Hi @aviaviavi scarf is an awesome package, i hope it will be soon widely adapted by os libs.

I am having some questions related to scarf, mainly in context of disabling it for projects :) due to security policies :-

1. I have gone through docs and saw scarf can be disabled through packages json, but is there any way to switch off the same for multiple projects like monoreps etc..

2. Is it possible to have switch based on apps, for eg. say i have lib LibA that uses scarf, and this lib is used in AppA and AppB, can i switch it off for one of them ?

3. Say this the deps tree, LibD -> LibC -> LibB -> LibA -> scarf , and scarf is disabled through package.json in LibC will it be disabled for any application which uses LibD

I use react-table in a secure build environment. API requests from the build gets blocked. So when scarfJS tried to send same, it got blocked. I tried adding disable package.json config but didn't work. Following is the error observed

16:26:52 
16:26:52 SyntaxError: Unexpected end of JSON input
16:26:52     at JSON.parse (<anonymous>)
16:26:52     at /local/apps/test/frontend/node_modules/@scarf/scarf/report.js:65:27
16:26:52 npm ERR! code ELIFECYCLE
16:26:52 npm ERR! errno 1
16:26:52 npm ERR! @scarf/[email protected] postinstall: `node ./report.js`
16:26:52 npm ERR! Exit status 1
16:26:52 npm ERR! 
16:26:52 npm ERR! Failed at the @scarf/[email protected] postinstall script.
16:26:52 npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
16:26:52 

Right now Scarf uses npm ls output to determine dependency info for finding scarfSettings in a package.json. We'll need parity for users that are using yarn.

Raised in TanStack/table#2215

If a package has a dependency that depends on Scarf, it should be able to control whether Scarf is enabled for its users / its own dependent packages.

As suggested in TanStack/table#2012, it would be good to have a more fluid way of opting into analytics for a package that is opt-out by default. If configured to do so, scarf should be able to print a request for analytics and wait a very short amount of time for user input

Scarf should send runtime information, including when the runtime is not node. We have only tested Scarf-js with node so far. I'm not sure how it will behave with Deno, and I believe Bun currently surpresses postInstall hooks altogether if you're not in the top N packages.

Looks like the dev dependencies had an update that dependabot can't make on its own: https://github.com/scarf-sh/scarf-js/security/dependabot/package-lock.json/node-notifier/closed. This isn't a big deal here since the dev dependencies only affect those developing Scarf directly, but we still should get this fixed up.

Background

When scarf-js runs, it needs to figure out where in the dependency tree it lives. IE, which package is importing Scarf?

In order to achieve this, we run a shell command in order to find the path to Scarf in the current project dependency tree:

npm ls @scarf/scarf --json --long

However, on a project with lots and lots of dependencies, this command is quite slow:

~/d/f/s/superset-frontend ❯❯❯ time npm ls @scarf/scarf --json --long

npm ls @scarf/scarf --json --long  7.00s user 1.62s system 130% cpu 6.585 total

7 seconds on my mac! 😱

The runtime of this single command is way beyond the 3-second timeout scarf-js gives itself to run before quitting, in order to never block npm install.

The proposed solution below is what we decided to do with the Superset team, as other options (eg, bumping the timeout) all had significant drawbacks.

Why?

"Your IP address will be used to look up any available company information"

But it's the lie =)

Pls, explain me, how is it works technically.
How are you to grab a company info with the ip's knowledge?

This package was installed without my Consent.
I'd like to ask that you warn users prior to collecting any Analytics on them.

Furthermore, could you please provide me with your analytics endpoint server?
I wish to permanently prevent my computer from sending any further unsolicited Data to you.

TL;DR: I created a gist which can patch Scarf Analytics (@scarf/scarf on npm) with this Gist that replaces this lib on postinstall because NPM/Yarn gives you an ability to install any gist or repository like any package to node_modules folder.

Before you install it, delete @scarf/scarf folder in your local project node_modules folder if present (probably you are using some of this packages) or if you are going to install any of those packages in your current project.

Install mock version from Gist instead of local project version which sends your data with this commands depending of what package manager you use:

npm install --save-dev gist:bd5c18861b76eb34f068bf2ed7de903e
yarn add gist:bd5c18861b76eb34f068bf2ed7de903e --dev
pnpm install --save-dev gist:bd5c18861b76eb34f068bf2ed7de903e

It will install mocked version of Scarf Analytics in devDependencies.
The mock just gives you clear vision on what is running on postinstall. It just console.logs that scarf was mocked.

You can opt out from running postinstall scripts using npm install --ignore-scripts, yarn install --ignore-scripts or, if you use pnpm, pnpm install --ignore-scripts but be careful because some your packages will not work, like node-sass because they require compiling it or they just ask you to fund them which is good because you support good open-source developers and their works like the main JS polyfill on which works babel - core-js. Better support its developer for his job for JS ecosystem.
You probably can manually run postinstall hooks for each package you need by running it in node_modules/dependency_that_needs_building_or_compiling

npm/yarn/pnpm run postinstall

You are abke to globally disable running postinstall hooks via npm/yarn/pnpm config to be more secure.
https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability
Don't forget about vulnerabilities like:
https://www.zdnet.com/article/microsoft-spots-malicious-npm-package-stealing-data-from-unix-systems/
https://www.zdnet.com/article/cryptocurrency-startup-hacks-itself-before-hacker-gets-a-chance-to-steal-users-funds/
https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/
https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies
https://twitter.com/o_cee/status/892306836199800836)
https://medium.com/@jsoverson/how-two-malicious-npm-packages-targeted-sabotaged-one-other-fed7199099c8
https://blog.sonatype.com/sonatype-2020-0003-npm-malicious-package-1337qq-js

I am working on scarf patcher which will on library blacklist patch your package.json with this gist instead of running scarf:
https://www.npmjs.com/package/itssummernoscarfs

Well, let me explain a bit why it is bad idea.
So, you say this is "Google Analytics-like" for OSS libs, but NPM gives you ability to see how much users installed per week.
BTW, this package has ~300k downloads per week only because of redux-form, final-form, react-table.
Why do you need to see which OS users install lib?
There is 3 main OS: Windows (+Windows Subsystem for Linux), Linux, MacOS.
Look at the most popular from StackOverflow Survey 2020:
https://insights.stackoverflow.com/survey/2020#technology-platforms
Also, users when create issue tell you what OS they use.
Next, the OS architecture. Are you sure that architecture value will break lib? There is 3 most popular architectures: x64, x32 (x86) and ARM.
Library users can talk via issues if anybody has some problems even without scarfjs.
Also as I heard library sends IP adresses, what means also country and city to your server and, maybe, deletes it or not, but we don't know yet, we don't see the server code.
Also you are not protected from hacking your database, server or other and leaking data.
Somebody mentioned later that this library not GDPR-friendly and don't forget about NDA, because it's can be private or etc.
There is variant of creating issue like "Who uses *?" and there is a choice to say about company or no. What if my project is private and I doesn't want to leak any data about it?
Why this library gets data about my dependency list? You tell that is gets info about most used lib combo with those who has @scarf/scarf in their dependencies but then you say "Limited dependency tree information. Scarf sends the name and version of the package(s) that directly depend on scarf-js". What I think as lib user I mentioned above.
It sends data on EACH install and doesn't opt-out by default and there is already 300k download and it is used in ~1300 repos on GitHub regarding with "Used by" section on https://github.com/scarf-sh/scarf-js.
Also it takes some time to run every time it's postinstall script and can take up to minute depending on project.
Also, I forget it WILL run on CI every time on build!

I think this is spyware/rootkit/trojan which cannot be predicted in future, it looks like cancer of JS ecosystem and like any disease has to be cure at the very start/has to be deleted by antivirus before it could be worse.

Per https://consoledonottrack.com/, we should respect this standard in addition to our current environment variables