Plans for obfuscation of Lightning Component source when delivered in a managed package?

This Enable Debug Mode for Lightning Components documentation says:

By default, the Lightning Component framework runs in production mode.
This mode is optimized for performance. It uses the Google Closure
Compiler to optimize and minimize the size of the JavaScript code. The
method names and code are heavily obfuscated.

I’ve just installed one of our managed packages that now includes Lightning Components in a customer’s sandbox. While the Developer Console presents “(hidden)” in place of the managed package component XML or JavaScript, using e.g. Chrome’s “Developer Tools” it is easy to locate a single JavaScript file per component that contains the component JavaScript (minus the comments) and probably the other component artefacts in JSON encoded form. No obfuscation is applied (irrespective of the debug mode setting).

Apex code in managed packages is not visible in the org a managed package is installed into. This is a good thing to keep the software a “black box”, hiding ugly code and ensuring the source can’t be copied. So I’m surprised (given that the platform includes tooling that can obfuscate) that my code is not being obfuscated.

Any indication of if/when obfuscation of managed package Lightning Components will happen?

Answer

I believe in the next release we will minify and mangle the content of managed packages so it will make the reverse engineering very difficult.

Not sure if we will do it by default, or it will be an option, given that it will also limit the debugability from a developer point of view.

I will try confirm and post the final answer.

Attribution
Source : Link , Question Author : Keith C , Answer Author : Diego

Leave a Comment