I'm using UglifyJS to minify and uglify my sources, and Sentry to report errors from my production environment.
In order to get errors from Sentry, in a readable manner, I need to add source-map
Is it safe to do it in production servers, or the source-maps files should only exist on staging environment?
Is there a way to secure them on production environment?
Most JavaScript and CSS sources are usually minified and source maps serve as a memory map to the compressed files. It's generally a good practice to minify and combine your assets (Javascript & CSS) when deploying to production.
There's nothing wrong in removing the source maps via a post build script. But if you can prevent generating the source maps in the first place, then it will save you a few seconds of build time.
But source maps have long been seen merely as a local development tool. Not something you ship to production, although people have also been doing that, such that live debugging would be easier. That in itself is a great reason to ship source maps.
A source map is a file that maps from the transformed source to the original source, enabling the browser to reconstruct the original source and present the reconstructed original in the debugger. To enable the debugger to work with a source map, you must: generate the source map.
Searching for a possible solution to this, and if someone is not specifically using Sentry, I got to this blog post (ironically a Sentry blog post):
https://blog.sentry.io/2015/10/29/debuggable-javascript-with-source-maps.html
Where there is an interesting idea: "private source maps". It implies generating the source maps in someplace that is not accessible from the internet (such as your company VPN), so only you or your team can access the source maps files.
Quoting the "Private Source Maps" section of the post:
[...] all of our examples assume that your source maps are publicly available, and served from the same server as your executing JavaScript code. In which case, any developer can use them to obtain your original source code.
To prevent this, instead of providing a publicly-accessible sourceMappingURL, you can instead serve your source maps from a server that is only accessible to your development team. For example, a server that is only reachable from your company’s VPN.
//# sourceMappingURL: http://company.intranet/app/static/app.min.js.map
When a non-team member visits your application with developer tools open, they will attempt to download this source map but get a 404 (or 403) HTTP error, and the source map will not be applied.
Seems like a good idea to me!
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With