JavaScript Obfuscator

5.4.1 · active · verified Sun Apr 19

JavaScript Obfuscator is a powerful, free-to-use library for transforming JavaScript and Node.js source code to make it harder to reverse engineer. The current stable version is 5.4.1. The project demonstrates an active release cadence with frequent minor and patch updates, indicating ongoing development and maintenance. Key features include VM-based bytecode obfuscation (available via the integrated Obfuscator.io Pro API), variable renaming, string extraction and encryption, dead code injection, control flow flattening, and various other code transformations. Its primary differentiator is the breadth of its obfuscation techniques, including advanced VM-based protection, making it a comprehensive solution for source code protection against tampering and intellectual property theft.

Common errors

```
ReferenceError: require is not defined
```
cause Attempting to use `javascript-obfuscator` in a browser environment with versions prior to 5.4.1, which had a bug related to `Utils.nodeRequire`.

fix Upgrade to `javascript-obfuscator@5.4.1` or newer. If running in a non-Node.js environment, ensure your build process correctly shims or polyfills Node.js-specific globals if necessary.
```
SyntaxError: Unexpected token
```
cause Malformation of obfuscated code, often caused by specific combinations of obfuscation options interacting incorrectly with certain JavaScript syntax, or bugs in the obfuscator itself.

fix First, upgrade to the latest patch version (e.g., 5.4.1) as many such bugs are fixed in patch releases. If the issue persists, try isolating the problem by incrementally enabling obfuscation options to identify the problematic setting. Report the bug to the library's GitHub issues with a minimal reproducible example.
```
Error: The 'javascript-obfuscator' package requires Node.js version 18.0.0 or higher. You are currently running Node.js version X.Y.Z.
```
cause Attempting to install or run `javascript-obfuscator` on an unsupported Node.js version.

fix Upgrade your Node.js runtime to version 18.0.0 or newer. Use a tool like `nvm` (Node Version Manager) or `n` to manage Node.js versions: `nvm install 18 && nvm use 18` or `npm install -g n && n 18`.

Warnings

breaking Version 4.2.0 dropped support for Node.js versions 17 and below. Projects running on older Node.js versions must upgrade their environment or stick to an earlier `javascript-obfuscator` version.
Fix: Upgrade your Node.js runtime to version 18.0.0 or higher. For npm, run `npm install -g n` then `n stable` or `n 18`.
gotcha Prior to version 5.4.1, using `javascript-obfuscator` in browser environments could lead to `ReferenceError: require is not defined` due to a non-lazy `Utils.nodeRequire` call.
Fix: Upgrade to `javascript-obfuscator@5.4.1` or newer. If you must use an older version in a browser, ensure `Utils.nodeRequire` is not invoked or use a bundler that correctly shims `require`.
gotcha Versions prior to 5.4.1 had a case-sensitive `domainLock` option. Domains provided would only match if the casing was exact, leading to unexpected bypasses.
Fix: Upgrade to `javascript-obfuscator@5.4.1` or newer. If staying on an older version, ensure all `domainLock` entries match the exact case of the target domains.
breaking Version 5.0.0 introduced support for JavaScript Obfuscator PRO via its API. While the core free obfuscation remains, advanced VM-based bytecode obfuscation and other PRO features require calling the external API, potentially changing workflow for users seeking the highest protection.
Fix: Review the documentation for `Obfuscator.io` and the `apiConfig` option if you intend to use the advanced PRO features. This may involve obtaining an API key and managing API calls.
gotcha Before version 5.4.0, the `reservedNames` option might not have correctly preserved class method and property names when `stringArray` or `deadCodeInjection` obfuscation features were enabled, leading to broken code.
Fix: Upgrade to `javascript-obfuscator@5.4.0` or newer. If using an older version, carefully test code using classes with `reservedNames` and these obfuscation features enabled, and consider alternative preservation strategies if issues arise.

Install

npm install javascript-obfuscator npm
yarn add javascript-obfuscator yarn
pnpm add javascript-obfuscator pnpm

Imports

JavaScriptObfuscator
wrong:
```
const JavaScriptObfuscator = require('javascript-obfuscator');
```
correct:
```
import JavaScriptObfuscator from 'javascript-obfuscator';
```
While CommonJS `require` might work in some contexts, the library primarily targets modern Node.js environments (>=18.0.0) which favor ESM imports.
ObfuscatorOptions
```
import type { ObfuscatorOptions } from 'javascript-obfuscator';
```
Importing types explicitly using `import type` is best practice for TypeScript to avoid bundling unnecessary runtime code.
obfuscate
wrong:
```
import { obfuscate } from 'javascript-obfuscator';
```
correct:
```
const result = JavaScriptObfuscator.obfuscate(code, options);
```
The `obfuscate` method is a static method on the default export, not a named export directly from the package.

Quickstart

This quickstart demonstrates how to import and use `javascript-obfuscator` to obfuscate a sample JavaScript code string with a comprehensive set of options.

import JavaScriptObfuscator from 'javascript-obfuscator';

const sourceCode = `
function greet(name) {
  const message = 'Hello, ' + name + '! Welcome to the obfuscated world.';
  console.log(message);
}

greet('Developer');

const secretData = {
  apiKey: 'super-secret-key-123',
  database: 'production-db'
};

function getSecret(key) {
  return secretData[key];
}

console.log(getSecret('apiKey'));
`;

const obfuscationOptions = {
  compact: true,
  controlFlowFlattening: true,
  controlFlowFlatteningThreshold: 0.75,
  deadCodeInjection: true,
  deadCodeInjectionThreshold: 0.4,
  debugProtection: false,
  debugProtectionInterval: 0,
  disableConsoleOutput: true,
  identifierNamesGenerator: 'hexadecimal',
  log: false,
  numbersToExpressions: true,
  renameGlobals: false,
  selfDefending: true,
  simplify: true,
  splitStrings: true,
  splitStringsChunkLength: 10,
  stringArray: true,
  stringArrayEncoding: ['base64'],
  stringArrayIndexShift: true,
  stringArrayRotate: true,
  stringArrayShuffle: true,
  stringArrayWrappersCount: 2,
  stringArrayWrappersType: 'variable',
  stringArrayThreshold: 0.75,
  transformObjectKeys: true,
  unicodeEscapeSequence: false,
  domainLock: [
    'example.com',
    process.env.DOMAIN_LOCK_TEST ?? '' // Example for environment variable usage
  ]
};

try {
  const obfuscatedResult = JavaScriptObfuscator.obfuscate(sourceCode, obfuscationOptions);
  console.log('Obfuscated Code:\n', obfuscatedResult.getObfuscatedCode());
  // You can also get the source map if enabled in options
  // console.log('Source Map:\n', obfuscatedResult.getSourceMap());
} catch (error) {
  console.error('Obfuscation failed:', error);
}

view raw JSON →