Dependency had malicious-release incident (last 90d)

Chainlink CCIP's assessment for RD-F-134 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ v4.9.2 (commit e50c24f, released 2023-06-16) and forge-std have no active malicious-release advisory in trailing 90 days as of 2026-05-16. No GHSA advisory found for these packages.

Sources #

GitHub
OpenZeppelin v4.9.2 release commit — no malicious release advisoryOZ v4.9.2 commit e50c24f — release confirmed, no malicious advisoryretrieved 2026-05-16

Methodology #

Determine whether any npm/PyPI/crates.io dependency of this protocol had a flagged malicious release in the trailing 90 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol chainlink-ccip factor RD-F-134 score green collected_at 2026-05-16 01:55:09