GitHub malicious-dependency incident touching protocol deps
Chainlink CCIP's assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Applicable: CCIP consumes Go offchain dependencies (smartcontractkit/chainlink-ccip) and Solidity onchain dependencies. Public OSINT as of 2026-05-16 turned up no active GHSA advisory affecting CCIP's dependencies, and no malicious-release incident matching CCIP's dependency tree was reported in the trailing 90 days. Chainlink is an established organization with mature dependency management processes (its ISO 27001 certification covers development practices), and active repository development (last commit 2026-05-16) indicates that dependency tracking is maintained. This is negative evidence: it establishes that no published advisory matched the dependency tree at the retrieval date, not that the tree contains no undisclosed compromise.
Sources #
- Chainlink Security Certifications (URL): Chainlink security certifications; ISO 27001 covering development practices including dependency management. Retrieved 2026-05-16.
- smartcontractkit/chainlink-ccip (GitHub): active development (last commit 2026-05-16); no GHSA advisory flagged for dependencies. Retrieved 2026-05-16.
Methodology #
Determine whether a published security advisory (such as a GitHub Security Advisory, GHSA) flags a malicious release of a dependency consumed by this protocol.
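The check described above, as an added Go example (Go being the language of CCIP's offchain code) that is not part of this page or of any Chainlink repository: it reads the pinned versions out of a constructed go.mod, matches each against advisory records in the shape of OSV/GHSA entries with a half-open introduced/fixed version range, and reports whether any matching advisory is a malicious release rather than an ordinary bug. The module paths, advisory IDs and summaries are hypothetical placeholders; a live run would fetch each module's records from the OSV API (api.osv.dev, which carries the GHSA database) instead of the embedded list, and would read the repository's real go.mod.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is the subset of an OSV/GHSA record needed for matching: the affected module, a
// half-open [Introduced, Fixed) range (empty Fixed = no fix known) and a malicious-release flag.
type Advisory struct {
	ID, Module, Introduced, Fixed, Summary string
	Malicious                              bool
}

// parseGoMod maps module path to pinned version for every entry in the go.mod require blocks.
func parseGoMod(src string) map[string]string {
	deps := map[string]string{}
	inBlock := false
	for _, line := range strings.Split(src, "\n") {
		f := strings.Fields(line) // "path v1.2.3 // indirect" -> f[0] = path, f[1] = version
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2 && !strings.HasPrefix(f[0], "//"):
			deps[f[0]] = f[1]
		}
	}
	return deps
}

// splitVersion turns "v1.4.0-rc1" into core [1 4 0] and pre-release "rc1"; Go pseudo-versions parse as pre-releases of v0.0.0.
func splitVersion(v string) (core [3]int, pre string) {
	v, pre, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p)
	}
	return core, pre
}

// cmpSemver orders versions by semver precedence: numeric core first, then a pre-release before its release.
func cmpSemver(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := range ca {
		if ca[i] < cb[i] {
			return -1
		} else if ca[i] > cb[i] {
			return 1
		}
	}
	if pa == "" || pb == "" {
		return strings.Compare(pb, pa) // an empty pre-release (a release) outranks a non-empty one
	}
	return strings.Compare(pa, pb)
}

// checkDependencies returns every advisory whose range covers a pinned dependency, and whether
// any of them is a malicious release. A live run would fetch each module's advisories from the
// OSV API (POST https://api.osv.dev/v1/query), which carries GHSA records, instead of a fixed list.
func checkDependencies(deps map[string]string, advisories []Advisory) (hits []Advisory, malicious bool) {
	for _, a := range advisories {
		v, ok := deps[a.Module]
		if !ok || cmpSemver(v, a.Introduced) < 0 || (a.Fixed != "" && cmpSemver(v, a.Fixed) >= 0) {
			continue // module absent from the tree, or pinned version outside [Introduced, Fixed)
		}
		hits = append(hits, a)
		malicious = malicious || a.Malicious
	}
	return hits, malicious
}

// sampleGoMod is a constructed go.mod; the module paths are placeholders, not CCIP's real tree.
const sampleGoMod = `module example.com/ccip-offchain
go 1.22
require (
	example.com/fake/rpc v1.4.2
	example.com/fake/util v0.9.0 // indirect
	example.com/fake/crypto v1.1.0
)
`

// sampleAdvisories are constructed OSV/GHSA-shaped records; IDs, modules and summaries are hypothetical.
var sampleAdvisories = []Advisory{
	{ID: "GHSA-0000-hypo-0001", Module: "example.com/fake/util", Introduced: "v0.9.0", Fixed: "v0.9.1",
		Summary: "release pushed with a compromised maintainer token", Malicious: true},
	{ID: "GHSA-0000-hypo-0002", Module: "example.com/fake/rpc", Introduced: "v1.0.0", Fixed: "v1.4.0",
		Summary: "ordinary bug, fixed before the pinned version", Malicious: false},
}

func main() {
	hits, malicious := checkDependencies(parseGoMod(sampleGoMod), sampleAdvisories)
	for _, a := range hits {
		fmt.Printf("%s %s: %s (malicious=%v)\n", a.Module, a.ID, a.Summary, a.Malicious)
	}
	fmt.Println("malicious release in dependency tree:", malicious)
}
```

The version comparison follows semver precedence, so a pinned pre-release such as v1.4.0-rc1 counts as older than the fixed release v1.4.0 and is still flagged; an advisory with no fixed version covers every version from the introduced one onward, which is the usual shape of a malicious-release advisory where the only remedy is to drop the package. Against the constructed input only the util entry matches, because the rpc advisory's range ends before the pinned v1.4.2.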
See the full factor methodology and distribution across all protocols →