Skip to content

[GLOBAL-2] [MEDIUM] Submodules pull conflicting openzeppelin-contracts/forge-std versions #412

Open
Open
[GLOBAL-2] [MEDIUM] Submodules pull conflicting openzeppelin-contracts/forge-std versions#412
Assignees
thedavidmeister
Labels
auditAudit findingmediumSeverity: mediumpass4Audit Pass 4: Code Quality
@thedavidmeister

Description

@thedavidmeister
thedavidmeister
opened on Apr 26, 2026

Submodules pull conflicting versions of openzeppelin-contracts and forge-std

Transitive submodules pin different versions of shared dependencies. Solidity merges them under a single remapping target, so whichever version foundry.toml resolves first wins, and the others are silently ignored. The mismatch is invisible at compile time and easy to drift further.

lib/openzeppelin-contracts versions across submodules:

  • lib/rain.factory/lib/openzeppelin-contracts — v4.9.5-2 (dc44c9f1...)
  • lib/rain.interpreter.interface/lib/openzeppelin-contracts — v4.9.5 (bd325d56...)
  • lib/rain.math.fixedpoint/lib/openzeppelin-contracts — v4.8.3 (0a25c194...)
  • lib/openzeppelin-contracts-upgradeable (top-level) — v4.9.3 (3d4c0d57...)

lib/forge-std versions across submodules:

  • top-level — v1.6.1
  • lib/rain.factory/lib/forge-std — v1.9.3
  • lib/rain.interpreter.interface/lib/forge-std — v1.7.6
  • lib/rain.math.fixedpoint/lib/forge-std — v1.5.2

Fix: bump lib/rain.math.fixedpoint to a release that tracks v4.9.x oz / a current forge-std, or add explicit per-import remappings so each consumer resolves its expected version. Pinning a single oz/forge-std at the top level via remappings.txt would also work but only if every submodule's API surface is compatible.

Metadata

Metadata

Assignees

Labels

auditAudit findingmediumSeverity: mediumpass4Audit Pass 4: Code Quality

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions