build: Migrate Solidity dependencies from npm to Soldeer

[larryob]

Description

• Replace npm Solidity dependencies with Soldeer package manager
• Add @nomicfoundation/hardhat-foundry plugin for Hardhat compatibility
• Update remappings.txt to map original import paths to dependencies/
• Update CI workflow to run forge soldeer update before tests

Dependencies migrated:

• @openzeppelin/contracts (4.9.3) - via git
• @openzeppelin/contracts-upgradeable (4.9.3) - via git
• @arbitrum/nitro-contracts (1.2.1) - via git
• @chainlink/contracts-ccip (1.5.0) - via git
• @eth-optimism/contracts (0.6.0) - via git
• forge-std (1.9.2) - from Soldeer registry

🤖 Generated with Claude Code

Drive-by changes

Add npm-beta-release.yml. Taken from #7473.

Related issues

Fixes https://linear.app/hyperlane-xyz/issue/ENG-2713/migrate-solidity-dependencies-from-yarn-to-soldeer

Backward compatibility

Yes

Testing

• Unit
• Building the @hyperlane-xyz/helloworld package with a beta release of the core package from this brach works (beta version is 10.1.0-beta.ef595b241). See the test/helloworld-soldeer-core branch.

Summary by CodeRabbit

• Chores
  • Consolidated Solidity dependencies into a packaged dependencies directory and excluded it from linting and TypeScript compilation.
  • Centralized Foundry setup with a reusable CI action and switched workflows to use it.
  • Updated CI build steps to include additional build targets and ensure Foundry setup runs before builds.
  • Adjusted Solidity tooling and package metadata to support soldeer-managed dependencies and new plugin integrations.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: b87bb7b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 19 packages

Name	Type
@hyperlane-xyz/core	Minor
@hyperlane-xyz/ccip-server	Patch
@hyperlane-xyz/cli	Patch
@hyperlane-xyz/helloworld	Patch
@hyperlane-xyz/infra	Patch
@hyperlane-xyz/sdk	Patch
@hyperlane-xyz/http-registry-server	Patch
@hyperlane-xyz/widgets	Patch
@hyperlane-xyz/aleo-sdk	Patch
@hyperlane-xyz/starknet-core	Patch
@hyperlane-xyz/cosmos-sdk	Patch
@hyperlane-xyz/cosmos-types	Patch
@hyperlane-xyz/eslint-config	Patch
@hyperlane-xyz/github-proxy	Patch
@hyperlane-xyz/radix-sdk	Patch
@hyperlane-xyz/tsconfig	Patch
@hyperlane-xyz/utils	Patch
@hyperlane-xyz/deploy-sdk	Patch
@hyperlane-xyz/provider-sdk	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​nomicfoundation/​hardhat-foundry@​1.2.0

View full report

[coderabbitai]

📝 Walkthrough

Walkthrough

Moves Solidity dependency management from npm to Soldeer, introduces a composite "Setup Foundry" GitHub Action that installs Foundry and runs forge soldeer install, and updates CI workflows and Solidity configs/remappings to use a dependencies/ directory for Soldeer-managed packages. (50 words)

Changes

Cohort / File(s)	Summary
Changeset ​.changeset/fluffy-tools-decide.md	New changeset declaring a minor bump for @hyperlane-xyz/core and noting the switch to Soldeer for Solidity dependencies.
Foundry Setup Action .github/actions/setup-foundry/action.yml	New composite action that installs Foundry and runs forge soldeer install in ./solidity.
CI/CD Workflow Updates .github/workflows/npm-beta-release.yml, .github/workflows/test.yml, .github/workflows/static-analysis.yml, .github/workflows/storage-analysis.yml, .github/workflows/bytecode-analysis.yml	Replaced external foundry-rs/foundry-toolchain@v1 usage with the local ./.github/actions/setup-foundry action across workflows; adjusted npm-beta-release build to run yarn build && yarn build:zk; removed some direct Foundry installs in test jobs.
Composite Action Enhancement .github/actions/yarn-build-with-cache/action.yml	Inserted a "Setup Foundry" step that invokes the local setup action before cache and build steps.
Solidity Configuration & Remappings solidity/foundry.toml, solidity/remappings.txt, solidity/zk-hardhat.config.cts, solidity/hardhat.config.cts, solidity/package.json	Switched Foundry libs to include "dependencies", added [dependencies] and [soldeer] settings, updated remappings to point at dependencies/ paths, imported @nomicfoundation/hardhat-foundry, removed several npm contract deps and added zksync/foundry-related devDependencies, and added /dependencies to package files.
Tooling / Lint & Ignore solidity/.gitignore, solidity/.solhintignore, solidity/eslint.config.mjs, solidity/tsconfig.json	Added dependencies to gitignore, solhint ignore, ESLint ignores (**/dependencies/**/*), and TS exclude list to prevent lint/TS from processing Soldeer-managed packages.
Scripts solidity/bytecode.sh	Extended EXCLUDE pattern to filter out dependencies during bytecode collection; core bytecode logic unchanged.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

• Inspect .github/workflows/test.yml matrix jobs for consistent insertion/removal of Foundry setup and cache ordering.
• Validate remappings in solidity/remappings.txt correspond to packages placed under dependencies/.
• Verify solidity/package.json removals/additions don't break local or CI tooling (zksync plugin, hardhat-foundry).
• Confirm .github/actions/setup-foundry/action.yml runs forge soldeer install in the correct working dir and respects CI environment.

Possibly related PRs

• feat: add bytecode analysis GitHub action #7500 — Overlaps on bytecode analysis and Foundry/bytecode script changes; likely touches similar CI and script areas.
• feat(ci): adjust yarn caching #7295 — Modifies the composite action .github/actions/yarn-build-with-cache/action.yml and cache logic; may intersect with the added Setup Foundry step.

Suggested reviewers

• ltyu
• yorhodes
• tkporter
• paulbalaji

Poem

In the swamp the toolchains shift and sing,
Foundry wakes and Soldeer brings the ring,
Remaps tuck packages neat in rows,
CI trudges on where the mudgrass grows,
A quiet build—aye, that’s how progress springs. 🐸

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'build: Migrate Solidity dependencies from npm to Soldeer' accurately summarizes the primary change—moving from npm to Soldeer for dependency management.
Description check	✅ Passed	The description covers all required template sections with substantial detail: Description (dependencies migrated listed), Drive-by changes (npm-beta-release.yml), Related issues (ENG-2713), Backward compatibility (Yes), and Testing (Unit + manual).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch test/soldeer-migration

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3461bca and b87bb7b.

📒 Files selected for processing (2)

• solidity/.solhintignore (1 hunks)
• solidity/eslint.config.mjs (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

📚 Learning: 2025-07-01T18:44:43.514Z

Learnt from: larryob
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6661
File: solidity/contracts/avs/HyperlaneServiceManager.sol:21-23
Timestamp: 2025-07-01T18:44:43.514Z
Learning: Test files and script files in Solidity projects typically don't need absolute import fixes with the same urgency as contract files, since they are not imported by other modules in the codebase. The compilation issues from absolute imports mainly affect files under the contracts directory that users import from.

Applied to files:

• solidity/.solhintignore

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (68)

• GitHub Check: coverage-run
• GitHub Check: cli-evm-e2e-matrix (warp-send)
• GitHub Check: cli-evm-e2e-matrix (warp-check-4)
• GitHub Check: cli-evm-e2e-matrix (warp-rebalancer)
• GitHub Check: cli-evm-e2e-matrix (warp-init)
• GitHub Check: cli-evm-e2e-matrix (warp-read)
• GitHub Check: cli-evm-e2e-matrix (warp-check-3)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-2)
• GitHub Check: cli-evm-e2e-matrix (warp-check-1)
• GitHub Check: cli-evm-e2e-matrix (warp-check-5)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-1)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-2)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-route-extension)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-1)
• GitHub Check: cli-evm-e2e-matrix (warp-check-2)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-basic)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-simple-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-recovery)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-submitters)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-rebalancing-config)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-config)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-evm-e2e-matrix (core-read)
• GitHub Check: cli-evm-e2e-matrix (relay)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ism-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-hook-updates)
• GitHub Check: cli-evm-e2e-matrix (core-deploy)
• GitHub Check: cli-evm-e2e-matrix (core-apply)
• GitHub Check: cli-evm-e2e-matrix (core-check)
• GitHub Check: cli-evm-e2e-matrix (core-init)
• GitHub Check: cli-radix-e2e-matrix (warp-deploy)
• GitHub Check: env-test-matrix (mainnet3, optimism, core)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-cross-chain-e2e-matrix (warp-apply)
• GitHub Check: env-test-matrix (mainnet3, optimism, igp)
• GitHub Check: cli-radix-e2e-matrix (core-deploy)
• GitHub Check: cli-cross-chain-e2e-matrix (warp-deploy)
• GitHub Check: env-test-matrix (mainnet3, ethereum, igp)
• GitHub Check: cosmos-sdk-e2e-run
• GitHub Check: env-test-matrix (testnet4, sepolia, core)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, core)
• GitHub Check: env-test-matrix (mainnet3, ethereum, core)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, igp)
• GitHub Check: yarn-test-run
• GitHub Check: cli-cosmos-e2e-matrix (warp-read)
• GitHub Check: cli-cosmos-e2e-matrix (warp-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-apply)
• GitHub Check: cli-cosmos-e2e-matrix (core-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-read)
• GitHub Check: cli-cosmos-e2e-matrix (core-check)
• GitHub Check: cli-install-test-run
• GitHub Check: aleo-sdk-e2e-run
• GitHub Check: infra-test
• GitHub Check: e2e-matrix (sealevel)
• GitHub Check: e2e-matrix (radix)
• GitHub Check: e2e-matrix (starknet)
• GitHub Check: e2e-matrix (evm)
• GitHub Check: e2e-matrix (cosmosnative)
• GitHub Check: e2e-matrix (cosmwasm)
• GitHub Check: lint-prettier
• GitHub Check: agent-configs (mainnet3)
• GitHub Check: agent-configs (testnet4)
• GitHub Check: lint-rs
• GitHub Check: test-rs
• GitHub Check: lander-coverage
• GitHub Check: diff-check
• GitHub Check: diff-check
• GitHub Check: slither

🔇 Additional comments (2)

solidity/.solhintignore (1)

4-4: Looks good!

Adding the dependencies directory to the solhint ignore list makes sense. External packages managed by Soldeer don't need to be linted by your project rules.

solidity/eslint.config.mjs (1)

12-12: Looks good!

The glob pattern correctly excludes the new dependencies/ directory from ESLint checks. External dependencies don't need your project's linting rules applied to them.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

solidity/zk-hardhat.config.cts (1)

17-19: Clarify the purpose of the empty libraries object.

The settings.libraries object is empty—if it's a required configuration for zksolc or a placeholder for future library linking, a brief comment would help maintainers understand its purpose.

.github/workflows/npm-beta-release.yml (1)

80-90: Add error handling for external tooling steps.

The foundry install (line 81) and Soldeer install (line 85) are critical for the build to work, but there's no explicit error handling. If either step fails silently or partially, the subsequent build could fail in confusing ways or produce a broken release.

Consider adding error handling or at least a check after the Soldeer install:

  - name: Install Soldeer dependencies
    run: forge soldeer install
    working-directory: ./solidity
+   # Verify the install succeeded by checking if dependencies exist
+   if: failure()
+   run: echo "Soldeer install failed" && exit 1

Or better yet, use set -e in shell scripts to fail fast.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b6b8afc and 4f9f91d.

⛔ Files ignored due to path filters (2)

• solidity/soldeer.lock is excluded by !**/*.lock
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (10)

• .changeset/fluffy-tools-decide.md (1 hunks)
• .github/workflows/npm-beta-release.yml (1 hunks)
• .github/workflows/test.yml (2 hunks)
• solidity/.gitignore (1 hunks)
• solidity/foundry.toml (2 hunks)
• solidity/hardhat.config.cts (1 hunks)
• solidity/package.json (2 hunks)
• solidity/remappings.txt (1 hunks)
• solidity/tsconfig.json (1 hunks)
• solidity/zk-hardhat.config.cts (2 hunks)

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

📚 Learning: 2025-11-25T17:10:33.369Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

Applied to files:

• .changeset/fluffy-tools-decide.md
• .github/workflows/test.yml
• solidity/hardhat.config.cts
• solidity/zk-hardhat.config.cts
• solidity/package.json
• solidity/foundry.toml
• solidity/remappings.txt

📚 Learning: 2025-11-26T13:28:51.658Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: typescript/cli/package.json:20-20
Timestamp: 2025-11-26T13:28:51.658Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, hyperlane-xyz/registry is maintained in a separate repository and published to npm, so it should use a pinned version (e.g., "23.6.0") rather than the workspace protocol ("workspace:*") that other internal Hyperlane packages use.

Applied to files:

• .changeset/fluffy-tools-decide.md
• solidity/package.json

📚 Learning: 2025-07-11T10:06:07.854Z

Learnt from: Mo-Hussain
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6702
File: typescript/utils/src/logging.ts:75-93
Timestamp: 2025-07-11T10:06:07.854Z
Learning: In the hyperlane-xyz/utils package, pino-pretty is added as an optional peer dependency rather than a direct dependency, allowing consuming projects to decide if they want the pretty logging functionality without forcing all consumers to install it.

Applied to files:

• .changeset/fluffy-tools-decide.md
• solidity/package.json

📚 Learning: 2025-11-24T17:19:38.362Z

Learnt from: CR
Repo: hyperlane-xyz/hyperlane-monorepo PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T17:19:38.362Z
Learning: Run all tests using `yarn test` for unified testing; use workspace-specific commands for targeted testing (Hardhat, Forge for Solidity; Unit tests for TypeScript; Cargo for Rust)

Applied to files:

• .github/workflows/test.yml
• solidity/hardhat.config.cts

📚 Learning: 2025-11-24T17:19:38.362Z

Learnt from: CR
Repo: hyperlane-xyz/hyperlane-monorepo PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T17:19:38.362Z
Learning: Use `yarn lint` for all workspaces, `solhint` for Solidity-specific linting, and `cargo clippy` for Rust linting

Applied to files:

• .github/workflows/test.yml

📚 Learning: 2025-07-01T18:44:43.514Z

Learnt from: larryob
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6661
File: solidity/contracts/avs/HyperlaneServiceManager.sol:21-23
Timestamp: 2025-07-01T18:44:43.514Z
Learning: Test files and script files in Solidity projects typically don't need absolute import fixes with the same urgency as contract files, since they are not imported by other modules in the codebase. The compilation issues from absolute imports mainly affect files under the contracts directory that users import from.

Applied to files:

• solidity/.gitignore
• solidity/tsconfig.json
• solidity/foundry.toml
• solidity/remappings.txt

📚 Learning: 2025-11-24T17:19:38.362Z

Learnt from: CR
Repo: hyperlane-xyz/hyperlane-monorepo PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T17:19:38.362Z
Learning: Applies to typescript/sdk/src/**/*.ts : TypeScript SDK must provide `MultiProvider` for multi-chain provider management, `HyperlaneCore` factory for core contract interactions, and `MultiProtocolCore` for protocol-agnostic abstractions across EVM, Cosmos, Sealevel, and Starknet

Applied to files:

• solidity/hardhat.config.cts
• solidity/package.json

📚 Learning: 2025-08-26T13:45:52.227Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/testnet_config.json:34-35
Timestamp: 2025-08-26T13:45:52.227Z
Learning: Skip reviewing mainnet_config.json and testnet_config.json configuration files in typescript/infra/config/ and rust/main/config/ directories as requested by paulbalaji to reduce review noise.

Applied to files:

• solidity/tsconfig.json

📚 Learning: 2025-10-21T14:26:22.163Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7223
File: typescript/infra/src/config/chain.ts:56-58
Timestamp: 2025-10-21T14:26:22.163Z
Learning: When adding chains to chainsToSkip in typescript/infra/src/config/chain.ts, it's the expected pattern to keep the chain's configurations in other files like supportedChainNames.ts, agent.ts, validators.ts, and owners.ts. The chainsToSkip array is used selectively by specific scripts (e.g., check-owner-ica.ts) to exclude chains from certain operations, not as a signal to remove all configurations.

Applied to files:

• solidity/tsconfig.json

🔇 Additional comments (18)

solidity/package.json (2)

12-14: Hardhat tooling dependencies correctly placed.

The devDependencies additions look proper—hardhat-foundry plugin and zkSync tooling are build-time concerns, not runtime.

---

57-58: No action required—publishing /dependencies to npm is intentional.

The /dependencies directory is managed by Soldeer (configured in foundry.toml with packages like OpenZeppelin, Arbitrum, and Chainlink). While it's gitignored locally, including it in the npm package allows consumers to use the package without setting up Soldeer themselves. This is a deliberate distribution strategy that trades package size for convenience.

solidity/zk-hardhat.config.cts (1)

1-1: Foundry plugin integration looks good.

Import aligns with the devDependency added to package.json.

solidity/.gitignore (1)

19-20: Soldeer artifacts properly ignored.

Treating the dependencies/ directory like node_modules/ is the right call—keeps generated files out of version control.

.changeset/fluffy-tools-decide.md (1)

1-5: Changeset properly documents the dependency manager migration.

Minor version bump is appropriate for this tooling change.

solidity/hardhat.config.cts (1)

1-1: Foundry plugin integration added.

Consistent with the zkSync config and the new devDependency.

solidity/tsconfig.json (1)

12-13: TypeScript correctly ignores the dependencies directory.

Just like you wouldn't compile node_modules, no point in having TypeScript chew through Soldeer dependencies.

.github/workflows/test.yml (3)

167-169: Soldeer dependency installation added to test workflow.

Placing the Soldeer install step right after foundry-install makes sense—dependencies are ready before the build.

---

828-830: Coverage workflow updated with Soldeer dependencies.

Consistent with the yarn-test-run job.

---

760-761: env-test-matrix already includes Soldeer installation via yarn-build.

The foundry-install step at lines 760-761 is part of a job that also includes a yarn-build step (visible in the workflow context), which handles forge soldeer install as part of the dependency setup. The fork tests use TypeScript scripts and Foundry's cast CLI for RPC interactions, not direct contract compilation, so no additional Soldeer step is needed.

solidity/foundry.toml (3)

43-44: Manual remappings control is sensible for this migration.

Setting remappings_generate = false lets you keep import paths clean without relying on auto-generation. Just make sure remappings.txt stays in sync with the dependencies listed above.

---

35-44: Dependency declarations and remappings are properly configured for Soldeer.

All six packages in foundry.toml use correct Soldeer syntax with appropriate versions and git references. The remappings.txt file correctly maps each Soldeer package to its original import path:

• @openzeppelin-contracts → @openzeppelin/contracts/
• @openzeppelin-contracts-upgradeable → @openzeppelin/contracts-upgradeable/
• @arbitrum-nitro-contracts → @arbitrum/nitro-contracts/src/
• @chainlink-contracts-ccip → @chainlink/contracts-ccip/src/v0.8/
• @eth-optimism-contracts → @eth-optimism/contracts/
• forge-std → forge-std/

Versions in remappings.txt match the declared versions exactly, and paths resolve to the correct dependency directories.

---

5-5: Update hardcoded path in TokenBridgeCctp.t.sol to use Soldeer-managed dependencies instead of node_modules.

The allow_paths removal breaks deployCodeTo() at line 1232 of solidity/test/token/TokenBridgeCctp.t.sol, which contains a hardcoded path to "../node_modules/@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol". Since libs = ["dependencies", "lib"] now points to Soldeer-managed packages, update this path to reference the new dependency location: "dependencies/@openzeppelin-contracts-4.9.3/contracts/proxy/transparent/TransparentUpgradeableProxy.sol".

⛔ Skipped due to learnings

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

Learnt from: larryob
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6661
File: solidity/contracts/avs/HyperlaneServiceManager.sol:21-23
Timestamp: 2025-07-01T18:44:43.514Z
Learning: Test files and script files in Solidity projects typically don't need absolute import fixes with the same urgency as contract files, since they are not imported by other modules in the codebase. The compilation issues from absolute imports mainly affect files under the contracts directory that users import from.

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/testnet_config.json:34-35
Timestamp: 2025-08-26T13:45:52.227Z
Learning: Skip reviewing mainnet_config.json and testnet_config.json configuration files in typescript/infra/config/ and rust/main/config/ directories as requested by paulbalaji to reduce review noise.

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/mainnet_config.json:965-965
Timestamp: 2025-08-26T13:46:37.695Z
Learning: In the repository hyperlane-xyz/hyperlane-monorepo, skip reviewing the file rust/main/config/testnet_config.json in future code reviews as requested by paulbalaji.

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/mainnet_config.json:965-965
Timestamp: 2025-08-26T13:46:37.695Z
Learning: In the repository hyperlane-xyz/hyperlane-monorepo, skip reviewing the file rust/main/config/mainnet_config.json in future code reviews as requested by paulbalaji.

Learnt from: CR
Repo: hyperlane-xyz/hyperlane-monorepo PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T17:19:38.362Z
Learning: Applies to solidity/**/token/**/*.sol : Token Bridge implementation must use `HypERC20` for native token implementations and `HypERC20Collateral` for wrapped/collateral token implementations supporting multi-chain deployments with unified liquidity

.github/workflows/npm-beta-release.yml (5)

69-90: Minor: Optimize conditional execution flow.

The yarn install (line 71) runs unconditionally, but most steps after it are conditional on steps.changesets.outputs.count != '0'. If no changesets exist, the install is wasted work. You could move the install inside the conditional:

-      - name: Install dependencies
-        if: steps.changesets.outputs.count != '0'
-        run: yarn install --immutable
+      - name: Install dependencies
+        if: steps.changesets.outputs.count != '0'
+        run: yarn install --immutable

Actually, looking closer, it's already conditional (line 70). Never mind—this is fine.

---

34-47: Workflow setup looks solid.

Checkout with fetch-depth: 0 and submodules: recursive is the right approach for changesets and version detection. Node setup via .nvmrc keeps things consistent. The short SHA extraction for the beta version tag is clean.

---

57-67: Changeset detection is thorough.

The warning when no changesets are found is helpful. The exclusion of README.md and config.json from the count is correct.

---

92-114: NPM publishing and provenance handling looks correct.

The .npmrc setup, token injection (via env), and NPM_CONFIG_PROVENANCE flag (line 99) follow best practices. Permissions are set correctly (line 32 id-token: write). The summary output (lines 104-114) gives clear install instructions for consumers.

---

80-86: > Likely an incorrect or invalid review comment.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.63%. Comparing base (18b43e9) to head (b87bb7b).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##           main    #7480       +/-   ##
=========================================
+ Coverage      0   77.63%   +77.63%     
=========================================
  Files         0      118      +118     
  Lines         0     2665     +2665     
  Branches      0      244      +244     
=========================================
+ Hits          0     2069     +2069     
- Misses        0      579      +579     
- Partials      0       17       +17     

Components	Coverage Δ
core	87.80% <ø> (∅)
hooks	71.86% <ø> (∅)
isms	81.10% <ø> (∅)
token	90.38% <ø> (∅)
middlewares	84.98% <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c753f7 and 1c5b0cb.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• .github/workflows/test.yml (6 hunks)
• solidity/package.json (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• solidity/package.json

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

📚 Learning: 2025-11-25T17:10:33.369Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

Applied to files:

• .github/workflows/test.yml

📚 Learning: 2025-11-24T17:19:38.362Z

Learnt from: CR
Repo: hyperlane-xyz/hyperlane-monorepo PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T17:19:38.362Z
Learning: Run all tests using `yarn test` for unified testing; use workspace-specific commands for targeted testing (Hardhat, Forge for Solidity; Unit tests for TypeScript; Cargo for Rust)

Applied to files:

• .github/workflows/test.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (61)

• GitHub Check: cli-evm-e2e-matrix (warp-read)
• GitHub Check: cli-evm-e2e-matrix (warp-check-3)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-1)
• GitHub Check: cli-evm-e2e-matrix (warp-check-1)
• GitHub Check: cli-evm-e2e-matrix (warp-send)
• GitHub Check: cli-evm-e2e-matrix (warp-rebalancer)
• GitHub Check: cli-evm-e2e-matrix (warp-check-4)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-2)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-simple-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-check-2)
• GitHub Check: env-test-matrix (mainnet3, optimism, core)
• GitHub Check: cli-evm-e2e-matrix (warp-init)
• GitHub Check: cli-evm-e2e-matrix (core-deploy)
• GitHub Check: cli-evm-e2e-matrix (relay)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ism-updates)
• GitHub Check: cli-evm-e2e-matrix (core-init)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-1)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-check-5)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-recovery)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-config)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-rebalancing-config)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-2)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-hook-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-submitters)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, core)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-basic)
• GitHub Check: cli-evm-e2e-matrix (core-apply)
• GitHub Check: cli-evm-e2e-matrix (core-read)
• GitHub Check: env-test-matrix (testnet4, sepolia, core)
• GitHub Check: cli-evm-e2e-matrix (core-check)
• GitHub Check: env-test-matrix (mainnet3, optimism, igp)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, igp)
• GitHub Check: env-test-matrix (mainnet3, ethereum, igp)
• GitHub Check: aleo-sdk-e2e-run
• GitHub Check: env-test-matrix (mainnet3, ethereum, core)
• GitHub Check: cosmos-sdk-e2e-run
• GitHub Check: cli-radix-e2e-matrix (core-deploy)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-install-test-run
• GitHub Check: cli-cosmos-e2e-matrix (core-read)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-route-extension)
• GitHub Check: cli-cosmos-e2e-matrix (core-deploy)
• GitHub Check: cli-radix-e2e-matrix (warp-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-check)
• GitHub Check: cli-cosmos-e2e-matrix (warp-read)
• GitHub Check: cli-cosmos-e2e-matrix (warp-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-apply)
• GitHub Check: yarn-test-run
• GitHub Check: cli-cross-chain-e2e-matrix (warp-apply)
• GitHub Check: cli-cross-chain-e2e-matrix (warp-deploy)
• GitHub Check: infra-test
• GitHub Check: e2e-matrix (starknet)
• GitHub Check: e2e-matrix (cosmwasm)
• GitHub Check: e2e-matrix (radix)
• GitHub Check: e2e-matrix (cosmosnative)
• GitHub Check: e2e-matrix (sealevel)
• GitHub Check: e2e-matrix (evm)
• GitHub Check: test-rs
• GitHub Check: lander-coverage
• GitHub Check: lint-rs

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

target/rust-analyzer/flycheck0/stderr (1)

2-32: Clean up stabilized workspace-inheritance feature flags.

Those warnings about workspace-inheritance being stabilized since Rust 1.64 suggest the Cargo.toml manifests still list it as an unstable feature. It's harmless, but tidying that up would be proper housekeeping for the codebase.

You can remove the workspace-inheritance feature flag from the affected Cargo.toml files to clear these warnings. Here's how to find them all:

#!/bin/bash
# Find all Cargo.toml files that still declare workspace-inheritance feature

echo "=== Finding Cargo.toml files with workspace-inheritance feature ==="
fd -e toml Cargo.toml --type f | xargs rg -l "workspace-inheritance"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1c5b0cb and 77dd8f59dcb8b13624c9808c8746dd99c7ac6b23.

📒 Files selected for processing (3)

• solidity/package.json (2 hunks)
• target/rust-analyzer/flycheck0/stderr (1 hunks)
• target/rust-analyzer/flycheck1/stderr (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• target/rust-analyzer/flycheck1/stderr

🧰 Additional context used

🧠 Learnings (6)

📓 Common learnings

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

📚 Learning: 2025-11-24T17:19:38.362Z

Learnt from: CR
Repo: hyperlane-xyz/hyperlane-monorepo PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T17:19:38.362Z
Learning: Applies to rust/main/chains/**/*.rs : Rust chain implementations must support `hyperlane-ethereum` for EVM, `hyperlane-cosmos` for Cosmos ecosystem, `hyperlane-sealevel` for Solana/SVM, and `hyperlane-fuel` for Fuel VM

Applied to files:

• target/rust-analyzer/flycheck0/stderr

📚 Learning: 2025-07-11T10:06:07.854Z

Learnt from: Mo-Hussain
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6702
File: typescript/utils/src/logging.ts:75-93
Timestamp: 2025-07-11T10:06:07.854Z
Learning: In the hyperlane-xyz/utils package, pino-pretty is added as an optional peer dependency rather than a direct dependency, allowing consuming projects to decide if they want the pretty logging functionality without forcing all consumers to install it.

Applied to files:

• solidity/package.json

📚 Learning: 2025-11-24T17:19:38.362Z

Learnt from: CR
Repo: hyperlane-xyz/hyperlane-monorepo PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T17:19:38.362Z
Learning: Applies to typescript/sdk/src/**/*.ts : TypeScript SDK must provide `MultiProvider` for multi-chain provider management, `HyperlaneCore` factory for core contract interactions, and `MultiProtocolCore` for protocol-agnostic abstractions across EVM, Cosmos, Sealevel, and Starknet

Applied to files:

• solidity/package.json

📚 Learning: 2025-11-25T17:10:33.369Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

Applied to files:

• solidity/package.json

📚 Learning: 2025-11-26T13:28:51.658Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: typescript/cli/package.json:20-20
Timestamp: 2025-11-26T13:28:51.658Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, hyperlane-xyz/registry is maintained in a separate repository and published to npm, so it should use a pinned version (e.g., "23.6.0") rather than the workspace protocol ("workspace:*") that other internal Hyperlane packages use.

Applied to files:

• solidity/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (68)

• GitHub Check: cli-evm-e2e-matrix (warp-check-3)
• GitHub Check: cli-evm-e2e-matrix (core-init)
• GitHub Check: cli-evm-e2e-matrix (warp-check-2)
• GitHub Check: cli-evm-e2e-matrix (warp-init)
• GitHub Check: cli-evm-e2e-matrix (core-read)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-submitters)
• GitHub Check: cli-evm-e2e-matrix (warp-send)
• GitHub Check: cli-evm-e2e-matrix (warp-rebalancer)
• GitHub Check: cli-evm-e2e-matrix (warp-read)
• GitHub Check: cli-evm-e2e-matrix (relay)
• GitHub Check: cli-evm-e2e-matrix (core-apply)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-1)
• GitHub Check: cli-evm-e2e-matrix (warp-check-4)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ism-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-2)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-1)
• GitHub Check: cli-evm-e2e-matrix (core-deploy)
• GitHub Check: cli-evm-e2e-matrix (warp-check-1)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-recovery)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-2)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-hook-updates)
• GitHub Check: cli-evm-e2e-matrix (core-check)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-basic)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-simple-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-check-5)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-config)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-rebalancing-config)
• GitHub Check: env-test-matrix (mainnet3, optimism, igp)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, core)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, igp)
• GitHub Check: cli-cosmos-e2e-matrix (core-check)
• GitHub Check: env-test-matrix (mainnet3, optimism, core)
• GitHub Check: env-test-matrix (testnet4, sepolia, core)
• GitHub Check: cli-cosmos-e2e-matrix (warp-deploy)
• GitHub Check: cli-radix-e2e-matrix (core-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (warp-read)
• GitHub Check: cli-cross-chain-e2e-matrix (warp-apply)
• GitHub Check: env-test-matrix (mainnet3, ethereum, core)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-route-extension)
• GitHub Check: cli-radix-e2e-matrix (warp-deploy)
• GitHub Check: env-test-matrix (mainnet3, ethereum, igp)
• GitHub Check: cli-cosmos-e2e-matrix (core-apply)
• GitHub Check: cli-cosmos-e2e-matrix (core-read)
• GitHub Check: cli-cross-chain-e2e-matrix (warp-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-deploy)
• GitHub Check: aleo-sdk-e2e-run
• GitHub Check: cli-install-test-run
• GitHub Check: cosmos-sdk-e2e-run
• GitHub Check: yarn-test-run
• GitHub Check: coverage-run
• GitHub Check: infra-test
• GitHub Check: test-rs
• GitHub Check: lint-rs
• GitHub Check: lander-coverage
• GitHub Check: e2e-matrix (radix)
• GitHub Check: e2e-matrix (sealevel)
• GitHub Check: slither
• GitHub Check: e2e-matrix (cosmwasm)
• GitHub Check: e2e-matrix (cosmosnative)
• GitHub Check: e2e-matrix (starknet)
• GitHub Check: e2e-matrix (evm)
• GitHub Check: agent-configs (mainnet3)
• GitHub Check: lint-prettier
• GitHub Check: agent-configs (testnet4)
• GitHub Check: yarn-install
• GitHub Check: diff-check

🔇 Additional comments (1)

solidity/package.json (1)

5-7: Good — dependencies properly reorganized for Soldeer migration.

The structure here looks right. Runtime deps are now just the one internal utility package, the build tooling (zksync and foundry plugins) landed in devDependencies where they belong, and /dependencies is included in the files array so the Soldeer-managed contracts get shipped with the published package.

To be thorough, verify that the /dependencies directory is properly created and populated by the Soldeer setup in CI before the build runs. Since the PR mentions adding forge soldeer update to the workflow, this should be covered, but worth confirming the integration works end-to-end (e.g., that remappings and foundry.toml are aligned with how Soldeer lays things out).

Also applies to: 12-14, 57-58

[paulbalaji]

workflow changes mostly lgtm, will let yorke approve the soldeer stuff

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fc4d588 and 19d8176.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• solidity/.gitignore (1 hunks)
• solidity/package.json (2 hunks)

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

📚 Learning: 2025-07-11T10:06:07.854Z

Learnt from: Mo-Hussain
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6702
File: typescript/utils/src/logging.ts:75-93
Timestamp: 2025-07-11T10:06:07.854Z
Learning: In the hyperlane-xyz/utils package, pino-pretty is added as an optional peer dependency rather than a direct dependency, allowing consuming projects to decide if they want the pretty logging functionality without forcing all consumers to install it.

Applied to files:

• solidity/package.json

📚 Learning: 2025-11-24T17:19:38.362Z

Learnt from: CR
Repo: hyperlane-xyz/hyperlane-monorepo PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T17:19:38.362Z
Learning: Applies to typescript/sdk/src/**/*.ts : TypeScript SDK must provide `MultiProvider` for multi-chain provider management, `HyperlaneCore` factory for core contract interactions, and `MultiProtocolCore` for protocol-agnostic abstractions across EVM, Cosmos, Sealevel, and Starknet

Applied to files:

• solidity/package.json

📚 Learning: 2025-11-25T17:10:33.369Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

Applied to files:

• solidity/package.json

📚 Learning: 2025-11-26T13:28:51.658Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: typescript/cli/package.json:20-20
Timestamp: 2025-11-26T13:28:51.658Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, hyperlane-xyz/registry is maintained in a separate repository and published to npm, so it should use a pinned version (e.g., "23.6.0") rather than the workspace protocol ("workspace:*") that other internal Hyperlane packages use.

Applied to files:

• solidity/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (69)

• GitHub Check: cli-evm-e2e-matrix (warp-extend-basic)
• GitHub Check: cli-evm-e2e-matrix (warp-init)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-simple-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-read)
• GitHub Check: cli-evm-e2e-matrix (warp-rebalancer)
• GitHub Check: cli-evm-e2e-matrix (warp-check-2)
• GitHub Check: cli-evm-e2e-matrix (warp-check-5)
• GitHub Check: cli-evm-e2e-matrix (warp-check-3)
• GitHub Check: cli-evm-e2e-matrix (warp-check-4)
• GitHub Check: cli-evm-e2e-matrix (warp-send)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-1)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-recovery)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-2)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-1)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-rebalancing-config)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-config)
• GitHub Check: cli-evm-e2e-matrix (warp-check-1)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-submitters)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-2)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-evm-e2e-matrix (core-read)
• GitHub Check: cli-evm-e2e-matrix (relay)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-hook-updates)
• GitHub Check: cli-evm-e2e-matrix (core-init)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ism-updates)
• GitHub Check: cli-evm-e2e-matrix (core-check)
• GitHub Check: cli-radix-e2e-matrix (core-deploy)
• GitHub Check: cli-evm-e2e-matrix (core-deploy)
• GitHub Check: cli-evm-e2e-matrix (core-apply)
• GitHub Check: cli-cosmos-e2e-matrix (core-read)
• GitHub Check: cli-cosmos-e2e-matrix (core-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (warp-deploy)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-cosmos-e2e-matrix (warp-read)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-route-extension)
• GitHub Check: cli-radix-e2e-matrix (warp-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-apply)
• GitHub Check: cli-cosmos-e2e-matrix (core-check)
• GitHub Check: env-test-matrix (mainnet3, ethereum, igp)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, igp)
• GitHub Check: env-test-matrix (mainnet3, optimism, core)
• GitHub Check: env-test-matrix (mainnet3, ethereum, core)
• GitHub Check: cli-cross-chain-e2e-matrix (warp-apply)
• GitHub Check: env-test-matrix (testnet4, sepolia, core)
• GitHub Check: env-test-matrix (mainnet3, optimism, igp)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, core)
• GitHub Check: aleo-sdk-e2e-run
• GitHub Check: cli-cross-chain-e2e-matrix (warp-deploy)
• GitHub Check: cli-install-test-run
• GitHub Check: yarn-test-run
• GitHub Check: cosmos-sdk-e2e-run
• GitHub Check: coverage-run
• GitHub Check: infra-test
• GitHub Check: e2e-matrix (starknet)
• GitHub Check: e2e-matrix (radix)
• GitHub Check: e2e-matrix (sealevel)
• GitHub Check: e2e-matrix (evm)
• GitHub Check: e2e-matrix (cosmosnative)
• GitHub Check: lint-prettier
• GitHub Check: e2e-matrix (cosmwasm)
• GitHub Check: agent-configs (mainnet3)
• GitHub Check: agent-configs (testnet4)
• GitHub Check: yarn-install
• GitHub Check: diff-check
• GitHub Check: diff-check
• GitHub Check: lint-rs
• GitHub Check: test-rs
• GitHub Check: lander-coverage
• GitHub Check: slither

🔇 Additional comments (3)

solidity/.gitignore (1)

19-20: LGTM!

Nice bit of housekeeping there. The Soldeer dependencies directory is properly ignored, following the same pattern as the other generated artifacts (Foundry's out, ZKSync's artifacts-zk, etc.).

solidity/package.json (2)

57-58: Verify /dependencies should be in the published package.

Adding /dependencies to the files array means the Soldeer-managed dependencies will be included when this package is published to npm. That's a bit of a departure—typically you'd want consumers to pull those dependencies themselves via Soldeer.

Worth double-checking: is this the intended behavior, or should /dependencies be in .gitignore instead (so it's only used locally during builds)?

---

6-6: LGTM!

Cleaning up the dependencies and keeping only @hyperlane-xyz/utils makes sense—the Solidity packages are now managed by Soldeer. And @hyperlane-xyz/utils is pinned to a specific version, which is the right call for a stable dependency.