Dependency manifest uses unpinned versions
Jupiter Perpetual Exchange's assessment for RD-F-133 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Closed-source program; no public Cargo.toml, package.json, or foundry.toml for the perps program is accessible. Data-cache: github.repo_url: null, github.foundry_toml_present: false. Dependency pinning cannot be assessed without access to the manifest files.
Sources
- GitHub, jup-ag GitHub organization: 185 public repos searched; no public perps source repo or manifest files found (retrieved 2026-05-16)
- 00-data-cache.json github fields: data cache shows github.repo_url: null, github.foundry_toml_present: false, github.package_json_present: false (retrieved 2026-05-16)
Methodology
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
- rubric_version: v1.7.0
- protocol: jupiter-perps
- factor: RD-F-133
- score: gray
- collected_at: 2026-05-16 01:53:11