tqcq/cpp-project-template
0
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Activity
Files
3216dd58c679c79f9469291caee58cd89cdbf711
cpp-project-template/3rd
T
History

README.md

Third-Party Dependencies

This directory contains vendored third-party artifacts for offline-first builds.

Directory Layout

3rd/
├── archives/        # CPM local archive files (.tar.gz)
│   ├── spdlog-1.15.3.tar.gz
│   ├── fmt-11.0.2.tar.gz
│   ├── nlohmann-json-3.11.3.tar.gz
│   ├── ...  (23 total; see table below)
│   └── fuzztest-2026-02-19.tar.gz
├── patches/         # Per-dependency patch files
│   └── fuzztest/    # FuzzTest patchset
│       └── 2026-02-19/
└── README.md        # This file

Archive Policy

  • All archives are committed to the repository for true offline fresh-clone builds.
  • Archives are the source of truth for CPM URL inputs.
  • SHA256 hashes are recorded in cmake/deps/versions.cmake.
  • CPM URL_HASH SHA256=... provides build-time integrity enforcement.
  • Do not add archives for dependencies not in the v1 inventory.

v1 Inventory

The complete v1 dependency inventory is defined in cmake/deps/versions.cmake and summarized in docs/template-design.md.

Archived (v1 inventory complete)

Archive Dependency Version SHA256
spdlog-1.15.3.tar.gz spdlog 1.15.3 15a04e69c222eb6c01094b5c7ff8a249b36bb22788d72519646fb85feb267e67
fmt-11.0.2.tar.gz fmt 11.0.2 6cb1e6d37bdcb756dbbe59be438790db409cdb4868c66e888d5df9f13f7c027f
nlohmann-json-3.11.3.tar.gz nlohmann/json 3.11.3 0d8ef5af7f9794e3263480193c491549b2ba6cc74bb018906202ada498a79406
toml11-4.4.0.tar.gz toml11 4.4.0 815bfe6792aa11a13a133b86e7f0f45edc5d71eb78f5fb6686c49c7f792b9049
CLI11-2.4.2.tar.gz CLI11 2.4.2 f2d893a65c3b1324c50d4e682c0cdc021dd0477ae2c048544f39eed6654b699a
asio-1.30.2.tar.gz asio 1.30.2 755bd7f85a4b269c67ae0ea254907c078d408cce8e1a352ad2ed664d233780e8
concurrentqueue-1.0.4.tar.gz concurrentqueue 1.0.4 87fbc9884d60d0d4bf3462c18f4c0ee0a9311d0519341cac7cbd361c885e5281
ghc-filesystem-1.5.14.tar.gz ghc::filesystem 1.5.14 e783f672e49de7c5a237a0cea905ed51012da55c04fbacab397161976efc8472
expected-lite-0.8.0.tar.gz expected-lite 0.8.0 27649f30bd9d4fe7b193ab3eb6f78c64d0f585c24c085f340b4722b3d0b5e701
cpp-httplib-0.18.3.tar.gz cpp-httplib 0.18.3 a0567bcd6c3fe5cef1b329b96245119047f876b49e06cc129a36a7a8dffe173e
googletest-1.16.0.tar.gz GoogleTest 1.16.0 78c676fc63881529bf97bf9d45948d905a66833fbfa5318ea2cd7478cb98f399
benchmark-1.7.1.tar.gz Google Benchmark 1.7.1 6430e4092653380d9dc4ccb45a1e2dc9259d581f4866dc0759713126056bc1d7
googletest-1.17.0.tar.gz GoogleTest (fuzz lane) 1.17.0 65fab701d9829d38cb77c14acdc431d2108bfdbf8979e40eb8ae567edf10b27c
abseil-cpp-20260107.1.tar.gz Abseil 20260107.1 4314e2a7cbac89cac25a2f2322870f343d81579756ceff7f431803c2c9090195
re2-2025-11-05.tar.gz RE2 2025-11-05 87f6029d2f6de8aa023654240a03ada90e876ce9a4676e258dd01ea4c26ffd67
antlr4-4.13.2.tar.gz ANTLR4 4.13.2 9f18272a9b32b622835a3365f850dd1063d60f5045fb1e12ce475ae6e18a35bb
fuzztest-2026-02-19.tar.gz FuzzTest 2026-02-19 1c6e04065eb988e2c99613369db8294aa58429d392bf479740b237f1255204ef
sigslot-1.2.0.tar.gz sigslot 1.2.0 751852bcb1871aa2ca9f30b34614d028bc44379bbd6f91327744724c652e7ce8
ByteBuffer-master.tar.gz ByteBuffer master 07ab9ff7b253eb64f7eb220ad3158f72b9ee1baf8158890d98f9ee69a6c83e73
eigen-3.4.0.tar.gz Eigen3 3.4.0 8586084f71f9bde545ee7fa6d00288b264a2b7ac3607b974e54d13e7162c1c72
hash-library-v8.tar.gz hash-library v8 ddf9d398166e08482af1225aed968ac4c370f99648b5359b0a20c9ed56f7b1c7
CRCpp-1.2.1.0.tar.gz CRCpp 1.2.1.0 e2019ed95300f865fe0c1ea326e5502e1ba538bfbc2e31d175a5ee313b31510d
optional-1.1.0.tar.gz tl::optional 1.1.0 88ece79f3de5ccaec4191951a222f95cc80c4381dafd3163bdb1ff87cedf3118

All 23 v1 dependencies have concrete SHA256 hashes and archived tarballs. Use python3 scripts/fetch_deps.py --check to verify local archive integrity.

Patch Policy

  • Patches live under 3rd/patches/<dependency>/<version>/.
  • Each patchset includes a README with upstream baseline, patched files, rationale, and rebase checklist.
  • Patches must not introduce remote fetch behavior or forbidden transitive dependencies.

No-Network Guarantee

The default and fuzz build lanes resolve all dependencies from committed local archives. CPM uses URL pointing at 3rd/archives/*.tar.gz with URL_HASH SHA256=... for integrity. There is no implicit remote fallback: if an archive is missing or its hash does not match, the build fails at configure time.

This guarantee is verified by the no-network-default and no-network-fuzztest-lane checks in scripts/dev_check.py, which run CMake under invalid HTTP/HTTPS proxies with an isolated CPM cache.

Scope:

  • Covered: debug, release, asan, fuzz presets.
  • Not covered: there is no global offline mode. The build system does not set CMAKE_DISABLE_FIND_PACKAGE or similar flags. Offline behavior comes from CPM archive mode, not from suppressing network access at the CMake level.

Updating Archives

To refresh or add a dependency archive:

  1. Run python3 scripts/fetch_deps.py --fetch <name> to download the archive into 3rd/archives/.
  2. Run python3 scripts/fetch_deps.py --update-hashes to write computed SHA256 values into cmake/deps/versions.cmake (replaces PENDING_T12 tokens).
  3. Run python3 scripts/fetch_deps.py --check to verify all archives match their recorded hashes.
  4. Commit the archive and the updated versions.cmake.

The --check flag is offline: it only compares local files against known hashes. The --fetch flag downloads from the URLs recorded in versions.cmake.

Troubleshooting

Hash mismatch

CMake Error: hash mismatch for ...

The archive in 3rd/archives/ does not match the SHA256 in cmake/deps/versions.cmake. Either the archive is corrupted, or someone updated the hash without updating the file (or vice versa). Fix by re-downloading:

python3 scripts/fetch_deps.py --fetch --force <name>

Missing archive

Could not find archive: 3rd/archives/<name>.tar.gz

The tarball was not committed or was deleted. Download it:

python3 scripts/fetch_deps.py --fetch <name>

Unsupported compiler

The default build lanes require a C++14 compiler. The fuzz preset requires C++17 and Clang (clang++). GCC will not work for the fuzz lane.

FuzzTest unavailable

The fuzz lane (--preset fuzz) requires Clang and the C++17 standard. If you don't have Clang installed, or you're on a platform where Clang is unavailable, skip the fuzz preset. All other presets (debug, release, asan) work with any C++14-capable compiler.

Reference in New Issue View Git Blame Copy Permalink