Skip to content

Disable source maps in production builds to prevent TypeScript source exposure#89

Merged
olgahaha merged 2 commits intomainfrom
copilot/fix-source-maps-deployment
Apr 16, 2026
Merged

Disable source maps in production builds to prevent TypeScript source exposure#89
olgahaha merged 2 commits intomainfrom
copilot/fix-source-maps-deployment

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 17, 2026
edited
Loading

Source maps were unconditionally generated and included in the npm package, making the original TypeScript source fully readable via jsDelivr CDN (/npm/@numbersprotocol/capture-eye@latest/dist/capture-eye.bundled.js.map).

Changes

  • rollup.config.js: Conditionally generate source maps based on MODE env var — consistent with the pattern already used by web-dev-server.config.js and web-test-runner.config.js:

    // Before
sourcemap: true,
// After
sourcemap: process.env.MODE !== 'prod',

  • .github/workflows/production-release.yml: All three build jobs (publish-github, publish-npm, publish-s3) now invoke MODE=prod npm run build, ensuring no .js.map files are produced or included in published artifacts.

dev-release.yml (staging) is intentionally unchanged — the staging deploy script only uploads the .js file, and source maps remain useful there for debugging.

Original prompt

This section details on the original issue you should resolve

<issue_title>[Security][Medium] Source maps always deployed to CDN, exposing original TypeScript source and embedded secrets</issue_title>
<issue_description>## Summary

The Rollup build configuration has sourcemap: true unconditionally, meaning .js.map files are generated and deployed alongside the production bundle to the CDN. This exposes the original TypeScript source code, including all hardcoded constants, API endpoints, and the cryptographic material in interaction-tracker.ts.

Affected Files

  • rollup.config.js, line 13:

    output: {
  file: 'dist/capture-eye.bundled.js',
  format: 'esm',
  sourcemap: true,  // Always enabled, even for production
},

  • scripts/deploy-release.sh and scripts/deploy-staging.sh: These deploy the entire dist/ directory to S3, which includes the .map files.

Impact

  • Original TypeScript source is fully readable by anyone who downloads the source map from the CDN
  • Internal API structure, endpoint URLs, and code organization are exposed
  • The AES-GCM encryption material in interaction-tracker.ts is more easily discoverable (though it is already in the minified bundle, source maps make it trivial)
  • Potential attackers gain a clearer understanding of the codebase for vulnerability research

Suggested Approach

Option A (Recommended): Conditionally disable source maps for production builds:

output: {
  file: 'dist/capture-eye.bundled.js',
  format: 'esm',
  sourcemap: process.env.MODE !== 'prod',
},

Option B: Strip .map files from the deploy scripts before uploading to S3:

find dist -name '*.map' -delete

Option C: Upload source maps to a private location for debugging, but exclude them from the public CDN deployment.</issue_description>

Comments on the Issue (you are @copilot in this section)

💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.

@numbers-official
Fix: Disable source maps for production builds to prevent source expo…
d1beb2f 
…sure

Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>
Copilot AI changed the title [WIP] [Security] Fix source maps deployment to prevent exposure of secrets Disable source maps in production builds to prevent TypeScript source exposure Mar 17, 2026
Copilot AI requested a review from numbers-official March 17, 2026 13:16
numbers-official
numbers-official reviewed Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@numbers-official numbers-official left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated Code Review (Heartbeat Deep Check)

Reviewed 2 files changed (rollup.config.js, .github/workflows/production-release.yml). No regression risks, bugs, or security concerns found.

The approach is sound: conditionally disabling source maps based on MODE=prod keeps dev-time debugging intact while preventing TypeScript source exposure in production bundles. The workflow changes consistently set the environment variable across all three deployment jobs (GitHub Packages, NPM, S3/CDN).

LGTM from automated review — still requires human approval before merge.

@olgahaha olgahaha marked this pull request as ready for review April 16, 2026 07:30
@olgahaha olgahaha merged commit 6d63db6 into main Apr 16, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@numbers-official numbers-official numbers-official left review comments

Assignees

@numbers-official numbers-official

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security][Medium] Source maps always deployed to CDN, exposing original TypeScript source and embedded secrets

3 participants

@numbers-official @olgahaha