[ https://issues.apache.org/jira/browse/TINKERPOP-2984?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Hockmann closed TINKERPOP-2984.
---------------------------------------
    Fix Version/s: 3.5.8
                   3.6.6
                   3.7.1
                   4.0.0
       Resolution: Fixed

> Replace Moq mocking library in .NET tests
> -----------------------------------------
>
>                 Key: TINKERPOP-2984
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2984
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: dotnet
>    Affects Versions: 3.7.0, 3.5.7, 3.6.5
>            Reporter: Florian Hockmann
>            Assignee: Florian Hockmann
>            Priority: Major
>             Fix For: 3.5.8, 3.6.6, 3.7.1, 4.0.0
>
>
> There has been some controversy around the .NET mocking library that we are 
> also using in some of our .NET unit tests: Moq.
> In short, a project called "SponsorLink" has been added as a DLL to the NuGet 
> package which sends a hash of the email address of the developer building the 
> project (meaning our unit test projects) to their server. The email address 
> is obtained from the git config. This was done to check whether the developer 
> is already sponsoring the Moq project and nag them otherwise to become a 
> sponsor.
> This is of course a privacy issue and probably in violation of the GDPR.
> [This article|https://www.bleepingcomputer.com/news/security/popular-open-source-project-moq-criticized-for-quietly-collecting-data/] contains a longer explanation.
> While SponsorLink has already been removed again, the main author stated the 
> intent to bring it back at a later point after finding another way without 
> needing to send hashed email addresses. So, I think we had better switch 
> to a different mocking library, especially since the introduction of 
> SponsorLink was done without much (/any?) advance notification or warning.
> We have by the way not been affected by this as we haven't updated Moq in our 
> repository to a version that included SponsorLink.
> I suggest that we migrate to [NSubstitute|https://nsubstitute.github.io/] 
> which is another big mocking library with an even easier to use API (at least 
> in my opinion) and very similar capabilities.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
