2025 11 29 deps

[thedavidmeister]

Motivation

Solution

Checks

By submitting this for review, I'm confirming I've done the following:

• made this PR as small as possible
• unit-tested any new functionality
• linked any relevant issues or PRs
• included screenshots (if this involves a front-end change)

Summary by CodeRabbit

• Chores
  • Updated EVM version to Cancun in foundry configuration.
  • Updated gas benchmark snapshots.
  • Bumped internal dependency versions across multiple libraries.
  • Refactored internal cryptographic utility implementation with no behavioral impact.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR updates multiple submodule dependencies to newer commits, bumps the EVM version from "paris" to "cancun" in foundry.toml, updates gas benchmark snapshots, and replaces ECDSA utility usage with MessageHashUtils in LibContext and its tests.

Changes

Cohort / File(s)	Summary
Configuration & Benchmarks foundry.toml, .gas-snapshot	EVM version updated from "paris" to "cancun"; gas benchmark snapshot values recalculated
Submodule Updates lib/openzeppelin-contracts, lib/rain.intorastring, lib/rain.lib.hash, lib/rain.lib.typecast, lib/rain.math.binary, lib/rain.math.float, lib/rain.sol.codegen, lib/rain.solmem	Submodule commit pointers updated to newer versions (metadata-only changes)
ECDSA to MessageHashUtils Migration src/lib/caller/LibContext.sol, test/src/lib/caller/LibContext.t.sol	Replaced ECDSA import and usage with MessageHashUtils for computing Ethereum-signed message hashes; behavior unchanged

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• Bulk of changes are repetitive submodule pointer updates (metadata-only, no functional impact)
• EVM version bump is a straightforward single-line configuration change
• ECDSA → MessageHashUtils migration is a direct utility replacement with no control-flow changes
• Gas snapshot updates are automatically derived values

Possibly related PRs

• 2025 10 04 float #87: Updates multiple identical submodule pointers (lib/rain.math.float, lib/rain.sol.codegen, lib/rain.solmem, etc.)
• 2025 10 20 audit #93: Updates overlapping set of submodule pointers including lib/rain.intorastring, lib/rain.lib.hash, lib/rain.lib.typecast, lib/rain.math.float, and lib/rain.sol.codegen
• float #81: Updates lib/rain.math.float submodule pointer in the same series of coordinated dependency upgrades

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title '2025 11 29 deps' is vague and appears to be a date-based branch name rather than a descriptive summary. While it likely refers to dependency updates, it uses generic terminology without conveying what specific changes or improvements were made.	Revise the title to clearly describe the primary changes, such as 'Update EVM version to Cancun and upgrade dependencies' or 'Bump OpenZeppelin and library dependencies with EVM upgrade'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 2025-11-29-deps

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3c834ad and 1b925a3.

⛔ Files ignored due to path filters (1)

• foundry.lock is excluded by !**/*.lock

📒 Files selected for processing (12)

• .gas-snapshot (1 hunks)
• foundry.toml (1 hunks)
• lib/openzeppelin-contracts (1 hunks)
• lib/rain.intorastring (1 hunks)
• lib/rain.lib.hash (1 hunks)
• lib/rain.lib.typecast (1 hunks)
• lib/rain.math.binary (1 hunks)
• lib/rain.math.float (1 hunks)
• lib/rain.sol.codegen (1 hunks)
• lib/rain.solmem (1 hunks)
• src/lib/caller/LibContext.sol (2 hunks)
• test/src/lib/caller/LibContext.t.sol (2 hunks)

🔇 Additional comments (14)

foundry.toml (1)

18-18: Verify Cancun EVM compatibility and clarify motivation.

The EVM version is being bumped from "paris" to "cancun". While Cancun is a valid EVM version, I need to verify:

1. Whether this version bump is intentional and necessary (the PR description is empty, so the motivation isn't documented).
2. Whether solc 0.8.25 properly supports Cancun.
3. Whether the MessageHashUtils change mentioned in the AI summary requires or benefits from Cancun.
4. Whether gas benchmark snapshots have been properly regenerated for the new EVM version.

Please confirm the motivation for this EVM version bump and verify that all downstream changes (gas benchmarks, hashing utilities) are compatible with Cancun.

lib/rain.math.binary (1)

1-1: Submodule status requires clarification: lib/rain.math.binary is configured but not initialized in the repository.

The commit hash f44f846a43928ba0a7ed4a7bb810a8933e23cce1 is registered in git's index for lib/rain.math.binary. However, the submodule directory itself is empty (not initialized), and no code in the repository currently imports or uses the rain.math.binary library. The foundry configuration uses Solidity 0.8.25 with EVM version "cancun".

Without the submodule initialized, automated integration tests cannot be run, and upstream commit verification requires network access. Additionally, the code snippet in the original review is empty, making it unclear what specific change is being reviewed. If this is a submodule version update, verify that the change is intentional and that the submodule will be properly initialized before deployment.

lib/rain.sol.codegen (2)

1-1: Incomplete PR scope: other files mentioned in AI summary are not provided for review.

The AI-generated summary references changes to multiple files that are not included in this review:

• foundry.toml (EVM version bump: "paris" → "cancun")
• src/lib/caller/LibContext.sol (ECDSA → MessageHashUtils migration)
• test/src/lib/caller/LibContext.t.sol (test updates)
• Multiple other submodule pointers: lib/openzeppelin-contracts, lib/rain.intorastring, lib/rain.lib.hash, lib/rain.lib.typecast, lib/rain.math.binary, lib/rain.math.float, lib/rain.solmem

Please either:

1. Provide all changed files for a comprehensive review, or
2. Clarify if this review should focus only on submodule pointers.

---

1-1: PR description is incomplete; multiple files changed but only submodule pointer provided for review.

The commit modifies ~70 files including foundry.toml, .gas-snapshot, and multiple submodule references (rain.sol.codegen, rain.solmem, openzeppelin-contracts, and others), but the PR description contains only "solmem"—insufficient context for assessing the full impact. Please provide:

1. Motivation: What prompted these dependency updates?
2. Summary of changes: Which submodules were updated and why? What did foundry.toml changes address?
3. Breaking changes or migrations: Do these updates require code changes elsewhere?

Additionally, only lib/rain.sol.codegen was provided for code review despite multiple files being modified in this commit. Ensure all material changes (especially foundry.toml and src/lib/caller/LibContext.sol if modified) are reviewed.

lib/rain.lib.typecast (1)

1-1: Submodule update requires documentation.

The rain.lib.typecast submodule pointer is updated to 1eaa22e, but this repository has no direct imports from this submodule. As a transitive dependency, verify that:

1. The new submodule version is compatible with any dependent libraries
2. The PR description is completed with proper Motivation and Solution sections explaining the rationale for this dependency update

lib/rain.math.float (1)

1-1: Verify submodule commit validity.

This submodule reference is being updated to a new commit. While this is part of routine maintenance for this dependency (frequent regular updates occur), please confirm:

1. Commit existence: Verify the new commit 150f48bb909dd5f8970726d515c87c5257107699 exists in the lib/rain.math.float repository.
2. Breaking changes: Confirm whether the submodule update introduces any breaking API changes or behavioral differences.
3. Tests: Ensure all tests pass after this update with no regressions.

Likely an incorrect or invalid review comment.

lib/rain.solmem (1)

1-1: This review comment addresses changes that are already implemented in the codebase.

The concerns raised do not require action:

• EVM version: Already set to "cancun" in foundry.toml (not pending a bump from paris)
• MessageHashUtils integration: Already in use in LibContext.sol (no ECDSA migration needed)
• Rain.solmem compatibility: Properly integrated with standard library usage patterns (LibPointer, LibBytes, LibMemCpy in LibBytecode; LibUint256Array in LibContext), validated by 17 test files

The submodule update (commit de9c71b) was a routine pointer bump with no breaking changes detected. The codebase compiles with Solidity 0.8.25 and Cancun EVM targeting, with active test coverage for the integrated modules.

Likely an incorrect or invalid review comment.

lib/openzeppelin-contracts (1)

1-1: This submodule update has been properly integrated; no action required.

The OpenZeppelin upgrade and ECDSA migration are complete. The codebase contains no ECDSA imports or usages—only MessageHashUtils is present in LibContext.sol and LibContext.t.sol, both of which are correctly updated. The evm_version in foundry.toml is already set to "cancun" (not changed from "paris"). All tests are properly configured and gas snapshots have been maintained.

Likely an incorrect or invalid review comment.

lib/rain.intorastring (1)

1-1: Include all changed files in the review; submodule updates require clear justification.

This PR modifies 13+ files including multiple submodule pointers, but only the lib/rain.intorastring submodule is provided for review. The diff also includes changes to foundry.toml, src/lib/caller/LibContext.sol, test/src/lib/caller/LibContext.t.sol, and 8 other submodules (openzeppelin-contracts, rain.lib.hash, rain.lib.typecast, rain.math.binary, rain.math.float, rain.sol.codegen, rain.solmem).

Submodule pointer updates are metadata-only changes—the actual validity and impact of the new commit f92fa66a5f8601bee55692488a198c0a79715707 cannot be assessed without access to the submodule repository. Additionally, the PR description lacks motivation and context for these dependency updates, making it impossible to evaluate whether the changes are justified or contain breaking updates.

Please provide:

• All files changed in this PR for comprehensive review
• Justification for each submodule version update
• Details on any breaking changes across the updated dependencies

.gas-snapshot (1)

1-70: LGTM! Gas benchmark updates are expected.

The numeric changes in gas measurements are expected results from the dependency updates, EVM version upgrade (Paris → Cancun), and the ECDSA to MessageHashUtils migration. These are deterministic outputs from the test suite.

test/src/lib/caller/LibContext.t.sol (2)

6-6: Test import updated consistently with production code.

The test import has been updated to use MessageHashUtils instead of ECDSA, matching the change in src/lib/caller/LibContext.sol.

---

31-31: Test usage updated consistently with production code.

The test call site has been updated to use MessageHashUtils.toEthSignedMessageHash, matching the change in the production code. This ensures the test validates the same signature generation flow as the implementation.

src/lib/caller/LibContext.sol (2)

195-195: MessageHashUtils.toEthSignedMessageHash is behaviorally equivalent to ECDSA.toEthSignedMessageHash.

This change is part of the OpenZeppelin v5 library migration, where digest helpers (including toEthSignedMessageHash) were moved from the ECDSA module into the dedicated MessageHashUtils library. Both functions produce identical EIP-191 prefixed hashes using the standard "\x19Ethereum Signed Message:\n" prefix followed by keccak256, making them fully compatible with ECDSA.recover for signature verification. No behavioral differences exist between the two implementations.

---

9-9: MessageHashUtils is correctly imported and available in OpenZeppelin v5.x.

The import statement properly references MessageHashUtils from OpenZeppelin Contracts v5.0+, where it was introduced as part of the cryptography utilities refactoring. The utility is stable, well-maintained, and includes the toEthSignedMessageHash method for producing ERC-191 formatted message digests. No compatibility issues.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify submodule state and commit validity

echo "=== Checking submodule configuration ==="
git config --file=.gitmodules --get-regexp path

echo -e "\n=== Checking .gitmodules content ==="
cat .gitmodules

echo -e "\n=== Checking current submodule status ==="
git status lib/rain.lib.hash || echo "No changes or submodule not present"

echo -e "\n=== Checking if submodule is initialized ==="
if [ -d "lib/rain.lib.hash/.git" ]; then
  echo "Submodule is initialized"
  cd lib/rain.lib.hash
  echo "Current HEAD in submodule:"
  git rev-parse HEAD
  echo "Checking if new commit exists:"
  git cat-file -t 9677b7063fc9ae8c580636760474719d910c2134 2>&1 || echo "Commit not found in this repository"
  cd - > /dev/null
else
  echo "Submodule not initialized"
fi

echo -e "\n=== Checking LibContext.sol for ECDSA and MessageHashUtils usage ==="
find . -name "LibContext.sol" -type f -exec cat {} \; 2>/dev/null | head -50

Repository: rainlanguage/rain.interpreter.interface

Length of output: 4481

---

🏁 Script executed:

#!/bin/bash
# Check for ECDSA usage and verify the PR context

echo "=== Searching for ECDSA imports in the codebase ==="
rg "import.*ECDSA" --type solidity

echo -e "\n=== Searching for MessageHashUtils usage ==="
rg "MessageHashUtils" --type solidity

echo -e "\n=== Searching for rain.lib.hash imports ==="
rg "rain\.lib\.hash" --type solidity

echo -e "\n=== Checking git status for the submodule change ==="
git diff HEAD -- lib/rain.lib.hash || git show HEAD:lib/rain.lib.hash 2>/dev/null | head -5

echo -e "\n=== Checking for any file in lib/rain.lib.hash ==="
ls -la lib/rain.lib.hash 2>/dev/null || echo "Directory empty or not present"

echo -e "\n=== Getting git log for lib/rain.lib.hash ==="
git log --oneline lib/rain.lib.hash | head -5

Repository: rainlanguage/rain.interpreter.interface

Length of output: 620

---

🏁 Script executed:

#!/bin/bash
# Re-run searches with correct file patterns and inspect git changes

echo "=== Searching for ECDSA imports (corrected) ==="
rg "import.*ECDSA" . --glob "*.sol"

echo -e "\n=== Searching for MessageHashUtils usage (corrected) ==="
rg "MessageHashUtils" . --glob "*.sol"

echo -e "\n=== Searching for rain.lib.hash imports (corrected) ==="
rg "rain\.lib\.hash" . --glob "*.sol"

echo -e "\n=== Showing git diff for lib/rain.lib.hash change ==="
git show HEAD:lib/rain.lib.hash

echo -e "\n=== Checking git log message for HEAD commit ==="
git log -1 --format="%B" HEAD

echo -e "\n=== Checking if HEAD has a PR description or body ==="
git log -1 --pretty=format:"%B%n%N" HEAD

Repository: rainlanguage/rain.interpreter.interface

Length of output: 1541

---

Do not merge: the submodule pointer update references a non-existent commit.

The new commit 9677b7063fc9ae8c580636760474719d910c2134 does not exist in the rain.lib.hash repository (fatal error: "not our ref"). This will break the build when attempting to initialize the submodule.

Additionally:

• The commit message "solmem" suggests this may have been mis-targeted (appears related to a solmem submodule change, not rain.lib.hash)
• rain.lib.hash is actively used in the codebase (LibHashNoAlloc imports and usage in LibContext.sol, LibContextSlow.sol, and tests)
• PR description is missing; add motivation and rationale for any submodule version bump

🤖 Prompt for AI Agents

In lib/rain.lib.hash around line 1, the submodule pointer was updated to a
non-existent commit (9677b7063fc9ae8c580636760474719d910c2134) and appears
mis-targeted (commit message "solmem"); revert this pointer or update it to a
valid commit SHA from the rain.lib.hash repository, ensure the commit actually
exists in that submodule remote (fetch/check tags/branches), update the commit
message/PR description with the motivation for the bump, run and verify git
submodule sync && git submodule update --init --recursive to confirm the pointer
resolves, and re-run tests that exercise LibHashNoAlloc/LibContext to validate
the change before merging.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

The PR description is empty and provides no context for dependency updates—this is a blocker.

Submodule pointer updates must be accompanied by clear motivation, changelog references, and evidence of compatibility testing. The empty template makes it impossible to assess whether this change is intentional, safe, or aligns with project goals.

The AI summary mentions related changes (EVM version bump to "cancun", MessageHashUtils replacements), but these are not documented in the PR description.

Please update the PR description with:

• Motivation: Why is rain.math.binary being updated? (new features, bug fixes, security patches, compatibility requirements)
• Solution: Summary of the actual changes being made
• Breaking changes: Any API or behavior changes that consumers should know about
• Testing: Confirmation that the test suite passes with these updates
• Migration notes: Any steps downstream consumers need to take

Once the PR description is complete, re-request review.

🤖 Prompt for AI Agents

In lib/rain.math.binary around lines 1 to 1, the PR description is empty which
blocks review; update the PR description to include Motivation (why
rain.math.binary is updated: features, fixes, security, or compatibility),
Solution (concise summary of actual changes made in the submodule update),
Breaking changes (explicitly list any API/behavior changes for consumers),
Testing (state that unit/integration tests were run and pass, include CI links
or test commands and any compatibility checks), and Migration notes (clear steps
downstream consumers must take, version bumps, or code changes). After updating
the PR description with these sections and any relevant changelog references or
evidence, re-request review.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

PR description is incomplete—unable to assess motivation and scope of submodule update.

The PR template shows empty Motivation and Solution sections. Without understanding why the rain.solmem submodule is being updated, it is difficult to review the changes for correctness and compatibility.

Please provide:

• Motivation: Why is the rain.solmem submodule being updated?
• Solution: What specific improvements or fixes does this update deliver?
• Compatibility notes: Any breaking changes or required downstream adjustments (e.g., due to the EVM version bump from paris → cancun or the ECDSA → MessageHashUtils migration mentioned in the AI summary)?

🤖 Prompt for AI Agents

In lib/rain.solmem around lines 1 to 1, the PR description is missing Motivation
and Solution sections which prevents reviewers from assessing the submodule
update; update the PR template by filling the Motivation with a concise
rationale for the update (e.g., security bugfix, performance improvement,
dependency alignment, EVM version bump) and the Solution with a clear list of
changes introduced by the new rain.solmem commit (files changed, APIs modified,
refactors like ECDSA → MessageHashUtils, or any internal behavior changes), and
add Compatibility notes enumerating breaking changes (ABI/ABI-encoding, function
signatures, required downstream code changes, EVM version impacts such as
paris→cancun), migration steps for integrators, required test updates, and links
to the upstream commit/changelog and any manual verification steps so reviewers
can validate compatibility and impact.

[github-actions]

@coderabbitai assess this PR size classification for the totality of the PR with the following criterias and report it in your comment:

S/M/L PR Classification Guidelines:

This guide helps classify merged pull requests by effort and complexity rather than just line count. The goal is to assess the difficulty and scope of changes after they have been completed.

Small (S)

Characteristics:

• Simple bug fixes, typos, or minor refactoring
• Single-purpose changes affecting 1-2 files
• Documentation updates
• Configuration tweaks
• Changes that require minimal context to review

Review Effort: Would have taken 5-10 minutes

Examples:

• Fix typo in variable name
• Update README with new instructions
• Adjust configuration values
• Simple one-line bug fixes
• Import statement cleanup

Medium (M)

Characteristics:

• Feature additions or enhancements
• Refactoring that touches multiple files but maintains existing behavior
• Breaking changes with backward compatibility
• Changes requiring some domain knowledge to review

Review Effort: Would have taken 15-30 minutes

Examples:

• Add new feature or component
• Refactor common utility functions
• Update dependencies with minor breaking changes
• Add new component with tests
• Performance optimizations
• More complex bug fixes

Large (L)

Characteristics:

• Major feature implementations
• Breaking changes or API redesigns
• Complex refactoring across multiple modules
• New architectural patterns or significant design changes
• Changes requiring deep context and multiple review rounds

Review Effort: Would have taken 45+ minutes

Examples:

• Complete new feature with frontend/backend changes
• Protocol upgrades or breaking changes
• Major architectural refactoring
• Framework or technology upgrades

Additional Factors to Consider

When deciding between sizes, also consider:

• Test coverage impact: More comprehensive test changes lean toward larger classification
• Risk level: Changes to critical systems bump up a size category
• Team familiarity: Novel patterns or technologies increase complexity

Notes:

• the assessment must be for the totality of the PR, that means comparing the base branch to the last commit of the PR
• the assessment output must be exactly one of: S, M or L (single-line comment) in format of: SIZE={S/M/L}
• do not include any additional text, only the size classification
• your assessment comment must not include tips or additional sections
• do NOT tag me or anyone else on your comment

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

SIZE=M