ERC20Permit: deprecate DOMAIN_SEPARATOR in favor of ERC-5267 #6382

Closed
Atul-Koundal wants to merge 3 commits into OpenZeppelin:master from Atul-Koundal:deprecate-domain-separator

@Atul-Koundal Atul-Koundal commented Mar 1, 2026

Description

Adds a deprecation notice to DOMAIN_SEPARATOR() in ERC20Permit
and IERC20Permit, scheduling it for removal in v6.0.

Motivation

ERC-5267 provides native support for domain information via eip712Domain(),
making the standalone DOMAIN_SEPARATOR() function redundant.
EIP712 has native support for ERC-5267 and the DOMAIN_SEPARATOR()
function is not recommended going forward.

Changes

  • ERC20Permit.sol: Added @custom:deprecated notice, added virtual, replaced @inheritdoc with full NatSpec
  • IERC20Permit.sol: Added @custom:deprecated notice to the function comment
  • CHANGELOG.md: Documented deprecation under ## Unreleased
  • ERC20Permit.test.js: Added deprecation comment above the domain separator test

Migration

Users should replace:

bytes32 separator = token.DOMAIN_SEPARATOR();

With:

(, string memory name, string memory version, uint256 chainId, 
 address verifyingContract,,) = token.eip712Domain();

References

@Atul-Koundal Atul-Koundal requested a review from a team as a code owner March 1, 2026 19:23
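
For callers that still need the 32-byte separator after the migration described above, this added example (not part of the PR and not OpenZeppelin code) rebuilds it from the `eip712Domain()` fields. The library name `DomainSeparatorFrom5267` and its errors are hypothetical; it assumes the domain uses exactly name, version, chainId and verifyingContract (`fields == 0x0f`), has no extensions, and that the token is its own verifying contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not OpenZeppelin code. Minimal ERC-5267 view interface.
interface IERC5267 {
    function eip712Domain()
        external
        view
        returns (
            bytes1 fields,
            string memory name,
            string memory version,
            uint256 chainId,
            address verifyingContract,
            bytes32 salt,
            uint256[] memory extensions
        );
}

// Hypothetical helper: rebuilds the EIP-712 domain separator from ERC-5267 data.
library DomainSeparatorFrom5267 {
    bytes32 private constant TYPE_HASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");

    error UnsupportedDomainFields(bytes1 fields);
    error UnsupportedExtensions();
    error DomainMismatch(uint256 chainId, address verifyingContract);

    function domainSeparator(IERC5267 token) internal view returns (bytes32) {
        (
            bytes1 fields,
            string memory name,
            string memory version,
            uint256 chainId,
            address verifyingContract,
            ,
            uint256[] memory extensions
        ) = token.eip712Domain();

        // Assumption: only name, version, chainId and verifyingContract are used (fields == 0x0f).
        if (fields != bytes1(0x0f)) revert UnsupportedDomainFields(fields);
        if (extensions.length != 0) revert UnsupportedExtensions();
        // Refuse a domain that is bound to another chain or another contract.
        if (chainId != block.chainid || verifyingContract != address(token)) {
            revert DomainMismatch(chainId, verifyingContract);
        }

        return keccak256(
            abi.encode(TYPE_HASH, keccak256(bytes(name)), keccak256(bytes(version)), chainId, verifyingContract)
        );
    }
}
```
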
changeset-bot bot commented Mar 1, 2026

⚠️ No Changeset found

Latest commit: 548ab42

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

coderabbitai bot commented Mar 1, 2026

Walkthrough

The DOMAIN_SEPARATOR() function in ERC20Permit is marked as deprecated via updated documentation and made virtual to permit overrides. Changes include: adding virtual to the function signature in ERC20Permit.sol, updating deprecation notices in both the implementation and interface documentation, updating the test file with a deprecation comment, and extending the changelog with a deprecation entry. The function remains functional but directs users toward ERC-5267's eip712Domain as the preferred alternative. Removal is planned for v6.0.

Possibly related issues

  • #6363: The main issue requesting deprecation of DOMAIN_SEPARATOR() in ERC20Permit and transition toward ERC-5267 domain introspection, which this PR directly implements with deprecation notices and virtual keyword addition.

Possibly related PRs

  • #5908: Implements ERC-5267 domain separator helpers in MessageHashUtils, providing the alternative mechanism that this PR directs users toward with its DOMAIN_SEPARATOR() deprecation.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: deprecating DOMAIN_SEPARATOR() in favor of ERC-5267. |
| Linked Issues check | ✅ Passed | The PR successfully addresses issue #6366 by adding @custom:deprecated notices to DOMAIN_SEPARATOR() in both ERC20Permit.sol and IERC20Permit.sol, marking it virtual, updating NatSpec, and documenting changes in CHANGELOG.md. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to the deprecation objective: NatSpec updates, virtual keyword addition, changelog entry, and test comment—no unrelated modifications detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description check | ✅ Passed | The PR description clearly relates to the changeset, providing detailed motivation, specific changes, and migration guidance for deprecating DOMAIN_SEPARATOR(). |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CHANGELOG.md`:
- Line 6: Update the placeholder PR reference in the CHANGELOG entry that
mentions "`ERC20Permit`: `DOMAIN_SEPARATOR()` is deprecated..." by replacing
`#XXXX` with the actual pull request number or link to the merged PR so the
citation is valid; locate the changelog line containing `ERC20Permit` and
`#XXXX` and substitute the placeholder with the real PR identifier or URL before
merging.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between ca6f5fa and d4b06f6.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • CHANGELOG.md
  • contracts/token/ERC20/extensions/ERC20Permit.sol
  • contracts/token/ERC20/extensions/IERC20Permit.sol
  • test/token/ERC20/extensions/ERC20Permit.test.js

Comment thread CHANGELOG.md
## Unreleased

### Deprecations
- `ERC20Permit`: `DOMAIN_SEPARATOR()` is deprecated and will be removed in v6.0. Use `eip712Domain()` as defined by {ERC-5267} instead, which provides full domain information with native EIP-712 tooling support. ([#XXXX](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/XXXX))
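
Review bot: The entry under `### Deprecations` tells users to call `eip712Domain()` instead, but that function returns the domain fields rather than the 32-byte separator, so the entry should say that callers who still need the hash must compute it from those fields, or name the helper they should use. The `{ERC-5267}` braces will also appear literally in a changelog; write ERC-5267 plainly or link it.
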

⚠️ Potential issue | 🟡 Minor

Replace placeholder PR link before merge.

Line 6 still references #XXXX, which leaves a broken changelog citation.

Suggested fix
-- `ERC20Permit`: `DOMAIN_SEPARATOR()` is deprecated and will be removed in v6.0. Use `eip712Domain()` as defined by {ERC-5267} instead, which provides full domain information with native EIP-712 tooling support. ([`#XXXX`](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/XXXX))
+- `ERC20Permit`: `DOMAIN_SEPARATOR()` is deprecated and will be removed in v6.0. Use `eip712Domain()` as defined by {ERC-5267} instead, which provides full domain information with native EIP-712 tooling support. ([`#6382`](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/6382))
Suggested change
- `ERC20Permit`: `DOMAIN_SEPARATOR()` is deprecated and will be removed in v6.0. Use `eip712Domain()` as defined by {ERC-5267} instead, which provides full domain information with native EIP-712 tooling support. ([#XXXX](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/XXXX))
- `ERC20Permit`: `DOMAIN_SEPARATOR()` is deprecated and will be removed in v6.0. Use `eip712Domain()` as defined by {ERC-5267} instead, which provides full domain information with native EIP-712 tooling support. ([`#6382`](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/6382))
@Atul-Koundal Atul-Koundal force-pushed the deprecate-domain-separator branch from 509d8e3 to 548ab42 Compare March 2, 2026 12:18
@socket-security
Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert
Block Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code augments a meta-schema to permit remote dereferencing of keyword schemas via a hardcoded data.json resource. This introduces network dependency and potential changes to validation semantics at runtime. While not inherently malicious, the remote reference constitutes a notable security and reliability risk that should be mitigated with local fallbacks, input validation, and explicit remote-resource governance.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint@9.39.3 → npm/ajv@6.14.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code is a straightforward build script to bundle and minify a specified package using Browserify and UglifyJS. The primary security concern is potential path manipulation: json.main is used to form a require path without validating that it stays within the target package directory. If a malicious or misconfigured package.json includes an absolute path or traversal outside the package, the script could bundle unintended files. Otherwise, the script does not perform network access, data exfiltration, or backdoor actions, and there is no hard-coded secrets or dynamic code execution beyond standard bundling/minification.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint@9.39.3 → npm/ajv@6.14.0

Block Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code implements a standard AJV-like dynamic parser generator for JTD schemas. There are no explicit malware indicators in this fragment. The primary security concern is the dynamic code generation and execution from external schemas, which introduces a medium risk if schemas are untrusted. With trusted schemas and proper schema management, the risk is typically acceptable within this pattern.

Confidence: 1.00

Severity: 0.60

From: ? → npm/solhint@6.0.3 → npm/@openzeppelin/upgrade-safe-transpiler@0.4.1 → npm/ajv@8.18.0

Block Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code implements standard timestamp validation with clear logic for normal and leap years and leap seconds. There is no network, file, or execution of external code within this isolated fragment. The only anomalous aspect is assigning a string to validTimestamp.code, which could enable external tooling to inject behavior in certain environments, but this does not constitute active malicious behavior in this isolated snippet. Overall, low to moderate security risk in typical usage; no malware detected within the shown code.

Confidence: 1.00

Severity: 0.60

From: ? → npm/solhint@6.0.3 → npm/@openzeppelin/upgrade-safe-transpiler@0.4.1 → npm/ajv@8.18.0

Block Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: This module generates JavaScript code at runtime via standaloneCode(...) and then immediately executes it with require-from-string. Because the generated code can incorporate user-supplied schemas or custom keywords without sanitization or sandboxing, an attacker who controls those inputs could inject arbitrary code and achieve remote code execution in the Node process. Users should audit and lock down the standaloneCode output or replace dynamic evaluation with a safer, static bundling approach.

Confidence: 1.00

Severity: 0.60

From: ? → npm/solhint@6.0.3 → npm/@openzeppelin/upgrade-safe-transpiler@0.4.1 → npm/ajv@8.18.0

Block Low
Potential code anomaly (AI signal): npm glob is 100.0% likely to have a medium risk anomaly

Notes: The Glob utilities implement a conventional and well-structured filesystem glob-walking mechanism with robust control flow (abort signals, backpressure) and safe output semantics. There is no evidence of malicious behavior, backdoors, or data exfiltration within this fragment. Risks mainly relate to how downstream consumers may handle emitted paths, not to the library itself.

Confidence: 1.00

Severity: 0.60

From: package.json → npm/glob@13.0.6

@Amxx Amxx closed this Mar 4, 2026

Development

Successfully merging this pull request may close these issues.

Remove DOMAIN_SEPARATOR function from ERC20Permit

2 participants