🚨 Privacy & Security Concern: @vercel/analytics Included by Default (Sends Data Without Consent)
Description
This library includes @vercel/analytics as a dependency and initializes its analytics component automatically.
This causes the widget to send client data to Vercel without the application’s explicit consent mechanism.
This is a major security and privacy issue, especially for production apps that require:
- GDPR compliance
- DPDP (India) compliance
- CCPA compliance
- Explicit user consent before enabling analytics
- Multi-tenant data protection
Why This Is a Problem
- Analytics should never be bundled directly inside a UI component library. UI components must be privacy-neutral and must not track anything by default.
- @vercel/analytics sends data automatically once imported, even if the consuming app does not intend to use analytics.
This behavior leads to:
- Unintended data sharing with Vercel
- Broken consent flows
- Unsuitability for enterprise & regulated environments
- Violations of “Privacy by Design” principles
Expected Behavior
- Remove @vercel/analytics from dependencies.
- Analytics should be opt-in, never opt-out.
- The consuming application should have full control over analytics.
- If analytics is needed, provide a separate plugin or optional integration.
Actual Behavior
- The library injects analytics implicitly.
- Data is sent to Vercel as soon as components are mounted.
- There is no configuration to disable this behavior.
Request
Please:
- Remove the analytics dependency or
- Provide a configuration flag to fully disable analytics and prevent all outgoing analytics network requests.
This issue prevents using the library in:
- Multi-tenant applications
- Enterprise systems
- Compliance-heavy environments
- Apps with mandatory user consent requirements
I can contribute a PR if needed.
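
A consuming application can check whether a UI library pulls in @vercel/analytics transitively by inspecting its npm lockfile. The following is an added example, not part of the original issue or the library's code; the package name `example-ui-widget`, the sample lockfile and the function names are constructed for illustration.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" layout) for packages
// that declare a dependency on an analytics SDK the app never asked for.
const TARGET = "@vercel/analytics";

// Constructed sample lockfile; "example-ui-widget" is a hypothetical library.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "example-ui-widget": "^1.0.0", react: "^18.2.0" } },
    "node_modules/example-ui-widget": {
      version: "1.0.0",
      dependencies: { "@vercel/analytics": "^1.0.0" },
    },
    "node_modules/@vercel/analytics": { version: "1.0.0" },
    "node_modules/react": { version: "18.2.0" },
  },
};

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is whatever follows the last "node_modules/" segment.
function packageName(lockPath) {
  if (lockPath === "") return "(root)";
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Return every package that declares `target` as a (possibly optional) dependency.
// `direct` is true only when the application itself declared it.
function findDependents(lock, target = TARGET) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const declared = { ...entry.dependencies, ...entry.optionalDependencies };
    if (Object.prototype.hasOwnProperty.call(declared, target)) {
      hits.push({ dependent: packageName(lockPath), range: declared[target], direct: lockPath === "" });
    }
  }
  return hits;
}

// True when the target package is actually present in the install tree.
function isInstalled(lock, target = TARGET) {
  return Object.keys(lock.packages || {}).some((p) => p !== "" && packageName(p) === target);
}

console.log(findDependents(SAMPLE_LOCK), isInstalled(SAMPLE_LOCK));
```

To run it against a real project, pass the parsed contents of `package-lock.json` instead of `SAMPLE_LOCK`; any hit with `direct: false` is a package that brought the SDK in on the application's behalf.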