Could you please disable by default scarf/scarf or remove at all

[Mavrin]

Thank you for great project.

I have some concern with using your project by privacy reason.

1. You are using "@scarf/scarf": "^1.0.0", with not exact version. What is happen if library was compromised.
2. I understand, that you want to collect usage statistics, but it looks dangerous. I can't be sure what information has been sent. And I don't accept agreement send some statistics. For example bower asked me explicit: Do you want send statistics?

[tannerlinsley]

I’ll loop in @aviaviavi here to answer any questions you might have 👍

[aviaviavi]

Hi @Mavrin, author of @scarf/scarf here!

You are using "@scarf/scarf": "^1.0.0", with not exact version. What is happen if library was compromised.

This is true that react-query is not pinning to exact versions here, but that's the case for all of its dependencies and is also common practice for libraries. This allows upstream dependencies to make backward-compatible changes, especially those that could fix security issues if they are found. The concern you're raising is fair - It's always a good idea to know about your transitive dependencies and be aware of their risk profiles. The question of "what if a package is compromised?" applies to all dependencies and ultimately is a call that developers have to make for their own projects. It's a fair reason to always fully pin down your dependencies, but the tradeoff is a lot of manual work to keep things updated as security patches are released from your various dependencies. This why is React query does include a yarn.lock file, so yarn users do actually use the exact same version as whatever the lockfile specifies.

I understand, that you want to collect usage statistics, but it looks dangerous. I can't be sure what information has been sent. And I don't accept agreement send some statistics. For example bower asked me explicit: Do you want send statistics?

It's understandable that you don't agree to send stats, and if that's the case, they can easily be disabled according to the instructions in the README of this project. Please let me know if you need any help with that.

If you'd like to see exactly what data is being sent, you can set the environment variable SCARF_VERBOSE=true, and the full analytics payload will be printed to the console so you can inspect yourself. It's small. The source code of @scarf/scarf itself is also available on Github (https://github.com/scarf-sh/scarf-js) and I encourage you to verify my claims yourself. If you find any security issues, please open an issue and it will be fixed promptly.

Let me know if there are any concerns here that haven't been properly addressed.

[Mavrin]

I read documentation and I understand how to disable @scarf/scarf. But I can build my project on developer machine or ci. How I can be sure that I disable scarf in all environment? Of course I can add config in package.json but it will be implicit.
I think tool should ask user about collect anonymous stats. It is easy don't notice message in install logs. I recommend to look how it did bower. Some related issue

[aviaviavi]

Hmm, can you elaborate on what you mean about it being "implicit" when you opt out via package.json? I'd say that this explicitly disables Scarf across all of your environments, locally and on CI. Is there is another way you'd prefer to opt-out? We can certainly implement it to make that easier for you.

I think tool should ask user about collect anonymous stats

scarf-js itself already behaves this way when a package depends on it with the opt-out by default setting. In React Query, it's opt-in by default, which is why you don't see this prompt.

[Mavrin]

I mean "implicit" that my project does't doesn't have direct dependency on Scarf but I should add to my package.json

"scarfSettings": {
    "defaultOptIn": false
  }

I understand your reasons. But I can’t agree with them 😞. Thank you for your time. I think we can close this discussion.

[aviaviavi]

Got it, I totally understand where you're coming from too. We'll be thinking of ways to make the opt out less implicit per your view. Thanks for your time and for bringing this up, the feedback is really appreciated.

[weyert]

I am wondering if this compliant with the GDPR here in the European Union. As personal identifiers like IP addresses is considered personal data hence fall under the GDPR.

[aviaviavi]

Yes, scarf-js is GDPR compliant. The only relevant personally-identifying information here is indeed the IP address, which Scarf immediately deletes after looking up any business information related to the IP.