Recently, some members of the Node.js community expressed concern about StrongLoop’s use of sl-blip to collect data. We’ve heard and understand these concerns and want to explain what data we collect, how we use it, and how we plan on addressing the concerns that were raised.
The StrongLoop team uses sl-blip to collect download metrics to see which modules are most popular and most frequently upgraded. The information collected is the same information that npm and many other download sites capture using the same time-honored method: parsing HTTP request logs. Every time the npm client downloads a package, it sends a User-Agent header that includes the OS, architecture, version of node, and version of npm. The Referer header is used to indicate which npm script phase is being executed (install or update). The path portion of the request includes, for obvious reasons, the name and version of the package being downloaded. You can see an example of this on npm’s privacy page. The raw logs are processed to give us anonymized stats at a package version level, very similar to the stats npm provides at the package level. This data provides insights into how the StrongLoop and LoopBack releases are downloaded and adopted around the world. Since we can introduce updates quite frequently, the data was useful for improving our product as well as giving us an indication of when we needed to remind community members to upgrade to the latest modules.
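To make concrete what a request log exposes and what survives aggregation, here is an added example (not StrongLoop's or npm's code) that parses log lines and keeps only per-package-version counts, discarding the client IP. The combined log format, the `/<name>@<version>` path layout, the `npm/<v> node/<v> <os> <arch>` User-Agent layout, and the `example-pkg` name are assumptions; the sample lines are constructed.

```javascript
// Constructed sample lines (documentation-range IPs, hypothetical package).
const SAMPLE_LOG = [
  '192.0.2.10 - - [01/Jan/2015:10:00:00 +0000] "GET /example-pkg@1.2.0 HTTP/1.1" 200 512 "install example-pkg" "npm/2.1.6 node/v0.10.33 linux x64"',
  '192.0.2.11 - - [01/Jan/2015:10:05:00 +0000] "GET /example-pkg@1.2.0 HTTP/1.1" 200 512 "install" "npm/2.1.6 node/v0.10.33 darwin x64"',
  '192.0.2.10 - - [02/Jan/2015:09:00:00 +0000] "GET /example-pkg@1.3.0 HTTP/1.1" 200 512 "update" "npm/2.1.6 node/v0.10.33 linux x64"',
  '198.51.100.7 - - [02/Jan/2015:09:30:00 +0000] "GET /example-pkg@1.2.0 HTTP/1.1" 200 512 "-" "curl/7.37.1"',
];

// Assumed layouts: combined log line, request path, npm client User-Agent.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP\/[\d.]+" \d{3} \S+ "([^"]*)" "([^"]*)"$/;
const PATH_RE = /^\/([^/@]+)@(\d+\.\d+\.\d+[\w.+-]*)$/;
const UA_RE = /^npm\/(\S+) node\/v?(\S+) (\S+) (\S+)$/;

// Everything one raw line reveals, including the client IP.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, path, referer, ua] = m;
  const p = PATH_RE.exec(path);
  const u = UA_RE.exec(ua);
  if (!p || !u) return null; // not an npm client download
  const word = referer.split(' ')[0];
  const phase = ['install', 'update'].includes(word) ? word : 'other';
  return { ip, name: p[1], version: p[2], phase, npm: u[1], node: u[2], os: u[3], arch: u[4] };
}

// Aggregate at package-version level; the IP is never copied into the result.
function aggregate(lines) {
  const stats = new Map();
  let skipped = 0;
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) { skipped += 1; continue; }
    const key = `${r.name}@${r.version}`;
    const s = stats.get(key) || { install: 0, update: 0, other: 0, os: {}, node: {} };
    s[r.phase] += 1;
    s.os[r.os] = (s.os[r.os] || 0) + 1;
    s.node[r.node] = (s.node[r.node] || 0) + 1;
    stats.set(key, s);
  }
  return { stats, skipped };
}

console.log([...aggregate(SAMPLE_LOG).stats]);
```

Note that the aggregate is only as anonymous as the retention policy for the raw lines: the per-request record still links an IP to a package, platform and runtime version until the log itself is deleted.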
Community feedback is important to us and has helped us shape our product. Based on the concerns brought forward, we are working on removing sl-blip in our next release while we find a more elegant and non-intrusive alternative with clearer opt-out options.
We will provide updates as we move forward. We appreciate the community sharing its thoughts and giving us an opportunity to address them.