Dependency had malicious-release incident (last 90d)

Uniswap (v2 + v3)'s assessment for RD-F-134 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Pre-marked not_applicable. V3-core has no npm production dependencies. UniversalRouter uses solmate — no flagged malicious release for solmate in last 90 days as of 2026-05-12. Factor not applicable per pre-mark.

Detail #

Even setting aside the pre-mark, no malicious release of solmate, forge-std, or any other Uniswap dependency was identified in the 90-day window before 2026-05-12.

Sources #

GitHub
v3-core package.json — no production dependencies to check for malicious releasesv3-core package.json — no production npm depsretrieved 2026-05-12

Methodology #

Determine whether any npm/PyPI/crates.io dependency of this protocol had a flagged malicious release in the trailing 90 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol uniswap factor RD-F-134 score not_applicable collected_at 2026-05-12 10:36:11