Dependency manifest uses unpinned versions

QuickSwap's assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

V2 (quickswap-core): package.json has `dotenv` (^8.2.0) and `truffle-hdwallet-provider` (^1.0.17) as deps but these are deployment tooling only — no OZ or Solady Solidity library imports (V2 core is self-contained Uniswap V2 style). V3 Algebra (cryptoalgebra/Algebra): uses Hardhat monorepo. Deployed V3 contracts are immutable — dependency pinning at deploy time cannot be changed. For the immutable deployed bytecode, unpinned dependencies are only a build-time concern, not a live risk. No finding of unpinned OZ/Solady for security-critical deployed contracts.

Sources #

GitHub
QuickSwap V2 Core package.jsonV2 package.json — tooling deps only, no Solidity library importsretrieved 2026-05-16

Methodology #

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol quickswap factor RD-F-133 score green collected_at 2026-05-16 08:48:31