Reconsider use of scarf
Hey @erikras
First off I want to say I really appreciate the work you've put into react-final-form. It's apparent this is the premier form library for React atm and I'm hoping to use it professionally in a large existing codebase that needs some forms TLC.
Adding final form as a dep seemed easy enough and it made feature development a breeze, but during code review I came across this new dependency, @scarf/scarf. Their README does a good job explaining my concern right off the bat:
Scarf is like Google Analytics for your npm packages. By sending some basic details after installation, this package can help you gain insights into how your packages are used and by which companies. Scarf aims to help support open-source developers fund their work when used commercially.
Even if Scarf is completely harmless and honest in their mission, its presence immediately makes this a hard sell. Even disabling it via the package.json is not enough for me to avoid a "fun" chat with our CTO about scarf if I want to stay the course with react-final-form.
Further, there is no discussion in the PR https://github.com/final-form/react-final-form/pull/790. Were these authors or the package's telemetry code vetted?
I'm a concerned dev who would love to use this library, but unless scarf is removed I will probably opt to use Formik, which is comparable, if not quite as feature-complete. Please reconsider!
Issue Analytics
- Created 3 years ago
- Reactions: 14
- Comments: 22 (8 by maintainers)
Top GitHub Comments
At the end of the day you are installing third-party telemetry code on package install. This means it not only goes on my computer but on every single developer's who works on the codebase. To me, and I'm guessing any CTO or manager I've worked with, this is unacceptable. Scarf is not opted into by developers, so it feels like malware. It's hidden away as a sub-dep that I only caught during the diff of the package-lock file.
To use RFF professionally I'll need to discuss it and scarf with my supervisor, which pretty much means it's dead on arrival. What engineering manager is going to let telemetry code from an untrusted vendor on their dev machines? I'll just pick a package that doesn't feel the need to opt me and my team into data collection.
@samsch Are you proud of how pushy you’re being? How many dollars have you donated to Open Source this month?