- Exactly the same build on all environment, so we can just promote instead of rebuild each time.
- Preferably source maps because debugging on test might be useful.
- No source maps on production, though.
- Always generate source maps, but as hidden = the minified source doesn't contain a reference to the source map
- Use the
SourceMapheader to disclose the location of the source map - SourceMap is sent only when the environment variable associated to the resource type exists and is non empty.
If we really want we can point the production SourceMap to a server
that is only accessible to people within our org (www-preview) or even
put it behind authorization.
We might still need a thing to prevent source maps from being published to production (will complicate the CI a bit).
- our source code is closed source
- source maps make it easier to find attack vectors
- yes, but google recommends it! Do as they do (google.com => F12 => sources => nope!). Not as they say.
https://developer.mozilla.org/en-US/docs/Tools/Debugger/How_to/Use_a_source_map
Hidden source maps
- esbuild
--sourcemap=external: https://esbuild.github.io/api/#sourcemap - webpack
hidden-source-map: https://webpack.js.org/configuration/devtool/ - angular
[PROJECT_NAME].architect.build.configurations.production.sourceMap.hidden: https://blog.mgechev.com/2019/02/06/5-angular-cli-features/#hidden-source-maps
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/SourceMap - even Safari supports it