Want to package my newly developed plugin and Dev Tool simply Zips all the contents of the folder and changes extension. Even .vscode and other unrelated content gets packaged. Also JS isn’t obfuscated in any way, so anyone can extract a plugin and use your code.
So my question would be as title says. What’s the best way to protect a plugin before sharing it? I know I can use some JS obfuscator probably, but maybe some recommendations?
Also, what should go to package.json? Is it needed at all? If it is, what license would fit best? Or is it not necessary and some copyright stuff should be added?
You can add .vscode to things like .gitignore or .npmignore, and the packager should ignore those files. Or, you can zip the files up yourself if you have specific files you don’t want to include.
JavaScript is JavaScript – meaning that there’s no foolproof way to protect the code. If you have secrets that cannot be shared, you need to keep those on a server.
Most bundlers (Webpack, Parcel, etc.) will allow you to “minify” your JS code to reduce the size, and also to help with obfuscation. But that code has to be run somehow, and you’ll quickly run into diminishing returns when it comes to trying to protect the code.,
We are working on some entitlement checking that will present an obstacle to casual copying, but if a malicious user who is technological wants to investigate the innards of your plugin, there’s not a whole lot you can do to stop them.
For package.json – All the marketplace cares about is the bundle ready for distribution. package.json is not part of this. You can include it, but UXP doesn’t do anything with it. (Note that if any step requires npm install to run your plugin, you’ll need to build your plugin with a bundler so that you can create a distribution version instead. UXP will not install npm packages on your behalf.)
There is a “self defending” option on this obfuscator site. It seems to do a good job to prevent the user from trying to “beautify” it and then run it. I think it would be more difficult than it would be worth for soemones time to try to make any sense out of the code after ran through this tool.
I was unaware of that issue. I didn’t see that in my testing. Were you using the debug protection and the self defending options? I only tried self defending because of the warnings with the debug protection in the website instructions. I didn’t see any issues when testing with only the self defending option.
However, I’m not actually using it now. I just went with the default obfuscator and just rename globals is all to at least renames the vars. I just can’t imagine many people wanting to steal a plugin javascript that badly to endure the pain of beautifying and then trying to figure out what the programmer did in the code.
Removed everything not needed and it looks like it’s fine