Not too keen on the tracking code you added at #934.
I understand wanting more insight on your users - who doesn't? But a library should not be getting that information from the browsers the code is installed to. If you want to know more about your users, I suggest adding tracking code to your own docs site, looking at the interactions you have with users here, and looking at npm usage data.
A library that silently installs tracking code to send user data to some outside domain (even a more trusted domain, like google analytics) is two steps away from becoming malware - you could easily manipulate that tracking code to look for & record password fields, or turn on full keylogging, and send it all to google analytics.
With all that said, I'd argue that the tracking code should be removed in its entirety. I'd be curious to hear the case for why you need to keep it, but I think if you intend to you should at the very least make it opt-in, instead of letting it be enabled by default.
Hi @dpraul, thanks for posting and showing your concerns. I really appreciate this.
Adding stats was a long hesitation, because I didn't want to hurt or have any negative impact on users.
Of course, I did some research very carefully on other libraries before adding this.
But, on the other hand, from the long-term perspective of the library's sustainability, it needed an indicator to prove its growth and usability, because nobody was actively saying "I'm using the library".
The only indicators I was getting were the download or CDN hit numbers, from which I can't get any insights.
Well, I totally understand your concerns (which were my concerns also). I'll take one of these steps and will release it as a patch as soon as possible.
Remove stats-related code completely.
Disable by default
I think this is useless, because nobody will turn it on despite getting nothing beneficial from
Open source is basically for users and it should be carefully listening to their voices at all.
Thanks again for expressing your opinion and hope to hear more 😃
Thank you very much, I really appreciate the understanding and the quick turnaround. This is a great library and I'm glad we can continue to utilize it at our organization!