Comment by saghm
2 months ago
They also weren't supposed to be leaking the code itself either. I don't know enough about JS tooling, but is it possible that this might just be the pre-stripped version?
2 months ago
They also weren't supposed to be leaking the code itself either. I don't know enough about JS tooling, but is it possible that this might just be the pre-stripped version?
That’s what a source map is. It’s included in debug builds so that browser debuggers (and others) can step through the original code, comments and all, instead of the compiled javascript (which back in the day could become an undecipherable mess of callbacks if you were transpiling async/await to the legacy Promise API).
Unfortunately in many bundlers making a mistake like this is as easy as an agent deleting “process.env[‘ENV’] === ‘debug’” which they’ll gladly do if you point them at a production or staging environment and ask them to debug the stripped/compiled/minified code.
I see. I had read that it was a source map that was leaked here specifically, but my vague understanding of the term was mostly that it might be a way to trace back JavaScript lines to the TypeScript it compiled from, since I don't have much of an understanding of all of the other various steps that are part of a JavaScript build nowadays.
I think I still disagree with the parent comment premise that "they probably thought minifying was enough", since it sounds likely they were doing all of those other steps. The issue seems like insufficient auditing of the build process (especially if agents were involved, which seems likely for Anthropic) rather than not doing all of the usual JS build stuff.