Discussion on: Scarf.sh

Joshua Bronson Author

Documentation Insights

E.g., if a maintainer adds this to their docs site, will they have to add an annoying cookie banner to their site?

I found docs.scarf.sh/web-traffic/, which says "Scarf does not store the IP address itself, so no personally identifiable information is collected." I guess this means no cookie banner required?

SDKs for package authors

Quoting docs.scarf.sh/package-analytics/:

Fully transparent to the user. Scarf will log its behavior to the console during installation. It will never silently report analytics for someone that hasn't explicitly given permission to do so.

So that answers my UI question. But then I scrolled down and saw...

How does it work?

scarf-js registers a postInstall hook that sends telemetry information. This library has no runtime footprint, it only runs at installation time, when a developer runs npm install

...and yet there's no mention that this relies on the security vulnerability reported at blog.npmjs.org/post/141702881055/p... and more recently publicized in youtu.be/24tQRwIRP_w?t=923 (since which many users have disabled npm install scripts, corporate users especially).