How Do We Handle JavaScript Obfuscation?

My team of five developers and I have been working on a large ecosystem, but we’ve hit a roadblock. We’re unsure about the next steps because it seems we might not be allowed to encrypt our scripts ourselves, particularly since JavaScript cannot be encrypted with escrow.

The main question is: are we really not allowed to handle script obfuscation on our own? Are there better practices we should follow to protect our code despite ESCROW’s limitations?

No, you are not.

Why exactly? There is no other way to ‘encrypt’ a resource written in JS, and selling the complete source will lead to the resource being posted for free.

It’s not allowed to obfuscate your JS code to ensure the safety of the users.

Yeah, I get that. But there is no other alternative.

Then there isn’t much to discuss. If you don’t want to post your code openly just don’t release it - as the author(s) you have the exclusive right to do what you want with your code :wink:
Escrow is being updated and worked on consistently; however, JS protection isn’t the highest priority from what I know.

We were told two years ago that ESCROW for JS would be released “soon.”

Not releasing our project is not an option. We all worked our asses off on this project, and releasing it to the public won’t be possible without some kind of barrier to prevent buyers from spreading the code.

On top of that, I know I am not the only one upset by this. Many developers are choosing not to release their scripts because there is no proper way to encrypt them at the moment.

As far as I know, there is no way to encrypt the JS; you can use obfuscators, though that won’t stop people from copying the code. However, since it’s a FiveM script, they won’t be able to do much with the JS alone, so I don’t think you should worry. Although I understand you perfectly, I would also prefer to be able to encrypt it (sorry for my English, I’m from Spain).

Nope, as stated above.

Ummm, what? What does it being a FiveM script have to do with what people can do with it? I think you are forgetting the fact that you can use JS for client and server stuff, not just UI.

I just checked the release rules, and you are right, my mistake.

Write it in Lua

The output of Webpack/Vite of large projects when bundled and minified is pretty much unusable for everyone who wants to have your source code.

Can’t I obfuscate on top of it and implement an authorization system until ESCROW for JS is out? Rewriting so much code from JS to Lua isn’t an option.

Escrow is the only allowed solution; you may not use your own obfuscators or some custom auth system - that’s clearly against the rules here. If you got straight logic you should be doing it in Lua anyway under normal circumstances, TBH, unless you have a reason not to.

Saying the only allowed option is ESCROW when it clearly isn’t an option is absurd. If I could encrypt using ESCROW I would, I simply can’t.

3 years have passed since the release of ESCROW. Why not provide a clear statement regarding ESCROW for JS? I don’t get them, honestly.