Your NPM Package Is Leaking Source Code (Here's How to Fix It)

via Dev.to JavaScript, Alan West

Last week the dev community had a field day when someone discovered that a major CLI tool had accidentally shipped source map files in their NPM package. The .js.map files were sitting right there in the published tarball, and anyone who ran npm pack on the installed package could reconstruct the entire original TypeScript source.

This isn't a new class of bug. It happens more often than you'd think, and it's probably happening in your packages right now.

What Are Source Maps and Why Should You Care?

When you compile TypeScript to JavaScript, or bundle your code with tools like esbuild, webpack, or rollup, the output is often minified or otherwise transformed. Source map files (.js.map) act as a Rosetta Stone — they map the compiled output back to the original source. That's great for debugging. It's terrible when those files ship to production or end up in your published NPM package.

Here's what a source map contains:

- The complete original source code, including comments
- Original f
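An added example, not code from the original article: a Node.js check that walks an unpacked package directory, finds .map files, and counts how many original files each one embeds in its sourcesContent array. The function names and the sample package it builds in a temp directory are constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
// Recursively collect *.map files under dir, skipping node_modules.
function findSourceMaps(dir) {
  const found = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) {
      if (entry.name !== "node_modules") found.push(...findSourceMaps(full));
    } else if (entry.name.endsWith(".map")) found.push(full);
  }
  return found.sort();
}

// Count the original files a map names ("sources") and how many are embedded
// verbatim ("sourcesContent"; an entry is null when that file is not embedded).
function auditSourceMap(file) {
  let map;
  try { map = JSON.parse(fs.readFileSync(file, "utf8")); } catch { map = null; }
  if (!map || typeof map !== "object") return { file, error: "unparseable", sources: 0, embedded: 0, bytes: 0 };
  // An index map nests ordinary maps under sections[].map.
  const maps = Array.isArray(map.sections) ? map.sections.map((s) => (s && s.map) || {}) : [map];
  const result = { file, error: null, sources: 0, embedded: 0, bytes: 0 };
  for (const m of maps) {
    result.sources += Array.isArray(m.sources) ? m.sources.length : 0;
    for (const text of Array.isArray(m.sourcesContent) ? m.sourcesContent : []) {
      if (typeof text === "string") { result.embedded++; result.bytes += Buffer.byteLength(text); }
    }
  }
  return result;
}

const auditPackage = (dir) => findSourceMaps(dir).map(auditSourceMap);

// Constructed sample package: one map with embedded source, one without, one corrupt.
function buildSample() {
  const dist = path.join(fs.mkdtempSync(path.join(os.tmpdir(), "pkg-")), "dist");
  fs.mkdirSync(dist);
  const write = (name, body) => fs.writeFileSync(path.join(dist, name), body);
  const map = (content) => JSON.stringify(
    { version: 3, sources: ["../src/a.ts"], sourcesContent: [content], mappings: "" });
  write("cli.js.map", map("// internal note\nexport const run = () => 1;\n"));
  write("util.js.map", map(null));
  write("broken.js.map", "{not json");
  return path.dirname(dist);
}

for (const r of auditPackage(buildSample())) console.log(path.basename(r.file), r);
```

Point auditPackage at the directory you get from unpacking the tarball that npm pack produces; any result with embedded greater than 0 carries original source text, and a map with embedded equal to 0 still discloses original file paths through sources.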
