A powerful JavaScript code obfuscator for production builds with irreversible transformations. This package helps protect your JavaScript code by making it extremely difficult to reverse engineer while maintaining full functionality.
🔗 GitHub Repository: https://github.com/ashrithsathu/code-obfuscater
- Irreversible Obfuscation: Multiple layers of obfuscation that make code extremely difficult to reverse
- Multiple Presets: Choose from low, medium, or high obfuscation levels
- Flexible Input: Support for single files, directories, or glob patterns
- CLI & API: Use as a command-line tool or import as a library
- Production Ready: Obfuscated code maintains full functionality
- Configurable: Customize obfuscation via CLI flags or config files
Install as a development dependency:
# Using pnpm (recommended)
pnpm add -D code-obfuscater
# Using npm
npm install --save-dev code-obfuscater
# Using yarn
yarn add -D code-obfuscater
You can use the package directly without installing it:
# Obfuscate a single file
npx code-obfuscater obfuscate dist/bundle.js -o dist/bundle.obfuscated.js
# Obfuscate with high security preset
npx code-obfuscater obfuscate dist/bundle.js -p high -o dist/bundle.obfuscated.js
After installation, you can use it in your package.json scripts:
{
  "scripts": {
    "build": "webpack",
    "obfuscate": "code-obfuscater obfuscate \"dist/**/*.js\" -o dist-obfuscated",
    "build:prod": "npm run build && npm run obfuscate"
  }
}
Then run:
npm run obfuscate
Import and use in your code:
const { obfuscate } = require("code-obfuscater");
// or
import { obfuscate } from "code-obfuscater";
Obfuscate a single file:
# Using npx (recommended for one-time use)
npx code-obfuscater obfuscate dist/bundle.js
# Or if installed locally
code-obfuscater obfuscate dist/bundle.js
Obfuscate multiple files with glob pattern:
npx code-obfuscater obfuscate "dist/**/*.js" -o dist-obfuscated
- -o, --output <path>: Output directory or file path
- -p, --preset <preset>: Obfuscation preset (low, medium, high) - default: medium
- -c, --config <path>: Path to configuration file (JSON)
- --in-place: Replace input files in place
- --exclude <pattern>: Glob pattern to exclude files
Obfuscate with high preset:
npx code-obfuscater obfuscate dist/bundle.js -p high -o dist/bundle.obfuscated.js
Obfuscate entire directory:
npx code-obfuscater obfuscate "dist/**/*.js" -o dist-obfuscated
Obfuscate in place:
npx code-obfuscater obfuscate dist/bundle.js --in-place
Using a config file:
npx code-obfuscater obfuscate dist/bundle.js -c obfuscator.config.json
import { obfuscate, obfuscateFile } from "code-obfuscater";
// Obfuscate code string
const code = `
  function add(a, b) {
    return a + b;
  }
`;
const result = obfuscate(code, { preset: "high" });
console.log(result.obfuscatedCode);
// Obfuscate file
const fileResult = await obfuscateFile("./dist/bundle.js", {
  preset: "medium",
});
- low: Basic obfuscation with minimal performance impact
- medium: Balanced obfuscation (default) - good protection with reasonable performance
- high: Maximum obfuscation - strongest protection, may impact performance
Create a JSON config file (obfuscator.config.json):
{
  "preset": "high",
  "compact": true,
  "controlFlowFlattening": true,
  "controlFlowFlatteningThreshold": 0.75,
  "deadCodeInjection": true,
  "deadCodeInjectionThreshold": 0.6,
  "debugProtection": true,
  "debugProtectionInterval": 2000,
  "disableConsoleOutput": true,
  "stringArray": true,
  "stringArrayEncoding": ["base64", "rc4"],
  "stringArrayThreshold": 0.75,
  "transformObjectKeys": true,
  "unicodeEscapeSequence": true
}
The package uses multiple obfuscation techniques:
- Variable/Function Name Mangling: Replaces meaningful names with random identifiers
- String Encoding: Encodes strings using base64, rc4, or other methods
- Control Flow Flattening: Restructures control flow to make it harder to follow
- Dead Code Injection: Adds non-functional code to confuse reverse engineers
- Self-Defending Code: Protects against debugging and tampering
- Object Key Transformation: Obfuscates object property names
- Array/String Shuffling: Randomizes array and string order
After building your app, obfuscate the production bundle:
# Build your app first
npm run build
# Then obfuscate the output
npx code-obfuscater obfuscate "dist/**/*.js" -p high -o dist-obfuscated
# Or replace in place
npx code-obfuscater obfuscate "dist/**/*.js" --in-place
# Obfuscate all JS files in your server directory
npx code-obfuscater obfuscate "server/**/*.js" -o server-obfuscated
# Exclude test files
npx code-obfuscater obfuscate "server/**/*.js" --exclude "**/*.test.js" -o server-obfuscated
Add to your package.json:
{
  "scripts": {
    "build": "webpack --mode production",
    "obfuscate": "code-obfuscater obfuscate \"dist/**/*.js\" -p high -o dist",
    "build:prod": "npm run build && npm run obfuscate"
  }
}
Then run:
npm run build:prod
# .github/workflows/deploy.yml
- name: Build application
  run: npm run build
- name: Obfuscate code
  run: npx code-obfuscater obfuscate "dist/**/*.js" -p high -o dist
- name: Deploy
  run: # your deployment command
Create scripts/obfuscate.js:
const { obfuscateFile } = require("code-obfuscater");
const fs = require("fs").promises;
const path = require("path");
async function obfuscateBuild() {
  const buildDir = path.join(__dirname, "../dist");
  const files = await fs.readdir(buildDir);
  for (const file of files) {
    if (file.endsWith(".js")) {
      const filePath = path.join(buildDir, file);
      const result = await obfuscateFile(filePath, { preset: "high" });
      await fs.writeFile(filePath, result.obfuscatedCode);
      console.log(`Obfuscated ${file}`);
    }
  }
}
obfuscateBuild().catch(console.error);
Run it:
node scripts/obfuscate.js
// webpack.config.js
const { obfuscate } = require("code-obfuscater");
module.exports = {
  // ... your config
  plugins: [
    // ... other plugins
    {
      apply: (compiler) => {
        // afterEmit is an async hook: tapPromise makes webpack wait for the async callback
        compiler.hooks.afterEmit.tapPromise("ObfuscatePlugin", async (compilation) => {
          // Obfuscate output files
        });
      },
    },
  ],
};
code-obfuscater is built on top of javascript-obfuscator and provides a simplified, production-focused wrapper with better developer experience:
1. Built-in CLI Tool
- javascript-obfuscator: Library only, requires custom CLI setup
- code-obfuscater: Includes ready-to-use CLI with intuitive commands
2. Preset Configurations
- javascript-obfuscator: Manual configuration of all options
- code-obfuscater: Pre-configured presets (low/medium/high) for quick setup
3. File Handling
- javascript-obfuscator: Works with code strings, requires manual file I/O
- code-obfuscater: Built-in support for files, directories, and glob patterns
4. Production Defaults
- javascript-obfuscator: Source maps enabled by default
- code-obfuscater: Source maps disabled by default for irreversible obfuscation
5. Developer Experience
- javascript-obfuscator: More configuration options, steeper learning curve
- code-obfuscater: Simpler API, faster to get started, better for build pipelines
Use code-obfuscater if:
- You want a simple CLI tool for production builds
- You prefer preset configurations over manual setup
- You need to obfuscate multiple files or directories
- You want production-ready defaults out of the box
Use javascript-obfuscator directly if:
- You need fine-grained control over every obfuscation option
- You're building a custom obfuscation tool
- You need source maps for debugging
- You want to integrate with specific build tools that have plugins
- Node.js >= 16.0.0
- pnpm (recommended) or npm/yarn
MIT
Contributions are welcome! Please feel free to submit a Pull Request.
While this package provides strong obfuscation, no obfuscation is 100% secure. Determined attackers with enough time and resources may still be able to reverse engineer obfuscated code. Use obfuscation as one layer of your security strategy, not the only one.
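The comparison above relies on source maps being absent from the output; a .map file or sourceMappingURL comment left behind by an earlier build step returns the original source whatever preset was used. The following is an added example, not part of code-obfuscater or its documentation, of a check to run between the obfuscate and deploy steps. The function name auditBuildOutput, the finding labels and the sample files are constructed for illustration.

```javascript
// Added example: audit an obfuscated build for source-map leaks.
// Each entry is { name, text }; a pipeline would read these from the output
// directory (dist-obfuscated in the commands above). All names are illustrative.
const MAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=(\S+)/g;

function auditBuildOutput(files) {
  const names = new Set(files.map((f) => f.name));
  const findings = [];
  for (const { name, text } of files) {
    if (name.endsWith(".map")) {
      // A shipped map is a leak; one carrying sourcesContent holds the source verbatim.
      let embedded = false;
      try {
        const map = JSON.parse(text);
        embedded = Array.isArray(map.sourcesContent) &&
          map.sourcesContent.some((s) => typeof s === "string" && s.length > 0);
      } catch { /* not valid JSON: still report the file */ }
      findings.push({ file: name, issue: embedded ? "map-with-sources" : "map-file" });
      continue;
    }
    if (!name.endsWith(".js")) continue;
    for (const m of text.matchAll(MAP_COMMENT)) {
      const url = m[1].replace(/\*\/$/, ""); // tolerate the /*# ... */ comment form
      if (url.startsWith("data:")) {
        findings.push({ file: name, issue: "inline-map" });
        continue;
      }
      // Resolve the reference relative to the script's own directory.
      const dir = name.slice(0, name.lastIndexOf("/") + 1);
      const shipped = names.has(dir + url);
      findings.push({ file: name, issue: shipped ? "map-reference" : "dangling-map-reference" });
    }
  }
  return findings;
}

// Constructed sample output, not produced by the real tool.
const sampleOutput = [
  { name: "dist/app.js", text: "var _0x1a2b=['log'];console[_0x1a2b[0]](1);\n//# sourceMappingURL=app.js.map" },
  { name: "dist/app.js.map", text: JSON.stringify({ version: 3, sources: ["src/app.js"], sourcesContent: ["console.log(1);"], mappings: "AAAA" }) },
  { name: "dist/vendor.js", text: "var _0x3c=1;" },
  { name: "dist/worker.js", text: "var _0x4d=2;\n//# sourceMappingURL=data:application/json;base64,e30=" },
];
console.log(auditBuildOutput(sampleOutput));
```

In CI, fail the job when the returned array is non-empty.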