Increase priority of libraries mentioned explicitly as dependencies #2409
Labels: topic: build-process (Related to the sketch build process); topic: code (Related to content of the project itself); type: enhancement (Proposed improvement)
Describe the request
This proposal includes two distinct changes, increasing the priority of libraries mentioned in the:
- depends= field of the library.properties file
- libraries field of the sketch.yaml file

These changes are independent of each other. At the moment, the first one would be more useful than the second one.
Describe the current behavior
As of now, the dependency resolution algorithm does not take into account whether a candidate library was specified as an explicit dependency for the current library/sketch.
This has the following effects:
Arduino CLI version
0.34.2
Operating system
N/A
Operating system version
Any
Additional context
Some further considerations:
Backward compatibility. Changing the prioritization rules may of course be a breaking change for users relying on the current set of rules, as a different library may be picked up. These scenarios would be affected:
- depends= AND such header file name does not match the library name AND another library mentioned in depends= provides a header file with the same name, which would then take priority. This scenario appears very unlikely and shall be addressed by fixing the affected libraries, if any.
- depends= AND the header file name doesn't match any of the names of those libraries AND the intended library is the one selected by the current probabilistic algorithm. This scenario appears marginal since it's slightly random, but still possible.

Security. This proposal increases the security level of the library selection algorithm by reducing the risk of supply chain attacks exploiting priority squatting. It also increases the build reproducibility level by letting users pin the library to be used for a given include.
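To make the priority-squatting point concrete, here is an added toy model of include-to-library resolution; it is not arduino-cli's own code. The tier ordering it uses (header/library name match, then architecture, then install location) is a simplified assumption modelled on the documented priority rules, and the explicit-dependency tier is the change this issue proposes. The library names (GoodLib, Widget, OtherLib), the Widget.h header and the sketch are constructed for illustration.

```python
"""Toy model of Arduino-style include resolution with an explicit-dependency tier.

Added example, not arduino-cli code. Tier ordering (name match, architecture,
install location) is a simplified assumption; the explicit-dependency tier
models libraries named in depends= (library.properties) or in the sketch.yaml
libraries field, which is the change proposed in the issue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Library:
    name: str
    headers: frozenset       # header file names shipped in src/
    architectures: frozenset  # architectures= from library.properties, "*" = any
    location: str            # install location: sketchbook, platform or builtin


# Higher is better: a user-installed (sketchbook) library beats bundled ones.
LOCATION_RANK = {"sketchbook": 3, "platform": 2, "builtin": 1}


def name_match(lib: Library, header: str) -> int:
    """3: exact name match, 2: case-insensitive, 1: name contains stem, 0: none."""
    stem = header[:-2] if header.endswith(".h") else header
    if lib.name == stem:
        return 3
    if lib.name.lower() == stem.lower():
        return 2
    if stem.lower() in lib.name.lower():
        return 1
    return 0


def arch_match(lib: Library, arch: str) -> int:
    """2: declares the target architecture, 1: declares '*', 0: otherwise."""
    if arch in lib.architectures:
        return 2
    if "*" in lib.architectures:
        return 1
    return 0


def priority(lib: Library, header: str, arch: str, explicit, boost: bool):
    """Priority tuple; Python compares tuples element by element, so the first
    field is the top-ranked tier.  With boost=False the explicit list is
    ignored, which models the current behaviour."""
    explicit_tier = 1 if (boost and lib.name in explicit) else 0
    return (explicit_tier, name_match(lib, header), arch_match(lib, arch),
            LOCATION_RANK[lib.location])


def resolve(header: str, libs, arch: str, explicit=(), boost: bool = True):
    """Return (winner_name, tied).  tied=True means the best priority is shared,
    i.e. the choice would fall to an order the user does not control."""
    candidates = [lib for lib in libs if header in lib.headers]
    if not candidates:
        return None, False
    ranked = sorted(candidates, reverse=True,
                    key=lambda lib: priority(lib, header, arch, explicit, boost))
    best = priority(ranked[0], header, arch, explicit, boost)
    tied = len(ranked) > 1 and priority(ranked[1], header, arch, explicit, boost) == best
    return ranked[0].name, tied


# Constructed scenario: the sketch includes <Widget.h>, which the intended
# library "GoodLib" ships under a name that does not match the header.  A second
# library named exactly "Widget" also ships Widget.h (the squatting case) and so
# wins the name-match tier under the current rules.
GOODLIB = Library("GoodLib", frozenset({"Widget.h", "GoodLib.h"}), frozenset({"*"}), "sketchbook")
SQUATTER = Library("Widget", frozenset({"Widget.h"}), frozenset({"*"}), "sketchbook")
OTHERLIB = Library("OtherLib", frozenset({"Widget.h"}), frozenset({"*"}), "sketchbook")


def demo():
    """Resolve the same include under the current and the proposed rules."""
    return {
        # Current rules: name match decides, the squatter wins even though the
        # sketch/library declared GoodLib as a dependency.
        "current": resolve("Widget.h", [GOODLIB, SQUATTER], "avr", explicit={"GoodLib"}, boost=False),
        # Proposed rules: the declared dependency wins.
        "proposed": resolve("Widget.h", [GOODLIB, SQUATTER], "avr", explicit={"GoodLib"}, boost=True),
        # Backward-compat scenario 1 from the issue: both libraries declared,
        # so the name-match tier still decides between them.
        "both_declared": resolve("Widget.h", [GOODLIB, SQUATTER], "avr", explicit={"GoodLib", "Widget"}),
        # No name match and nothing declared: the tie is what the issue calls
        # the current probabilistic selection.
        "undeclared_tie": resolve("Widget.h", [GOODLIB, OTHERLIB], "avr"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: winner={result[0]} tied={result[1]}")
```

The "undeclared_tie" case is the one a sketch.yaml pin would fix: adding the intended library to the explicit set turns a tie the tool breaks on its own into a deterministic choice, which is the reproducibility gain described above.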