Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v2 - Don't generate source maps by default #3817

Closed
tomazy opened this issue Feb 2, 2018 · 16 comments
Closed

v2 - Don't generate source maps by default #3817

tomazy opened this issue Feb 2, 2018 · 16 comments
Labels
stale? Issue that may be closed soon due to the original author not responding any more.

Comments

@tomazy
Copy link
Contributor

tomazy commented Feb 2, 2018

Description

Gatsby by default generates very expressive source maps. They include the full, non-minified source code of the site, including all comments like TODO, etc. They also expose absolute paths to the project directory leaking things like user names and naming conventions.

Source maps in general should not be available to anyone willing to open the dev tools in their browser. Access to them should be restricted and this requires some additional adjustments on the web server level.

I suggest we disable the default source map generation in the next version of the project.

See: #3324 (comment)

@monsieurnebo
Copy link
Contributor

monsieurnebo commented Feb 2, 2018

Agreed! A nice way of managing sourcemaps could be a config parameter, such as:

// gatsby-config.js

module.exports = {

  pathPrefix : "/blog",
  sourceMaps : true,
  // ...

}

It would let users choose when and where use them and would be particulary useful on multi-environments development (develop, staging, etc...).

@fk fk added type: documentation An issue or pull request for improving or updating Gatsby's documentation Feature Request and removed type: documentation An issue or pull request for improving or updating Gatsby's documentation labels Feb 2, 2018
@jquense
Copy link
Contributor

jquense commented Feb 2, 2018

I don't think not generating source maps the right approach. For every production app I've made we've wanted them either to load when devtools were opened or to upload to sentry for clearer error tracking. I think if you don't want them in your uploaded site that's more of publishing concern than a building on?

@KyleAMathews
Copy link
Contributor

Instead of disabling sourcemaps by default — how about instead we a) investigate using relative paths, removing comments and otherwise making them more tidy by default and b) add a plugin to easily disable producing source maps by modifying the webpack config which also conveniently would speed up builds some.

@monsieurnebo
Copy link
Contributor

@KyleAMathews I cannot see the advantage of a plugin instead of a basic gatsby-config parameter? 🤔

@KyleAMathews
Copy link
Contributor

@monsieurnebo mainly because we avoid config options at (almost) all costs :-)

Adding config is a much weightier decision vs. a plugin. Also plugins are much more flexible than config.

@monsieurnebo
Copy link
Contributor

monsieurnebo commented Feb 8, 2018

@KyleAMathews Ok! Would this plugin's purpose be only to disable sourcemaps via webpack configuration? Isn't that a bit overkill?

@KyleAMathews
Copy link
Contributor

@monsieurnebo that's how a config option would work so it's the same thing

@siakaramalegos
Copy link
Contributor

siakaramalegos commented Aug 21, 2018

I'm struggling how to disable source maps for production since the default Webpack set up is to leave out the devtool option, but Gatsby v2 is enabling it. If someone has found a way to disable them for production, I would love to know how until either a setting or a plugin is created. I've tried coming up with a way based on the old version and the new docs, but it doesn't work:

// gatsby-node.js
exports.onCreateWebpackConfig = ({ actions, stage }) => {
  if (stage === 'build-javascript') {
    // turn off source-maps
    actions.setWebpackConfig({
      devtool: false
    })
  }
};

edit: added an SO question here

@siakaramalegos
Copy link
Contributor

So it looks like that might actually work. Either my finder wasn't refreshing the file list or the /public/folder was holding on to old sourcemap files.

@github0013
Copy link
Contributor

This solved removing source map in v2.
#6289

yarn add gatsby-plugin-no-sourcemaps@next
  plugins: [
    "gatsby-plugin-no-sourcemaps",
  ]

@BillyWM
Copy link

BillyWM commented Sep 26, 2018

Neither is working for me. workbox, used by gatsby-plugin-offline is still generating maps for all its files, so apparently all parts in the pipeline don't necessarily respect this setting.

(I did an rm -rf public && gatsby build. This isn't a problem of lingering files. It's definitely regenerating them)

edit: I guess the workbox-build dependency just comes this way.

@gatsbot gatsbot bot added the stale? Issue that may be closed soon due to the original author not responding any more. label Jan 16, 2019
@gatsbot
Copy link

gatsbot bot commented Jan 16, 2019

Old issues will be closed after 30 days of inactivity. This issue has been quiet for 20 days and is being marked as stale. Reply here or add the label "not stale" to keep this issue open!

@gatsbot
Copy link

gatsbot bot commented Jan 27, 2019

This issue is being closed due to inactivity. Is this a mistake? Please re-open this issue or create a new issue.

@gatsbot gatsbot bot closed this as completed Jan 27, 2019
junhobaik added a commit to junhobaik/junhobaik.github.io that referenced this issue Jun 30, 2019
source-map 관련 버전, 의존성 오류로 보임.
webpack-contrib/babel-minify-webpack-plugin#68

gatsby에서 socurcemap을 비활성화하는 플러그인을 이용한 해결
gatsbyjs/gatsby#3817
@j127
Copy link
Contributor

j127 commented Sep 3, 2020

I think having sourcemaps on by default in production is dangerous. There must be countless people out there who think their code comments, environment variable names, and source code are private because the output was minified, without realizing that everything is public. It seems like a security/privacy risk, because most people will assume that only the compiled version will be visible in production.

@fzyzcjy
Copy link

fzyzcjy commented Aug 26, 2021

hi, any updates?

This was referenced Sep 5, 2021
@ankurparihar
Copy link

Why do we need to develop and maintain separate plugin for a simple config option, which by the way should be a default setting in production?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
stale? Issue that may be closed soon due to the original author not responding any more.
Projects
None yet
Development

No branches or pull requests