Rename the Fingerprint icon to prevent issues with ad blockers

[warrenbhw]

Package

• [X] lucide
• [ ] lucide-angular
• [ ] lucide-flutter
• [ ] lucide-preact
• [ ] lucide-react
• [ ] lucide-react-native
• [ ] lucide-solid
• [ ] lucide-svelte
• [ ] lucide-vue
• [ ] lucide-vue-next
• [ ] Figma plugin
• [X] all JS packages
• [ ] site

Description

TL;DR: Popular ad blockers such as uBlock, uBlock Origin, and AdBlock try to prevent the loading of tracking scripts, which may include a "fingerprinting" module such as https://fingerprint.com/.

In some cases, the Fingerprint icon in Lucide is served as /fingerprint.js, which triggers ad blockers to block requests from the same origin or disable javascript on the page, breaking applications.

My proposal is to rename the Fingerprint icon to something like Thumbprint (note: this one runs some risk of being flagged as well, but probably safe), Fingermark, Fingerpad, Thumbmark, Blot, Blotch, or Smudge.

Longer explanation

see previous discussion of this issue here: https://github.com/lucide-icons/lucide/issues/1675

In some frameworks (ex. the standard Vite setup for SolidJS), the Fingerprint icon will be served to the browser as /fingerprint*.

Ad blockers see the keyword "fingerprint", which in this case is simply a reference the lucide Fingerprint icon, and assume that this is a fingerprinting script, rather than a literal SVG in the shape of a human fingerprint. As a result, blockers may attempt to disable Javascript on the page or block requests sent to that fingerprint script origin, which causes the app to fail.

Not all application frameworks or environments will have this issue, because they do one of these things:

• Mangle/obfuscate module names when doing incremental javascript loading, so that the Fingerprint icon isn't
• Perform tree-shaking, so an app that doesn't import the Fingerprint icon won't even have the Fingerprint icon in the bundle that it serves

Because of these mitigating factors, the primary case where this has been observed is when running a SolidJS/SolidStart app in dev mode, as there is likely no tree shaking. However (pending validation), I think there are cases in which this could impact production Solid apps and perhaps other frameworks.

Assuming that I have the correct diagnosis, here are some possible solutions:

• Lucide could use a name other than "Fingerprint" for the fingerprint icon, to prevent this footgun. This would be ideal, because it doesn't require users to be aware of the issue and implement a workaround
• Lucide could rename of get rid of the Fingerprint icon only for the lucide-solid distribution.
• Consumers of Lucide icons who are using a vulnerable framework such as Solid could set some kind of bundler/server configuration that works around this issue. Lucide could note this issue in docs and add a recommended vite config.

Use cases

Avoid breaking my SolidJS app in dev (or in prod if I actually use the Fingerprint icon).

Checklist

• [X] I have searched the existing issues to make sure this bug has not already been reported.

[warrenbhw]

cc @ericfennis - created this thread as follow-up on discussion in the other issue thread here.

[davidzetterdahl]

Just had this issue as well, became quite worried that this package had included a data logger. So yeah we can resolve this issue by disabling adblock on our machines for localhost, but to ask our customers to do it..

So might just end up not using this package :/