Dependency manifest uses unpinned versions

Axelar Network's assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

axelar-cgp-solidity package.json: sole production dependency is @axelar-network/axelar-gmp-sdk-solidity pinned exactly at version 6.0.6 (no caret or tilde). No OpenZeppelin production dependency exists (Axelar uses its own gmp-sdk). axelar-core go.mod pins Cosmos SDK to a specific Axelar fork commit (v0.50.14-0.20251027135325-71cefd84b6c7). Critical library pinning is exact.

Sources #

GitHub
axelar-core go.mod - Cosmos SDK Pinaxelar-core go.mod: Cosmos SDK pinned to specific Axelar fork commitretrieved 2026-05-17
GitHub
axelar-cgp-solidity package.json - Exact Pin Confirmedaxelar-cgp-solidity package.json: @axelar-network/axelar-gmp-sdk-solidity pinned at 6.0.6 exactlyretrieved 2026-05-17

Methodology #

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol axelar factor RD-F-133 score green collected_at 2026-05-16 21:57:49