dforce-network / dToken

dForce yield token

Contracts used as dependencies do not track upstream changes

mgcolburn opened this issue · comments

Severity: Low

Description

Several third-party contracts are copy-pasted into the repository, including several OpenZeppelin contracts as well as some from DappHub. Moreover, the code documentation does not specify the exact revision that was used and if it was modified. This makes receiving updates and security fixes on these dependencies unreliable as they must be updated manually.

Recommendations

Short term, review the codebase and document the source and version used for each dependency. Include the third-party sources as submodules in your Git repository so that internal path consistency can be maintained and dependencies are updated periodically.

Long term, use an Ethereum development environment and NPM to manage packages as part of your project.
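One way to make the short-term recommendation checkable in CI, as an added example that is not dToken's own code: compare every copy-pasted `.sol` file against the pinned npm package and report untouched copies, locally modified copies (with a diff to document), and files that have no upstream package at all. The `node_modules/@openzeppelin/contracts` layout, the `contracts/library` vendor directory and all file contents are constructed for the demo.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_vendored(vendor_root: Path, upstream_root: Path) -> dict:
    """Classify each vendored .sol as 'identical', 'modified' or 'no upstream'.
    upstream_root is the pinned package (assumed: node_modules/@openzeppelin/contracts
    at the version in package-lock.json); files are matched by name."""
    upstream = {}
    for p in upstream_root.rglob("*.sol"):
        upstream.setdefault(p.name, []).append(p)
    report = {}
    for vendored in sorted(vendor_root.rglob("*.sol")):
        candidates = upstream.get(vendored.name)
        if not candidates:
            report[vendored.name] = {"status": "no upstream"}
            continue
        digest = sha256_file(vendored)
        match = next((c for c in candidates if sha256_file(c) == digest), None)
        if match:
            report[vendored.name] = {"status": "identical", "upstream": str(match)}
            continue
        # Local edit: keep a unified diff so the change can be reviewed, documented
        # and re-applied (or dropped) when the dependency is bumped.
        ref = candidates[0]
        diff = list(difflib.unified_diff(
            ref.read_text().splitlines(), vendored.read_text().splitlines(),
            fromfile=str(ref), tofile=str(vendored), lineterm=""))
        report[vendored.name] = {"status": "modified", "upstream": str(ref), "diff": diff}
    return report

def demo() -> dict:
    """Audit a constructed tree: an untouched copy, an edited copy, a file with no npm source."""
    root = Path(tempfile.mkdtemp())
    up = root / "node_modules" / "@openzeppelin" / "contracts" / "utils"
    vend = root / "contracts" / "library"
    for d in (up, vend):
        d.mkdir(parents=True)
    ownable = "contract Ownable {\n    address public owner;\n}\n"
    (up / "Ownable.sol").write_text(ownable)
    (up / "Pausable.sol").write_text("contract Pausable {}\n")
    (vend / "Ownable.sol").write_text(ownable)
    (vend / "Pausable.sol").write_text("contract Pausable { bool public paused; }\n")
    (vend / "DSAuth.sol").write_text("contract DSAuth {}\n")  # DappHub code, no npm source here
    return audit_vendored(vend, up.parent)
```

Any file reported as `modified` or `no upstream` is one whose provenance and revision the repository documentation should record explicitly, since it will not be refreshed by bumping the package version.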

commented

Will do it as you suggested.

We are reviewing the third-party packages and the modifications we have made to some of them to adapt them to our own goals. We will try to minimize our changes and use a more standardized approach.