Telemetry
The Dependency Guardian CLI has anonymous crash reporting on by default, and nothing else. There are no usage analytics, no per-command counters, no feature-flag pings, and no Sentry / PostHog / Google Analytics SDK in the binary. A crash report is a tiny, fixed payload (a classified error type, the CLI/Node versions, your OS and architecture, and which subcommand you ran) that helps us catch what breaks first for early users. It never contains your source code, file paths, error messages, stack traces, or the names of packages you scanned. Opt out any time with DG_TELEMETRY=0 or the industry-standard DO_NOT_TRACK=1.
Crash reports
When the CLI hits an unhandled error it sends a single, anonymous event to api.westbayberry.com/v1/cli/error. The whole payload is:
- A classified error type (for example network_timeout or parse_error) — never the raw error message.
- The CLI version and Node version.
- Your OS and architecture (for example darwin arm64).
- The subcommand you ran (for example scan), truncated.
That's the entire report. It carries no identifier, no source code, no file paths, no package names, and no stack trace — the full error and stack are only ever printed locally on your terminal. To turn crash reporting off, set DG_TELEMETRY=0 or DO_NOT_TRACK=1 in your environment; both also suppress the “file an issue” link the CLI offers after a crash.
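As an added illustration (not the CLI's own source), here is a sketch of the opt-out gate and fixed-shape crash payload described above; the field names, the error-classifier rules and the 32-character subcommand truncation are assumptions, and the check at the end is what a reviewer would run to confirm no message, stack or path can leak into it:

```javascript
// Added illustration, not Dependency Guardian code: an opt-out gate and a
// fixed-shape crash payload with only the fields this page lists.
// Field names, classifier rules and the 32-char truncation are assumptions.

const ALLOWED_KEYS = ['error_type', 'cli_version', 'node_version', 'os', 'arch', 'subcommand'];

// Either opt-out variable disables crash reporting; anything else leaves it on.
function telemetryEnabled(env) {
  return env.DG_TELEMETRY !== '0' && env.DO_NOT_TRACK !== '1';
}

// Map an error to a coarse category. Only err.code and the constructor are
// consulted; the raw message is never read, so it cannot end up in the report.
function classifyError(err) {
  if (err && (err.code === 'ETIMEDOUT' || err.code === 'ECONNRESET')) return 'network_timeout';
  if (err instanceof SyntaxError) return 'parse_error';
  if (err && err.code === 'EACCES') return 'permission_error';
  return 'unknown_error';
}

// Build the report. argv[0] is the subcommand; it is truncated, as the page says.
function buildCrashReport(err, argv, cliVersion) {
  return {
    error_type: classifyError(err),
    cli_version: cliVersion,
    node_version: process.version,
    os: process.platform,
    arch: process.arch,
    subcommand: String(argv[0] || '').slice(0, 32),
  };
}

// Reviewer check: exactly the allowed keys, every value a single-line string
// with no path separators (so a message, stack trace or file path would fail).
function reportIsSafe(report) {
  const keys = Object.keys(report).sort().join();
  if (keys !== [...ALLOWED_KEYS].sort().join()) return false;
  return Object.values(report).every(
    (v) => typeof v === 'string' && !v.includes('\n') && !v.includes('/') && !v.includes('\\'),
  );
}
```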
Scan data
Scanning sends package names and pinned versions so we can match them against our threat database and return a verdict. We pull the actual package artifacts straight from the public registry (npm or PyPI) on our side, never from your machine. We never receive your source code — only names and versions read from your lockfiles.
When you're signed in
dg login links this machine to your account. While signed in, your scans are recorded server-side (package name, version, and verdict) to power your dashboard, quota, and audit log — that's the same scan request that produces the verdict, not a separate analytics event. The CLI also checks your auth status on an interactive scan to show your plan tier and remaining quota.
dg logout (and dg uninstall) ask the server to invalidate your token and stop all of the above. The anonymous free tier still works without an account.
Version check
The CLI checks the public npm registry for a newer version of @westbayberry/dg. That request goes to npm, not to us — we never see it. Set CI=1 to skip it.
What we never send
- Your source code.
- File paths from your working directory.
- Error messages or stack traces — a crash report carries only a classified error type; the full message and stack are shown locally on stderr only.
- The names of packages you scanned (those go to the scan API to produce a verdict, never to the crash endpoint).
- Per-command counters, feature-flag pings, funnel pixels, or any other usage analytics — there is no analytics SDK in the CLI, only the anonymous crash report described above.
- Anything from outside your lockfiles.
See also
- Privacy policy — account data, retention, third-party processors
- CLI reference — every command, the binary exit codes, and the public env vars
- Getting started — install, login, first scan