defirisk.co
rubric v1.7.0

GitHub malicious-dependency incident touching protocol deps

Maple Finance's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

No active GHSA advisory flagging a malicious release in maple-core-v2 dependencies. Foundry-based repo with no npm supply-chain exposure in the core contracts. No advisory affecting maple-labs deps identified.

Detail

Threshold: a malicious release in a dependency consumed by this protocol, confirmed by a GHSA advisory or npm audit. Observed: no active advisory. Maple uses the Foundry build toolchain (no package.json per data-cache: github.package_json_present = false), so there is no npm dependency tree for npm audit to evaluate. Foundry manages dependencies as git submodules pinned to a specific commit in the superproject's tree rather than as npm version ranges resolved at install time, so a malicious upstream release cannot enter the build unless a commit moves the pin. This narrows the supply-chain attack surface relative to npm-dependent protocols but does not remove it: a forge update, or a submodule configured to track a branch, pulls upstream HEAD. No GHSA advisory for maple-labs dependencies was found in public search.

Sources

  • Internal
    00-data-cache.json — github.package_json_present = false, foundry_toml_present = true (retrieved 2026-04-27)

Methodology

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
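The check described here and in the Detail section above, as an added example (not defirisk.co's curator tooling or Maple's own code): enumerate a Foundry project's dependencies from its .gitmodules plus the commit each submodule is pinned to in the superproject tree, match them against a list of malicious-release advisories, and flag submodules that track a branch (which float on forge update). The .gitmodules text, the git ls-tree output, the repository URLs and the advisory records are constructed sample data, and the advisory schema (repo URL plus affected commits) is an assumption, not the real GHSA API.

```python
"""Enumerate a Foundry project's git-submodule dependencies and match them
against malicious-release advisories.

Added example for this page, not defirisk.co's or Maple's tooling.  All inputs
below are constructed: the .gitmodules text, the `git ls-tree` output, the
example-org repository, and the advisory records (schema assumed, ids are
placeholders rather than real GHSA identifiers)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed .gitmodules in the form `forge install` writes.  The second
# submodule deliberately tracks a branch, so `forge update` would move it.
GITMODULES = """\
[submodule "lib/forge-std"]
\tpath = lib/forge-std
\turl = https://github.com/foundry-rs/forge-std
[submodule "lib/erc20-helpers"]
\tpath = lib/erc20-helpers
\turl = https://github.com/example-org/erc20-helpers.git
\tbranch = main
"""

# Constructed `git ls-tree HEAD lib/` output: gitlink entries (mode 160000)
# record the exact commit the superproject pins each submodule to.
LS_TREE = """\
160000 commit 1234567890abcdef1234567890abcdef12345678\tlib/forge-std
160000 commit abcdefabcdefabcdefabcdefabcdefabcdefabcd\tlib/erc20-helpers
"""

# Constructed advisories with an assumed schema.  Only "malicious" entries
# count toward this factor; ordinary vulnerabilities are out of scope here.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "type": "malicious",
     "repo": "https://github.com/example-org/erc20-helpers",
     "affected_commits": ["abcdefabcdefabcdefabcdefabcdefabcdefabcd"]},
    {"id": "EXAMPLE-0002", "type": "vulnerability",
     "repo": "https://github.com/foundry-rs/forge-std",
     "affected_commits": ["ffffffffffffffffffffffffffffffffffffffff"]},
]


@dataclass
class Dependency:
    path: str
    url: str
    commit: str
    branch: Optional[str]  # set when .gitmodules tracks a branch


def normalize_url(url: str) -> str:
    """Canonicalise a repo URL so advisory and submodule URLs compare equal."""
    url = url.strip().lower().rstrip("/")
    return url[:-4] if url.endswith(".git") else url


def parse_gitmodules(text: str) -> dict:
    """Return {submodule path: {"url": ..., "branch": ...}} from .gitmodules."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'\[submodule "(.+)"\]', line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return {v["path"]: v for v in sections.values() if "path" in v}


def parse_ls_tree(text: str) -> dict:
    """Return {path: commit} for gitlink entries of `git ls-tree` output."""
    pinned = {}
    for line in text.splitlines():
        meta, _, path = line.partition("\t")
        parts = meta.split()
        if len(parts) == 3 and parts[0] == "160000" and parts[1] == "commit":
            pinned[path] = parts[2]
    return pinned


def enumerate_deps(gitmodules_text: str, ls_tree_text: str) -> list:
    """Join .gitmodules with the pinned commits to describe each dependency."""
    pinned = parse_ls_tree(ls_tree_text)
    return [
        Dependency(path=path, url=normalize_url(cfg["url"]),
                   commit=pinned.get(path, ""), branch=cfg.get("branch"))
        for path, cfg in parse_gitmodules(gitmodules_text).items()
    ]


def match_advisories(deps: list, advisories: list) -> list:
    """(path, advisory id) pairs where a pinned commit is a flagged malicious release."""
    return [
        (dep.path, adv["id"])
        for dep in deps
        for adv in advisories
        if adv["type"] == "malicious"
        and normalize_url(adv["repo"]) == dep.url
        and dep.commit in adv["affected_commits"]
    ]


def floating(deps: list) -> list:
    """Submodules that track a branch and so move on `forge update`."""
    return [d.path for d in deps if d.branch]


def assess(deps: list, advisories: list) -> str:
    """Rubric outcome for this factor: red on any malicious match, else green."""
    return "red" if match_advisories(deps, advisories) else "green"


if __name__ == "__main__":
    deps = enumerate_deps(GITMODULES, LS_TREE)
    print("malicious matches:", match_advisories(deps, ADVISORIES))
    print("branch-tracking submodules:", floating(deps))
    print("score:", assess(deps, ADVISORIES))
```

The matching is keyed on the pinned commit rather than on a version tag, because a Foundry superproject records nothing else; an advisory that names only tags would need to be resolved to commits first. The branch-tracking list is the caveat from the Detail section made checkable: a green score is only as stable as the pins, and any submodule with a branch entry can change under forge update without a review of the new commit.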


rubric_version: v1.7.0
protocol: maple-finance
factor: RD-F-160
score: green
collected_at: 2026-04-27 05:38:08