Scarf does not store any personally identifiable information (PII) from SDK telemetry data. Scarf collects information that’s helpful for:
• Package maintenance.
• Identifying which companies are using a particular package, in order to enable communication and support agreements between developers and commercial entities.

Specifically, scarf-js sends:
• The operating system in use when the package is downloaded.
• The end user’s IP address, which is used to look up available company information. Scarf does not store the IP address.
• Limited dependency tree information. Scarf sends the name and version of the package(s) that directly depend on scarf-js.
• Additionally, scarf-js sends the SHA256-hashed name and version of packages in the dependency tree that meet these requirements:
- They depend on a package that depends on scarf-js.
- Scarf also shares the root package of the dependency tree.

In this way, we provide maintainers with information about the public packages using their code, without exposing identifying details of non-public packages.
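
The split between plaintext and hashed fields described above can be sketched as follows. This is an added example, not scarf-js source code: the field names, the separate hashing of name and version, the hashing of the root package, and the package names in the sample are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumption: each field is hashed on its own as hex SHA-256 of the UTF-8 string.
function sha256Hex(value) {
  return crypto.createHash('sha256').update(value, 'utf8').digest('hex');
}

// chain: dependency path, root package first, ending with the package that
// directly depends on scarf-js. Field names below are hypothetical.
function buildReport(chain, platform) {
  if (chain.length === 0) throw new Error('empty dependency chain');
  const hashed = (p) => ({ nameHash: sha256Hex(p.name), versionHash: sha256Hex(p.version) });
  const direct = chain[chain.length - 1];
  const report = {
    platform,                                               // operating system
    direct: { name: direct.name, version: direct.version }, // sent in the clear
    root: hashed(chain[0]),                                 // hashed only
  };
  // The package that depends on the direct dependent, when there is one.
  if (chain.length >= 2) report.parentOfDirect = hashed(chain[chain.length - 2]);
  return report;
}

// Receiving side: a hash maps back to a name only if that name is already known.
function resolveName(nameHash, knownNames) {
  return knownNames.find((n) => sha256Hex(n) === nameHash) ?? null;
}

// Constructed sample data: private root, public intermediate, direct dependent.
const sampleChain = [
  { name: 'acme-internal-billing', version: '3.1.0' },
  { name: 'public-ui-kit', version: '2.0.0' },
  { name: 'some-lib', version: '1.4.2' },
];
const publicNames = ['public-ui-kit', 'some-lib'];

const report = buildReport(sampleChain, process.platform);
console.log(JSON.stringify(report, null, 2));
console.log('parent resolves to:', resolveName(report.parentOfDirect.nameHash, publicNames));
console.log('root resolves to:', resolveName(report.root.nameHash, publicNames));
```

When auditing what leaves a build machine, compare the serialized report against your list of internal package names: only the direct dependent's name should appear unhashed.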