Is enabling full source maps in production a wise default?

[searls]

This ticket is about the default production configuration (both the webpack & uglify settings) in this file:

webpacker/package/environments/production.js

Line 30 in 50aaf77

result.devtool = 'source-map'

In my experience in (mostly Node.js-based) static asset compilation ecosystems, I haven't run across very many cases where full source maps are, by default, generated and pushed to production servers. I presume the reason for this is because that modern JS build toolchains provide a sort of accidental benefit of code obfuscation, and well-generated source maps can actually make it very easy to rip off someone else's source.

The webpack docs don't actually justify this statement, but they say this much about using the source-map setting in production:

You should configure your server to disallow access to the Source Map file for normal users!

I've looked through the repo and was curious if there was much discussion/justification for enabling full source-maps in production by default and whether it'd be fair to revisit the issue in a thread here.

Curious to hear your thoughts & thanks for your time! ✨

[searls]

One other benefit of moving to a more restricted source code default would be shorter asset precompile build times. I noticed this was enabled by default when I saw source map compilation took a few seconds on a relatively small app.

[gauravtiwari]

Sourcemaps are super useful for error reporting, as well as for analysing bundle size from dependencies. Whether one chooses to deploy them or not is their choice, but producing them is useful. Producing proper stack traces is another thing to consider in production with things like Rollbar or Sentry.

Please note, source maps are only downloaded if devtool is open, so the normal user won't see it unless someone opens the devtool. In terms of exposing the source code, I guess an uglified js file can be easily beautified :)

If you wish to remove sourcemaps though, this is how you can do it:

// config/webpack/production.js
const merge = require('webpack-merge')
const environment = require('./environment')

const config = environment.toWebpackConfig()
config.devtool = 'none'

module.exports = config

[searls]

I don't disagree at all that sourcemaps are useful. I only opened this issue because it's a surprising default to enable it in production, for these reasons:

1. Most other static asset compilation tools don't build and bundle sourcemaps for production by default (most people I ran this by before opening the issue were surprised to learn this default)
2. Just like most teams/companies writing production Rails apps would be surprised if all their Ruby source listings were being published on every request, I think it's fair to assume most companies wouldn't be pleased to discover after-the-fact that they'd been "leaking" their own deobfuscated front-end source code.
3. It comes at a non-trivial build cost, and is the slowest part of my rake assets:precompile (as best as I can tell from watching stdout)

The more I've thought about this, the more I feel that a more limited setting like 'nosources-source-map' is more appropriate, as it gives something like Rollbar or Sentry, because it will produce what's needed for proper stack traces without blatting out all of your source code.

[javan]

Thanks, @searls! I think nosources-source-map would make a better production default given all the reasons you outlined. Want to open a PR and reference this to-do?

[gauravtiwari]

@searls Thanks, makes sense 👍

[searls]

You got it, @javan. Opened #770

[ezuk]

Sorry to comment on a closed issue - but how do I actually enable source maps now, for tools like HoneyBadger? Any tips? Thank you!

[gauravtiwari]

@ezuk ^_^

// config/webpack/production.js
const merge = require('webpack-merge')
const environment = require('./environment')

const config = environment.toWebpackConfig()
config.devtool = 'sourcemap'

module.exports = config

[dhh]

I was just made aware of this thread, and would like us to revert. I fully understand and respect the reasons for why some might feel the necessity to obfuscate their code, but I don't think it's a good default, and I don't think it sends a good message.

I've learned so much from View Source over the years. From structure, to CSS, to JS. That has gotten harder with minification and transpiling. That's a real shame. The web has given us so much. The default should be to give back, in all the ways we can. View Source is a heritage feature that a framework like Rails should go out of its way to pay tribute to.

So. I'd like the source-maps-by-default restored, but with an easy and documented out for people who don't feel they can or will pay tribute to the web in this fashion. Thanks!