Security: Production build generates sourcemaps (exposes source code) #122
Reference: null/Queue-North-Website#122
Problem

vite.config.js has `sourcemap: true` in the build config. This generates .map files alongside the production JS bundles, making the full source code (including components, API logic, validation rules, and internal structure) visible to anyone who opens DevTools.

This is a security concern for a production site — it reveals implementation details that could aid in crafting attacks against the forms, API endpoints, and validation logic.

Fix

Either:

A. Remove `sourcemap: true` entirely (the default is false, so no .map files are generated).
B. Set `sourcemap: "hidden"` — this generates .map files for error tracking services but does not expose them in DevTools.

Recommendation: Option B if using an error tracking service like Sentry. Option A otherwise.

Files

vite.config.js (`sourcemap: true`)

Severity

Medium — source code exposure aids attackers but requires DevTools access