Dependency manifest uses unpinned versions
Venus Protocol's assessment for RD-F-133 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
isolated-pools/package.json uses @openzeppelin/contracts: ^4.8.3 (caret — allows minor updates). venus-protocol/package.json uses @openzeppelin/contracts: 4.9.3 (pinned). Main repo is correctly pinned; isolated-pools caret on OZ 4.8.x allows silent minor-version updates.
Sources #
- GitHubvenus-protocol package.json — @openzeppelin/contracts: 4.9.3 (pinned)venus-protocol package.json — OZ 4.9.3 pinnedretrieved 2026-04-28
- isolated-pools package.json — @openzeppelin/contracts: ^4.8.3 (caret)isolated-pools package.json — OZ ^4.8.3 caretretrieved 2026-04-28
Methodology #
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol venus factor RD-F-133 score yellow collected_at 2026-04-28 18:30:49