Dependency manifest uses unpinned versions
Aerodrome Finance's assessment for RD-F-133 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Aerodrome Pools package.json: @openzeppelin/contracts pinned at exact '4.8.0' (not ^). Other devDependencies use ^ but are dev-only. OZ is pinned. Slipstream uses git submodules (no ^ semantics); submodule commit SHAs not confirmed from WebFetch. Yellow pending Slipstream SHA confirmation.
Sources #
- GitHubSlipstream .gitmodules (SHA confirmation pending)Slipstream .gitmodules — submodule SHAs not confirmedretrieved 2026-05-04
- Aerodrome package.json (OZ exact pin)package.json — OZ 4.8.0 exact pin confirmedretrieved 2026-05-04
Methodology #
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol aerodrome factor RD-F-133 score yellow collected_at 2026-05-04 19:56:03