Dependency manifest uses unpinned versions
Cap (cUSD / stcUSD)'s assessment for RD-F-133 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
package.json declares `'@openzeppelin/contracts': '^5.2.0'` in the Yarn `resolutions` field. Under npm semver the caret admits any version `>=5.2.0 <6.0.0`, so, absent a committed lockfile, a fresh install may resolve to a newer 5.x minor or patch release than the one that was audited; the 5.2.0 baseline is only a floor. `.gitmodules` lists layerzero-devtools, layerzero-v2, openzeppelin-foundry-upgrades, forge-std and other submodules without explicit commit pins. Note that `.gitmodules` by design records only path, URL and optionally a branch; the commit each submodule is checked out at is stored as a gitlink in the superproject's tree and is visible with `git submodule status` or `git ls-tree HEAD lib/`. A branch-only entry therefore floats on `git submodule update --remote` and on manual updates, which is the exposure to confirm against the tree. Exact pinning (no caret or tilde) together with a committed lockfile is the conservative baseline for security-critical libraries. Mitigating factor: within a major version, OpenZeppelin minor releases are typically backward compatible and security-reviewed.
Sources #
- GitHub: Cap Contracts package.json (OZ version pinning). `package.json` `resolutions`: `'@openzeppelin/contracts': '^5.2.0'` (caret wildcard for minor versions). Retrieved 2026-05-17.
- Cap Contracts .gitmodules (submodule pinning). `.gitmodules` lists submodules (forge-std, layerzero-devtools, layerzero-v2, etc.) without explicit commit pins. Retrieved 2026-05-17.
Methodology #
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.). In `Cargo.toml` the check must also treat a bare `5.2.0` as a range: Cargo interprets it as `^5.2.0`, and only `=5.2.0` is an exact pin.