GitHub malicious-dependency incident touching protocol deps
QuickSwap's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
QuickSwap V2 core repo (github.com/QuickSwap/quickswap-core) last commit 2022-12-27 — frozen dependency surface. Uniswap v2 vintage npm packages are stable and not subject to active malicious-release campaigns. No GitHub security advisory for npm packages in QuickSwap's V2 dependency tree found in trailing 90 days (Feb-May 2026). V3 periphery npm deps not fully assessed but no public advisory found.
Sources #
- GitHubQuickSwap V2 core GitHubQuickSwap/quickswap-core: last commit 2022-12-27; Uniswap v2 vintage frozen dependencies; no active advisory foundretrieved 2026-05-16
Methodology #
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol quickswap factor RD-F-160 score green collected_at 2026-05-16 08:48:31