Dependency manifest uses unpinned versions
Sanctum's assessment for RD-F-133 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
igneous-labs/S Cargo.toml uses `>=1` range specifiers for solana-program, solana-sdk, spl-token and spl-stake-pool, with a code comment stating 'lock to 1.17.6 for deploy'; the repository relies on Cargo.lock discipline rather than manifest pinning. A `>=1` requirement has no upper bound, so if the lockfile were absent or regenerated Cargo would resolve any later major version, not just a newer patch release. The sanctum-unstake-program Cargo.lock resolves solana-program 1.14.20 and anchor-lang 0.28.0, and that program pins its Rust toolchain to 1.70.0. This flexible-manifest, lockfile-discipline approach scores yellow: not best practice, but mitigated by the committed lockfile.
Sources #
- sanctum-unstake-program Cargo.lock (GitHub): resolves anchor-lang 0.28.0, solana-program 1.14.20. Retrieved 2026-05-04
- igneous-labs/S Cargo.toml: `>=1` range specifiers with deploy-lock comment. Retrieved 2026-05-04
Methodology #
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.). For `Cargo.toml`, note that a bare version such as `1.17.6` is read as `^1.17.6`; only `=1.17.6` is an exact pin, and an open lower bound such as `>=1` admits any later major version.
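As an added example of the manifest-versus-lockfile distinction drawn in the evidence summary and of the check described in the methodology (this is not Sanctum's tooling and not code from either repository), the script below classifies every Cargo requirement by how much it admits, reads what a Cargo.lock resolved each crate to, and scores the pair. `SAMPLE_MANIFEST` and `SAMPLE_LOCK` are constructed to mirror the pattern described above rather than copied from the real files, `score` is a hypothetical traffic light following this page's reasoning rather than the v1.7.0 rubric, and `[dependencies.<name>]` sub-tables are deliberately not parsed.

```python
"""Audit Cargo dependency pinning: ranges the manifest permits vs. versions Cargo.lock resolved.
Added example, not the project's or Sanctum's tooling; SAMPLE_MANIFEST and SAMPLE_LOCK are
constructed to mirror the pattern in the evidence, not copied from the real repositories."""
import re

_COMMENT = re.compile(r'^((?:[^"#]|"[^"]*")*)#.*$')   # trailing `# comment` outside quotes
_KV = re.compile(r'^([A-Za-z0-9_.-]+)\s*=\s*(.+)$')   # key = value
_STR = re.compile(r'"([^"]*)"')                        # first "string" in a value
_TABLE_KV = re.compile(r'(\w+)\s*=\s*"([^"]*)"')       # key = "string" pairs inside { ... }
_DEP_SECTIONS = ("dependencies", "dev-dependencies", "build-dependencies")
PINNED = {"exact", "git-rev", "path"}   # the only kinds the manifest alone fixes to one version

def _clean(line):
    m = _COMMENT.match(line)
    return (m.group(1) if m else line).strip()

def classify_spec(spec):
    """Cargo reads a bare "1.2.3" as "^1.2.3"; only "=x.y.z" is exact; ">=1" with no "<" is open-ended."""
    s = spec.strip()
    if not s:
        return "unknown"
    if s.endswith("*"):
        return "wildcard"
    if s[0] in "=~^":
        return {"=": "exact", "~": "tilde", "^": "caret"}[s[0]]
    if s[0] in "<>":
        return "bounded-range" if any(p.strip().startswith("<") for p in s.split(",")) else "open-range"
    return "caret" if s[0].isdigit() else "unknown"

def parse_manifest(text):
    """{dep: {key: str}} from [*dependencies] sections, plain and inline forms; [dependencies.<name>] sub-tables are skipped."""
    deps, in_deps = {}, False
    for raw in text.splitlines():
        line = _clean(raw)
        if line.startswith("["):
            header = line.strip("[]").strip()
            in_deps = any(header == s or header.endswith("." + s) for s in _DEP_SECTIONS)
        elif in_deps and (m := _KV.match(line)):
            name, value = m.group(1), m.group(2).strip()
            if value.startswith("{"):                  # name = { version = "..", features = [..] }
                deps[name] = dict(_TABLE_KV.findall(value))
            elif (s := _STR.search(value)):            # name = "1.2.3"
                deps[name] = {"version": s.group(1)}
    return deps

def pin_kind(entry):
    if "path" in entry:
        return "path"
    if "git" in entry:
        return "git-rev" if "rev" in entry else "git-floating"   # a branch or tag can move; a commit cannot
    return classify_spec(entry.get("version", ""))

def parse_lockfile(text):
    """{name: [versions]} from [[package]] entries; one crate may resolve to several versions."""
    locked, name = {}, None
    for raw in text.splitlines():
        line = _clean(raw)
        if line == "[[package]]":
            name = None
        m = _KV.match(line)
        s = _STR.search(m.group(2)) if m else None
        if s and m.group(1) == "name":
            name = s.group(1)
        elif s and m.group(1) == "version" and name:
            locked.setdefault(name, []).append(s.group(1))
    return locked

def audit(manifest_text, lock_text=None):
    """One row per dependency: how loose the manifest is and what the lockfile fixed it to."""
    locked = parse_lockfile(lock_text) if lock_text else {}
    rows = []
    for name, entry in sorted(parse_manifest(manifest_text).items()):
        kind = pin_kind(entry)
        rows.append({"name": name, "spec": entry.get("version"), "kind": kind,
                     "pinned": kind in PINNED, "locked": locked.get(name, [])})
    return rows

def score(rows, have_lockfile):
    """Hypothetical traffic light mirroring this page's reasoning (assumption, not the rubric): all pinned = green; loose but every loose dep lockfile-resolved = yellow; else red."""
    loose = [r for r in rows if not r["pinned"]]
    if not loose:
        return "green"
    return "yellow" if have_lockfile and all(r["locked"] for r in loose) else "red"

SAMPLE_MANIFEST = """\
[package]
version = "0.1.0"            # constructed sample, not a real manifest
[dependencies]
# lock to 1.17.6 for deploy
solana-program = ">=1"
solana-sdk = { version = ">=1", features = ["full"] }
spl-token = { version = ">=1", features = ["no-entrypoint"] }
anchor-lang = "0.28.0"
serde = "=1.0.188"
"""
# Constructed Cargo.lock excerpt, trimmed to the fields read here (real files also carry source/checksum).
SAMPLE_LOCK = "".join(f'[[package]]\nname = "{n}"\nversion = "{v}"\n\n' for n, v in [
    ("anchor-lang", "0.28.0"), ("solana-program", "1.14.20"), ("solana-sdk", "1.14.20"), ("spl-token", "3.5.0")])

if __name__ == "__main__":
    rows = audit(SAMPLE_MANIFEST, SAMPLE_LOCK)
    for r in rows:
        print(f'{r["name"]:16} {str(r["spec"]):9} {r["kind"]:12} locked={r["locked"]}')
    print("with lockfile:", score(rows, True), "| manifest only:", score(audit(SAMPLE_MANIFEST), False))
```

To run it against a real repository, read `Cargo.toml` and `Cargo.lock` into `audit`. A `>=1` dependency that the lockfile does not resolve, or a lockfile that is not committed at all, drops the result to red; that is the situation a deploy from a fresh checkout with a regenerated lockfile would be in, and it is why the comment 'lock to 1.17.6 for deploy' is weaker than writing `=1.17.6` in the manifest.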
See the full factor methodology and distribution across all protocols →