: @openzeppelin/=lib/openzeppelin-contracts/| B[contracts/lib/openzeppelin-contracts\nv5.1.0 @ 69c8def]
    A -->|remapping: @interop-lib/=lib/interop-lib/src/| C[contracts/lib/interop-lib]
    A -->|remapping: forge-std/=lib/forge-std/src/| D[contracts/lib/forge-std]
    E[BEFORE: contracts/lib/createx\n@ de53df6] -.->|nested dep| F[createx/lib/openzeppelin-contracts]
    E -.->|also provided| G[contracts/libraries/DeployUtils.sol\n deleted]
    style B fill:#22c55e,color:#fff
    style E fill:#ef4444,color:#fff
    style F fill:#ef4444,color:#fff
    style G fill:#ef4444,color:#fff
```
Reviews (2): Last reviewed commit: "fix(docs): use consistent MAINNET_RPC va..."
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 246aee91bc
Address CodeRabbit feedback: line 488 used generic $RPC instead of $MAINNET_RPC. Since this is in the Mainnet Deployment section and the previous line uses $MAINNET_RPC, update for consistency.
Restore tagline:
- README.md: restore 'No DAO, no drama. Don't Trust, Verify.' which was accidentally removed in refactor(deps) commit f137c13 (#174)

Move CONTRIBUTING.md to root:
- GitHub automatically surfaces CONTRIBUTING.md at root in the repo sidebar and new issue flow — docs/ location bypasses this
- Update all internal relative links within CONTRIBUTING.md
- Update all references across README.md, CONTRIBUTORS.md, CODEOWNERS, ISSUE_TEMPLATE/config.yml, docs/INDEX.md

…174)

* chore: fix typo, bug, update docs, and reorganize project structure
  - Fix: Remove outdated .nvmrc reference in README (now using mise)
  - Fix: Update PoseidonT3.sol Solidity version from ^0.8.24 to ^0.8.25
  - Docs: Update CHANGELOG with recent merged PRs (#170, #169, #168, #163)
  - Refactor: Move documentation to docs/ directory for better organization
    - CONTRIBUTING.md -> docs/CONTRIBUTING.md
    - BRANCHING.md -> docs/BRANCHING.md
    - DEPLOYMENT.md -> docs/DEPLOYMENT.md
    - TROUBLESHOOTING.md -> docs/TROUBLESHOOTING.md
  - Copy THREAT_MODEL.md, KNOWN_ISSUES.md, ARCHITECTURE.md to docs/
  - Update README links to reflect new docs/ structure

* chore(contracts): set EVM version to paris for OP Stack compatibility
  - Add evm_version = "paris" to foundry.toml
  - Ensures bytecode compatibility with Optimism Superchain
  - Paris is the EVM version used by OP Mainnet and OP Sepolia
  - All 148 tests pass with Paris EVM

* refactor(deps): replace createx with direct openzeppelin dependency
  - Install OpenZeppelin v5.1.0 as direct git submodule
  - Remove createx dependency (only used for nested OZ)
  - Remove unused DeployUtils.sol library
  - Update remappings: @openzeppelin/=lib/openzeppelin-contracts/
  - Consolidate all remappings to foundry.toml
  - Remove root remappings.txt to avoid conflicts
  - Add forge-std/ remapping for completeness
  - Clean forge cache and verify build

  Benefits:
  - Smaller dependency tree (3 deps instead of 4)
  - Direct control over OpenZeppelin version
  - No nested dependencies
  - Single source of truth for remappings

  Verified:
  - forge build: success
  - forge test: 159 tests passed

* fix(docs): use consistent MAINNET_RPC variable in deployment guide

  Address CodeRabbit feedback: line 488 used generic $RPC instead of $MAINNET_RPC. Since this is in the Mainnet Deployment section and the previous line uses $MAINNET_RPC, update for consistency.

Summary
Replace nested CreateX → OpenZeppelin dependency with direct OpenZeppelin v5.1.0 submodule.
Changes
@openzeppelin/=lib/openzeppelin-contracts/
Benefits
Verification
Dependencies
Before:
After:
Risk Assessment
Summary by CodeRabbit