defirisk.co
rubric v1.7.0

Dependency manifest uses unpinned versions

crvUSD (Curve Stablecoin) scored yellow for factor RD-F-133 on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

pyproject.toml pins vyper==0.4.3 (an exact pin, good). snekmate, a security-relevant Vyper library, is specified as snekmate>=0.1.1, a minimum version rather than an exact pin. No Foundry .gitmodules was found; as a Vyper project, crvUSD takes its production dependencies through Python pip rather than Foundry submodules. Because snekmate is unpinned, a later minor release can be resolved at install time without any change to the manifest. Threshold: green = all critical libraries pinned exact; yellow = minor libraries unpinned but core libraries pinned.

Methodology

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
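As an added illustration of the check described in the Methodology and the threshold applied in the Evidence summary (example code written for this page, not defirisk.co's tooling), the following Python classifies each requirement string from a pyproject.toml `[project]` dependencies list as pinned exact or not, then applies the green/yellow rule. The sample list is constructed to mirror the observed specifiers; `CORE_LIBS` and the `core-unpinned` label for the tier below yellow are this example's own assumptions, since the page defines only green and yellow.

```python
import re

# Constructed [project] dependencies list mirroring the page's observation;
# not copied from crvUSD's real pyproject.toml.
SAMPLE_DEPENDENCIES = [
    "vyper==0.4.3",
    "snekmate>=0.1.1",
]

# Assumption: which dependencies count as "core" for the green/yellow threshold.
CORE_LIBS = {"vyper"}

# name, optional [extras], then the rest (version specifier and any ';' marker).
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")

def is_pinned_exact(spec: str) -> bool:
    """Exact pin = a single '==' clause with no wildcard, e.g. '==0.4.3'.
    Ranges ('>=', '~=', '<'), wildcards ('==0.4.*') and clause lists are not."""
    spec = spec.strip()
    return spec.startswith("==") and "," not in spec and not spec.endswith("*")

def classify(requirements):
    """Return [(name, specifier, pinned_exact)] for each PEP 508 requirement string."""
    rows = []
    for req in requirements:
        m = _REQ.match(req)
        if not m:
            continue  # skip malformed entries
        # Lower-case the name; drop any environment marker after ';'.
        name, spec = m.group(1).lower(), m.group(3).split(";")[0].strip()
        rows.append((name, spec, is_pinned_exact(spec)))
    return rows

def score(requirements, core=CORE_LIBS) -> str:
    """Rubric threshold: green = all pinned exact; yellow = core pinned, minor libs not.
    'core-unpinned' is this example's own label for the remaining case (not on the page)."""
    unpinned = [name for name, _, pinned in classify(requirements) if not pinned]
    if not unpinned:
        return "green"
    if any(name in core for name in unpinned):
        return "core-unpinned"
    return "yellow"

if __name__ == "__main__":
    for name, spec, pinned in classify(SAMPLE_DEPENDENCIES):
        print(f"{name:10} {spec or '(unbounded)':12} {'pinned exact' if pinned else 'UNPINNED'}")
    print("score:", score(SAMPLE_DEPENDENCIES))  # yellow
```

An empty specifier (a bare package name) is treated as unpinned, since it allows any version at all.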

rubric_version: v1.7.0 | protocol: crvusd | factor: RD-F-133 | score: yellow | collected_at: 2026-05-16 19:09:40