Minified production JavaScript produces stack traces like a.b is not a function at t (main.abc123.js:1:4821) — unactionable without the corresponding source map. When source maps are not uploaded to the error tracking service, every production stack trace requires a manual deobfuscation step that most teams skip, leaving errors effectively uninvestigated. ISO 25010 reliability.fault-tolerance depends on diagnostic capability; without readable stack traces, fault isolation time increases dramatically. Exposing source maps publicly (via productionBrowserSourceMaps: true) solves the readability problem but exposes your full source code to anyone with DevTools.
Low because the defect slows diagnosis rather than causing failures directly — but unreadable production stack traces systematically increase mean time to resolution for every incident.
Upload source maps to your error tracking service during the build — never serve them publicly. With Next.js and Sentry, withSentryConfig handles the upload automatically.
// next.config.ts
import { withSentryConfig } from '@sentry/nextjs'
export default withSentryConfig(
{ /* your next config */ },
{
org: process.env.SENTRY_ORG,
project: process.env.SENTRY_PROJECT,
// Source maps uploaded to Sentry, not served publicly:
sourcemaps: { disable: false },
}
)
Verify by triggering a deliberate error in staging and confirming the Sentry stack trace shows original filenames and line numbers, not minified identifiers.
ID: error-resilience.graceful-degradation-shutdown.source-maps-error-tracking
Severity: low
What to look for: Count all source map configurations. Enumerate whether source maps are uploaded to the error tracking service (Sentry, Bugsnag) and not exposed publicly. For production deployments, check whether source maps are uploaded to the error tracking service or hosted separately with restricted access. Verify minified code in stack traces is readable and maps back to original source.
Pass criteria: Source maps are uploaded to error tracking service (or hosted separately) with restricted access; stack traces show readable source code and line numbers, not minified code. Source maps must be uploaded to at least 1 error tracking service and must not be publicly accessible (no productionBrowserSourceMaps: true).
Fail criteria: No source maps uploaded to error tracking service; stack traces show minified variable names and unreadable code.
Skip (N/A) when: The application is not minified/bundled or has no error tracking service.
Cross-reference: For error tracking service, see error-tracking-service.
Detail on fail: "No source maps uploaded to Sentry. Stack traces show minified code (e.g., 'a.b.c is not a function')" or "Source maps present but not restricted — sensitive code structure exposed"
Remediation: Upload source maps to your error tracking service. With Sentry and Next.js:
// next.config.js — source maps for Sentry only
const { withSentryConfig } = require('@sentry/nextjs')
module.exports = withSentryConfig({ productionBrowserSourceMaps: false })
// next.config.ts
const withSourceMaps = require('@next/bundle-analyzer')({
enabled: process.env.ANALYZE === 'true',
})
export default withSourceMaps({
productionBrowserSourceMaps: true,
sentry: {
disableServerWebpackPlugin: false,
disableClientWebpackPlugin: false,
},
})
// In your Sentry init:
Sentry.init({
dsn: process.env.SENTRY_DSN,
// Sentry automatically uploads source maps during Next.js build
})