Dependency manifest uses unpinned versions
SUNSwap (sun.io)'s assessment for RD-F-133 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
V3: OZ 3.4.1-solc-0.7-2 pinned exact; V4: OZ 5.5.0 pinned via postinstall, solmate pinned to specific commit SHA (89365b8...), forge-std v1.12.0 tagged. Security-critical libs are pinned. Hardhat uses caret ranges but is a dev tool.
Sources #
- GitHubSUNSwap V4 package.jsonsunswap-v4-core package.json — OZ 5.5.0, solmate at commit 89365b880c4f3c786bdd453d4b8e8fe410344a69, forge-std v1.12.0retrieved 2026-05-17
- SUNSwap V3 package.jsonsunswap-v3-contracts package.json — OZ 3.4.1-solc-0.7-2 pinned exactretrieved 2026-05-17
Methodology #
Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol sunswap factor RD-F-133 score green collected_at 2026-05-17 14:37:31