Moq – Privacy issues with SponsorLink, starting from version 4.20
As a long-time user of Moq, I’m horrified by this. I think the author has now reverted this but I’ll be moving away from this library anyway.
I’ll also be reevaluating all my NuGet dependencies and their potential security risks (so indirectly, one good thing I guess).
Reading all the comments on GitHub though, I’ve got to feel for the dev a bit - he has half the .NET community all piling on after years of his hard work likely being underappreciated (as is often the case with OSS developers).
He’s made a big misstep with this, and broken a lot of trust, but it genuinely doesn’t look like malice - rather just (really) terrible judgement.
Not excusing his mistake, but wow, I wouldn’t want to be on the receiving end of all that anger.
Personally I feel there is a limit to how angry I’m entitled to be after years of benefitting from this guy’s work without paying him a penny.
It’s really just a sad situation all round.
Edit: more info on the dev’s reasoning behind this change in his original blog post from January:
Yeah I've been following the thread but feeling a bit queasy because there's a real person on the end of all this vitriol.
I think a lot of people's anger and waving the GDPR stuff around is excessive. It's understandably annoying but at the end of the day this is just the implicit cost you pay for not having a commercial agreement in place. Maintainers can go rogue, make stupid decisions and disappear and frankly your comeback is 'fork it and do it yourself'. Not bombard the maintainer with invective and legal threats.
I wouldn't use Moq (or other libraries by this maintainer) again in light of their current behavior but the fork button is literally right there at the top of the page. If I want to use the code going forward I'd have to take ownership.
I think this also shows how nonsense the default security posture is for a lot of places. Dependabot has atrophied organisations' security sense. You almost never want to upgrade and sit at the bleeding edge, that's asking for zero days, supply chain attacks and bugs. Number goes up is not a sensible way of managing software. There's nothing wrong with a 2 year old dependency running in your solution if there are no reported security issues.
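The comment above argues for deliberately pinned, reviewed dependencies rather than automatic bleeding-edge upgrades. As an added example (not from the thread or from any commenter), the following script audits the `PackageReference` entries of a .csproj file the way a reviewer doing that reevaluation might: it flags floating or range versions that can silently drift, and it flags packages on a team-maintained watch list. The watch list entry for Moq is taken from the thread title ("starting from version 4.20"); the exact affected version range is an assumption to confirm against the project's own advisory, and the sample project file is constructed.

```python
"""Audit PackageReference entries in a .csproj for supply-chain hygiene.

Added example, not code from the thread. Two checks:
  1. unpinned versions (wildcards, ranges, pre-release tags) that let a
     build pick up a new release without anyone reviewing it;
  2. packages on a watch list whose pinned version is at or above a
     minimum the team has decided needs review.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample project file (not from the thread).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Moq" Version="4.20.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.*" />
    <PackageReference Include="xunit" Version="[2.4.2]" />
    <PackageReference Include="Serilog" Version="2.12.0" />
  </ItemGroup>
</Project>"""

# Watch list: package -> lowest version (inclusive) that should be reviewed.
# Assumption: Moq >= 4.20.0, per the thread title; verify against the advisory.
WATCHLIST = {"Moq": (4, 20, 0, 0)}


def parse_version(spec):
    """Return a 4-part numeric tuple for an exactly pinned NuGet version.

    Accepts '4.20.0' and the bracketed exact form '[2.4.2]'. Wildcards
    ('13.0.*'), ranges ('[1.0,2.0)'), pre-release tags and missing values
    all return None, meaning "not pinned to one reviewable release".
    """
    if spec is None:
        return None
    text = spec.strip()
    exact = re.fullmatch(r"\[(\d+(?:\.\d+)*)\]", text)  # NuGet exact-version syntax
    if exact:
        text = exact.group(1)
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (4 - len(parts))  # pad so '4.20' compares equal to '4.20.0.0'
    return tuple(parts[:4])


def audit_csproj(csproj_text, watchlist=WATCHLIST):
    """Return findings as (package, version spec, issue) in document order."""
    findings = []
    root = ET.fromstring(csproj_text)
    for ref in root.iter("PackageReference"):
        name = ref.get("Include")
        spec = ref.get("Version") or ref.findtext("Version")
        version = parse_version(spec)
        if version is None:
            findings.append((name, spec, "unpinned version"))
            continue
        minimum = watchlist.get(name)
        if minimum is not None and version >= minimum:
            shown = ".".join(str(p) for p in minimum[:3])
            findings.append((name, spec, f"watchlist: review versions >= {shown}"))
    return findings


if __name__ == "__main__":
    for package, spec, issue in audit_csproj(SAMPLE_CSPROJ):
        print(f"{package:20} {str(spec):12} {issue}")
```

Running it against the sample prints two findings: Moq 4.20.0 on the watch list and Newtonsoft.Json with a floating version; the bracketed exact pin and the plain pin pass. Pointing it at a real project means reading each .csproj (and, under central package management, the `PackageVersion` items in Directory.Packages.props) instead of the embedded sample.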
Tbf, the GDPR calls are justified. It is one thing to print a warning message on build but another thing to read dotfiles and mess with the filesystem of a user and send data from it to some server. No data privacy officer in Europe would allow the usage of the library.
Library author decisions aside, the implications for the .NET ecosystem are insane.
.NET Analyzers spawning processes, especially in an elevated environment. Pausing builds for 100ms for non-paying users. Silently leaking millions of user emails.
That all seems much dirtier than core-js drama.