Shared-library version with known-vuln status

Jupiter's assessment for RD-F-135 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Open-source jup-ag/distributor uses Anchor 0.28.0 and Solana 1.16.25 — both significantly behind current versions (Anchor 1.0.0 released April 2026, Solana 2.x available). No specific critical CVE/GHSA targeting Anchor 0.28.0 identified in searches. Core program library versions are opaque (closed-source). Yellow: older pinned versions in inspectable open repos, no identified active critical CVE, but core program library recency unknown.

Sources #

URL
Anchor Version Context — Balakhonoff SubstackAnchor 1.0.0 release context — confirms 0.28.x is significantly older than currentretrieved 2026-04-29
GitHub
Jupiter Distributor — GitHubjup-ag/distributor — Anchor 0.28.0, Solana 1.16.25 (older versions, no critical CVE identified)retrieved 2026-04-29

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol jupiter factor RD-F-135 score yellow collected_at 2026-04-29 11:51:25