[ https://issues.apache.org/jira/browse/TINKERPOP-2984?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Hockmann closed TINKERPOP-2984.
---------------------------------------
    Fix Version/s: 3.5.8
                   3.6.6
                   3.7.1
                   4.0.0
       Resolution: Fixed

> Replace Moq mocking library in .NET tests
> -----------------------------------------
>
>                 Key: TINKERPOP-2984
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2984
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: dotnet
>    Affects Versions: 3.7.0, 3.5.7, 3.6.5
>            Reporter: Florian Hockmann
>            Assignee: Florian Hockmann
>            Priority: Major
>             Fix For: 3.5.8, 3.6.6, 3.7.1, 4.0.0
>
>
> There has been some controversy around the .NET mocking library that we are
> also using in some of our .NET unit tests: Moq.
> In short, a project called "SponsorLink" has been added as a DLL to the NuGet
> package which sends a hash of the email address of the developer building the
> project (meaning our unit test projects) to their server. The email address
> is obtained from the git config. This was done to check whether the developer
> is already sponsoring the Moq project and nag them otherwise to become a
> sponsor.
> This is of course a privacy issue and probably in violation of the GDPR.
> [This article|https://www.bleepingcomputer.com/news/security/popular-open-source-project-moq-criticized-for-quietly-collecting-data/]
> contains a longer explanation.
> While SponsorLink has already been removed again, the main author stated the
> intent to bring it back at a later point after finding another way without
> needing to send hashed email addresses. So, I think we should better switch
> to a different mocking library, especially since the introduction of
> SponsorLink was done without much (/any?) advance notification or warning.
> We have by the way not been affected by this as we haven't updated Moq in our
> repository to a version that included SponsorLink.
> I suggest that we migrate to [NSubstitute|https://nsubstitute.github.io/]
> which is another big mocking library with an even easier to use API (at least
> in my opinion) and very similar capabilities.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)