node.js code protection

Question

I was checking to see if it is possible to distribute a node.js application closed source. Not the client-side Javascript files but the server-side files as a commercial product. I suppose code obfuscation/uglification will not provide real privacy. Maybe something like packaging/compiling the source code into binary could help. Is this possible?

Answer 1

I did some searching around the NodeJS and v8 code.

First on NodeJS repository I found where the source code is first loaded executing on src/node.cc, line 1128:

Local<Value> ExecuteString(Handle<String> source, Handle<Value> filename)

Which first compiles the string, (and later executes), using:

Local<v8::Script> script = v8::Script::Compile(source, filename);

Taking a look at the v8 source code at deps/v8/include/v8.h, line 639, the Compile function returns:

Compiled script object, bound to the context that was active
  when this function was called.  When run it will always use this
  context.

I am not sure what the script being bound to the context implies, but I would argue that it is not just a binary object that you can save and transfer to another machine without having to transfer the whole context.

EDIT: Taking a deeper look at v8.h, there is also a ScriptData class, that pre-compiles a script to make the compilation faster, and that can be used with the Script class, but the Script class still requires the original source when loading the script. (Maybe for when printing errors, it knows where the error origin.)

In summary, I do not think it is possible without much work.

Answer 2

V8 is known to compile JavaScript internally and execute it. EncloseJS uses this feature to make a compiled executable out of node.js project. EncloseJS is a compiler for node/io.js - it gives you same privacy as classic compiler.