DEV Community

Discussion on: Open Source Sustainability

Kevin Sullivan (wolverineks)

What were the arguments against using Scarf?

Erik Rasmussen (erikras)

Basically just around the "implicit contract" I mentioned in the article. It feels "dirty" or "shady" or "creepy" to have a library force your computer to upload information about you (minimal as it may be) to anyone. The irony, of course, is that you're trusting NPM with this knowledge...basically as a requirement, since they have a monopoly in this space (No wonder Microsoft liked them! 🤣). Also, nothing about the npm install build process is secure. There's nothing stopping a library from adding a postinstall script that uploads ~/**/* to a server somewhere, and now you have no privacy. None of us are running our npm install commands from some permissions-restricted account, aside from the CI vendors.


Kevin Sullivan (wolverineks)

What's your opinion on the following? Are either of those deal-breakers?

  • explicit / no opt out
  • explicit / opt out

Kevin Sullivan (wolverineks)

And what would be an acceptable opt-out mechanism?

  • go into node modules and flip a toggle?
  • 2 npm packages?
  • a branch sans scarf?

Samuel Scheiderich (samsch_org)

Hey Kevin, here's a write-up of the main issues: gist.github.com/samsch/c38f3109701...

I acted as point person for pushing to get scarf dropped from libraries, so I'm an explicitly biased source. However, I did drop this for some review in the discussion channel on Reactiflux where a lot of conversation about this happened.