Version: 2.3.6
Check: compiled code
Result: WARN
    File ‘yaml/libs/yaml.so’:
Found ‘__sprintf_chk’, possibly from ‘sprintf’ (C)
Object: ‘dumper.o’
    
    Compiled code should not call entry points which might terminate R nor
    write to stdout/stderr instead of to the console, nor use Fortran I/O
    nor system RNGs nor [v]sprintf.
    
    See ‘Writing portable packages’ in the ‘Writing R Extensions’ manual.
Flavors: r-devel-linux-x86_64-debian-clang, r-devel-linux-x86_64-debian-gcc, r-devel-linux-x86_64-fedora-gcc

Version: 2.3.6
Check: compiled code
Result: WARN
    File ‘yaml/libs/yaml.so’:
Found ‘sprintf’, possibly from ‘sprintf’ (C)
Object: ‘dumper.o’
    
    Compiled code should not call entry points which might terminate R nor
    write to stdout/stderr instead of to the console, nor use Fortran I/O
    nor system RNGs nor [v]sprintf.
    
    See ‘Writing portable packages’ in the ‘Writing R Extensions’ manual.
Flavor: r-devel-linux-x86_64-fedora-clang

macOS 13 has depreceted sprintf and vsprintf. For most (but not all) uses from C/C++ there is a compiler warning warning: 'sprintf' is deprecated: This function is provided for compatibility reasons only. Due to security concerns inherent in the design of sprintf(3), it is highly recommended that you use snprintf(3) instead. [-Wdeprecated-declarations] 'man sprintf' ends Always use the proper secure idiom: snprintf(buffer, sizeof(buffer), "%s", string); but note that may not work if the first argument is a pointer into a buffer. Some compilers (at least gcc 13) will warn if the 'size' in an snprintf call exceeds the size of the buffer. Once the declaration is hidden or removed, compilation will fail as C++ always requires a declaration and Apple clang also requires one for C. R-devel reports these issues on all platforms: - The use of sprintf and vsprintf from C/C++ has been deprecated in macOS 13 and is a known security risk. R CMD check now reports (on all platforms) if their use is found in the compiled code: replace by snprintf or vsnprintf. [NB: whether such calls get compiled into the package is platform-dependent.] This reports some uses on macOS which do not currently give compilation warnings: there have been a very few packages with calls which get optimized out on Linux but not macOS. Normally calls to [v]sprintf are not reported if they are in a library to which the package is linked. (There can be exceptions for packages with src/Makefile's and static libraries.) However, there will be reports from non-system headers (including those LinkedTo in other packages) included by C and C++ code: do report those to the authors of such headers and consider including a modified version of the header in your own package.