defirisk.co
rubric v1.7.0

Dependency manifest uses unpinned versions

Dolomite's assessment for RD-F-133 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The dolomite-margin core package.json declares @openzeppelin/contracts: '^2.5.1', a caret range that resolves to any OZ 2.x release at or above 2.5.1 (>=2.5.1 <3.0.0) rather than to one exact version. @uniswap/lib: '^4.0.1-alpha' likewise uses a caret range, as does @nomicfoundation/hardhat-foundry: '^1.1.3' in the modules layer. OpenZeppelin, the security-critical library the rubric targets, is therefore unpinned in the core manifest.

Sources

  • GitHub: DolomiteMargin package.json
    @openzeppelin/contracts '^2.5.1' (caret range, unpinned); @uniswap/lib '^4.0.1-alpha' (unpinned). Retrieved 2026-05-16.

Methodology

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
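The check the methodology describes, as an added example that is not defirisk.co's tooling or any Dolomite code: a small Node.js script that parses a package.json, classifies each declared version range, and flags non-exact ranges on a watch-list of security-critical packages. The manifest it scans is constructed here to mirror the ranges cited in the evidence; CRITICAL_PACKAGES, classifyRange, findUnpinned and report are names chosen for this example. It covers only package.json; Cargo.toml and foundry.toml would need a TOML parser in front of the same classification logic.

```javascript
// Added example (not defirisk.co's or Dolomite's code): flag non-exact
// version ranges on security-critical npm dependencies in a package.json.

// Watch-list of packages whose resolved version affects deployed bytecode.
// Names are examples; extend to match the project under review.
const CRITICAL_PACKAGES = [
  '@openzeppelin/contracts',
  '@openzeppelin/contracts-upgradeable',
  'solady',
  '@uniswap/lib',
];

// An exact semver pin: MAJOR.MINOR.PATCH with optional prerelease/build tags.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Classify one declared range string by how loosely it resolves.
function classifyRange(range) {
  const r = String(range).trim();
  if (EXACT_SEMVER.test(r)) return 'exact';
  if (r.startsWith('^')) return 'caret';   // any compatible minor/patch
  if (r.startsWith('~')) return 'tilde';   // any compatible patch
  if (r === '*' || r === '' || r === 'latest') return 'any';
  if (/^(>=?|<=?|=)/.test(r) || r.includes(' - ') || r.includes('||') || /\.x$/i.test(r)) {
    return 'range';                         // explicit comparator / hyphen / x-range
  }
  return 'other';                           // git URL, dist-tag, file:, workspace:, ...
}

// Walk dependencies and devDependencies, returning every non-exact entry
// and marking those on the critical watch-list.
function findUnpinned(manifestText, critical = CRITICAL_PACKAGES) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    const deps = manifest[field] || {};
    for (const [name, range] of Object.entries(deps)) {
      const kind = classifyRange(range);
      if (kind === 'exact') continue;
      findings.push({ field, name, range, kind, critical: critical.includes(name) });
    }
  }
  return findings;
}

// Summarise into the rubric's pass/fail shape: red if any critical dependency
// is not pinned to an exact version.
function report(manifestText) {
  const findings = findUnpinned(manifestText);
  const criticalHits = findings.filter((f) => f.critical);
  return { findings, criticalHits, score: criticalHits.length > 0 ? 'red' : 'green' };
}

// CONSTRUCTED manifest mirroring the ranges cited in the evidence summary,
// plus one exactly pinned package and one tilde range for contrast.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'dolomite-margin-sample',
  dependencies: {
    '@openzeppelin/contracts': '^2.5.1',
    '@uniswap/lib': '^4.0.1-alpha',
    'bn.js': '4.11.8',
  },
  devDependencies: {
    '@nomicfoundation/hardhat-foundry': '^1.1.3',
    hardhat: '~2.19.0',
  },
});

// Usage: node check_pins.js (prints the findings for the constructed manifest).
const result = report(SAMPLE_PACKAGE_JSON);
for (const f of result.findings) {
  console.log(`${f.critical ? 'CRITICAL ' : ''}${f.field}: ${f.name} ${f.range} (${f.kind})`);
}
console.log(`score: ${result.score}`);
```

One caveat the manifest-only check does not capture: when a lockfile (package-lock.json or yarn.lock) is committed and installs use `npm ci`, a caret range still resolves to the locked version, so the practical exposure is narrower than the manifest alone suggests. A thorough review confirms both the declared range and that a lockfile is present and honoured in CI, since the resolved OpenZeppelin sources are what the Solidity compiler bakes into the deployed bytecode.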


rubric_version: v1.7.0
protocol: dolomite
factor: RD-F-133
score: red
collected_at: 2026-05-16 11:12:56