
Rethink Scarf usage


Expected Behavior

I expect this dependency to not collect any of my (personal) data by default.

Actual Behavior

This package is using scarf with an opt-out functionality - not opt-in. Thereby collecting the following information on each install:

  • installed packages (except @org scoped)
  • IP address (to track which company I am from)
  • operating system

Possible Solution

  • Make scarf opt-in.
  • Or Disable IP Tracking and disable reporting of other packages installed

It should at least be explained in the readme. There should be a note saying how to disable it before installation - as currently there is no way to opt-out of the first installation because the installing person simply does not know about the package.

Context

Even Google has made its usage statistics optional. I understand that information like: “Which versions are currently used?” is of particular interest for package managers and I would let you track this kind of data (also with opt-out) - no problem.

But as you are also collecting information about the installed packages (Wherefore? Github already has a way less invasive function with “Used by”) and part of who I am (IP Address and Company info) - I don’t quite get it. Please also be aware that this is likely putting you into the reach of GDPR laws because IP addresses and company affiliation are both likely to uniquely identify a person.

I love your work and I have been using this package for years now. But still, I think before collecting data the reasons behind it and what they are used for should be explained. Also, the amount of data should be minimized.

Your Environment

  • Version used: 8.0.2
  • Browser Name and version: Chrome 81

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 5
  • Comments: 11 (9 by maintainers)

Top GitHub Comments

6 reactions
aviaviavi commented, Jul 1, 2020

Hi, author of scarf-js here 👋 . I just wanted to clear up a few things brought up here:

  1. Scarf isn’t actually storing IP addresses. We look up any business information associated with the IP address and then delete the IP itself. All in all, Scarf is not storing any personally identifying information collected from package analytics.
  2. The Github “used by” section doesn’t quite do the job of informing you who your commercial users are, but yes it does help. Most corporate repositories are not publicly hosted on Github, so this section misses the most important category - large companies using a project, who would be more likely to pay maintainers for support. Scarf fills in those gaps and offers additional around it in order to help maintainers financially support their work.
  3. Keep in mind, npm does collect quite a bit more already https://www.npmjs.com/policies/privacy#data. We’re collecting a whole lot less (you can set SCARF_VERBOSE=true to see the exact payload we’re sending, it’s very small), and actually sharing that with the maintainers, which will ultimately lead to better-maintained software for everyone.
1 reaction
simon-jouet commented, Sep 8, 2020

Hi,

Thanks for the great work on ngx-infinite-scroll.

I would like to add to this issue regarding the use of scarf. I’m currently running into problems installing my dependencies because scarf is failing with SyntaxError: Unexpected end of JSON input when installing ngx-infinite-scroll.

It’s a bit frustrating that, a dependency of a dependency is causing issues project-wide while it is itself not necessary. I tried to opt-out using the environment variable and modifying the package.json but it’s still failing for now (need to keep looking into it).

EDIT: looks like SCARF_ANALYTICS=false npm install --scripts-prepend-node-path is allowing me to install the dependencies

Additionally to this, I’m not 100% convinced that the current behaviour is compliant with GDPR (for all European users) as consent should be explicitly given, which isn’t the case here. I’m personally not too fussed about it but I know some people are, and knowing that information is being sent would have been nice to know before running into trouble.

