JSDefender is distributed as TypeScript npm packages and supports all platform where Node.js runs. Currently, JSDefender requires Node.js version 8.0.0 or higher.

Supported Inputs

Multi-file protection (browser): You can specify an ordered list of JavaScript files, matching the order they will be loaded by a browser. JSDefender protects them one-by-one, while resolving declaration dependencies among them.
Multi-file protection (Node.js): You can specify a list of JavaScript modules. JSDefender protects them one-by-one.
Bundles: JSDefender recognizes bundles. As bundles are composed of modules, JSDefender can use its protection techniques in a sophisticated way that leverages the special traits of JavaScript modules and bundles.
Single-file protection: Protect a single JavaScript file.

No Support for eval()

JSDefender cannot correctly protect the expression passed as a string to the JavaScript eval() function.

Partial protection

JavaScript source code protection comes with a price. Your protected code may be longer than the original, and it also can have performance degradation. The JSDefender team invests heavily in research to find those techniques that mitigate these phenomena.

When you have an application using JavaScript, in many cases, you should not protect the entire source code. If you use a web UI framework (such as React, Angular, Vue, Svelte, or others), protecting the framework code might cause a general performance degradation.

JSDefender allows partial protection. You can add inline protection directives to the source code that specify fine-grained protection options for a particular partition of the source. With these directives combined with external configuration, you can easily implement these scenarios:

Exclusive protection: you protect all the code, except a few parts where you turn the protection off.
Inclusive protection: you do not protect the source code by default. Instead, you mark the pieces that contain the essence of your IP for protection.
Fine-grained protection: you apply different protection techniques to particular sections of the source code according to your intention and knowledge about those section's behavior and characteristics.

Installation

There are five different installable packages:

@preemptive/jsdefender-core: The core protection logic and public API of JSDefender. This is a dependency of all the other packages.
@preemptive/jsdefender-cli: A wrapper for JSDefender which allows you to run it from the command line.
@preemptive/jsdefender-webpack-plugin: A webpack plugin which allows you to hook into the webpack pipeline and protect the output chunks.
@preemptive/jsdefender-metro-plugin: A Metro plugin which hooks into the bundling process to protect the output bundle.
@preemptive/jsdefender-rollup-plugin: A Rollup plugin for running JSDefender on all chunks in a Rollup session. It uses a number of hooks to integrate JSDefender into the Rollup build process.

Each package has a README file where you can find more information.

Download the preemptive-jsdefender-*-{version}.tgz (e.g. preemptive-jsdefender-core-2.0.0.tgz) packages you want to install (where 'version' is the actual version you want) and put them outside of your project's directory (the best way is to place them next to your project's directory). After that install via your package manager:

npm install <package-directory>/preemptive-jsdefender-*-{version}.tgz --save-dev

yarn add file:<package-directory>/preemptive-jsdefender-*-{version}.tgz --dev

Note: If you are working in a team environment, the downloaded packages should be in the same place on every developer's machine in order to make it work.

Note: You must install @preemptive/jsdefender-core manually in order to use most of the other packages because it is a peer dependency of those packages.

Updating

To install a new version of preemptive-jsdefender-* in the form of a preemptive-jsdefender-*-{newVersion}.tgz file, place it outside of your project's directory and run the install script again with the new package:

npm install <package-directory>/preemptive-jsdefender-*-{newVersion}.tgz --save-dev

yarn add file:<package-directory>/preemptive-jsdefender-*-{newVersion}.tgz --dev

Installing from a Url

You can upload a JSDefender package to an online file store (e.g. Blob Storage) or to your own package registry.

Note: Do not upload JSDefender to a public package registry. It is for private use only.

npm install https://<package-url> --save-dev

yarn add https://<package-url> --dev

Installing Globally

@preemptive/jsdefender-cli also works as a system-wide/global CLI. To install it globally:

npm install <package-directory>/preemptive-jsdefender-core-{version}.tgz <package-directory>/preemptive-jsdefender-cli-{version}.tgz -g

yarn global add <package-absolute-directory>/preemptive-jsdefender-core-{version}.tgz <package-absolute-directory>/preemptive-jsdefender-cli-{version}.tgz

Note: Due to Yarn limitations you must specify the absolute path of the package to be able to install it globally.

Note: If you have not done so already, you must add the output of the yarn global bin command to your path to be able to run global Yarn packages.

Note: The Yarn Team considers global installation of a package as a bad practice in most cases.

After that you can use the jsdefender command everywhere in your system like you would use it as a local dev package.