Dependency manifest uses unpinned versions
Meteora's assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
All programs use exact version pins in Cargo.toml: anchor-lang = '0.31.0', anchor-spl = '0.31.0', solana-sdk = '2.1.0', bytemuck = '1.20.0' (damm-v2), bytemuck = '1.13.1' (dlmm-sdk). No semver range operators (^, ~) found for security-critical libraries. Cargo.lock pins all transitive dependencies by hash.
Sources #
- GitHubDBC Cargo.toml - Dependency PinsMeteoraAg/dynamic-bonding-curve Cargo.toml - anchor-lang = 0.31 exactretrieved 2026-05-16
- DLMM SDK Cargo.toml - Dependency PinsMeteoraAg/dlmm-sdk Cargo.toml - anchor-lang 0.31.0, solana-sdk 2.1.0retrieved 2026-05-16
- DAMM v2 Cargo.toml - Dependency PinsMeteoraAg/damm-v2 Cargo.toml - anchor-lang = 0.31.0 exact pinretrieved 2026-05-16
Methodology #
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol meteora factor RD-F-133 score green collected_at 2026-05-16 10:03:05