styled-components / polished

A lightweight toolset for writing styles in JavaScript ✨
https://polished.js.org/
MIT License

chore(scarf): add scarf package analytics dependency #559

Closed bhough closed 3 years ago

bhough commented 3 years ago

Adds scarf.sh dependency to track library and documentation usage.

codecov[bot] commented 3 years ago

Codecov Report

Merging #559 (561ab43) into version-4-1 (8cfe69d) will not change coverage. The diff coverage is n/a.


@@              Coverage Diff              @@
##           version-4-1      #559   +/-   ##
=============================================
  Coverage       100.00%   100.00%           
=============================================
  Files               88        88           
  Lines              831       831           
  Branches           305       305           
=============================================
  Hits               831       831           
Flag Coverage Δ
unittests 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Powered by Codecov. Last update 8cfe69d...1eae526.

Turbo87 commented 3 years ago

@bhough AFAICT using scarf is not GDPR-compliant because the users did not give their explicit approval to be tracked and opt-out is not enough to be compliant. I would strongly recommend to revert this PR.

aviaviavi commented 3 years ago

👋 Hi @Turbo87 and @bhough, author of the scarf-js package here and I'd like to respond to this claim. The @scarf/scarf package and associated data practices have been extensively reviewed by Scarf's legal team. The telemetry provided by this package is GDPR compliant.

We are not actually storing personally identifying information, which is a key factor here. IP address metadata is looked up to understand associated company information, but IPs themselves are not being stored. If PII was being stored and/or exposed to Scarf users, you'd be absolutely correct that opt-out wouldn't be enough to be compliant. The opt-out mechanisms we offer are not GDPR considerations, but rather a consideration for how we think OSS analytics like this should behave. There's more info about this on the README of scarf-js if it's helpful.

I see that this PR has already been reverted, but just want to chime in on the legality of this telemetry. It is our hope that this lets the polished contributors better understand how their work is being used, so they can deliver the best software they can to their users. 😄