Dependency manifest uses unpinned versions

Marinade Finance's assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Cargo.lock pins all dependencies to exact versions: anchor-lang 0.27.0, anchor-spl 0.27.0, solana-program 1.15.2, spl-token 3.5.0, borsh 0.9.3, solana-security-txt 1.1.1. Rust Cargo.lock is a deterministic lockfile that pins all transitive dependencies to exact content-hashed versions — stronger than npm or foundry pinning. No ^ or ~ version ranges apply in the deployed lockfile. All security-critical libraries are exactly pinned.

Sources #

GitHub
Marinade programs/marinade-finance/Cargo.tomlprograms/marinade-finance/Cargo.toml — dependency declarations Rust 2021 editionretrieved 2026-05-16
GitHub
Marinade liquid-staking-program Cargo.lockCargo.lock via GitHub API — exact pinned versions for all dependenciesretrieved 2026-05-16

Methodology #

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol marinade factor RD-F-133 score green collected_at 2026-05-16 08:48:35