Case Study: Moq and SponsorLink Warnings


Last week, Moq released version v4.20.0, which included a variety of changes to the mocking framework for .NET developers. The version was available for free on NuGet. The highlighted changes, according to the release notes, include, but are not limited to:

Users who wanted to take advantage of these features could upgrade Moq to this version using the NuGet package manager. However, the release drew major backlash after one user complained about a change introduced in this version.

The Outcry

It all started when one user updated one of their projects to the latest version of Moq. In the bug report (#1370), they describe running the build and seeing this message:

Here is the message, quoted in full:

Moq uses SponsorLink to properly attribute your sponsorship with devlooped. Please install the GitHub app at https://github.com/apps/sponsorlink. Build paused for 1229ms. This happens only once per IDE/editor session.

Installing the SponsorLink GitHub app ensures that your sponsorship is properly attributed to you.

MOQ101 warning from SponsorLink, Moq v4.20.0

Things got worse when another person who was seeing the same warning tried to suppress the warning code, MOQ101, with the following property in their project file:

<NoWarn>$(NoWarn);MOQ101</NoWarn>

In their testing, this still yielded an empty warning on every build, reading "(No message specified)", which is odd behavior for a suppressed diagnostic. Note that this was tested in Microsoft's Visual Studio.

The plot thickens…

The same person who reported the empty warning resulting from suppressing the SponsorLink message has stated that "our company GDPR rules won't allow leaking all developer internal email addresses, meaning we will be forced to switch to an alternative mocking framework."

This makes Moq unusable in commercial and business settings where every package must be thoroughly evaluated for its pros and cons before it is adopted. Moreover, if the reporter's reading of GDPR is correct, it leaves any company bound by those rules unable to use the framework at all.

One person flagged the change as one that "raises privacy concerns," which made the situation even more worrying for business setups.

Some went as far as to call SponsorLink a "virus" because "it gets its config from a remote location and hides itself for the first few days."

The Climax

More and more people were furious about the change, with some claiming that it sends local machine configuration to a remote server in order to check whether the developer building the project is a sponsor of the dependency. At the time, SponsorLink was a closed-source library whose assemblies were run through a .NET obfuscation tool to hide the source code. Unfortunately, this meant that a stream of people deemed it untrustworthy, saying it was "introducing a whole new attack vector by allowing SponsorLink outside communication during build times."

Moreover, many business environments with strict quality assurance build with warnings treated as errors, and SponsorLink uses a warning to nag developers into sponsoring the dependency's author; only once they sponsor does the warning turn into a message thanking them. In those environments the warning fails the build outright, pushing developers to the verge of switching to another mocking framework.

The "Error List" in Visual Studio was meant to list code and compilation problems in your projects: compile-time errors such as a failed implicit conversion between types, a wrong argument count, invalid syntax, and so on. SponsorLink's warning, by contrast, was widely regarded as an advertisement telling people to sponsor the project.

In strict business environments where warnings are treated as errors, effectively requiring developers to sponsor a dependency's owner before the build can pass is unacceptable, because it blocks the build process.

As a result, many people either downgraded Moq to a version that did not introduce this advertisement in the "Error List," or replaced Moq with another viable mocking framework, such as NSubstitute, Rhino Mocks, and so on.

The Response

First, SponsorLink's developers open-sourced the project in response to the outcry. It can now be found on GitHub.

The bug report linked above was closed with a message directing all developers affected by this issue to Issue #32 on the SponsorLink project.

However, Issue #16 raised even more concerns from users, some of whom classified it as malware. One user made a pointed comment on the situation, saying:

This project appears to be in violation of GDPR by sending hashed email addresses to a foreign server, allowing for user tracking. The use of obfuscated code further raises concerns about the project’s transparency and intentions. Therefore, we classify this package as malware.

@dmsch, GitHub

More and more issues were opened in protest against this change:

One user even took the matter to Reddit to ask C# developers for their opinion of the change, and the replies expressed the same outcry against it.

The Solution

The author of Moq has released a new version, v4.20.69, that fully removes SponsorLink, so developers can once again build their projects without any "please sponsor" warnings.

For reference, the SponsorLink source code is linked here, in case you want to investigate for yourself how it prompts developers to sponsor the projects and their developers.

It's advisable to either upgrade to the version mentioned above, which no longer includes SponsorLink messages, or to switch to NSubstitute or another viable mocking framework available on NuGet. We'll provide updates on this matter, especially if the Moq developers start to include SponsorLink again, which is unlikely to happen.
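To make the upgrade advice above and the earlier warnings-as-errors discussion concrete, here is an added audit script (written for this article, not code from Moq, SponsorLink or the bug reporters) that walks a set of MSBuild project files and answers two questions per file: does it reference a Moq version from the SponsorLink range, and would the MOQ101 warning fail the build because TreatWarningsAsErrors is on without an exemption for that code in WarningsNotAsErrors or NoWarn? The version boundaries (introduced in 4.20.0, removed in 4.20.69) come from the article; the assumption that every 4.20.x build in between also carries SponsorLink is ours. The sample project files are constructed for the example.

```python
import xml.etree.ElementTree as ET

# From the incident timeline: SponsorLink arrived in Moq 4.20.0 and was removed
# in 4.20.69. Assumption: every 4.20.x build in between also carries it.
SPONSORLINK_INTRODUCED = (4, 20, 0, 0)
SPONSORLINK_REMOVED = (4, 20, 69, 0)
SPONSORLINK_WARNING = "MOQ101"


def _local(tag):
    # Drop the legacy MSBuild XML namespace, if any, from an element tag.
    return tag.split("}")[-1]


def parse_version(text):
    """Exact NuGet version -> 4-tuple of ints; None for floating versions
    ('4.*'), ranges ('[4.20.0,)') or pre-releases, which need a lock file."""
    core = text.strip()
    if not core or core[0] in "[(" or any(c in core for c in "*-+"):
        return None
    parts = core.split(".")
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple([int(p) for p in parts] + [0] * (4 - len(parts)))


def classify_moq(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    return "affected" if SPONSORLINK_INTRODUCED <= v < SPONSORLINK_REMOVED else "ok"


def moq_versions(root):
    # Moq versions from <PackageReference>/<PackageVersion>, taken from the
    # Version attribute or the <Version> child element (old-style projects).
    for elem in root.iter():
        if _local(elem.tag) not in ("PackageReference", "PackageVersion"):
            continue
        if elem.get("Include", "").lower() != "moq":
            continue
        version = elem.get("Version")
        if version is None:
            child = next((c for c in elem if _local(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        if version:
            yield version


def warning_codes(root, prop):
    # All warning codes listed in an MSBuild property such as NoWarn.
    codes = set()
    for elem in root.iter():
        if _local(elem.tag) == prop:
            codes |= {p.strip().upper() for p in (elem.text or "").replace(",", ";").split(";")}
    return codes


def build_breaks_on_moq101(root):
    """True when TreatWarningsAsErrors is on and MOQ101 is neither kept as a
    warning (WarningsNotAsErrors) nor suppressed (NoWarn). The article reports
    NoWarn still leaves an empty warning, so it is an exemption, not a cure."""
    strict = any(_local(e.tag) == "TreatWarningsAsErrors" and (e.text or "").strip().lower() == "true"
                 for e in root.iter())
    exempt = warning_codes(root, "WarningsNotAsErrors") | warning_codes(root, "NoWarn")
    return strict and SPONSORLINK_WARNING not in exempt


def audit(files):
    # file name -> {"moq": affected|ok|unknown|none, "build_breaks": bool}
    report = {}
    for name, xml_text in files.items():
        root = ET.fromstring(xml_text)
        statuses = [classify_moq(v) for v in moq_versions(root)]
        moq = ("none" if not statuses else "affected" if "affected" in statuses
               else "unknown" if "unknown" in statuses else "ok")
        report[name] = {"moq": moq,
                        "build_breaks": moq == "affected" and build_breaks_on_moq101(root)}
    return report


# Constructed sample inputs for this example, not real project files.
SAMPLE_FILES = {
    "Strict.csproj": ('<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup>'
                      "<TreatWarningsAsErrors>true</TreatWarningsAsErrors></PropertyGroup>"
                      '<ItemGroup><PackageReference Include="Moq" Version="4.20.0" /></ItemGroup></Project>'),
    "Exempted.csproj": ('<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup>'
                        "<TreatWarningsAsErrors>true</TreatWarningsAsErrors>"
                        "<WarningsNotAsErrors>$(WarningsNotAsErrors);MOQ101</WarningsNotAsErrors></PropertyGroup>"
                        '<ItemGroup><PackageReference Include="Moq" Version="4.20.2" /></ItemGroup></Project>'),
    "Legacy.csproj": ('<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><ItemGroup>'
                      '<PackageReference Include="Moq"><Version>4.18.4</Version></PackageReference>'
                      "</ItemGroup></Project>"),
    "Directory.Packages.props": ('<Project><ItemGroup>'
                                 '<PackageVersion Include="Moq" Version="4.20.69" /></ItemGroup></Project>'),
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_FILES).items():
        print(name, result)
```

Point the script at real files by reading each .csproj and Directory.Packages.props into the dictionary. A WarningsNotAsErrors or NoWarn exemption only keeps the build green; it does not remove the package's build-time component, so the only real fix is to move the pinned version out of the affected range, either back to a pre-4.20.0 release or forward to 4.20.69.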

Enjoy!
