
Source map leak scanner

Check if your app is publishing source maps that reveal your code

Source maps make debugging easier, but if they ship to production they let anyone reconstruct your original source, including comments and any secret that was hard-coded.

A sample of what you might see

Warning: Reachable source map

A .js.map file is publicly reachable, so your original source can be reconstructed by anyone.

{ "file": "main.•••.js.map", "reachable": true }

Illustrative, redacted. We never store your data.

The scan checks whether your bundle references reachable .map files. It reads only what is already public.

The scan covers JavaScript and TypeScript apps today. It is passive and outside-in.

Questions

Are source maps always a problem?

Not always, but shipping them to production is usually unintended and can leak code and secrets. The safe default is to not publish them.

How do I stop publishing source maps?

It is a build-config change for most frameworks. We can make and prove that change in a reviewable pull request.
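To confirm that a build-config change actually holds, the build output can be checked before it is deployed. The following is an added example, not the scanner's own code: the names `auditBuildDir` and `makeSampleBuild` are hypothetical, and the sample files are constructed. It flags `.map` files, `sourceMappingURL` references and inline maps in an output directory, and reports whether a map embeds the original source via `sourcesContent`.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Matches both "//# sourceMappingURL=..." (JS) and "/*# sourceMappingURL=... */" (CSS).
const MAP_REF = /\/[/*]# sourceMappingURL=(\S+)/;

// Recursively list every file under dir.
function walk(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((entry) => {
    const full = path.join(dir, entry.name);
    return entry.isDirectory() ? walk(full) : [full];
  });
}

// Returns one finding per shipped map file, map reference, or inline map.
function auditBuildDir(dir) {
  const findings = [];
  for (const file of walk(dir)) {
    const rel = path.relative(dir, file);
    if (file.endsWith('.map')) {
      let embedsSource = false;
      try {
        const map = JSON.parse(fs.readFileSync(file, 'utf8'));
        // sourcesContent carries the original files verbatim, comments included.
        embedsSource = Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean);
      } catch { /* not valid JSON: still report the file */ }
      findings.push({ file: rel, kind: 'map-file', embedsSource });
    } else if (/\.(m?js|css)$/.test(file)) {
      const match = MAP_REF.exec(fs.readFileSync(file, 'utf8'));
      if (match) {
        const kind = match[1].startsWith('data:') ? 'inline-map' : 'map-reference';
        findings.push({ file: rel, kind });
      }
    }
  }
  return findings;
}

// Constructed sample build output (assumption: stands in for a real dist/ directory).
function makeSampleBuild() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'dist-'));
  const map = { version: 3, file: 'main.js', sources: ['src/main.ts'],
    sourcesContent: ['// constructed original source'], mappings: 'AAAA' };
  fs.writeFileSync(path.join(dir, 'main.js'), 'console.log(1);\n//# sourceMappingURL=main.js.map\n');
  fs.writeFileSync(path.join(dir, 'main.js.map'), JSON.stringify(map));
  fs.writeFileSync(path.join(dir, 'vendor.js'), 'console.log(2);\n');
  return dir;
}

// In CI, point auditBuildDir at the real output directory and fail on any finding.
console.table(auditBuildDir(makeSampleBuild()));
```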
