Moq testing framework under fire for phone-home SponsorLink monetization

A popular open source mocking framework for .NET is under fire from developers, following the inclusion of SponsorLink, a closed-source library which sends a hash of the user’s email to its servers without specific consent.

“This is a nightmare. I’m going to have to swap out Moq everywhere. I’m more than happy for Open Source maintainers to get financial support, but harvesting my details underhandedly is completely unacceptable,” was the reaction of one developer.

Moq creator Daniel Cazzulino responded, saying: “I gave a shot at a comprehensive revamp of Moq, but it’s just a shit-ton of work. Couldn’t continue working on that for free … tried quite hard for SponsorLink to not be privacy-leaking (added a note to the project’s readme), and hopefully that’s an acceptable compromise.”

Cazzulino removed SponsorLink from Moq after strong feedback from developers, but the reason given was that it “breaks MacOS restore,” rather than privacy considerations.

Mocking is a testing technique whereby some application dependencies are simulated in order to test features effectively. It is typically used as part of a DevOps CI (continuous integration) automated process. The Moq library has been downloaded 476 million times, according to its NuGet page, and averages over 100,000 downloads a day.

SponsorLink, also developed by Cazzulino, was introduced in January under the headline “trying something new-ish for OSS sustainability.” The library pauses a build with a message such as “please consider supporting Moq ongoing development by sponsoring”, with a link to add a payment via GitHub Sponsors. The link only appears when using an IDE. “SponsorLink will never interfere with a CI/CLI build,” said Cazzulino’s post. The part that is now contentious though: the code reads the configured git email address, hashes it with SHA256, and sends it to a relative URL on Azure Blob storage to discover whether or not the developer is a sponsor and to show messages accordingly.

Developers have some sympathy but the consensus so far is that this is not the best approach. “The problem isn’t about not being willing to pay developers for their hard work. No one is denying that hard work went into this. It’s about the way this ‘sponsorship’ is implemented, what it does and the fact that it’s closed source and obfuscated,” said one.

Others hastened to remove Moq from their build process, looking at alternatives such as NSubstitute.

A further issue is that the SponsorLink library did in fact cause some build failures, despite Cazzulino’s intentions. “SponsorLink is blocked in our dependency scanning software, so this won’t build on our CI servers,” said another comment.

Some devs protested with comments like: “Many people would be more than happy to sponsor the project, but this was absolutely not the way to go.” The reality though is that even a package as popular as Moq can struggle to get enough sponsorship to fund its development, leaving open source maintainers like Cazzulino in a difficult spot.

It is notable that despite Cazzulino flagging his intentions more than six months ago, users of the library hardly noticed until SponsorLink went live.

Another issue is the fact that commonly used packages like Moq can change in ways that some consider unacceptable, without detection until they are running on an organization’s infrastructure. “NuGet has a problem – it’s dangerous. Code we download from it doesn’t run in a sandbox (unless we build one around the whole dev environment) and has the capability to do much worse than phoning home with a hash of the email,” said a developer.
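The mechanism described above (code shipped inside a NuGet package that runs during the build and phones home) and the closing point that NuGet code does not run in a sandbox both come down to the same question for a defender: which restored packages place executable code on the build-time path at all? As an added example, not Moq's or SponsorLink's code, the script below walks a NuGet global-packages cache and reports every DLL a package ships under its `analyzers/` folder, which is where build-time code lives, flagging any package not on an allowlist. It assumes the standard `~/.nuget/packages` layout; the sample cache, package versions and DLL names it builds are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Default NuGet global-packages folder (assumption: standard dotnet layout).
DEFAULT_CACHE = Path.home() / ".nuget" / "packages"

def find_analyzer_dlls(cache_root):
    """Yield (package_id, version, dll_path_relative_to_package, sha256) for every
    DLL under an 'analyzers/' folder of a restored package. Analyzer DLLs are
    loaded and executed by the compiler during a build, so they deserve review."""
    root = Path(cache_root)
    for pkg_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for ver_dir in sorted(v for v in pkg_dir.iterdir() if v.is_dir()):
            analyzers = ver_dir / "analyzers"
            if not analyzers.is_dir():
                continue  # package ships only libraries; no build-time code
            for dll in sorted(analyzers.rglob("*.dll")):
                digest = hashlib.sha256(dll.read_bytes()).hexdigest()
                yield pkg_dir.name, ver_dir.name, str(dll.relative_to(ver_dir)), digest

def audit(cache_root, allowlist):
    """Return findings for analyzer DLLs in packages outside the allowlist,
    i.e. packages not already known to legitimately ship build-time code."""
    approved = {p.lower() for p in allowlist}
    return [
        {"package": pkg, "version": ver, "dll": rel, "sha256": digest}
        for pkg, ver, rel, digest in find_analyzer_dlls(cache_root)
        if pkg.lower() not in approved
    ]

def build_sample_cache():
    """Constructed sample cache (not real package contents): a mocking library
    whose newer version suddenly gains an analyzer, plus an allowlisted package."""
    root = Path(tempfile.mkdtemp())
    (root / "moq" / "4.18.4" / "lib" / "netstandard2.0").mkdir(parents=True)
    newer = root / "moq" / "4.20.0" / "analyzers" / "dotnet" / "cs"
    newer.mkdir(parents=True)
    (newer / "Constructed.PhoneHome.dll").write_bytes(b"MZ constructed, not a real DLL")
    nsub = root / "nsubstitute.analyzers.csharp" / "1.0.16" / "analyzers" / "dotnet" / "cs"
    nsub.mkdir(parents=True)
    (nsub / "NSubstitute.Analyzers.dll").write_bytes(b"MZ constructed")
    return root

if __name__ == "__main__":
    # Run against the constructed cache; swap in DEFAULT_CACHE for a real audit.
    for f in audit(build_sample_cache(), allowlist={"NSubstitute.Analyzers.CSharp"}):
        print(f"{f['package']} {f['version']}: {f['dll']} sha256={f['sha256'][:16]}...")
```

Pinning the reported hashes in source control turns this into a diff check: a test-only dependency that suddenly gains an analyzer DLL, as happened here, shows up as a new finding on the next restore rather than as a surprise at build time.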