Dependency manifest uses unpinned versions
Orca's assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
All dependencies in programs/whirlpool/Cargo.toml use exact `=` version requirements, with no `^` or `~` prefixes on any dependency, including the security-critical ones: anchor-lang = "=0.32.1", anchor-spl = "=0.32.1", solana-program = "=2.2.1", pinocchio = "=0.9.2", borsh = "=0.10.4", bytemuck = "=1.22.0". A full `=X.Y.Z` requirement is the strictest constraint Cargo supports for a direct dependency; the explicit `=` matters because Cargo treats a bare "X.Y.Z" as a caret range (`^X.Y.Z`). The workspace uses resolver = "2". These requirements constrain only direct dependencies; transitive versions are fixed by Cargo.lock, which is outside this factor's evidence.
Sources #
- GitHub: programs/whirlpool/Cargo.toml (all deps use = pinning), https://github.com/orca-so/whirlpools/blob/main/programs/whirlpool/Cargo.toml, retrieved 2026-05-16
Methodology #
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.). For `Cargo.toml`, the absence of `^` is not sufficient: Cargo interprets a bare requirement such as `"0.32.1"` as `^0.32.1`, and a short `=0.9` is still a range (`>=0.9.0, <0.10.0`), so only a full `=X.Y.Z` requirement counts as a pin.
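The following script is an added illustration of this check and is not part of the rubric or of the Whirlpools repository. It classifies each dependency requirement in a `Cargo.toml` or `package.json` as exact, range, or unversioned (git/path), applying Cargo's implicit-caret and short-`=` rules, and flags unpinned entries on a watch-list. The watch-list and both sample manifests are constructed for the example (the Cargo sample copies the pins quoted above and adds deliberately weak entries); the line-based TOML parser covers the common `name = "req"`, inline-table, and `[dependencies.name]` forms but not multi-line inline tables.

```python
import json
import re

# Hypothetical watch-list of security-critical packages (assumption, not from the rubric).
SECURITY_CRITICAL = {
    "anchor-lang", "anchor-spl", "solana-program", "pinocchio", "borsh", "bytemuck",
    "@openzeppelin/contracts", "solady",
}

# Cargo: only a full "=X.Y.Z" is exact. A bare "X.Y.Z" is ^X.Y.Z; "=X.Y" is >=X.Y.0,<X.(Y+1).0.
EXACT_CARGO_RE = re.compile(r"=\s*\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?")
# npm: an exact requirement is a bare X.Y.Z (with optional prerelease/build suffix).
EXACT_NPM_RE = re.compile(r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?")

DEP_SECTION_RE = re.compile(
    r"^\[(?:workspace\.|target\.[^\]]+\.)?"
    r"(dependencies|dev-dependencies|build-dependencies)(?:\.([A-Za-z0-9_.-]+))?\]$")
SIMPLE_DEP_RE = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"$')
TABLE_DEP_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*=\s*\{(.*)\}$")
VERSION_KEY_RE = re.compile(r'\bversion\s*=\s*"([^"]*)"')


def classify_cargo(req):
    """Classify a Cargo version requirement: 'exact', 'range', or 'unversioned'."""
    if req is None:
        return "unversioned"          # git/path dependency with no version key
    req = req.strip()
    if "," in req:
        return "range"                # compound requirement such as ">=1.2, <1.5"
    return "exact" if EXACT_CARGO_RE.fullmatch(req) else "range"


def classify_npm(req):
    """Classify an npm version requirement: 'exact', 'range', or 'unversioned'."""
    req = (req or "").strip()
    if EXACT_NPM_RE.fullmatch(req):
        return "exact"
    if not req or ":" in req or "/" in req:
        return "unversioned"          # file:, git URL, github:user/repo, etc.
    return "range"                    # ^, ~, *, x-ranges, "latest", ...


def parse_cargo_dependencies(text):
    """Return {name: requirement-or-None} for every dependency section of a Cargo.toml."""
    deps = {}
    in_dep_section = False
    dotted_name = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            m = DEP_SECTION_RE.match(line)
            in_dep_section = m is not None
            dotted_name = m.group(2) if m else None
            if dotted_name:
                deps.setdefault(dotted_name, None)
            continue
        if not in_dep_section:
            continue
        if dotted_name:                       # inside [dependencies.name]
            m = VERSION_KEY_RE.match(line)
            if m:
                deps[dotted_name] = m.group(1)
            continue
        m = SIMPLE_DEP_RE.match(line)         # name = "req"
        if m:
            deps[m.group(1)] = m.group(2)
            continue
        m = TABLE_DEP_RE.match(line)          # name = { version = "req", ... }
        if m:
            v = VERSION_KEY_RE.search(m.group(2))
            deps[m.group(1)] = v.group(1) if v else None
    return deps


def parse_package_json(text):
    """Return {name: requirement} across all dependency maps of a package.json."""
    data = json.loads(text)
    deps = {}
    for key in ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies"):
        deps.update(data.get(key, {}))
    return deps


def audit(deps, classify):
    """Return {name: classification} for every dependency that is not exactly pinned."""
    return {n: classify(r) for n, r in deps.items() if classify(r) != "exact"}


def unpinned_security_critical(deps, classify):
    """Names from the watch-list whose requirement is not an exact pin."""
    return sorted(n for n in audit(deps, classify) if n in SECURITY_CRITICAL)


# Constructed sample: the pins quoted in the evidence plus deliberately weak entries.
SAMPLE_CARGO_TOML = '''
[package]
name = "whirlpool"
version = "0.1.0"

[dependencies]
anchor-lang = "=0.32.1"
anchor-spl = { version = "=0.32.1", features = ["metadata"] }
solana-program = "=2.2.1"
borsh = "=0.10.4"
bytemuck = "1.22.0"        # looks pinned but Cargo reads it as ^1.22.0
pinocchio = "=0.9"         # =I.J is still a range (>=0.9.0, <0.10.0)

[dependencies.serde]
version = "~1.0"
features = ["derive"]

[dev-dependencies]
proptest = { git = "https://github.com/example/proptest" }
'''

# Constructed sample package.json with one caret and one tilde range.
SAMPLE_PACKAGE_JSON = '''{
  "name": "example-frontend",
  "dependencies": {
    "@openzeppelin/contracts": "^5.0.2",
    "solady": "0.0.227",
    "ethers": "~6.13.0"
  },
  "devDependencies": { "hardhat": "2.22.5" }
}'''

if __name__ == "__main__":
    cargo = parse_cargo_dependencies(SAMPLE_CARGO_TOML)
    print("Cargo.toml not pinned:", audit(cargo, classify_cargo))
    print("  security-critical:", unpinned_security_critical(cargo, classify_cargo))
    npm = parse_package_json(SAMPLE_PACKAGE_JSON)
    print("package.json not pinned:", audit(npm, classify_npm))
    print("  security-critical:", unpinned_security_critical(npm, classify_npm))
```

On the sample Cargo manifest the script flags `bytemuck` (implicit caret) and `pinocchio` (short `=`) even though neither contains a `^` or `~` character, which is exactly the case a grep for those prefixes would miss; a real run would point `parse_cargo_dependencies` at the manifest file contents and, for a complete answer, compare the flagged names against the resolved versions in `Cargo.lock`.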
See the full factor methodology and distribution across all protocols →