Dependency manifest uses unpinned versions
Superstate's assessment for RD-F-133 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
This factor is Cat 8 (fork/dependency lineage) context for fork-inherited library drift. For original-design protocols the factor is not_applicable under the fork-lineage framing. Note for curator: all 5 submodules in superstateinc/ustb are pinned to specific commit SHAs (OZ upgradeable at 3d4c0d57 = v4.9.3; OZ contracts at c343ee37; onchain-redemptions at 5986d9b6). No unpinned version ranges were found.
Sources
- GitHub: superstateinc/ustb submodule pinned SHAs. GitHub API tree showing 5 submodule entries with pinned commit SHAs (160000 mode entries). Retrieved 2026-05-16.
Methodology
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
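The check above, as an added example that is not part of the assessment record or the superstateinc/ustb project: it flags `^`/`~` (and any other non-exact) ranges on security-critical packages in a `package.json`, and confirms that git submodules (tree entries with mode 160000, as Foundry `lib/` dependencies are) resolve to a full commit SHA. The package list, sample manifest and tree entries are constructed; the SHAs are placeholders.

```python
import json
import re

# Security-critical packages to check; constructed list, extend as needed.
CRITICAL_PREFIXES = ("@openzeppelin/", "solady", "openzeppelin-")

# Exact semver such as "4.9.3" or "4.9.3-rc.1"; anything else (^, ~, >=, *,
# "latest", git URLs) is treated as unpinned.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(package_json_text, critical_prefixes=CRITICAL_PREFIXES):
    """Return [(section, name, spec)] for critical deps not pinned to an exact version."""
    manifest = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies", "peerDependencies"):
        for name, spec in sorted(manifest.get(section, {}).items()):
            if name.startswith(critical_prefixes) and not EXACT_VERSION.match(spec.strip()):
                findings.append((section, name, spec))
    return findings


def submodule_pins(tree_entries):
    """Map each git submodule (tree mode 160000) to its pinned commit, or None if not a full SHA."""
    return {e["path"]: (e["sha"] if FULL_SHA.match(e.get("sha", "")) else None)
            for e in tree_entries if e.get("mode") == "160000"}


# Constructed sample manifest: one caret range and one tilde range on critical packages.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "@openzeppelin/contracts": "^4.9.3",
        "@openzeppelin/contracts-upgradeable": "4.9.3",
        "ethers": "^5.7.2",
    },
    "devDependencies": {"solady": "~0.0.200"},
})

# Constructed sample of a GitHub tree API response; SHAs are placeholders.
SAMPLE_TREE = [
    {"path": "lib/openzeppelin-contracts", "mode": "160000", "type": "commit", "sha": "a" * 40},
    {"path": "lib/forge-std", "mode": "160000", "type": "commit", "sha": "b" * 40},
    {"path": "src", "mode": "040000", "type": "tree", "sha": "c" * 40},
]

if __name__ == "__main__":
    for section, name, spec in find_unpinned(SAMPLE_PACKAGE_JSON):
        print(f"unpinned {section}: {name} {spec}")
    for path, sha in submodule_pins(SAMPLE_TREE).items():
        print(f"submodule {path}: {'pinned to ' + sha[:8] if sha else 'NOT pinned'}")
```

Note that a submodule pin only proves the commit is fixed, not that it matches a released tag; mapping the SHA to a tag (as the evidence summary does for v4.9.3) is a separate step.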
See the full factor methodology and distribution across all protocols →