Webpack-Processed JS Bundles/Obfuscated JS Code in WordPress Plugin Repository
-
I am seeking clarification on an important matter regarding the distribution of JavaScript files in plugins hosted on the WordPress Plugin Repository.
I recently encountered a popular WordPress plugin that only provides JavaScript code in the form of webpack-processed bundles. While the bundled code is technically unminified, it remains practically unreadable and unmodifiable due to its bundled nature. The original, human-readable source code and the associated build tools (e.g., webpack configuration) are not provided within the plugin package nor were they provided to me when I kindly requested them from the plugin author privately.
My understanding of the WordPress Plugin Repository Guidelines is that all code should be open and accessible, facilitating ease of modification and understanding. Specifically, guideline #4 states:
We require developers to provide public, maintained access to their source code and any build tools in one of the following ways:
- Include the source code in the deployed plugin
- A link in the readme to the development location
Additionally, the plugin in question is licensed under the GPL v2, which mandates the provision of the full, human-readable source code, including any scripts used for compilation and installation. Specifically:
The source code for a work means the preferred form of the work for making modifications to it.
GNU General Public License, version 2The source JavaScript files of the plugin in question, which are undoubtedly the “preferred form of the work for making modifications” are not shipped with the plugin but they are referenced in the code.
Given these points, I would like to seek an official stance from the WordPress community and moderators on the following:
- Is it permissible for a plugin distributed through the WordPress Plugin Repository to provide only webpack-processed bundles of JavaScript without including the original source code and build tools?
- Does the distribution of such bundled JavaScript files align with the requirement of making the code “readily available and easily accessible” as per the WordPress Plugin Repository Guidelines?
- How should cases where only bundled JavaScript is provided, with no access to the original source code, be handled in terms of compliance with the guidelines and GPL license?
Additional Concerns:
Plugins distributed in this manner are extremely difficult to fork or maintain. If the original plugin author decides to abandon the project, other developers would have to rebuild the original JavaScript files from scratch. This situation is harmful to the WordPress ecosystem, as it leaves users without support and potentially critical updates. Ensuring that all code is accessible and modifiable is essential for the longevity and health of the plugin community.
I believe that clear guidance on this matter will help maintain the integrity and openness of the WordPress ecosystem, ensuring that all users and developers can benefit from transparent and modifiable code.
-
@vodavodas A support forum topics about the Plugin Guidelines does is not as thing for popular opinion or a vote.
You could et 10 replies here and unless the plugins team agrees none of them matter. Also this is a GPL topic and we close those when found. I am closing this topic as well. GPL topics never go well and are almost never productive.
Send an email to the plugins team via
plugins[at]wordpress.orgor ask in the #pluginreview WordPress Slack channel.To use that channel you need a Slack account. You can obtain one via these instructions.
https://make.wordpress.org/chat/
Also, no files on the WordPress plugin repo should ever be obfuscated and please report those plugins that do that to that email address as well.
- The topic ‘Webpack-Processed JS Bundles/Obfuscated JS Code in WordPress Plugin Repository’ is closed to new replies.