Sourcemaps enabled in production by default (security issue)

[lentrup]

• I have tried upgrading by running bundle update vite_ruby.
• I have read the troubleshooting section before opening an issue.

Description

vite-plugin-ruby has a backwards sourcemap default that enables sourcemaps in production and disables them in development. This is a security vulnerability that exposes application source code in production builds.

The plugin sets build.sourcemap: !isLocal in src/index.ts (~line 155), which results in:

• Production mode (!isLocal = true): ✗ Sourcemaps ENABLED - exposes source code
• Development mode (!isLocal = false): ✗ Sourcemaps DISABLED - breaks debugging
• Test mode (!isLocal = false): ✗ Sourcemaps DISABLED

This is the opposite of Vite's secure default (build.sourcemap: false).

Security Impact:

• .js.map and .css.map files publicly accessible in production
• sourceMappingURL comments present in minified bundles
• Complete unminified source code visible in browser DevTools
• Business logic, API endpoints, and implementation details exposed

Root Cause:

In vite-plugin-ruby/src/index.ts:

const isLocal = config.mode === "development" || config.mode === "test";
const build = {
  emptyOutDir: ...,
  sourcemap: !isLocal,  // ← BUG: true in production, false in dev!
  ...userConfig.build,
  // ...
}

The logic appears inverted - !isLocal enables sourcemaps when NOT in local development.

Reproduction

Minimal reproduction:

1. Create a fresh Rails app with vite_ruby (default config)
2. Use default vite.config.ts with NO explicit build.sourcemap setting:

// vite.config.ts - using plugin defaults
import { defineConfig } from 'vite'
import RubyPlugin from 'vite-plugin-ruby'

export default defineConfig({
  plugins: [RubyPlugin()],
  build: {
    // NO sourcemap config - inherits plugin default
  }
})

3. Build for production:

rm -rf public/vite
RAILS_ENV=production NODE_ENV=production bin/vite build

4. Check for sourcemap exposure:

find public/vite/assets -name "*.js.map"
grep -r "sourceMappingURL" public/vite/assets/*.js

Expected: No sourcemap files, no sourceMappingURL comments
Actual: Sourcemap files present, comments pointing to them

5. Check development build:

rm -rf public/vite-dev
RAILS_ENV=development NODE_ENV=development bin/vite build
find public/vite-dev/assets -name "*.js.map"

Expected: Sourcemap files present for debugging
Actual: No sourcemap files (debugging broken)

Vite Ruby Info

bin/vite present?: true
vite_ruby: 3.9.1
vite_rails: 3.0.19
rails: 7.2.2.1
ruby: ruby 3.3.7 (2025-01-15 revision be31f993d7) [arm64-darwin24]
node: v20.12.2
yarn: 4.1.1

installed packages:
metarina@0.1.0
├─┬ vite-plugin-ruby@5.1.1
│ └── vite@5.4.21 deduped
└── vite@5.4.21

Proposed Fix

Option 1: Remove the default (recommended)

Let Vite's default apply (sourcemap: false):

const isLocal = config.mode === "development" || config.mode === "test";
const build = {
  emptyOutDir: ...,
  // REMOVE: sourcemap: !isLocal,
  ...userConfig.build,  // User can still override
  // ...
}

Option 2: Invert the logic

Enable sourcemaps only in development:

const isLocal = config.mode === "development" || config.mode === "test";
const build = {
  emptyOutDir: ...,
  sourcemap: config.mode === 'development',  // Only in dev
  ...userConfig.build,
  // ...
}

Current Workaround

Users must explicitly override in vite.config.ts:

export default defineConfig(({ mode }) => ({
  build: {
    sourcemap: mode === 'development'  // Override plugin default
  }
}))

Impact

This affects all vite_ruby users who don't explicitly set build.sourcemap in their config. Production applications unknowingly expose their complete source code.

References

• Vite docs: https://vitejs.dev/config/build-options.html#build-sourcemap (default: false)
• vite-plugin-ruby source: https://github.com/ElMassimo/vite_ruby/blob/main/vite-plugin-ruby/src/index.ts#L155

---

Happy to submit a PR if you'd like! This appears to be an unintentional logic inversion.

[KieranP]

I got caught by this too. The core issue is that when sourcemaps are turned on, by default Rollup (which powers Vite) also includes the original raw source code inside the map.

You can turn it off manually using sourcemapExcludeSources: true (see https://rollupjs.org/configuration-options/#output-sourcemapexcludesources). With sourcemap: true, sourcemapExcludeSources: true, the source maps are pretty minimal with no original source code exposure and fairly safe for production (they still contain file names, so just don't include secrets in the file names and you'll be fine 😄 )

I agree that sourcemaps should probably be off by default, and if turned on, vite_ruby should probably automatically set sourcemapExcludeSources: true for security reasons. If someone then wants to change sourcemapExcludeSources: false, and expose their code, that is there choice 😓

As for development, sourcemap: !isLocal, does seem odd, but this is within the build config block, which only gets used when building hashed assets, and that doesn't (usually) need to be done in development. In development, it uses a different process to compile the assets, so the sourcemaps are being created as expected in development.

[lentrup]

@KieranP Good call on the build config scope , you're right that bin/vite dev handles sourcemaps independently, so dev debugging isn't actually broken. The concern is strictly production builds.

Worth noting the auto_build edge case though: if the dev server isn't running and Rails triggers vite build in development, the plugin default gives sourcemap: false for that build.

Agreed that defaulting to sourcemapExcludeSources: true would be a sensible safety net if production sourcemaps stay on.

[KieranP]

Vite 8 was released and it doesn't support the sourcemapExcludeSources option anymore (rolldown/rolldown#5554) :-(