"Where a package wishes to make use of a library not written solely for
the package, the package installation should first look to see if it is
already installed and if so is of a suitable version. In case not, it is
desirable to include the library sources in the package and compile them
as part of package installation. If the sources are too large, it is
acceptable to download them as part of installation, but do ensure that
the download is of a fixed version rather than the latest. Only as a
last resort and with the agreement of the CRAN team should a package
download pre-compiled software."
and we have recently seen an instance of a Rust-using package whose
check output changed because what it downloaded had changed. CRAN
checking is not set up for that (for example, macOS checks are done once
only for each version).
Whilst investigating, the Windows maintainers found that binary libs
were being downloaded. And subsequently I found that salso, string2path
and ymd are downloading compiled code on Intel macOS.
Also, make sure that the authorship and copyright of code you download
(and hence include in the package) is clear from the DESCRIPTION file,
as required by the CRAN policy.
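
One way a package's configure script could follow the quoted policy, shown as an added example that is not part of the original message or of any package named in it: prefer a suitable installed library, then bundled sources, and only then download a fixed version whose SHA-256 digest is checked before use. The library name libfoo, its version, URL, digest placeholder and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. libfoo, its version, URL and digest are constructed placeholders.
LIB_VERSION="1.2.3"
LIB_URL="https://example.org/libfoo/libfoo-${LIB_VERSION}.tar.gz"  # versioned, never ".../latest"
LIB_SHA256="<sha256-of-libfoo-1.2.3.tar.gz>"                       # recorded when the version was pinned

# version_ge A B: succeed when three-part dotted version A is at least B.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# choose_source INSTALLED MINIMUM BUNDLED_DIR: print system, bundled or download,
# in the order of preference the policy gives.
choose_source() {
    if [ -n "$1" ] && version_ge "$1" "$2"; then echo system
    elif [ -d "$3" ]; then echo bundled
    else echo download
    fi
}

# sha256_of FILE: print the hex digest with whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if FILE exists and matches EXPECTED.
verify_sha256() {
    [ -f "$1" ] && [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_pinned URL EXPECTED DEST: download to a temporary name, verify, then move
# into place, so an unverified archive is never unpacked or compiled.
fetch_pinned() {
    tmp="$3.part"
    curl -fsSL -o "$tmp" "$1" || return 1
    if verify_sha256 "$tmp" "$2"; then mv "$tmp" "$3"
    else rm -f "$tmp"; echo "checksum mismatch for $1" >&2; return 1
    fi
}

# Typical use from configure (not run here):
#   [ "$(choose_source "$found" 1.2.0 src/libfoo)" = download ] &&
#       fetch_pinned "$LIB_URL" "$LIB_SHA256" libfoo.tar.gz
```

With the digest pinned alongside the version, a changed upstream file makes installation fail visibly instead of silently changing the check output.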