I was checking to see if it is possible to distribute a node.js application closed source. Not the client-side Javascript files but the server-side files as a commercial product. I suppose code obfuscation/uglification will not provide real privacy. Maybe something like packaging/compiling the source code into binary could help. Is this possible?
-
2node.js is hard coupled to v8. This means you need to use v8 to interpret your source code at run-time. I don't think it's possible to do closed source.Raynos– Raynos2011年11月07日 18:12:27 +00:00Commented Nov 7, 2011 at 18:12
-
Raynos is right, and besides that would slow down the application, because of the compiling overhead.alessioalex– alessioalex2011年11月07日 18:18:04 +00:00Commented Nov 7, 2011 at 18:18
-
Yes, look here for a way to precompile your code.Thiago Padilha– Thiago Padilha2012年09月28日 13:32:19 +00:00Commented Sep 28, 2012 at 13:32
-
2YES You can! answered here: stackoverflow.com/questions/5951302/node-js-code-protection/…Nuray Altin– Nuray Altin2014年02月01日 02:29:25 +00:00Commented Feb 1, 2014 at 2:29
-
Possible duplicate of node.js - Code Protection?Félix Brunet– Félix Brunet2019年02月21日 17:07:52 +00:00Commented Feb 21, 2019 at 17:07
3 Answers 3
I did some searching around the NodeJS and v8 code.
First on NodeJS repository I found where the source code is first loaded executing on src/node.cc, line 1128:
Local<Value> ExecuteString(Handle<String> source, Handle<Value> filename)
Which first compiles the string, (and later executes), using:
Local<v8::Script> script = v8::Script::Compile(source, filename);
Taking a look at the v8 source code at deps/v8/include/v8.h, line 639, the Compile function returns:
Compiled script object, bound to the context that was active
when this function was called. When run it will always use this
context.
I am not sure what the script being bound to the context implies, but I would argue that it is not just a binary object that you can save and transfer to another machine without having to transfer the whole context.
EDIT: Taking a deeper look at v8.h, there is also a ScriptData class, that pre-compiles a script to make the compilation faster, and that can be used with the Script class, but the Script class still requires the original source when loading the script. (Maybe for when printing errors, it knows where the error origin.)
In summary, I do not think it is possible without much work.
Comments
V8 is known to compile JavaScript internally and execute it. EncloseJS uses this feature to make a compiled executable out of node.js project. EncloseJS is a compiler for node/io.js - it gives you same privacy as classic compiler.
1 Comment
There is a good method you can try -- Recompile the NodeJS source code.
Open the nodejs src folder(nodejs-v0.xxx/lib/module.js),you will find this:
// Native extension for .js
Module._extensions['.js'] = function(module, filename) {
var content = NativeModule.require('fs').readFileSync(filename, 'utf8');
module._compile(stripBOM(content), filename);
};
Add new extension to suite your needs. For example:
// Native extension for .jse (encrypted js)
Module._extensions['.jse'] = function (module, filename) {
var content = stripBOM(NativeModule.require('fs').readFileSync(filename, 'utf8')).split('').reverse().join('');
module._compile(content, filename);
};
Then recompile nodejs, and encrypt your code and rename your code file extension from xxx.js to xxx.jse.