Change Log
- Update supported Node.js versions up to
node@22
. Fixes javascript-obfuscator#1100 - Update
class-validator
version. Fixes javascript-obfuscator#1247 - Fixed CI
- Add target
service-worker
- Add support for
node@18
- Update dependencies
- Update
class-validator
dependency javascript-obfuscator#1146
- Breaking change:
debugProtectionInterval
option now accepts value in milliseconds instead ofboolean
value. Fixed javascript-obfuscator#1031
- Fixed cases when dead code is added to the inner code of
eval
expressions. Fixed javascript-obfuscator#1053
- Improved integration between
renameProperties
andcontrolFlowFlattening
options. Fixed javascript-obfuscator#1053
- Fixed missing transformation of string array calls in some cases
- Fixed generation of reserved identifier names like
Map
orSet
formangled
andmangled-shuffled
identifier names generators
- Updated copyright
- New options:
stringArrayCallsTransform
andstringArrayCallsTransformThreshold
- Fixed javascript-obfuscator#1046
- Added support of
es2022
features: class static block
- Dependencies update
- Fixed performance for Apple M1 chip
- Breaking change:
ignoreRequireImports
option renamed toignoreImports
- Breaking change:
rotateStringArray
option renamed tostringArrayRotate
- Breaking change:
shuffleStringArray
option renamed tostringArrayShuffle
ignoreImports
now ignoresdynamic
imports in addition torequire
imports
- Updated
@javascript-obfuscator/escodegen
with fixed parenthesis ofdefault export
IIFE
- Fixed very rare cases when
rotateStringArray
couldn't rotate array properly - Improved
selfDefending
option - Installed
npm
package now hastypes
directory and doesn't havesrc
directory - Fixed javascript-obfuscator#959
- Updated
@javascript-obfuscator/escodegen
with fixed generation of private property names
- Added support of
es2022
features: private identifiers and class properties - Dropped support for
node@15
- Increased minimum supported
node
versions:^12.22.0 || ^14.17.0 || >=16.0.0
- New option:
sourceMapSourcesMode
allows to controlsources
andsourcesContent
fields of the source map inputFileName
option now required when using NodeJS API andsourceMapSourcesMode
option hassources
value`- Fixed some cases with wrong source map file name generation when
sourceMapFileName
option is set
stringArrayWrappersType: 'function'
now generates different indexes between each wrapper inside the same lexical scopestringArrayWrappersType: 'function'
now generates different parameters order between each wrapper inside the same lexical scopestringArrayWrappersType: 'function'
now appendsFunctionDeclaration
functions instead ofFunctionExpression
functions. This allows to append these wrappers at random positions inside each scoperenameProperties
option now won't generate duplicated property names in some cases
- To increase performance and prevent possible runtime errors
transformObjectKeys
option now completely ignores objects withCallExpression
orNewExpression
nodes. Fixed javascript-obfuscator#948
- Improved
stringArray
calls wrapper decode code
- Improved
stringArray
calls wrapper code
- Slightly improved integration between
deadCodeInjection
andstringArrayWrappersChainedCalls
options
- Fixed invalid behaviour of
transformObjectKeys
option when object values containsthis
references. Fixed javascript-obfuscator#937
- Hotfix:
domainDest
=>domainLockRedirectUrl
option rename
- Added
domainDest
option that option allows the browser to be redirected to a passed domain if the source code isn't run on the domains or URL specified bydomainLock
. Thank you https://github.com/erikdubbelboer! ObfuscationResult
object now containsgetOptions
method to get options that were used during obfuscation
- Added
identifierNamesCache
option for reading and writing identifier names cache. SeeREADME.md
. - CLI: Added
--identifier-names-cache-path
option for reading and writing identifier names cache. SeeREADME.md
.
- Fixed invalid code generation for start/middle rest arguments when
controlFlowFlattenig
option is enabled. Fixed javascript-obfuscator#920 - Internal: Added support of
node@16
and dropped support ofnode@10
. This should not affect obfuscated code
stringArray
calls wrappers now inserted asFunctionDeclaration
nodes at random indexes
- CLI: now it's possible to specify the path to the input file after specifying the obfuscator options. Fixed javascript-obfuscator#904
- Added option
renamePropertiesMode
to switch between newsafe
and oldunsafe
modes ofrenameProperties
option. Fixed javascript-obfuscator#878 renameProperties
option now works insafe
way by default
- Fixed CVE-2019-18413. Fixed javascript-obfuscator#880
- Added support of
top-level await
. Fixed javascript-obfuscator#884
- Fixed invalid code generation for rest arguments when
controlFlowFlattening
option is enabled. Fixed javascript-obfuscator#887
- Fixed invalid behaviour of
numbersToExpressions
option for float numbers. Fixed javascript-obfuscator#882
- Fixed
simplify
option regression after2.10.2
. Fixed javascript-obfuscator#864
- Fixed behavior of
simplify
options when a node with a single-statementbody
is inside simplifiedIfStatement
node. Fixed javascript-obfuscator#860
- Removed padding characters from all base64 encoded strings. Removed RegExp that trims padding characters from
base64
encoded strings fromatob
code helper to prevent mutation ofRegExp.$1
value during calls to thestringArray
. Fixed javascript-obfuscator#829
- Improved
rotateStringArray
option
- Preventing move of
"use strict";
directive during obfuscation
- Fixed runtime errors in large obfuscated code when both
rc4
andbase64
encodings are enabled - Some internal refactoring related to node append events
- Fixed missing prefix of root identifiers added by
stringArrayWrappersCount
option whenidentifiersPrefix
option is set
- CLI: Fixed wrong name of obfuscated files when input directory path is the
.
symbol. javascript-obfuscator#816
- Ignore object expressions as body of arrow function expression when
transformObjectKeys
option is enabled. Fixed javascript-obfuscator#813
- Fixed wrong
stringArrayWrappersParametersMaxCount
CLI option name
- New option:
stringArrayIndexesType
accepts an array of types of string array call indexes - Changed default type of all string array call indexes from
hexadecimal-numeric-string
tohexadecimal-number
- New option:
stringArrayIndexShift
enables additional index shift for all string array calls - New option:
stringArrayWrappersParametersMaxCount
allows to control the maximum number of string array wrappers parameters stringArrayWrappersType: 'function'
option value moved fromhigh-obfuscation
tomedium-obfuscation
options preset
- Fixed incorrect rename of the identifiers of the added helpers in some rare cases. Fixed javascript-obfuscator#804
- New option
ignoreRequireImports
prevents obfuscation ofrequire
imports. Fixed javascript-obfuscator#801
- Updated
@javascript-obfuscator/escodegen
to2.1.1
- Switched form
escodegen
to@javascript-obfuscator/escodegen
- Full support of
nullish-coalescing
. Fixed javascript-obfuscator#604 - Support for
exported
field ofExportAllDeclaration
node. Fixed javascript-obfuscator#710
- Added ignoring of all object members previous to
SpreadElement
whentransformObjectKeys
option is enabled. Fixed javascript-obfuscator#797
- Added
ExportSpecifierTransformer
. Fixed javascript-obfuscator#791
- Fixed installation in
PowerShell
. Fixed javascript-obfuscator#783 - Tested under
Node.js@15
- Fixed missing rename of object pattern properties in some cases. Fixed javascript-obfuscator#781
- Migration to
webpack@5
- Optimized performance of
ExpressionStatementsMergeTransformer
whensimplify
option is enabled. Fixed javascript-obfuscator#777 - Fixed broken
identifierNamesGenerator: 'mangled-shuffled'
after2.2.0
. Fixed javascript-obfuscator#778
- Improved hierarchy of generated directories when
--output
is a directory path - Fixed wrong path generation for obfuscated files for
win32
environment. Fixed javascript-obfuscator#576 - Fixed wrong path generation under for source map for
win32
environment. Fixed javascript-obfuscator#760 javascript-obfuscator
now can be built underwin32
environment
- Fixed
URI-malformed
whensplitStrings
andstringArrayEncoding
options are enabled. javascript-obfuscator#530
- Small release with some README.md improvements that allow to use it on obfuscator.io
- New option:
forceTransformStrings
allows force transform strings even if bystringArrayThreshold
(or possible other thresholds in the future) they shouldn't be transformed. Implemented javascript-obfuscator#657
- Fixed a rare bug with
identifierNamesGenerator: 'mangled'
option that causes wrong identifier names generation
- New option:
stringArrayWrappersType
allows to select a type of the wrappers that are appending by thestringArrayWrappersCount
option - Add force convert of unicode control characters to the unicode escape sequence. Fixed javascript-obfuscator#747
- New option (enabled by default):
stringArrayWrappersCount
sets the count of wrappers for thestring array
inside each root or function scope - New option (enabled by default):
stringArrayWrappersChainedCalls
enables the chained calls betweenstring array
wrappers
- New API:
getOptionsByPreset
allows to get options for the passed options preset name
- Breaking change:
stringArrayEncoding
option now accepts an array of encodings. Each string will be randomly encoded with passed encoding
- Fixed regression bug with combination of
splitStrings
andrenameProperties
option. javascript-obfuscator#729
- New option:
optionsPreset
allows to set options preset
- Improved rename of
deadCodeInjection
dead code identifiers. Fixed javascript-obfuscator#708 - Reverted
TaggedTemplateLiteral
obfuscation. javascript-obfuscator#716
- Fixed obfuscation of literals of
ExportNamedDeclaration
andExportAllDeclaration
nodes
- Feature: Optional chaining support!
- Added
TaggedTemplateLiteral
obfuscation. javascript-obfuscator#696 - Improved
disableConsoleOutput
template. javascript-obfuscator#691
- Improved obfuscation of destructured variables. javascript-obfuscator#688
- Fixed runtime error
Uncaught SyntaxError: yield is a reserved identifier
whendeadCodeInjection
is enabled
domainLock
option patterns with leading dot character (.example.com
) now cover root domains (example.com
) in addition to all sub-domains (sub.example.com
). javascript-obfuscator#640
simplify
option now affects all block statements. Improved variable declarations merging.
- New option:
numbersToExpressions
enables numbers conversion to expressions
- Prevented mutation of the name sequences of
mangled
identifier name generators
- Fixed runtime error when
IfStatement
contains only singlelet
orconst
variable declaration whensimlify
option enabled. javascript-obfuscator#661 - Fixed wrong
source-map: 'inline'
encoding after1.3.0
- New
mangled-shuffled
identifier names generator based onmangled
identifier names generator
- New option:
simplify
enables additional code obfuscation through simplification
- Improvements of
stringArrayEncoding
:base64
andrc4
- CLI: added config file extension validation (it still supports
.js
and.json
extensions) - Fixed javascript-obfuscator#499
- Fixed performance regression of
Initializing
stage after1.2.0
- Support of old browsers when
selfDefending
is enabled. javascript-obfuscator#615
- Conditional comments will be removed from the code after obfuscation. javascript-obfuscator#641
- New option:
renameProperties
enables renaming of property names
- Fixed .d.ts typings. javascript-obfuscator#623
- Looks like obfuscator is ready for the first stable release
- Fixed error during code generation for
ObjectPattern
with singleRestElement
. javascript-obfuscator#607
- Added correct
self-defending
code fortarget: 'browser-no-eval'
. javascript-obfuscator#610
- Removed memory leak with
identifierNamesGenerator: 'mangled'
- Fixed change of kinds of variables for dead code with
deadCodeInjection
option
- Removed
acorn-import-meta
package
- Added BigInt support. javascript-obfuscator#588
- Fixed javascript-obfuscator#554
- Fixed identifiers prefix generation for
obfuscateMultiple
method
- Dependencies update, fixed https://www.npmjs.com/advisories/1488
- Feature: new method
obfuscateMultiple
to obfuscation of multiple source codes
- Internal: new code transformers mechanism
- Supported obfuscation of files with hashbang operator, javascript-obfuscator#471
- Additional fixes of javascript-obfuscator#550
- Improved
mangled
identifier names generator logic - Improved
selfDefending
helper logic - Fixed a bunch of conflicts between generated identifier names. Fixed javascript-obfuscator#550. Fixed javascript-obfuscator#549
- Prevented transformation of object keys in sequence expression that has
super
call - Support of output directory paths with a dot symbol
- Changed
--output
logic. Now--output
value can describe if it's a file or a directory path. Check README.md for more info
- Fixed support of exponentiation operator. Fixed javascript-obfuscator#534
- Added file path to the error message during directory obfuscation. Fixed javascript-obfuscator#513
- Fixed rc4 encoded value collision: javascript-obfuscator#538
- Reverted validation errors under
node
target forsourceMap*
options
- Internal refactoring: completely new mechanism to rename variable names
- Dynamic import and
import.meta
support. Fixed javascript-obfuscator#505 - Now usage of some browser-related options with
target: 'node'
will cause a validation error - Increased
identifierNamesGenerator: 'mangled
speed - CLI: a file path will be displayed on obfuscation error. Fixed javascript-obfuscator#513
- Fixed many
transformObjectKeys
runtime errors - Fixed
Maximum call stack size exceeded
error on large strings whensplitString
option is enabled - Fixed javascript-obfuscator#516
- Fixed javascript-obfuscator#512
- Fixed javascript-obfuscator#496
- Internal: switched from
awesome-typescript-loader
onts-loader
- Fixed javascript-obfuscator#475
- Fixed javascript-obfuscator#326
- New option:
shuffleStringArray
randomly shuffles string array items - Fixed javascript-obfuscator#494
- Internal change: switched AST parser from
espree
onacorn
- Internal refactoring: refactoring of string array storage and related things
- Fixed
TypeError: Assignment to constant variable
when auto-detection of kind of variables is insertedconst
variables forcontrolFlowStorage
nodes
- Breaking: auto-detection of kind of variables of inserted nodes, based on most prevailing kind of variables of source code
- Fixed javascript-obfuscator#486
- Fixed conditional comments in some rare cases
- Improved
transformObjectKeys
transformation to cover more cases - Fixed javascript-obfuscator#406
- Fixed javascript-obfuscator#387
- Fixed javascript-obfuscator#333
- Fixed javascript-obfuscator#328
- Fixed typings. Now string values correctly assignable to enum-like options
- Fixed
for-await-of
statement: javascript-obfuscator#419
- Fixed javascript-obfuscator#442
- Fixed javascript-obfuscator#468
- Added funding button
- Internal dependencies update, Happy New Year 2020!
- Fixed identifier names generations for
mangled
anddictionary
identifier names generators - Fixed combination of
identifierNamesGenerator: dictionary
anddebugProtection
options seed
option now acceptsstring
andnumber
values
- Breaking: dropped support of Node 8 because of end of maintenance support
- New option value:
identifierNamesGenerator
now allows to set newdictionary
identifier names generator - New option:
identifiersDictionary
sets identifiers dictionary foridentifierNamesGenerator: dictionary
option
Thanks to our contributors!
- Fixed
reservedNames
option
Thanks to our contributors!
- The
splitStrings
option now correctly works withtransformObjectKeys
option - Internal
TransformersRunner
rework to support topological sort of node transformers
- The
splitStrings
option now correctly splits strings inside objects
- The
splitStrings
option now affects template literal strings
- New option:
splitStrings
splits literal strings into chunks with length ofsplitStringsChunkLength
option value - New option:
splitStringsChunkLength
sets chunk length ofsplitStrings
option
Thanks to our contributors!
- Breaking: require Node.js 8 after dependencies update
- Fixed javascript-obfuscator#321
Thanks to our contributors!
Thanks to our contributors!
Thanks to our contributors!
- Fixed javascript-obfuscator#320
- Fixed javascript-obfuscator#319
- New option:
reservedStrings
disables transformation of string literals, which being matched by passed RegExp patterns - Fixed javascript-obfuscator#313
- Fixed javascript-obfuscator#309
- Fixed javascript-obfuscator#307
- Fixed javascript-obfuscator#303
- Fixed javascript-obfuscator#302
- Fixed javascript-obfuscator#293
- Fixed javascript-obfuscator#289
- Fixed javascript-obfuscator#288
- Browser version: Added browser version dist
- New Node API option:
inputFileName
allows to set name of the input file with source code. This name will used internally, for example, for source map generation. - #274
domainLock
now will work in SVG.
Fixed javascript-obfuscator#273 - Fixed javascript-obfuscator#271
- Fixed javascript-obfuscator#264
- Fixed javascript-obfuscator#260
- Fixed javascript-obfuscator#252
- Fixed javascript-obfuscator#247
- Correct obfuscation of object rest and spread properties
- Fixed javascript-obfuscator#243
- Internal change: switched AST parser from
esprima
onespree
- Breaking change: dropped
node@4
andnode@5
support. - Breaking change: renamed
extension
value oftarget
option onbrowser-no-eval
. - Breaking change: disabled generation of identifiers, which being matched by
reservedName
option. Fixed javascript-obfuscator#216 - New CLI option:
exclude
allows to exclude specific files or directories from obfuscation. - Correct obfuscation of
import
andexport
declarations. - Fixed javascript-obfuscator#231
- Fixed javascript-obfuscator#217
- Fixed javascript-obfuscator#210
- Internal: refactoring of many things.
- Fixed javascript-obfuscator#195
- Added code preview to
esprima
error messages.
- Temporary fixed javascript-obfuscator#181
- New option:
identifiersPrefix
sets prefix for all global identifiers. - New option:
transformObjectKeys
enables object keys transformation and obfuscation. - New feature:
eval
expressions obfuscation. - Breaking change: Now CLI obfuscating directory recursively. Fixed javascript-obfuscator#157
- Fixed runtime errors when
deadCodeInjection
is enabled andidentifierNamesGenerator
is set tomangled
. - Fixed javascript-obfuscator#171
- Fixed javascript-obfuscator#166
- Fixed javascript-obfuscator#156
- Fixed javascript-obfuscator#159
- Breaking change:
mangle
option was removed. - New option:
identifierNamesGenerator
allows to set identifier names generator (hexadecimal
ormangled
). - Breaking change: all CLI options were renamed to
kebab-case
format (--disableConsoleOutout
->--disable-console-output
). - Implemented custom
mangle
option algorithm withoutesmangle
; fixed javascript-obfuscator#110 - Comments with
@license
and@preserve
words won't be removed from obfuscated code. - Fixed javascript-obfuscator#147
- Fixed javascript-obfuscator#149
- Fixed javascript-obfuscator#129
- Fixed javascript-obfuscator#125 (dead code injection and await expression)
- Fixed javascript-obfuscator#123
- Fixed javascript-obfuscator#121
- Fixed javascript-obfuscator#119
- New option:
target
allows to set target environment for obfuscated code. - Added ability to disable and enable obfuscation for specific parts of the code by adding conditional comments.
- Added obfuscation of
es2015
class names. - CLI: added directory obfuscation.
- Fixed javascript-obfuscator#98
- Fixed javascript-obfuscator#94
- New option:
log
enables logging of the information to the console. - New option:
renameGlobals
allows to enable obfuscation of global variable and function names with declaration.
- Fixed javascript-obfuscator#78
- Fixed javascript-obfuscator#76
- New option:
deadCodeInjection
. With this option random blocks of dead code will add to the obfuscated code. - New option:
deadCodeInjectionThreshold
allows to set percentage of nodes that will affected bydeadCodeInjection
. - New option:
mangle
enables mangling of variable names. - New CLI option:
--config
allows to set config file with obfuscator options. - Breaking change:
disableConsoleOutput
option now disabled by default. - Breaking change:
escapeUnicodeSequence
option now disabled by default. controlFlowFlattening
now affects string literal nodes.- Increased runtime performance with
rc4
stringArrayEncoding
. - Added support for async functions
- Fixed javascript-obfuscator#71
- Fixed javascript-obfuscator#65
- Fixed javascript-obfuscator#60
- Fixed javascript-obfuscator#59
- Fixed javascript-obfuscator#54
- Fixed javascript-obfuscator#57
- Fixed javascript-obfuscator#58
- Fixed javascript-obfuscator#58
- Switched from
escodegen
toescodegen-wallaby
, fixed javascript-obfuscator#50
- Removed coverage dir from npm package
- Fixed javascript-obfuscator#37
- Breaking change: dropped
[email protected]
and[email protected]
support. - New option:
controlFlowFlattening
allows to enable/disable Control Flow flattening. Control flow flattening is a structure transformation of the source code that hinders program comprehension. - New option:
controlFlowFlatteningThreshold
allows to set percentage of nodes that will affected bycontrolFlowFlattening
. - Significantly increased obfuscation performance.
- Huge internal refactoring.
- Better
es2015
support: correct obfuscation ofTemplateLiteral
,ArrayPattern
,AssignmentPattern
nodes. - Switched from
npm
toyarn
internally. - Various bug fixes.
- Increased performance
- Fixed very rare
Cannot read property 'type' of undefined
error, whenRandomGeneratorUtils.getMathRandom()
returned incorrect value1
.
- Increased performance
- Breaking change: dropped
[email protected]
and[email protected]
support. - Switched from
npm
toyarn
internally.
- Transformers refactoring
- New option:
controlFlowFlattening
allows to enable/disable Control Flow flattening. Control flow flattening is a structure transformation of the source code that hinders program comprehension. - New option:
controlFlowFlatteningThreshold
allows to set percentage of nodes that will affected bycontrolFlowFlattening
. - Better
es2015
support: correct obfuscation ofTemplateLiteral
,ArrayPattern
,AssignmentPattern
nodes. - Obfuscation performance boost.
- Huge internal refactoring.
- Various bug fixes.
- Additional fixes for javascript-obfuscator#29
- Fixed javascript-obfuscator#29
selfDefending
option now disabled by default.
- New option
seed
sets seed for random generator. This is useful for creating repeatable results. - IE8 runtime error fix.
disableConsoleOutput
option now replacesconsole.xxx
functions on empty function instead of infinity loop.
- Breaking options change:
unicodeArray
option has been renamed tostringArray
. - Breaking options change:
unicodeArrayThreshold
option has been renamed tostringArrayThreshold
. - Breaking options change:
encodeUnicodeArray
option has been renamed tostringArrayEncoding
and now accepts following values:true|false|'base64'|'rc4'
. - Breaking change: option
wrapUnicodeArrayCalls
was removed and now all calls tostringArray
are always wrapped by special wrapper function. - New option
unicodeEscapeSequence
allows to enable/disable strings conversion to unicode escape sequence. - New option
domainLock
locks the obfuscated source code so it only runs on specific domains and/or sub-domains. - New option
sourceMapBaseUrl
sets base url to the source map import url whensourceMapMode: 'separate'
. - Custom nodes like
selfDefendingNode
orconsoleOutputNode
now inserted into deepest stack trace function call. - Fixed obfuscation of global variables and function names in some cases.
- Fixed wrong obfuscation of labels.
- Rewrite of many custom nodes.
- CLI missing polyfill fix #17
- IE error fix #14
- Obfuscator now returns an empty string instead of obfuscated code if source code is empty
- Fix of incorrect
Utils.decToHex
method
- Breaking API change: now
obfuscate(sourceCode, options)
returnsObfuscationResult
object insteadstring
.ObfuscationResult
object contains two public methods:getObfuscatedCode()
andgetSourceMap()
. - CLI. Now any code can be obfuscated through CLI
javascript-obfuscator
command. SeeREADME.md
for available options. - New option
sourceMap
enables source map generation for obfuscated code. - New option
sourceMapMode
specifies source map generation mode.