defirisk.co
rubric v1.7.0

Dependency manifest uses unpinned versions

OpenEden's assessment for RD-F-133 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Cache records oz_contracts_version: 4.9.0 from package.json inspection. The npm version range string (whether pinned as 4.9.0 or unpinned as ^4.9.0 or ^4.x.x) is not confirmable from the GitHub repo preview available. Gray pending direct package.json content inspection to confirm pinning vs unpinned range.

Sources #

  • Internal
    00-data-cache.json — github.oz_contracts_versionData cache github.oz_contracts_version: 4.9.0 — version range not confirmed as pinnedretrieved 2026-05-16
  • GitHub
    OpenEden Vault Audit Repo — GitHubOpenEden vault.audit repo — package.json present per cache (hardhat_config_present: true, package_json_present: true)retrieved 2026-05-16

Methodology #

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol openeden factor RD-F-133 score gray collected_at 2026-05-16 10:11:45