I created a gist which can patch Scarf Analytics (@scarf/scarf on npm) with this Gist that replaces this lib on postinstall because NPM/Yarn gives you an ability to install any gist or repository like any package to node_modules folder.
Before you install it, delete @scarf/scarf folder in your local project node_modules folder if present (probably you are using some of this packages) or if you are going to install any of those packages in your current project.
Install mock version from Gist instead of local project version which sends your data with this commands depending of what package manager you use:
npm install --save-dev gist:bd5c18861b76eb34f068bf2ed7de903e yarn add gist:bd5c18861b76eb34f068bf2ed7de903e --dev pnpm install --save-dev gist:bd5c18861b76eb34f068bf2ed7de903e
It will install mocked version of Scarf Analytics in devDependencies. The mock just gives you clear vision on what is running on postinstall. It just console.logs that scarf was mocked.
You are able to globally disable running postinstall hooks via npm/yarn/pnpm config to be more secure: https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability