Any legitimate security concern with making JavaScript source map public?

Question

I am using bug tracking software to report any errors that occur in a web browser but the code on my production site is minified. As a result, debugging is near impossible (variable names are changed, etc.).

I want to put a full source map file in production so I can debug these errors but have heard some concerns about privacy/security in doing this. Since minified JavaScript can be un-minifed and reverse engineered without a source map, I am wondering if this is a legitimate concern. All I can see is that it would just make that process faster.

Is there a legitimate security concern for putting a sourcemap into the public domain?

Answer 1

As opposed to what others are saying, there is a security aspect to it.

You are right in that it is possible to analyse (un-minify, etc.) the source without the source map too. It will never be 100% secure as you know. However, security is about capabilities and effort, and the risk that comes from these. It's about your threat model and attacker model.

A real world attacker often doesn't have unlimited resources, but has limited knowledge of your software. So while strictly speaking an obfuscated Javascript code without a source map is technically equivalent to the actual source code because it can be inspected when run on the client anyway, in the real world there is a significant difference in the effort, skill and resources needed for this.

So while I'm not at all advocating security by obscurity, and I firmly think your code should be secure against an attacker that has the source code, this will not always be the case in reality, there will be vulnerabilities, and those will be easier to discover for an attacker if source maps are available.