OpenZeppelin v5 Safe Imports

Deterministic codemod workflow for migrating Solidity repositories to safe OpenZeppelin Contracts v5 import and symbol paths.

Quick Links

Registry: https://app.codemod.com/registry/%40praddzy/openzeppelin-v5-safe-imports
Live replay demo: https://oz-v5-live-replay-demo.dpratik3005.workers.dev
Case study: https://dev.to/pratik_daithankar_4a5c141/openzeppelin-v5-final-case-study-116k
Verification run: https://github.com/PRADDZY/codemod-v5/actions/runs/25277555948
Evidence docs: docs/submission/evidence_sources.md

Quickstart

Requirements:

Node.js 18+
A target repository containing Solidity files (*.sol)

Preview changes:

npx codemod@latest workflow run -w . -t /path/to/repo --no-interactive --allow-dirty --allow-fs --dry-run

Apply changes:

npx codemod@latest workflow run -w . -t /path/to/repo --no-interactive --allow-dirty --allow-fs

Optional AI follow-up for unresolved TODO markers:

npx codemod@latest workflow run -w . -t /path/to/repo --no-interactive --allow-dirty --allow-fs --param aiReview=true

What It Rewrites Safely

Import path moves:
- @openzeppelin/contracts/security/ReentrancyGuard.sol -> @openzeppelin/contracts/utils/ReentrancyGuard.sol
- @openzeppelin/contracts/security/Pausable.sol -> @openzeppelin/contracts/utils/Pausable.sol
- @openzeppelin/contracts/math/Math.sol -> @openzeppelin/contracts/utils/math/Math.sol
- draft ERC20 permit imports to their v5 paths
Matching upgradeable import moves for safe path changes
Allowlisted symbol rewrites when the import rewrite is safe:
- IERC20Upgradeable -> IERC20
- IERC20MetadataUpgradeable -> IERC20Metadata
- IERC20PermitUpgradeable -> IERC20Permit
- AddressUpgradeable -> Address
- SafeERC20Upgradeable -> SafeERC20

What Requires Manual Review

The workflow preserves explicit TODO markers for code-aware decisions:

ownable_constructor_initial_owner
ownable_initializer_initial_owner
token_hooks_update_migration
removed_module_usage
import_path_layout_review

Safety Boundaries

Non-allowlisted or ambiguous migrations are intentionally not auto-fixed.
OZ-V5-TODO[...] markers are retained unless fully resolved.
Scan scope is limited to Solidity files and excludes node_modules, lib, out, artifacts, and cache.

Validate

npm test
npx codemod@latest workflow validate -w .

Maintainer Commands

Check registry listing:

npx codemod@latest search "openzeppelin v5 safe imports"

Publish:

npx codemod@latest publish

Optional repo-level evaluation:

npm run evaluate -- ./target-repo --compile "forge build" --test "forge test"

Evidence and Submission Docs

For verification artifacts and submission-ready materials, use files under docs/submission, especially:

License

MIT

Name		Name	Last commit message	Last commit date
Latest commit History 20 Commits
.github/workflows		.github/workflows
docs/submission		docs/submission
heavy-matrix-eval-slim		heavy-matrix-eval-slim
live-demo		live-demo
scripts		scripts
src		src
tests		tests
.gitignore		.gitignore
.npmignore		.npmignore
README.md		README.md
codemod.yaml		codemod.yaml
oz-migrate.config.json		oz-migrate.config.json
package-lock.json		package-lock.json
package.json		package.json
tsconfig.json		tsconfig.json
vitest.config.js		vitest.config.js
workflow.yaml		workflow.yaml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

OpenZeppelin v5 Safe Imports

Quick Links

Quickstart

What It Rewrites Safely

What Requires Manual Review

Safety Boundaries

Validate

Maintainer Commands

Evidence and Submission Docs

License

About

Uh oh!

Releases

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

OpenZeppelin v5 Safe Imports

Quick Links

Quickstart

What It Rewrites Safely

What Requires Manual Review

Safety Boundaries

Validate

Maintainer Commands

Evidence and Submission Docs

License

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Packages