defirisk.co
rubric v1.7.0

Dependency manifest uses unpinned versions

M^0's assessment for RD-F-133 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Protocol repo .gitmodules: forge-std on branch v1 (floating), common (MZero-Labs/common.git, no pinning), solmate (transmissions11/solmate, no pinning). TTG repo: forge-std@v1, erc20-helper (maple-labs, no pinning), common (MZero-Labs, no pinning). Both repos use branch-head references, not commit SHA pins. No foundry.lock file. Supply-chain hygiene concern for future builds; current deployed bytecode verified as Exact Match on Etherscan.

Sources

  • GitHub: Protocol .gitmodules (floating branch references), retrieved 2026-05-16
  • GitHub: TTG .gitmodules (floating branch references), retrieved 2026-05-16

Methodology

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
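An added example (not defirisk.co's tooling or code from the M^0 repositories) that applies both checks above: it parses a .gitmodules file and reports each submodule the manifest does not pin, and it flags package.json-style `^`/`~` (and other floating) specifiers. The sample .gitmodules is constructed from the evidence summary; the `lib/` paths and URLs in it are assumptions.

```python
import re
from typing import Dict, List

# Constructed .gitmodules modelled on the evidence summary; the lib/ paths and
# URLs are assumptions, not copied from either M^0 repository.
SAMPLE_GITMODULES = """\
[submodule "lib/forge-std"]
    path = lib/forge-std
    url = https://github.com/foundry-rs/forge-std
    branch = v1
[submodule "lib/common"]
    path = lib/common
    url = https://github.com/MZero-Labs/common.git
[submodule "lib/solmate"]
    path = lib/solmate
    url = https://github.com/transmissions11/solmate
"""

SECTION = re.compile(r'^\[submodule "([^"]+)"\]\s*$')
KEYVAL = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')

def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like .gitmodules format into {name: {key: value}}."""
    mods, current = {}, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            current = m.group(1)
            mods[current] = {}
        elif (kv := KEYVAL.match(line)) and current is not None:
            mods[current][kv.group(1)] = kv.group(2)
    return mods

def audit_gitmodules(text: str) -> List[str]:
    """One finding per submodule not pinned to a commit in the manifest: a
    'branch' entry makes `git submodule update --remote` track that branch
    head, and no 'branch' means the only pin is the superproject's gitlink
    SHA, which must be checked separately."""
    findings = []
    for name, keys in parse_gitmodules(text).items():
        branch = keys.get("branch")
        findings.append(f"{name}: floating branch '{branch}'" if branch
                        else f"{name}: no pin declared in .gitmodules")
    return findings

# package.json check: ^, ~, comparators, '*' and 'latest' resolve at install time.
FLOATING = re.compile(r"^(?:[\^~]|[<>]=?|\*$|latest$)")

def floating_ranges(deps: Dict[str, str]) -> Dict[str, str]:
    """Return the entries of a package.json dependency map that float."""
    return {n: v for n, v in deps.items() if FLOATING.match(v.strip())}
```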


  • rubric_version: v1.7.0
  • protocol: m0
  • factor: RD-F-133
  • score: yellow
  • collected_at: 2026-05-16 09:46:19