cowprotocol · igorroncevic · May 6, 2026 · May 8, 2026 · fedgiac · May 8, 2026
@@ -12,3 +12,7 @@ docs/
 
 # Dotenv file
 .env
+
+# Local development dependencies
+dev/node_modules/
+dev/.venv/
@@ -6,7 +6,6 @@ This project is meant to be used as a templated during the creation of new Githu
 
 It will contain some useful configuration files and scripts, that can be used also with existing projects (manually copied).
 
-
 ## Usage
 
 ### Build
@@ -27,6 +26,25 @@ forge test
 forge fmt
 ```
 
+### Local tooling
+
+Solhint and Slither are pinned as local development dependencies under `dev/`.
+The pnpm setup waits 7 days before installing newly released packages, matching CoW repos and giving more review time than a 2-day delay.
+Install them with:
+
+```shell
+pnpm --dir dev install --frozen-lockfile
+python -m venv dev/.venv
+dev/.venv/bin/pip install -r dev/requirements.txt
+```
+
+Use the local binaries when running these tools:
+
+```shell
+dev/node_modules/.bin/solhint --version
+dev/.venv/bin/slither --version
+```
+
 ### Gas Snapshots
 
 ```shell
@@ -44,18 +62,20 @@ forge script script/Counter.s.sol:CounterScript --rpc-url <your_rpc_url> --priva
 The following operations need to be performed after this repository has been created.
 
 - [ ] In GitHub repo settings:
-    - [ ] Add a new ruleset called "Protected branches" and include the following changes:
-        - Enforcement status: active
-        - Target branches: Include default branch
-        - Require linear history
-        - Require a pull request before merging
-          - Required approvals: 1
-          - Allowed merge methods: Squash
-        - Block force pushes
-    - [ ] In General → Features → Pull requests:
-        - Select "Pull request title and description" in "Default commit message" option
-        - Unckeck "Allow merge commits" option
-        - Check "Allow auto-merge" option
+  - [ ] Add a new ruleset called "Protected branches" and include the following changes:
+    - Enforcement status: active
+    - Target branches: Include default branch
+    - Require linear history
+    - Require a pull request before merging
+      - Required approvals: 1
+      - Allowed merge methods: Squash
+    - Block force pushes
+  - [ ] In General → Features → Pull requests:
+    - Select "Pull request title and description" in "Default commit message" option
+    - Unckeck "Allow merge commits" option
+    - Check "Allow auto-merge" option
 - [ ] Run `forge install` to install the dependencies. This will create a new `foundry.lock` file which you should commit to the project
+- [ ] Set up [Local tooling](#local-tooling) so Solhint and Slither use the pinned project versions
+- [ ] Update the project details in `dev/package.json`, including `name` and `description`
 - [ ] Make sure you use the [latest version of Solidity](https://github.com/argotorg/solidity/releases) by updating the `solc` version in `foundry.toml`
-- [ ] Once all entries in this list are checked, delete this section from the readme
+- [ ] Once all entries in this list are checked, delete this section from the readme
@@ -0,0 +1,11 @@
+{
+  "name": "contracts-template-dev",
+  "version": "0.0.0",
+  "private": true,
+  "description": "Local development dependencies for the contracts template.",
+  "license": "UNLICENSED",
+  "packageManager": "pnpm@10.33.2",
+  "devDependencies": {
+    "solhint": "6.0.3"
+  }
+}