Dependency manifest uses unpinned versions

Veda (BoringVault)'s assessment for RD-F-133 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

.gitmodules uses floating branch tracking for all 5 submodules: solmate (transmissions11/solmate), openzeppelin-contracts (openzeppelin/openzeppelin-contracts), ccip (smartcontractkit/ccip), OAppAuth (Se7en-Seas/OAppAuth), forge-std (foundry-rs/forge-std). None are pinned to specific commits. In practice, Foundry builds are reproducible from the cloned repo's recorded submodule commit, but the manifest does not enforce pinning. Security-critical libraries (solmate, openzeppelin-contracts) are floating — this is a yellow finding.

Sources #

GitHub
boring-vault .gitmodules — floating submodule versions.gitmodules — 5 submodules, all floating (no commit pins): solmate, openzeppelin-contracts, ccip, OAppAuth, forge-stdretrieved 2026-05-17

Methodology #

Determine whether `package.json`, `Cargo.toml`, or `foundry.toml` uses `^` or `~` version ranges for security-critical libraries (OpenZeppelin, Solady, etc.).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol veda factor RD-F-133 score yellow collected_at 2026-05-17 12:41:22