Security: Production build generates sourcemaps (exposes source code) #122

Closed
opened 2026-05-17 21:27:06 -05:00 by null · 0 comments
Owner

Problem

vite.config.js has sourcemap: true in the build config. This generates .map files alongside production JS bundles, making the full source code (including components, API logic, validation rules, and internal structure) visible to anyone who opens DevTools.

This is a security concern for a production site — it reveals implementation details that could aid in crafting attacks against the forms, API endpoints, and validation logic.

Fix

Either:

  • A) Remove sourcemap: true entirely (default is false, no .map files generated)
  • B) Set sourcemap: "hidden" — generates .map files for error tracking services but does not expose them in DevTools

Recommendation: Option B if using an error tracking service like Sentry. Option A otherwise.

Files

  • vite.config.js — line with sourcemap: true

Severity

Medium — source code exposure aids attackers but requires DevTools access

null closed this issue 2026-05-17 21:53:57 -05:00
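
A post-build check for either option, as an added example that is not part of the issue or the project's code. With `sourcemap: "hidden"` Vite still writes the .map files into the build output and only omits the `sourceMappingURL` comment from the bundles, so the check flags .map files left in the deploy directory as well as map references inside bundles. The function names, issue labels and sample file names are constructed for illustration.

```javascript
// Added example (not from the issue): audit the files a deploy would publish.
// Matches the trailing comment a bundler appends to link a bundle to its map.
const MAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=(\S+)/;

// files: { relativePath: textContent } for everything in the deploy directory.
function auditBuildOutput(files) {
  const findings = [];
  for (const [file, content] of Object.entries(files)) {
    if (file.endsWith('.map')) {
      // Still served from the web root even when no bundle references it.
      findings.push({ file, issue: 'map-file-deployed' });
    } else if (/\.(m?js|css)$/.test(file)) {
      const m = MAP_COMMENT.exec(content);
      if (m) findings.push({ file, issue: m[1].startsWith('data:') ? 'inline-map' : 'map-reference' });
    }
  }
  return findings;
}

// Reads a real build directory (for example 'dist') and audits it.
async function auditDir(dir) {
  const { readdirSync, readFileSync } = await import('node:fs');
  const { join, relative } = await import('node:path');
  const files = {};
  const walk = (d) => {
    for (const e of readdirSync(d, { withFileTypes: true })) {
      const p = join(d, e.name);
      if (e.isDirectory()) walk(p);
      else if (/\.(m?js|css|map)$/.test(e.name)) files[relative(dir, p)] = readFileSync(p, 'utf8');
    }
  };
  walk(dir);
  return auditBuildOutput(files);
}

// Constructed samples of what the output directory holds under each setting.
const MAP_BODY = '{"version":3,"sources":["../../src/main.js"]}';
const SAMPLE_TRUE = {   // sourcemap: true
  'assets/index-a1b2c3.js': 'console.log("app");\n//# sourceMappingURL=index-a1b2c3.js.map\n',
  'assets/index-a1b2c3.js.map': MAP_BODY,
};
const SAMPLE_HIDDEN = { // sourcemap: "hidden"
  'assets/index-a1b2c3.js': 'console.log("app");\n',
  'assets/index-a1b2c3.js.map': MAP_BODY,
};
const SAMPLE_OFF = { 'assets/index-a1b2c3.js': 'console.log("app");\n' }; // option removed
```

Run `auditDir` against the directory that is actually published, after any step that uploads the maps to the error tracking service and deletes them, and fail the pipeline when it returns findings.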
Reference: null/Queue-North-Website#122