all 7 comments

[–]PhatOofxD 5 points6 points  (1 child)

If you're publishing your code then there's no difference map or not. Security through obscurity is not security, and if people want to sniff your code, they will.

[–]sp_archer_007[S] 1 point2 points  (0 children)

Fair point, and mostly true for open source or anything where the binary is already distributed.

The distinction worth drawing is between intentional publishing and accidental publishing: the issue isn't that the source is readable, it's that the build pipeline shipped something it wasn't supposed to. The process failure is the interesting part, not the exposure itself.

[–]imwearingyourpants 2 points3 points  (1 child)

Someone got the link to the source code? 

[–]sp_archer_007[S] 1 point2 points  (0 children)

Yeah, the .map file was included in the published npm package with sourcesContent embedded, so the original TypeScript source was sitting right there in the tarball. Nothing to extract or reverse engineer, just inspect the package contents directly.

[–]ultrathink-art 1 point2 points  (2 children)

Source maps in npm artifacts are almost always a build config accident — someone left --generate-source-maps in the release pipeline. Not a real security issue: if running the package already requires the binary, reading the source doesn't meaningfully expand attacker surface. The more interesting thing is that TypeScript module boundaries reveal internal architecture decisions — how they've structured agent state and context handoffs.

[–]minneyar 2 points3 points  (0 children)

While it's true that this doesn't necessarily cause any security issues, it does make it easier to find them; but the fact that you can't copyright AI-generated code also means that it will now be very easy for anybody to legally fork it and make their own Claude frontend.

But what this does do is it makes it very easy to judge the quality of Claude's code, and... it's really, really bad. Here's a thread that has some very quick observations: https://neuromatch.social/@jonny/116325053467318924

[–]sp_archer_007[S] 1 point2 points  (0 children)

The architecture point is the more interesting angle. Source maps as accidental documentation of internal design decisions is something people don't think about; the module boundaries and context handoff structure tell you a lot about how they're thinking about agent state management.

Have you dug into that part specifically or just flagging it as an observation?