Dependency manifest uses unpinned versions
Assessment of Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap for factor RD-F-133: scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
- v3-periphery package.json: '@uniswap/lib': '^4.0.1-alpha' uses a caret range specifier (semver-unpinned: any compatible 4.x release is accepted). This is a security-critical dependency.
- v3-periphery package.json: '@openzeppelin/contracts': '3.4.2-solc-0.7' is exact-pinned; '@uniswap/v3-core': '1.0.0' is exact-pinned.
- v2-core package.json: '@openzeppelin/contracts': '3.1.0' (exact).
- SushiXSwap v2 foundry.toml: libs = ['lib'] with no explicit version pins visible.
Scoring yellow: one unpinned critical security dependency found (@uniswap/lib ^4.0.1-alpha in v3-periphery).
Sources
- GitHub: sushiswap/v3-periphery package.json — @uniswap/lib: '^4.0.1-alpha' (unpinned caret range). Retrieved 2026-05-17.
- sushiswap/v2-core package.json (raw) — @openzeppelin/contracts 3.1.0 (exact pin). Retrieved 2026-05-17.
Methodology
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
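The check described above as a script, added here as an example (not code from the assessment or from the Sushi repositories): it parses a constructed package.json modelled on the cited v3-periphery entries and flags every security-critical dependency whose specifier is not an exact pin. The list of security-critical package prefixes beyond OpenZeppelin and Solady is an assumption, and it treats anything other than a bare X.Y.Z version (not just ^ and ~) as a range.

```python
import json
import re

# Constructed sample manifest modelled on the v3-periphery entries cited above;
# the 'solady' and 'hardhat' entries are invented to exercise the other branches.
SAMPLE_MANIFEST_JSON = """{
  "dependencies": {
    "@uniswap/lib": "^4.0.1-alpha",
    "@openzeppelin/contracts": "3.4.2-solc-0.7",
    "@uniswap/v3-core": "1.0.0",
    "solady": "~0.0.1"
  },
  "devDependencies": {
    "hardhat": "^2.0.0"
  }
}"""
SAMPLE_MANIFEST = json.loads(SAMPLE_MANIFEST_JSON)

# Package-name prefixes treated as security-critical. The methodology names
# OpenZeppelin and Solady; the other entries are an assumption for this example.
SECURITY_CRITICAL_PREFIXES = ("@openzeppelin/", "@uniswap/", "solady", "solmate")

# An exact pin is a bare X.Y.Z version, optionally with a prerelease/build suffix
# such as "3.4.2-solc-0.7". Anything else (^, ~, >=, *, "latest", git URLs) is a range.
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def classify_spec(spec: str) -> str:
    """Return 'exact' for a pinned version, 'range' for anything that can resolve to several."""
    spec = spec.strip().lstrip("=")  # npm treats "=1.2.3" as an exact pin
    return "exact" if EXACT_RE.match(spec) else "range"


def is_security_critical(name: str) -> bool:
    return name.startswith(SECURITY_CRITICAL_PREFIXES)


def find_unpinned(manifest: dict) -> list:
    """List (name, spec) for every security-critical dependency that is not exact-pinned."""
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if is_security_critical(name) and classify_spec(spec) == "range":
                findings.append((name, spec))
    return findings


if __name__ == "__main__":
    for name, spec in find_unpinned(SAMPLE_MANIFEST):
        print(f"unpinned security-critical dependency: {name} {spec}")
```

A lockfile (package-lock.json, yarn.lock) can fix the resolved version even when the manifest carries a range; like the methodology above, this check looks only at the manifest.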