I keep getting rejected b/c of obfuscated code, please help me find my obfuscated code

I’ve been rejected 3 times now because of obfuscated code. The first 2 times were justified because of my own mistakes, however this most recent rejection is questionable.

Project here: dist.zip

I’ve made sure that my javascript files are not minified and obfuscated. Maybe they are talking about my html/css/map files? Those files are minified, they are not obfuscated. Anyone can put these files into a beautifier and see the source code. Surely they don’t care about minified css right? I also submit the Github link for this project during the review, but they don’t seem to care about that.

I have complaints about the review process in general. They only mentioned “Your Extension appears to contain insecure content. Please make sure all links, images, and requests are HTTPS only.” on the THIRD submission attempt. There are too many submission requirements, you can’t just list the first problem and click “reject”, when there are potentially other problems that would justify a rejection.

EDIT: I had already disabled all UglifyJS options before my most recent submission. I even enabled the beautify option for purposeful formatting.

all your js files are “obfuscated” using webpak

edit: to expand on this, your code should be “human” readable. a function named “+ZMJ” doesn’t convey what the function actually does.

So am I just screwed then? It’s not feasible for me to dig into webpacks code and change the way it works, and I don’t think i can change this behavior thru webpack config.

Can someone who’s successfully submitted an extension built by Webpack help me?

ill take a look, but maybe staff my able to chime in because i just inspected streamlabs extension and they have vue and webpack so it might be something else entirely thats triggering it

I don’t see why you wouldn’t be able to use webpack without obfuscating the code. When in development mode it does the normal bundling process but without uglify/minificaiton or anything like that, and when building for production you can set up the webpack configuration in a similar way and just not do those steps.

module.exports = {
  build: {
    extend (config) {
      config.plugins = config.plugins.filter((plugin) => plugin.constructor.name !== 'UglifyJsPlugin')
1 Like

UglifyJS was not active during my most recent submission.

Here is the config

    new webpack.optimize.UglifyJsPlugin({
      compress: false,
      mangle: false,
      output: { beautify: true },
      sourceMap: true

You can see that i even turned on beautify.

If you examine my js files you can see my original source code underneath all the webpack code.

My Code:

import { START_NEW_VOTE } from '@/store/actions'
import voteResults from '@/components/viewer/VoteResults'

export default {
	name: 'live-config',

Webpack output code:

"7Q9G": function(module, __webpack_exports__, __webpack_require__) {
	"use strict";
	var __WEBPACK_IMPORTED_MODULE_0__store_actions__ = __webpack_require__("mUbh");
	var __WEBPACK_IMPORTED_MODULE_1__components_viewer_VoteResults__ = __webpack_require__("vVR9");
	__webpack_exports__["a"] = {
		name: "live-config",
		methods: {
			startVote: function startVote() {
		components: {
			voteResults: __WEBPACK_IMPORTED_MODULE_1__components_viewer_VoteResults__["a"]

I don’t think the webpack code can be labeled “obfuscated”.

In response to the first poster

to expand on this, your code should be “human” readable. a function named “+ZMJ” doesn’t convey what the function actually does.

These cryptic function names are the module id’s that webpack assigns. They have nothing to do with the twitch extension logic itself, which is what Twitch is concerned about.

If Twitch could just specify which file violated the obfuscation rule, we could all avoid wasting time on speculation.

Did you get it approved im writing my Extension in react +redux and i’m using webpack and i’m getting it kicked back aswell

Nope. A twitch member reached out to me and i was able to ask a lot of questions about webpack and the review process. I’m still waiting for a response. I’ll post in this thread once i get one.

Just a general comment. When I write software for enterprise clients, they use a third party service, such as Veracode, to inspect the code. I only submit obfuscated code and they are somehow able to verify if a web page or application is safe. I can also submit binaries, without debugging symbols, and they can perform security scans and validate software for large enterprises. Is Twitch really reading files line by line as a security process? That seems error prone to say the least.

1 Like