defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

Liquity V1 + V2 (LUSD / BOLD)'s assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

GitHub-flagged malicious-dependency incident touching protocol dependencies. Applicable: yes (bold repo has package.json present per cache; Node.js tooling). Current posture: no current GHSA or npm advisory flagged against Liquity's dependency tree via public search. Cache github.package_json_present: true. Active development (last commit 2026-05-16). No supply-chain dependency incident reported for Liquity.

Sources #

  • GitHub
    Liquity v2 GitHub repositoryLiquity bold repository: active development, well-maintained; no public GHSA advisory found for Liquity dependenciesretrieved 2026-05-16
  • Internal
    00-data-cache.json githubData cache github.package_json_present: true; last_commit_date: 2026-05-16; no static_analysis findings in cacheretrieved 2026-05-16

Methodology #

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol liquity factor RD-F-160 score green collected_at 2026-05-16 10:35:50