Tags: reactjs, facebook, security, privacy

Can I trust react-devtools not to breach my privacy?


I am starting to develop webapps in React, and I have found out that the Chrome extension react-devtools is almost a de facto requirement for coding React applications.

The tool (and React) is made by Facebook, a company infamously known for their complete lack of morals when it comes to data gathering and creepy surveillance of us all. And it requires the ability to access everything you are browsing (which is probably needed to work its magic), in order to be installed.

react-devtools has almost 1.5 million users (and they are probably all developers). Am I supposed to believe that Facebook will not exploit this obvious opportunity to follow every single thing we developers do in Chrome?

Does anybody in here know anything about react-devtools, and has anybody tried to analyse what data react-devtools sends in what directions? Because frankly I don't have this amount of trust for Facebook anymore, but it seems like react-devtools is inevitable, if I want to make React apps? :-(


Solution

  • Facebook isn't an open-source tool, but React devtools are. They have the same chance of containing malicious code that infringes on users' privacy as React itself. The probability of such code existing is negligible due to the attention from the open-source community, but it exists.

    You can audit the code if you have no trust in the OS community: https://github.com/facebook/react-devtools

    There are existing cases like AngularJS error reporting: an error is given as a URL and is supposed to be viewed on the official website, e.g. https://code.angularjs.org/1.6.9/docs/error/$injector/modulerr?p0=myApp&p1=Error:%20%5B$injector:nomod%5D%20Module%20 . It allows a company (Google) to collect anonymous data about application implementation details. Errors don't necessarily contain sensitive or usable data that affects privacy in any way, but they potentially can.
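
One way to start the audit the answer suggests, as an added example that is not part of the original answer or of the react-devtools code base: list the manifest grants that cover every site, then list each place the extension's source calls a network API. The function names and the sample manifest and sources are hypothetical and constructed for illustration.

```javascript
// Added example. Static first-pass audit of an unpacked extension: which grants
// cover every site, and where the code can send data out. Names are hypothetical.
const BROAD_HOST = /^(<all_urls>|(\*|https?|wss?|file):\/\/\*?\/\*)$/;
const EGRESS = [
  ["fetch", /\bfetch\s*\(/],
  ["XMLHttpRequest", /\bnew\s+XMLHttpRequest\b/],
  ["WebSocket", /\bnew\s+WebSocket\s*\(/],
  ["sendBeacon", /\bsendBeacon\s*\(/],
];
const URL_LITERAL = /["'`]((?:https?|wss?):\/\/[^"'`\s]+)/;

// Host patterns in the manifest that match all pages ("access everything").
function broadHostGrants(manifest) {
  const grants = [];
  const add = (where, list) => {
    for (const p of list || []) if (BROAD_HOST.test(p)) grants.push(`${where}: ${p}`);
  };
  add("permissions", manifest.permissions); // Manifest V2 lists host patterns here
  add("host_permissions", manifest.host_permissions); // Manifest V3
  (manifest.content_scripts || []).forEach((cs, i) =>
    add(`content_scripts[${i}].matches`, cs.matches));
  return grants;
}

// Every line that calls a network API, with the destination if it is a literal.
function egressSites(sources) {
  const hits = [];
  for (const [file, text] of Object.entries(sources)) {
    text.split("\n").forEach((line, i) => {
      for (const [api, re] of EGRESS) {
        if (!re.test(line)) continue;
        const m = line.match(URL_LITERAL);
        hits.push({ file, line: i + 1, api, url: m ? m[1] : null });
      }
    });
  }
  return hits;
}

// Constructed sample input, not taken from react-devtools.
const sampleManifest = {
  manifest_version: 2,
  permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
const sampleSources = {
  "inject.js": "window.postMessage({ source: 'hook' }, '*');",
  "background.js": "chrome.runtime.onConnect.addListener(() => {});\n" +
    "fetch('https://telemetry.example/collect', { method: 'POST' });",
};
console.log(broadHostGrants(sampleManifest), egressSites(sampleSources));
```

A line-based search like this misses minified, dynamically built or remotely loaded code, so pair it with watching the requests the installed extension actually makes in the browser's network inspector.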