productionBrowserSourceMaps: false is not working - a way to disable the sourcemaps

[anonymouscatcher]

Is there an existing issue for this?

• I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
• I have reviewed the documentation https://docs.sentry.io/
• I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which package are you using?

@sentry/nextjs

SDK Version

"@sentry/nextjs": "^7.16.0",

Framework Version

18

Link to Sentry event

No response

Steps to Reproduce

next.config.js

module.exports = {
  ...withSentryConfig(defaultConfig, sentryWebpackPluginOptions),
  productionBrowserSourceMaps: false
};

Expected Result

I'm looking for a way to disable sourcemaps in production, next js has an option to flag the source maps but it I don't know why sentry forces to enable and upload my source code, I just want a way to disable source map for security concerns. this shouldn't be too hard achieve since it's related to security and exposing source code to public. it's hours I'm looking for this to solve it.
Also something about hideSourceMaps option, I don't know what this supposed to do but I tried this feature as well and it still load my ***.js.map files in network tab and you can easily open any files you like in console tab.

Actual Result

.

[lforst]

Hi, sentry generates source maps so it can resolve the stack trace of the minified code in the Sentry issue interface.

The Next.js SDK will upload the source maps automatically - this can be disabled via options.

hideSourceMaps simply removes the //# sourceMappingURL=*.js.map comment from the bottom of the generated JS files "hiding" where they live on the server.

I recommend you delete the source maps with a simple script after the normal next build process completes - that way you still get resolved stack traces on Sentry but do not share them publicly. We currently do not have a way to do this automatically but we want to provide functionality for this in the future.

[anonymouscatcher]

@lforst thanks for quick reply, this is too bad because we have limitations to decide to expose source maps or not, also after adding hideSourceMaps to next config I see a warning related to invalid root options.

   ...other options. 
    sentry: {
      hideSourceMaps: true
    }

So weird that no one even looked/reviewed this file https://github.com/vercel/next.js/blob/canary/examples/with-sentry/next.config.js, because I'm using latest versions and I see this warning.

[lforst]

What is the exact warning you're seeing and what Next.js version are you using?

[lobsterkatie]

Related:
getsentry/sentry-cli#1318
#4489

[lobsterkatie]

@alirezavlz Are you talking about this warning: #5449? That should have been fixed by #5473.

[github-actions]

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!

---

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

[dalalRohit]

for me, the issue was happening because of using next-compose-plugins package to configure plugins together.

removed the package and got it working like this

const nextConfig = {
 ...
 sentry: {
    hideSourceMaps: true,
  },
};


module.exports = withSentryConfig(withPWA(withBundleAnalyzer(nextConfig)), { silent: true });

[denis-sokolov]

Related issue focused on the Webpack plugin scenario with a few workarounds mentioned: getsentry/sentry-webpack-plugin#174.