Dependency manifest uses unpinned versions
Raydium's assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
- CLMM: anchor-lang =0.32.1, anchor-spl =0.32.1, bytemuck 1.19.0 — all exact pinning. Exception: uint is a git dependency from raydium-io/parity-common (a Raydium-controlled org, so no external supply-chain risk).
- CPMM: anchor-lang 0.32.1, anchor-spl 0.32.1 — exact.
- Standard AMM: solana-program =2.1.0, spl-token =7.0.0 — exact.
- Dev dependencies (test-only) use ranges.
All production security-critical dependencies are exactly pinned.
Sources
- CPMM Cargo.toml — prod deps pinned. GitHub: CPMM programs/cp-swap/Cargo.toml (anchor-lang 0.32.1). Retrieved 2026-04-29.
- CLMM Cargo.toml — all prod deps exactly pinned. CLMM programs/amm/Cargo.toml (anchor-lang =0.32.1, exact). Retrieved 2026-04-29.
- Standard AMM Cargo.toml — solana-program exactly pinned. Standard AMM program/Cargo.toml (solana-program =2.1.0, exact). Retrieved 2026-04-29.
Methodology
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
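As an added example (not Raydium's code and not part of this assessment), a small Python audit that applies the methodology above to the Cargo.toml forms it mentions: it classifies each production dependency as exact, caret, tilde, wildcard, or git with or without a pinned rev/tag, and skips dev dependencies. The manifest, crate names and URLs are constructed, and only single-line dependency entries (not `[dependencies.foo]` tables) are handled.

```python
import re

# Constructed sample manifest (not a Raydium Cargo.toml): one dependency per kind, plus a dev-only range to ignore.
SAMPLE_CARGO_TOML = """
[dependencies]
anchor-lang = "=0.32.1"
anchor-spl = { version = "=0.32.1", features = ["metadata"] }
thiserror = "1.0.63"
uint = { git = "https://github.com/example-org/parity-common", rev = "0123abc" }
arrayref = { git = "https://github.com/example-org/arrayref" }
num-traits = "^0.2"
serde = "~1.0"
[dev-dependencies]
proptest = "1"
"""

SECTION_RE = re.compile(r"^\[([A-Za-z0-9_.-]+)\]$")
DEP_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*=\s*(.+)$")

def classify_requirement(spec: str) -> str:  # map a Cargo version requirement to a pinning category
    if spec.startswith("="):
        return "exact"
    if spec.startswith("~"):
        return "tilde-range"
    if spec == "*" or spec.endswith(".*"):
        return "wildcard"
    return "caret-range"  # Cargo reads a bare "1.0.63" exactly like "^1.0.63"

def parse_value(raw: str) -> dict:  # handle "1.2.3" or an inline table { version = "..", git = "..", rev = ".." }
    if raw.startswith('"'):
        return {"version": raw.strip('"')}
    return dict(re.findall(r'([a-z]+)\s*=\s*"([^"]*)"', raw)) if raw.startswith("{") else {}

def audit_manifest(text: str) -> dict:
    """Return {name: category} for [dependencies]; [dev-dependencies] is skipped."""
    results, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments and padding
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "dependencies" and (m := DEP_RE.match(line)):
            name, fields = m.group(1), parse_value(m.group(2))
            if "git" in fields:  # a git dep is reproducible only with a rev or tag
                results[name] = "git-pinned" if {"rev", "tag"} & fields.keys() else "git-unpinned"
            else:
                results[name] = classify_requirement(fields["version"]) if "version" in fields else "no-version"
    return results

def unpinned(results: dict) -> list:  # names a reviewer would flag: anything not exact or git-pinned
    return sorted(n for n, c in results.items() if c not in ("exact", "git-pinned"))
```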
See the full factor methodology and distribution across all protocols →