microsoft/accessibility-insights-windows

[Feature Request] Long-term Moq strategy

codeofdusk opened this issue · 3 comments

This applies to both Accessibility Insights for Windows and Axe.Windows, filing here for tracking of both.

Is your feature request related to a problem? Please describe.
Since 4.20.x, Moq has introduced a privacy vulnerability that improperly handles user data (see moq/moq#1372). In #1677 and microsoft/axe-windows#963, @madalynrose pinned our Moq version to 4.18.4.

Describe the solution you'd like
We should consider switching to an alternative unit testing library such as NSubstitute or a community-backed Moq fork when or if one emerges. If we choose NSubstitute, we might be able to automate part of the migration. It might make sense to do such a migration in stages, similar to microsoft/accessibility-insights-web#2869.

Describe alternatives you've considered
Continue to use Moq 4.18 indefinitely, with an understanding that we will likely be unable to take any updates to the library going forward.
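A CI guard for the pin described above, as an added example that is not part of the original issue or either project's code: it reads MSBuild project XML and reports any Moq reference that is not exactly 4.18.4. The sample project file, the verdict names and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PINNED = "4.18.4"          # version the issue says Moq was pinned to
FIRST_AFFECTED = (4, 20)   # the issue dates the problem to 4.20.x

# Constructed sample project file, not taken from either repository.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Moq" Version="4.18.4" />
    <PackageReference Include="moq"><Version>4.20.69</Version></PackageReference>
    <PackageReference Include="Moq" Version="4.*" />
    <PackageReference Include="NSubstitute" Version="5.0.0" />
  </ItemGroup>
</Project>"""

def local(tag):
    """Strip an XML namespace so old-style csproj files parse the same way."""
    return tag.rsplit("}", 1)[-1]

def moq_versions(xml_text):
    """Return the Version declared on each Moq reference (None if absent)."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        if (el.get("Include") or el.get("Update") or "").lower() != "moq":
            continue
        version = el.get("Version")
        if version is None:  # Version may be a child element instead
            version = next((c.text for c in el if local(c.tag) == "Version"), None)
        found.append(version.strip() if version else None)
    return found

def classify(version):
    """'ok' = the pin, 'affected' = 4.20 or later, 'drift' = another exact
    version, 'unpinned' = anything else (floating, range, missing)."""
    # Accept bare x.y.z or NuGet's exact-version form [x.y.z].
    m = re.fullmatch(r"(\[)?(\d+)\.(\d+)\.(\d+)(?(1)\])", version or "")
    if not m:
        return "unpinned"
    parts = m.group(2, 3, 4)
    if (int(parts[0]), int(parts[1])) >= FIRST_AFFECTED:
        return "affected"
    return "ok" if ".".join(parts) == PINNED else "drift"

def audit(xml_text):
    """Pair every declared Moq version with its verdict."""
    return [(v, classify(v)) for v in moq_versions(xml_text)]
```

A build step would run `audit` over each project or props file and fail on any verdict other than `ok`.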

This issue has been marked as ready for team triage; we will triage it in our weekly review and update the issue. Thank you for contributing to Accessibility Insights!

We want to wait and see what happens with the broader community on this.

I have worked with Moq, NSubstitute and FakeItEasy over the years and I have to say that I prefer FakeItEasy by far.

Also, not only was the Moq fiasco legally dubious, but they even used their versions for memeing (v4.20 instead of v4.19, v4.20.69).
Such things are not a great look when you have to provide SBOMs to regulatory bodies and customers.