Dependency manifest uses unpinned versions
Rocket Pool's assessment for RD-F-133 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
package.json declares both OpenZeppelin dependencies with caret ranges: `"@openzeppelin/contracts": "^3.4.0"` and `"@openzeppelin4/contracts": "npm:@openzeppelin/contracts@^4.9.2"` (the second is an npm alias that installs `@openzeppelin/contracts` under a different name). A caret range lets npm resolve any later minor or patch release within the same major: `^3.4.0` admits anything in `>=3.4.0 <4.0.0`, `^4.9.2` anything in `>=4.9.2 <5.0.0`. A package-lock.json is present and fixes the effective versions at install time, but only for installs that honour it (`npm ci` refuses to run if the lock and manifest disagree; a plain `npm install` after a manifest edit rewrites the lock), and the manifest itself does not pin an exact version. This is the default npm pattern but not best practice for security-critical Solidity libraries, where a fresh resolution pulling in a newer release would change the inherited contract code. Yellow: not red because package-lock.json mitigates; not green because the manifest is unpinned.
Sources #
- GitHub
Methodology #
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
See the full factor methodology and distribution across all protocols →