Ok to use 'old' version of OpenZeppelin Contracts ERC721 contract?

I’m building a project that uses OZ’s ERC721 contracts. My contract is a fork of another, which was built a year ago, and used the most up to date version of the contracts at that time (which is version 2.2) but are now a year old.

There are newer versions out since then, but I do not want to risk breaking something or introducing some attack vector in the process of upgrading, unless it is strictly necessary. Do you think this approach makes sense? Is it ok to use an older version of the ERC721 contracts in my project?

I have scanned through the patch notes since version 2.2 and I don’t think there is anything that would necessitate an update?

Hi @mcplums,

My recommendation is to use the current version, OpenZeppelin Contracts v2.5

If you use off chain metadata, then ERC721Metadata.baseURI is worth using for the gas saving.

Whilst there doesn't appear to be anything obvious in the changelog between 2.2 and 2.5, I haven't been through the code to see what changes were made https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md

I am very cautious about forking other projects smart contract code.
I would check that the code has installed OpenZeppelin Contracts from a release version and hasn't been modified.

https://docs.openzeppelin.com/contracts/2.x/#usage
To keep your system secure, you should always use the installed code as-is, and neither copy-paste it from online sources, nor modify it yourself.

Any solution should be appropriately tested and audited. I wouldn't depend on testing and auditing of the original solution that you are forking from.