
Source map files (.map) are being included in CodePush releases due to Sentry instructions #5148

@kit2o

Description

At Revopush, we conducted an analysis and anonymously observed a significant number of bundles containing .map files inside CodePush releases.

This negatively affects both:

  • Clients, who end up downloading unnecessary data
  • Security, since .map files expose extended information

We discovered that .map files are included in CodePush releases because of the Sentry documentation, which suggests placing both the build and sourcemap into the same folder.

For example, the following command:

code-push-standalone release-react \
  "${APP_NAME}" \
  "${PLATFORM}" \
  --deploymentName "${DEPLOYMENT_NAME}" \
  --outputDir ./build \
  --sourcemapOutput ./build

For Android, it is important to have CodePush as a root dir for --outputDir to support JWT signing:

code-push-standalone release-react \
  "${APP_NAME}" \
  "${PLATFORM}" \
  --deploymentName "${DEPLOYMENT_NAME}" \
  --outputDir ./build/CodePush \
  --sourcemapOutput ./build

To avoid .map files being shipped in CodePush releases, the --sourcemapOutput path should point to a directory different from the build folder.

We’ve updated the instructions on our website: https://docs.revopush.org/cicd/sentry

We recommend updating the official instructions to prevent .map files from being unintentionally included in CodePush releases.
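A CI pre-flight check for the misconfiguration described in this issue, added here as an example (it is not part of the original issue, nor code from CodePush, Sentry or Revopush). The function names are hypothetical, and it assumes both `--outputDir` and `--sourcemapOutput` are given directories, as in the commands above.

```shell
#!/bin/sh
# Added example: guard against source maps landing inside a CodePush release.
# Function names are hypothetical; both arguments are assumed to be directories.

# Resolve a directory to an absolute physical path, creating it if missing.
abs_dir() {
  mkdir -p "$1" && (cd "$1" && pwd -P)
}

# Return 0 if the sourcemap directory is outside the release directory,
# 1 if it is the same directory or nested inside it, 2 on path errors.
sourcemap_dir_is_safe() {
  out=$(abs_dir "$1") || return 2
  map=$(abs_dir "$2") || return 2
  case "$map/" in
    "$out"/*)
      echo "unsafe: sourcemap dir $map is inside release dir $out" >&2
      return 1 ;;
  esac
  return 0
}

# Return 0 if no *.map file exists anywhere under the release directory.
release_has_no_maps() {
  found=$(find "$1" -type f -iname '*.map')
  if [ -n "$found" ]; then
    printf 'source maps in release dir:\n%s\n' "$found" >&2
    return 1
  fi
  return 0
}

# Constructed demo layout mirroring the two commands in the issue.
demo=$(mktemp -d)
sourcemap_dir_is_safe "$demo/build" "$demo/build" \
  || echo "outputDir=./build, sourcemapOutput=./build: maps would ship"
sourcemap_dir_is_safe "$demo/build/CodePush" "$demo/build" \
  && echo "outputDir=./build/CodePush, sourcemapOutput=./build: ok"
rm -rf "$demo"
```

Call `sourcemap_dir_is_safe` with the two flag values before invoking `release-react`, and run `release_has_no_maps` against the output directory afterwards as an audit.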
