Remove 'npm-monitoring' analytics. #982

Closed
blopker opened this issue Jan 23, 2024 · 2 comments

blopker commented Jan 23, 2024

Scenario

  • What's the scenario, what happens and what did you expect to happen?

I noticed that the npm version of fingerprintjs phones home to https://m1.openfpcdn.io/, with a 0.1% sampling. The right behavior is that this library would not do that. It seems like this was configurable at one point (#950), but that was removed along with all references to this behavior.

It looks like developers can set window.__fpjs_d_m = true to disable this, but it feels invasive not to even mention it in the README. I've disabled it for now, but including this in such a sneaky way breaks trust in a big way.

Link to code:

function monitor() {

Please do the right thing and remove this, or at least tell people about it.

  • What device and browser are you using?

Desktop Firefox

  • What version of FingerprintJS are you using? (Bug reports not applicable to FingerprintJS master are subject to be closed without comment.)

Current version
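
One way to catch a sampled outbound request like the one reported above in a dependency test, added here as an example and not code from the issue or from FingerprintJS. `sampledBeacon` is a constructed stand-in built from the behaviour the issue describes (the `__fpjs_d_m` flag, the 0.1% sample, the host); its use of `fetch` and `Math.random`, and the `auditEgress` helper, are assumptions.

```javascript
// Host named in the issue; everything else in this block is constructed.
const REPORTED_HOST = 'm1.openfpcdn.io'

// Constructed stand-in for a dependency that reports home on a 0.1% sample
// unless the opt-out flag mentioned in the issue is set.
// Assumption: it samples with Math.random and sends with fetch.
function sampledBeacon() {
  if (globalThis.__fpjs_d_m || Math.random() >= 0.001) return
  globalThis.fetch(`https://${REPORTED_HOST}/`).catch(() => {})
}

// Runs `fn` with fetch replaced by a recorder that never touches the network.
// `random` pins Math.random; the default of 0 forces sampled branches to run.
function auditEgress(fn, { allowedHosts = [], random = () => 0 } = {}) {
  const realFetch = globalThis.fetch
  const realRandom = Math.random
  const seen = []
  globalThis.fetch = (input) => {
    // Accept a string, a URL object, or a Request-like object with .url
    const url = typeof input === 'string' ? input : input.url ?? String(input)
    seen.push(new URL(url).hostname)
    return Promise.reject(new Error('egress blocked by audit'))
  }
  Math.random = random
  try {
    fn()
  } finally {
    // Always restore the globals, even if the code under test throws
    globalThis.fetch = realFetch
    Math.random = realRandom
  }
  const unexpected = [...new Set(seen)].filter((h) => !allowedHosts.includes(h))
  return { seen, unexpected }
}

// A build check would fail when `unexpected` is non-empty.
const report = auditEgress(sampledBeacon)
console.log('unexpected egress hosts:', report.unexpected)
```

With a 0.1% sample, a run that does not pin the random source observes nothing almost every time, so the audit has to force the sampled branch. A browser harness would wrap `XMLHttpRequest` and `navigator.sendBeacon` the same way.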

Valve (Member) commented Jan 23, 2024

Hello @blopker
Thanks for creating this issue.
You're right, we did remove mentions of how to disable the NPM monitoring from the documentation.
This happened when we released a v4 of the library and changed its license to BSL.
You can read the details about this change here: https://fingerprint.com/blog/fingerprintjs-license-change

If you use v3 of the library, this capability is still documented, and the library version is available under a more permissive MIT license.

If you use the fourth version of the library (v4), public documentation no longer includes the description of how to remove the monitoring.
This is done because the BSL license does not permit using the library in production unless you have purchased a commercial license.
If you want to disable the monitoring without using the library in production, please email oss@fingerprint.com and we'll help you with this request.

> Please do the right thing and remove this, or at least tell people about it.

This behavior is documented in the public API documentation here:
https://github.com/fingerprintjs/fingerprintjs/blob/master/docs/api.md
There are no plans at this point to add instructions on how to disable the monitoring to the v4 documentation.

Hope this is helpful.

I'm going to close this issue, please feel free to reopen with additional questions or concerns.

Valve closed this as completed Jan 23, 2024

blopker (Author) commented Jan 23, 2024

Thanks for the reply and confirming this will not be fixed.

I've gone ahead and removed this from our dependencies.
