By the end of this chapter, you will be able to:
Prototyping is building rough, working versions of your IoT device to test ideas quickly and cheaply. Think of it like building a model airplane before constructing the real thing – a prototype reveals problems when they are still easy and inexpensive to fix. Modern prototyping tools make it possible to go from idea to working device in days rather than months.
“Libraries are pre-written code that saves you weeks of work!” said Max the Microcontroller enthusiastically. “Instead of writing 200 lines of code to talk to a temperature sensor, you install the Adafruit DHT library and it is just three lines. Someone already solved that problem for you.”
Sammy the Sensor appreciated libraries most of all. “The Adafruit Unified Sensor library gives every sensor the same interface. Whether I am a temperature sensor, a humidity sensor, or an accelerometer, the code to read me looks the same. It is like having a universal remote for sensors!”
Lila the LED added, “And communication libraries handle the hard networking stuff. The PubSubClient library manages MQTT connections, WiFiManager handles Wi-Fi setup with a nice configuration portal, and ArduinoJson parses JSON data. You do not need to understand every protocol detail – the library handles it.” Bella the Battery brought up version control. “Always use Git to track your code changes! If a library update breaks something, you can roll back to the working version. And lock your library versions in platformio.ini so your project builds the same way every time. There is nothing worse than a build that worked yesterday but fails today because a library silently updated.”
Before diving into this chapter, you should be familiar with:
This chapter covers libraries & version control, explaining the core concepts, practical design decisions, and common pitfalls that IoT practitioners need to build effective, reliable connected systems.
Adafruit Unified Sensor Library: Standardized interface for various sensors.
Example:
#include <Adafruit_Sensor.h>
#include <DHT.h>
#include <DHT_U.h>
DHT_Unified dht(DHTPIN, DHT22);
void setup() {
dht.begin();
sensor_t sensor;
dht.temperature().getSensor(&sensor);
}
void loop() {
sensors_event_t event;
dht.temperature().getEvent(&event);
Serial.print("Temp: ");
Serial.println(event.temperature);
}Benefits:
Popular Sensor Libraries:
| Sensor Type | Library | Sensors Supported |
|---|---|---|
| Environmental | Adafruit BME280 | Temperature, humidity, pressure |
| Motion | Adafruit MPU6050 | Accelerometer, gyroscope |
| Light | Adafruit TSL2591 | Lux measurement |
| Distance | NewPing | Ultrasonic sensors |
| GPS | TinyGPS++ | NMEA parsing |
Explore how the Adafruit Unified Sensor Library provides a consistent API across different sensor types. Select a sensor to see how each one implements the same standardized interface.
viewof selected_sensor = Inputs.select(
["DHT22 (Temperature)", "BME280 (Pressure)", "MPU6050 (Accelerometer)", "TSL2591 (Light)", "NewPing (Distance)"],
{label: "Select Sensor", value: "DHT22 (Temperature)"}
)
viewof show_raw_api = Inputs.checkbox(["Show raw (non-unified) API comparison"], {label: "Comparison"})sensor_data = {
const sensors = {
"DHT22 (Temperature)": {
lib: "Adafruit DHT Unified",
include: '#include <DHT_U.h>',
init: 'DHT_Unified dht(pin, DHT22);\ndht.begin();',
read: 'sensors_event_t event;\ndht.temperature().getEvent(&event);\nfloat temp = event.temperature;',
raw_read: 'DHT dht(pin, DHT22);\nfloat temp = dht.readTemperature();',
unit: "°C",
range: "-40 to 80",
color: "#E67E22",
ram: "~120 bytes"
},
"BME280 (Pressure)": {
lib: "Adafruit BME280 Unified",
include: '#include <Adafruit_BME280.h>',
init: 'Adafruit_BME280 bme;\nbme.begin(0x76);',
read: 'sensors_event_t event;\nbme.getEvent(&event, Adafruit_BME280::PRESSURE);\nfloat pressure = event.pressure;',
raw_read: 'Adafruit_BME280 bme;\nfloat pressure = bme.readPressure() / 100.0F;',
unit: "hPa",
range: "300 to 1100",
color: "#3498DB",
ram: "~180 bytes"
},
"MPU6050 (Accelerometer)": {
lib: "Adafruit MPU6050 Unified",
include: '#include <Adafruit_MPU6050.h>',
init: 'Adafruit_MPU6050 mpu;\nmpu.begin();',
read: 'sensors_event_t event;\nmpu.getAccelerometerSensor()->getEvent(&event);\nfloat ax = event.acceleration.x;',
raw_read: 'MPU6050 mpu;\nint16_t ax, ay, az;\nmpu.getAcceleration(&ax, &ay, &az);',
unit: "m/s²",
range: "±2g to ±16g",
color: "#9B59B6",
ram: "~240 bytes"
},
"TSL2591 (Light)": {
lib: "Adafruit TSL2591 Unified",
include: '#include <Adafruit_TSL2591.h>',
init: 'Adafruit_TSL2591 tsl(2591);\ntsl.begin();',
read: 'sensors_event_t event;\ntsl.getEvent(&event);\nfloat lux = event.light;',
raw_read: 'Adafruit_TSL2591 tsl(2591);\nuint32_t lum = tsl.getFullLuminosity();\nuint16_t ir = lum >> 16;\nfloat lux = tsl.calculateLux(lum & 0xFFFF, ir);',
unit: "lux",
range: "0 to 88,000",
color: "#16A085",
ram: "~160 bytes"
},
"NewPing (Distance)": {
lib: "NewPing (non-unified)",
include: '#include <NewPing.h>',
init: 'NewPing sonar(TRIG, ECHO, MAX_DIST);',
read: '// No unified API for NewPing\n// Must use library-specific call:\nunsigned int dist = sonar.ping_cm();',
raw_read: 'NewPing sonar(TRIG, ECHO, 200);\nunsigned int dist = sonar.ping_cm();',
unit: "cm",
range: "2 to 400",
color: "#E74C3C",
ram: "~80 bytes"
}
};
return sensors[selected_sensor];
}html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid ${sensor_data.color}; margin-top: 0.5rem;">
<h4 style="margin-top: 0; color: ${sensor_data.color};">${selected_sensor}</h4>
<div style="display: grid; grid-template-columns: 1fr 1fr 1fr; gap: 0.5rem; margin-bottom: 1rem; font-size: 0.85em;">
<div><strong>Library:</strong> ${sensor_data.lib}</div>
<div><strong>Range:</strong> ${sensor_data.range} ${sensor_data.unit}</div>
<div><strong>RAM Usage:</strong> ${sensor_data.ram}</div>
</div>
<div style="margin-bottom: 0.75rem;">
<strong style="color: #2C3E50;">Unified API Pattern (sensors_event_t):</strong>
<pre style="background: #2C3E50; color: #ecf0f1; padding: 0.75rem; border-radius: 4px; font-size: 0.82em; overflow-x: auto; white-space: pre-wrap;">${sensor_data.include}\n\n// Initialize\n${sensor_data.init}\n\n// Read using unified event structure\n${sensor_data.read}</pre>
</div>
${show_raw_api.length > 0 ? html`<div>
<strong style="color: #7F8C8D;">Raw (non-unified) API:</strong>
<pre style="background: #7F8C8D; color: #ecf0f1; padding: 0.75rem; border-radius: 4px; font-size: 0.82em; overflow-x: auto; white-space: pre-wrap;">${sensor_data.raw_read}</pre>
<p style="font-size: 0.85em; color: #E74C3C; margin-top: 0.25rem;">Notice: Without the unified API, each sensor has a different read pattern. Swapping sensors requires rewriting application code.</p>
</div>` : ''}
<p style="font-size: 0.85em; color: #7F8C8D; margin-bottom: 0;">The unified <code>sensors_event_t</code> structure means your application code stays the same regardless of which sensor you plug in -- only the initialization changes.</p>
</div>`#include <PubSubClient.h>
WiFiClient espClient;
PubSubClient client(espClient);
void callback(char* topic, byte* payload, unsigned int length) {
// Handle incoming messages
}
void setup() {
client.setServer(mqtt_server, 1883);
client.setCallback(callback);
}
void loop() {
if (!client.connected()) {
reconnect();
}
client.loop();
// Publish data
client.publish("sensors/temperature", "25.5");
}Library Selection Impact on Flash Budget: ESP32 with 4MB flash partitioned as 1.5MB app, 1.5MB OTA, 1MB file system:
Baseline firmware (no libraries): 180KB Available for app logic: \(1,500KB - 180KB = 1,320KB\)
Adding MQTT library options:
Adding TLS/SSL:
Total with secure AWS IoT: \(180 + 420 + 280 = 880KB\) (59% flash used)
Heavy libraries leave less room for app features and future OTA updates (which need space for both old and new firmware). Choose minimal libraries for memory-constrained devices.
viewof mqtt_lib = Inputs.select(["None", "PubSubClient (12KB)", "Mosquitto-ESP32 (187KB)", "AWS IoT SDK (420KB)"], {label: "MQTT Library", value: "None"})
viewof tls_enabled = Inputs.checkbox(["Enable TLS/SSL (mbedTLS, +280KB)"], {label: "Security"})
viewof display_lib = Inputs.select(["None", "Adafruit SSD1306 (18KB)", "TFT_eSPI (45KB)"], {label: "Display Library", value: "None"})
viewof http_lib = Inputs.select(["None", "HTTPClient (8KB)", "ArduinoHttpClient (14KB)"], {label: "HTTP Library", value: "None"})flash_calc = {
const baseline = 180;
let mqtt_size = 0;
if (mqtt_lib === "PubSubClient (12KB)") mqtt_size = 12;
else if (mqtt_lib === "Mosquitto-ESP32 (187KB)") mqtt_size = 187;
else if (mqtt_lib === "AWS IoT SDK (420KB)") mqtt_size = 420;
const tls_size = tls_enabled.length > 0 ? 280 : 0;
let display_size = 0;
if (display_lib === "Adafruit SSD1306 (18KB)") display_size = 18;
else if (display_lib === "TFT_eSPI (45KB)") display_size = 45;
let http_size = 0;
if (http_lib === "HTTPClient (8KB)") http_size = 8;
else if (http_lib === "ArduinoHttpClient (14KB)") http_size = 14;
const total = baseline + mqtt_size + tls_size + display_size + http_size;
const available = 1500;
const remaining = available - total;
const percent_used = (total / available * 100).toFixed(1);
const percent_free = (remaining / available * 100).toFixed(0);
return {baseline, mqtt_size, tls_size, display_size, http_size, total, remaining, percent_used, percent_free};
}html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid #3498DB; margin-top: 0.5rem;">
<table style="width:100%; border-collapse:collapse;">
<tr><td style="padding:4px; border-bottom:1px solid #ddd;"><strong>Component</strong></td>
<td style="padding:4px; border-bottom:1px solid #ddd; text-align:right;"><strong>Size (KB)</strong></td></tr>
<tr><td style="padding:4px;">Baseline Firmware</td>
<td style="padding:4px; text-align:right;">${flash_calc.baseline}</td></tr>
${flash_calc.mqtt_size > 0 ? `<tr><td style="padding:4px;">MQTT Library</td>
<td style="padding:4px; text-align:right;">${flash_calc.mqtt_size}</td></tr>` : ''}
${flash_calc.tls_size > 0 ? `<tr><td style="padding:4px;">TLS/SSL (mbedTLS)</td>
<td style="padding:4px; text-align:right;">${flash_calc.tls_size}</td></tr>` : ''}
${flash_calc.display_size > 0 ? `<tr><td style="padding:4px;">Display Library</td>
<td style="padding:4px; text-align:right;">${flash_calc.display_size}</td></tr>` : ''}
${flash_calc.http_size > 0 ? `<tr><td style="padding:4px;">HTTP Library</td>
<td style="padding:4px; text-align:right;">${flash_calc.http_size}</td></tr>` : ''}
<tr style="border-top:2px solid #ddd;"><td style="padding:4px;"><strong>Total Flash Used</strong></td>
<td style="padding:4px; text-align:right;"><strong>${flash_calc.total} KB (${flash_calc.percent_used}%)</strong></td></tr>
<tr><td style="padding:4px;"><strong>Remaining for App</strong></td>
<td style="padding:4px; text-align:right;"><strong>${flash_calc.remaining} KB (${flash_calc.percent_free}% free)</strong></td></tr>
</table>
<p style="margin-top:0.5rem; font-size:0.9em; color: ${flash_calc.percent_used > 70 ? '#E67E22' : '#16A085'};">
${flash_calc.percent_used > 70 ? '⚠️ High flash usage may limit OTA updates' : '✓ Good flash budget for app features and OTA'}
</p>
</div>`#include <HTTPClient.h>
void sendData() {
HTTPClient http;
http.begin("http://api.example.com/data");
http.addHeader("Content-Type", "application/json");
int httpCode = http.POST("{\"sensor\":\"temp\",\"value\":25.5}");
if (httpCode > 0) {
String response = http.getString();
Serial.println(response);
}
http.end();
}#include <WebSocketsClient.h>
WebSocketsClient webSocket;
void webSocketEvent(WStype_t type, uint8_t* payload, size_t length) {
switch(type) {
case WStype_CONNECTED:
webSocket.sendTXT("Hello Server");
break;
case WStype_TEXT:
Serial.printf("Received: %s\n", payload);
break;
}
}
void setup() {
webSocket.begin("server.com", 80, "/ws");
webSocket.onEvent(webSocketEvent);
}
void loop() {
webSocket.loop();
}Compare IoT communication protocols across key dimensions. Adjust the importance weights to see which protocol best fits your project requirements.
viewof weight_latency = Inputs.range([0, 10], {label: "Latency importance", step: 1, value: 5})
viewof weight_bandwidth = Inputs.range([0, 10], {label: "Bandwidth importance", step: 1, value: 5})
viewof weight_reliability = Inputs.range([0, 10], {label: "Reliability importance", step: 1, value: 5})
viewof weight_power = Inputs.range([0, 10], {label: "Power efficiency importance", step: 1, value: 5})
viewof weight_simplicity = Inputs.range([0, 10], {label: "Code simplicity importance", step: 1, value: 5})proto_scores = {
const protocols = [
{name: "MQTT (PubSubClient)", latency: 8, bandwidth: 6, reliability: 9, power: 8, simplicity: 8, color: "#16A085", lib_size: "12 KB"},
{name: "HTTP/REST (HTTPClient)", latency: 5, bandwidth: 8, reliability: 7, power: 4, simplicity: 9, color: "#3498DB", lib_size: "8 KB"},
{name: "WebSocket", latency: 9, bandwidth: 9, reliability: 7, power: 5, simplicity: 6, color: "#E67E22", lib_size: "22 KB"},
{name: "CoAP (microcoap)", latency: 8, bandwidth: 5, reliability: 8, power: 9, simplicity: 5, color: "#9B59B6", lib_size: "6 KB"}
];
const total_weight = weight_latency + weight_bandwidth + weight_reliability + weight_power + weight_simplicity || 1;
return protocols.map(p => {
const score = (
p.latency * weight_latency +
p.bandwidth * weight_bandwidth +
p.reliability * weight_reliability +
p.power * weight_power +
p.simplicity * weight_simplicity
) / total_weight;
return {...p, score: score.toFixed(1)};
}).sort((a, b) => b.score - a.score);
}html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid #2C3E50; margin-top: 0.5rem;">
<h4 style="margin-top: 0; color: #2C3E50;">Protocol Ranking (based on your weights)</h4>
${proto_scores.map((p, i) => {
const bar_width = (p.score / 10 * 100).toFixed(0);
return html`<div style="margin-bottom: 0.75rem;">
<div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 0.25rem;">
<strong style="color: ${p.color};">${i === 0 ? "★ " : ""}${p.name}</strong>
<span style="font-size: 0.85em; color: #7F8C8D;">Score: ${p.score}/10 | Library: ${p.lib_size}</span>
</div>
<div style="background: #ddd; border-radius: 4px; height: 20px; overflow: hidden;">
<div style="background: ${p.color}; width: ${bar_width}%; height: 100%; border-radius: 4px; transition: width 0.3s;"></div>
</div>
<div style="display: grid; grid-template-columns: repeat(5, 1fr); gap: 0.25rem; font-size: 0.75em; color: #7F8C8D; margin-top: 0.2rem;">
<span>Latency: ${p.latency}/10</span>
<span>Bandwidth: ${p.bandwidth}/10</span>
<span>Reliability: ${p.reliability}/10</span>
<span>Power: ${p.power}/10</span>
<span>Simplicity: ${p.simplicity}/10</span>
</div>
</div>`;
})}
<p style="font-size: 0.85em; color: #7F8C8D; margin-bottom: 0;">Adjust the sliders to match your project needs. Battery-powered devices should prioritize power efficiency; real-time dashboards should prioritize latency and bandwidth.</p>
</div>`OLED Displays:
#include <Adafruit_SSD1306.h>
Adafruit_SSD1306 display(SCREEN_WIDTH, SCREEN_HEIGHT, &Wire);
void setup() {
display.begin(SSD1306_SWITCHCAPVCC, 0x3C);
display.clearDisplay();
display.setTextSize(1);
display.setTextColor(SSD1306_WHITE);
display.setCursor(0,0);
display.println("Hello IoT!");
display.display();
}TFT Displays:
AWS IoT:
#include <AWS_IOT.h>
AWS_IOT aws;
void setup() {
aws.connect(HOST, CLIENT_ID);
}
void loop() {
if (aws.publish(TOPIC, "{\"temp\":25.5}")) {
Serial.println("Published");
}
}Azure IoT Hub:
#include <AzureIoTHub.h>
#include <AzureIoTProtocol_MQTT.h>
void sendMessage() {
IOTHUB_MESSAGE_HANDLE messageHandle =
IoTHubMessage_CreateFromString(message);
IoTHubClient_SendEventAsync(iotHubClientHandle,
messageHandle, sendCallback, NULL);
}Firebase:
Repository Structure:
iot-project/
├── firmware/
│ ├── src/
│ ├── lib/
│ ├── test/
│ └── platformio.ini
├── hardware/
│ ├── schematics/
│ └── pcb/
├── docs/
├── .gitignore
└── README.md.gitignore for IoT:
# Build artifacts
.pio/
build/
*.hex
*.bin
*.elf
# IDE files
.vscode/
.idea/
*.swp
# Environment-specific
secrets.h
credentials.json
# OS files
.DS_Store
Thumbs.dbBranching Strategy:
main: Production-ready codedevelop: Integration branchfeature/*: New featuresbugfix/*: Bug fixesrelease/*: Release preparationCommit Best Practices:
# Good commit messages
git commit -m "Add BME280 sensor support with I2C interface"
git commit -m "Fix deep sleep wake-up issue on ESP32"
git commit -m "Optimize Wi-Fi reconnection logic to reduce power"
# Poor commit messages
git commit -m "Update"
git commit -m "Fix bug"
git commit -m "Changes"Practice writing good IoT firmware commit messages. Enter a message to get instant feedback on quality and adherence to best practices.
commit_analysis = {
const msg = commit_msg.trim();
if (!msg) return {score: 0, issues: [], good: [], empty: true};
let score = 0;
const issues = [];
const good = [];
// Length check
if (msg.length >= 10 && msg.length <= 72) {
score += 2;
good.push("Good length (" + msg.length + " chars, ideal is 10-72)");
} else if (msg.length < 10) {
issues.push("Too short (" + msg.length + " chars) -- be more descriptive");
} else {
issues.push("Too long (" + msg.length + " chars) -- keep subject under 72");
score += 1;
}
// Starts with capital
if (/^[A-Z]/.test(msg)) {
score += 1;
good.push("Starts with a capital letter");
} else {
issues.push("Should start with a capital letter");
}
// Imperative mood (starts with verb)
const imperative_verbs = /^(Add|Fix|Update|Remove|Refactor|Implement|Optimize|Configure|Enable|Disable|Migrate|Replace|Improve|Handle|Support|Set|Change|Move|Rename|Extract|Merge|Revert|Integrate|Reduce|Increase)/i;
if (imperative_verbs.test(msg)) {
score += 2;
good.push("Uses imperative mood (good verb choice)");
} else {
issues.push("Start with an imperative verb (Add, Fix, Update, Implement...)");
}
// No period at end
if (!msg.endsWith(".")) {
score += 1;
good.push("No trailing period (correct style)");
} else {
issues.push("Remove trailing period from subject line");
}
// IoT-specific context
const iot_keywords = /sensor|mqtt|wifi|ble|ota|esp32|i2c|spi|gpio|sleep|power|firmware|lora|zigbee|thread|coap|http|tls|ssl|interrupt|watchdog|rtc|adc|dac|pwm|uart|deep.sleep|wake.up|reconnect|buffer|timeout|payload/i;
if (iot_keywords.test(msg)) {
score += 2;
good.push("Includes IoT-specific technical context");
} else {
issues.push("Consider adding IoT/hardware context (sensor, protocol, etc.)");
}
// Vague message check
const vague_patterns = /^(update|fix|change|stuff|things|misc|wip|test|debug|done|modified|edited|tmp|asdf|works now)$/i;
if (vague_patterns.test(msg)) {
score = Math.max(0, score - 3);
issues.push("Message is too vague -- describe WHAT changed and WHY");
}
// Describes what, not just where
if (msg.includes(" ") && msg.split(" ").length >= 3) {
score += 1;
good.push("Descriptive (multiple words explaining the change)");
} else {
issues.push("Add more detail about what was changed");
}
const max_score = 9;
return {score: Math.min(score, max_score), max_score, issues, good, empty: false};
}html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid ${commit_analysis.empty ? '#7F8C8D' : commit_analysis.score >= 7 ? '#16A085' : commit_analysis.score >= 4 ? '#E67E22' : '#E74C3C'}; margin-top: 0.5rem;">
${commit_analysis.empty ? html`<p style="color: #7F8C8D; margin: 0;">Type a commit message above to get instant feedback.</p>` : html`
<div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 0.75rem;">
<strong style="color: #2C3E50;">Quality Score: ${commit_analysis.score}/${commit_analysis.max_score}</strong>
<span style="padding: 0.2rem 0.75rem; border-radius: 12px; font-size: 0.85em; color: white; background: ${commit_analysis.score >= 7 ? '#16A085' : commit_analysis.score >= 4 ? '#E67E22' : '#E74C3C'};">
${commit_analysis.score >= 7 ? 'Excellent' : commit_analysis.score >= 4 ? 'Acceptable' : 'Needs Work'}
</span>
</div>
<div style="background: #ddd; border-radius: 4px; height: 8px; margin-bottom: 0.75rem;">
<div style="background: ${commit_analysis.score >= 7 ? '#16A085' : commit_analysis.score >= 4 ? '#E67E22' : '#E74C3C'}; width: ${(commit_analysis.score / commit_analysis.max_score * 100).toFixed(0)}%; height: 100%; border-radius: 4px; transition: width 0.3s;"></div>
</div>
${commit_analysis.good.length > 0 ? html`<div style="margin-bottom: 0.5rem;">
${commit_analysis.good.map(g => html`<div style="color: #16A085; font-size: 0.85em; padding: 0.15rem 0;">✓ ${g}</div>`)}
</div>` : ''}
${commit_analysis.issues.length > 0 ? html`<div>
${commit_analysis.issues.map(i => html`<div style="color: #E74C3C; font-size: 0.85em; padding: 0.15rem 0;">✗ ${i}</div>`)}
</div>` : ''}
`}
</div>`Pull Request Workflow:
Code Review Checklist:
PlatformIO lib_deps:
[env:esp32dev]
lib_deps =
# Exact version
knolleary/PubSubClient@2.8
# Version range (semver)
adafruit/Adafruit BME280 Library@^2.2.2
# Git repository
https://github.com/me/mylib.git
# Local library
lib/custom_sensorVersion Pinning Best Practices:
| Approach | Syntax | Use Case |
|---|---|---|
| Exact version | @2.8.0 |
Production builds |
| Compatible updates | @^2.8.0 |
Accept patches |
| Any version | (no version) | Only for prototyping |
Simulate what happens when you use different version pinning strategies over time. See how exact pinning, semver ranges, and unpinned dependencies behave as libraries release updates.
viewof pinning_strategy = Inputs.select(
["Exact (@2.8.0)", "Compatible range (@^2.8.0)", "Unpinned (latest)"],
{label: "Pinning Strategy", value: "Exact (@2.8.0)"}
)
viewof months_elapsed = Inputs.range([0, 24], {label: "Months in production", step: 1, value: 0})
viewof lib_releases_breaking = Inputs.range([0, 5], {label: "Breaking releases in period", step: 1, value: 1})
viewof lib_releases_patch = Inputs.range([0, 10], {label: "Patch/fix releases in period", step: 1, value: 3})dep_sim = {
const strategy = pinning_strategy;
const months = months_elapsed;
const breaking = lib_releases_breaking;
const patches = lib_releases_patch;
let build_stable = true;
let security_patched = false;
let features_current = false;
let risk_level = "Low";
let risk_color = "#16A085";
let explanation = "";
let recommendation = "";
if (strategy === "Exact (@2.8.0)") {
build_stable = true;
security_patched = false;
features_current = false;
if (months > 6 && patches > 0) {
risk_level = "Medium";
risk_color = "#E67E22";
explanation = "Build is stable and reproducible, but you are " + patches + " patches behind. " + (breaking > 0 ? "You safely avoided " + breaking + " breaking change(s). " : "") + "After " + months + " months, security patches may be missing.";
recommendation = "Audit quarterly. Update exact pin to latest patch version after testing.";
} else if (months > 12) {
risk_level = "Medium-High";
risk_color = "#E67E22";
explanation = "After " + months + " months with exact pinning, the locked version may have known CVEs. The library ecosystem has moved on.";
recommendation = "Schedule a dependency update sprint. Test thoroughly before deploying.";
} else {
risk_level = "Low";
risk_color = "#16A085";
explanation = "Build is stable and reproducible. Exact version pinning prevents surprise breakages. " + (patches > 0 ? patches + " patch(es) available but not auto-applied." : "No patches missed yet.");
recommendation = "Good practice for production. Monitor for security advisories.";
}
} else if (strategy === "Compatible range (@^2.8.0)") {
security_patched = patches > 0;
features_current = patches > 0;
if (breaking > 0) {
build_stable = false;
risk_level = "High";
risk_color = "#E74C3C";
explanation = "Semver range auto-applied " + patches + " patch(es) (good), but a breaking major release (v3.0) is available. If semver rules are violated by the library author, builds may silently break. " + breaking + " breaking release(s) could be pulled in.";
recommendation = "Add upper bound constraints. Test in CI before deploying updates.";
} else {
build_stable = true;
risk_level = months > 12 ? "Medium" : "Low";
risk_color = months > 12 ? "#E67E22" : "#16A085";
explanation = "Semver range auto-applied " + patches + " compatible patch(es). No breaking changes in the period. Build remains stable.";
recommendation = "Good balance of stability and updates for active development.";
}
} else {
security_patched = true;
features_current = true;
if (breaking > 0) {
build_stable = false;
risk_level = "Critical";
risk_color = "#E74C3C";
explanation = "Unpinned dependency pulled " + breaking + " breaking major release(s). Build likely FAILS with compile errors. All " + patches + " patches also applied, but the breaking API changes dominate. This is the ArduinoJson v6-to-v7 scenario.";
recommendation = "NEVER use unpinned versions in production. Pin immediately.";
} else if (patches > 2) {
build_stable = true;
risk_level = "Medium";
risk_color = "#E67E22";
explanation = "Auto-applied " + patches + " patches. No breaking changes yet, but you have no control over what gets installed. A future pio lib update could pull anything.";
recommendation = "Pin to at least a semver range for predictable builds.";
} else {
build_stable = true;
risk_level = "Low-Medium";
risk_color = "#E67E22";
explanation = "Few changes so far, but unpinned dependencies are a ticking time bomb. Works fine during early prototyping.";
recommendation = "Acceptable for initial prototyping only. Pin before shipping.";
}
}
return {build_stable, security_patched, features_current, risk_level, risk_color, explanation, recommendation, strategy, months};
}html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid ${dep_sim.risk_color}; margin-top: 0.5rem;">
<div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 0.75rem;">
<h4 style="margin: 0; color: #2C3E50;">After ${dep_sim.months} months with ${dep_sim.strategy}</h4>
<span style="padding: 0.2rem 0.75rem; border-radius: 12px; font-size: 0.85em; color: white; background: ${dep_sim.risk_color};">Risk: ${dep_sim.risk_level}</span>
</div>
<div style="display: grid; grid-template-columns: repeat(3, 1fr); gap: 0.5rem; margin-bottom: 0.75rem;">
<div style="text-align: center; padding: 0.5rem; background: ${dep_sim.build_stable ? '#16A085' : '#E74C3C'}22; border-radius: 4px;">
<div style="font-size: 1.5em;">${dep_sim.build_stable ? '✓' : '✗'}</div>
<div style="font-size: 0.8em; color: #2C3E50;"><strong>Build Stable</strong></div>
</div>
<div style="text-align: center; padding: 0.5rem; background: ${dep_sim.security_patched ? '#16A085' : '#E67E22'}22; border-radius: 4px;">
<div style="font-size: 1.5em;">${dep_sim.security_patched ? '✓' : '✗'}</div>
<div style="font-size: 0.8em; color: #2C3E50;"><strong>Security Patched</strong></div>
</div>
<div style="text-align: center; padding: 0.5rem; background: ${dep_sim.features_current ? '#16A085' : '#7F8C8D'}22; border-radius: 4px;">
<div style="font-size: 1.5em;">${dep_sim.features_current ? '✓' : '—'}</div>
<div style="font-size: 0.8em; color: #2C3E50;"><strong>Features Current</strong></div>
</div>
</div>
<p style="font-size: 0.9em; color: #2C3E50; margin-bottom: 0.5rem;">${dep_sim.explanation}</p>
<p style="font-size: 0.85em; color: ${dep_sim.risk_color}; margin-bottom: 0;"><strong>Recommendation:</strong> ${dep_sim.recommendation}</p>
</div>`Scenario: A startup ships 500 outdoor air quality monitors to cities across Europe. Each device runs an ESP32 with PlatformIO firmware using 8 libraries. After 6 months in production, a critical vulnerability is found in the MQTT library (PubSubClient), and a sensor library update breaks compatibility with their hardware revision. The team must audit, patch, and deploy updates to all 500 devices.
Initial dependency state (from platformio.ini):
| Library | Pinned Version | Current Latest | Issue |
|---|---|---|---|
PubSubClient |
@^2.8 (range) |
2.9.0 | v2.9 fixes buffer overflow CVE-2023-XXXX but changes callback signature |
Adafruit BME680 |
@2.0.1 (exact) |
2.0.4 | v2.0.4 adds support for new sensor revision (BME688) |
ArduinoJson |
(no version) | 7.0.0 | v7 is a breaking rewrite; v6 API completely different |
WiFiManager |
@^2.0.15 |
2.0.17 | Minor patches, safe to update |
NTPClient |
@3.2.1 |
3.2.1 | No change |
SPIFFS |
Built-in | - | No change |
TinyGPS++ |
@1.0.3 |
1.0.3 | No change |
AsyncTCP |
Git URL | Latest commit | Unknown; no version pinning |
Audit findings:
pio lib update would pull v7.0, which renames StaticJsonDocument to JsonDocument and changes 14 API calls in the firmware. The build would fail with 14 compile errors.Resolution steps:
| Step | Action | Rationale |
|---|---|---|
| 1 | Pin ALL libraries to exact versions: @2.8.0, @6.21.3, etc. |
Prevent silent breaking changes |
| 2 | Create feature/mqtt-security-patch branch |
Isolate changes from main |
| 3 | Update PubSubClient to @2.9.0, fix callback signature change (1 line: add unsigned int → size_t) |
Patch CVE while minimizing code changes |
| 4 | Pin ArduinoJson to @6.21.3 (latest v6) |
Avoid v7 breaking changes until planned migration |
| 5 | Fork AsyncTCP to company GitHub, pin to fork with tag v1.1.4-pinned |
Eliminate supply chain dependency on external repo |
| 6 | Run full test suite on hardware | Verify no regressions |
| 7 | Deploy via OTA to 10 devices (canary group) | Catch field issues before fleet-wide rollout |
| 8 | Monitor for 48 hours, then deploy to remaining 490 devices | Staged rollout reduces blast radius |
Cost of NOT auditing dependencies:
Key takeaway: Pin exact versions (@2.8.0) in production, use semantic ranges (@^2.8) only during active development. Audit dependencies quarterly. Fork critical libraries that lack stable release practices.
Symptom: Code compiles fine, then fails after pio lib update
Cause: Library update introduced breaking change
Prevention:
lib@2.8.0Recovery:
Adding too many features before validating core user needs wastes weeks of effort on a direction that user testing reveals is wrong. IoT projects frequently discover that users want simpler interactions than engineers assumed. Define and test a minimum viable version first, then add complexity only in response to validated user requirements.
Treating security as a phase-2 concern results in architectures (hardcoded credentials, unencrypted channels, no firmware signing) that are expensive to remediate after deployment. Include security requirements in the initial design review, even for prototypes, because prototype patterns become production patterns.
Designing only for the happy path leaves a system that cannot recover gracefully from sensor failures, connectivity outages, or cloud unavailability. Explicitly design and test the behaviour for each failure mode and ensure devices fall back to a safe, locally functional state during outages.
| If you want to… | Read this |
|---|---|
| Explore application domains for this technology | Application Domains Overview |
| Learn about UX design for connected devices | UX Design for IoT |
| Start prototyping with the concepts covered | Prototyping Essentials |