This repository has been archived by the owner on Jan 13, 2024. It is now read-only.

Can the executable be decompiled to get back the source #194

Closed
adnan-kamili opened this issue Aug 13, 2017 · 5 comments

Comments

@adnan-kamili
I was checking the error log and the stack trace contained file names with line numbers. Is our source code in compiled form and safe, and node_modules in the source form? I have set private: true in package.json.

@igorklopov
Contributor

igorklopov commented Aug 14, 2017

Pass -d to the pkg command line to see if a file was placed with source code or not. As a rule, node_modules goes with sources as there are permissive licenses and no private: true in packages there. Top-level code (your code) goes without source if you use private: true.

@FarhadMohseni
Given the unclear explanation from the others, here is a dirty way to do that: you can open the file with a hex editor (HxD, for example) and search for the strings, pick the ones you want, and modify them in another file.

@o0101

o0101 commented Aug 11, 2022

or in a nix/darwin shell just type:

$ strings my-pkg-binary | less

or

$ strings my-pkg-binary | grep <something i care about> | less

@jseparovic
> Pass -d to pkg command line to see if a file was placed with source code or not. As a rule, node_modules goes with sources as there are permissive licenses and no private: true in packages there. Top-level code (your code) goes without source if you use private: true

@igorklopov It seems that if there are packages that are private and unlicensed in node_modules the sources are still revealed. Why would there be such a restriction that private packages in node_modules cannot be hidden?

@o0101

o0101 commented Sep 22, 2022

It may simply be an oversight-- I'm not one of the authors-- but people would generally think that stuff you install from npm would be public. Even though it sounds like you and I both know that's not true because you can publish private packages up there that only you can access.
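
The check this thread circles around, confirming that your own files were not packaged with readable source, as an added shell example that is not part of the original thread or of pkg. It assumes files shipped with source are stored uncompressed in the binary; the function name `leaked_sources` and the 40-character threshold are choices made here.

```shell
#!/bin/sh
# Added example (not pkg's own tooling): audit a packaged binary for
# source files whose text is still readable inside it.
# Assumption: files included "with source" are stored uncompressed, so
# their lines appear byte-for-byte in the executable.

# leaked_sources BIN DIR [MINLEN]
# Prints every *.js file under DIR that has at least one line of MINLEN
# or more characters appearing verbatim in BIN. Short lines such as
# "'use strict';" are skipped because they match almost anything.
leaked_sources() {
    bin=$1 dir=$2 minlen=${3:-40}
    find "$dir" -type f -name '*.js' | sort | while IFS= read -r f; do
        # Sample the first 5 lines long enough to be distinctive.
        awk -v n="$minlen" 'length($0) >= n' "$f" | head -n 5 |
        while IFS= read -r line; do
            # -a: treat the binary as text, -F: fixed string, -q: quiet
            if grep -aFq -- "$line" "$bin"; then
                printf '%s\n' "$f"
                break
            fi
        done
    done
}

# Stand-alone use: sh audit.sh ./my-pkg-binary ./src ./node_modules/my-private-pkg
if [ $# -ge 2 ]; then
    bin=$1; shift
    for d in "$@"; do leaked_sources "$bin" "$d"; done
fi
```

An empty result for a directory means none of the sampled lines were found; a listed file is one to exclude or to compile without source before shipping.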
