Dependency manifest uses unpinned versions

Maple Finance's assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Maple uses Foundry with git submodules (no package.json / npm). Git submodules are pinned to specific commits, not floating semver ranges. No unpinned version risk from npm-style floating ranges.

Sources #

Partner feed
Data-cache: package_json_present=false, foundry_toml_present=true — submodule-based dependency managementretrieved 2026-04-27
GitHub
https://github.com/maple-labs/maple-core-v2/tree/main/modulesretrieved 2026-04-27

Methodology #

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol maple-finance factor RD-F-133 score green collected_at 2026-04-27 05:38:08