defirisk.co
rubric v1.7.0

Dependency manifest uses unpinned versions

Jupiter's assessment for RD-F-133 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Primary programs are closed-source binaries — Cargo.toml/package.json not publicly accessible. Open-source sub-repos: jup-ag/distributor pins Anchor 0.28.0, solana 1.16.25, rust 1.68.0 (pinned exact versions — positive); jup-ag/jup-lock uses Anchor build system (version not fully visible). Core program dependency pinning cannot be verified. Gray per methodology: dependency manifest not accessible for core programs.

Sources

  • GitHub: Jupiter Lock (jup-ag/jup-lock) — Anchor/Rust project, dependency manifest not fully visible. Retrieved 2026-04-29.
  • GitHub: Jupiter Distributor (jup-ag/distributor) — Anchor 0.28.0, solana 1.16.25, rust 1.68.0 pinned (open-source, GPL-3.0). Retrieved 2026-04-29.

Methodology

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
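An added example of the check described above, written for this page rather than taken from the defirisk.co rubric tooling or any Jupiter repository: it runs over constructed `package.json` and `Cargo.toml` snippets and flags every requirement that is not an exact pin. Cargo treats a bare `"0.28.0"` as the caret range `^0.28.0`, so in `Cargo.toml` only the `=x.y.z` form is an exact pin; the npm side flags `^`, `~` and any other range syntax.

```python
import json
import re

# Constructed sample manifests for illustration; not taken from any real project.
PACKAGE_JSON = """{
  "dependencies": {
    "@openzeppelin/contracts": "^4.9.3",
    "solady": "~0.0.180",
    "ethers": "6.7.1",
    "viem": ">=1.0.0 <2.0.0"
  }
}"""

CARGO_TOML = """[package]
name = "example-program"
version = "0.1.0"

[dependencies]
anchor-lang = "0.28.0"
solana-program = "=1.16.25"
spl-token = { version = "4.0.0", features = ["no-entrypoint"] }
"""

# npm: only a bare semver version is an exact pin; ^, ~, >=, x, * and tags are ranges.
NPM_EXACT = re.compile(r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?")
# Cargo: a bare "1.2.3" means "^1.2.3"; only a leading "=" pins the exact version.
CARGO_EXACT = re.compile(r"=\s*\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?")


def npm_unpinned(manifest: str) -> dict:
    """Return package.json dependencies whose requirement is a range, not an exact pin."""
    deps = json.loads(manifest).get("dependencies", {})
    return {name: req for name, req in deps.items() if not NPM_EXACT.fullmatch(req.strip())}


def cargo_unpinned(manifest: str) -> dict:
    """Return [dependencies] entries that are not '=x.y.z' (minimal line-based TOML scan)."""
    unpinned, in_deps = {}, False
    for line in manifest.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_deps = line == "[dependencies]"
            continue
        m = re.match(r"^([\w-]+)\s*=\s*(.+)$", line)
        if not in_deps or not m:
            continue
        name, value = m.groups()
        # Inline table `{ version = "..." }` or plain `"..."`; git/path deps have no version.
        ver = re.search(r'version\s*=\s*"([^"]*)"', value) if value.startswith("{") \
            else re.match(r'"([^"]*)"', value)
        req = ver.group(1) if ver else ""
        if not CARGO_EXACT.fullmatch(req.strip()):
            unpinned[name] = req or value
    return unpinned


if __name__ == "__main__":
    print("npm ranges:  ", npm_unpinned(PACKAGE_JSON))
    print("cargo ranges:", cargo_unpinned(CARGO_TOML))
```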


rubric_version: v1.7.0
protocol: jupiter
factor: RD-F-133
score: gray
collected_at: 2026-04-29 11:51:25