feat(rsbuild): Enable source map in production

[zatteo]

Source map in production will help debugging in production (especially if we use it with Sentry).

It should slightly increase build time (no issue as it is only some ms during CI) and it will reveal our source code entirely (no issue as we are open source).

More information : https://rsbuild.rs/config/output/source-map

Summary by CodeRabbit

• Chores
  • Enhanced production debugging capabilities to improve error tracking and diagnostics.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The change modifies the Rsbuild configuration file to enable source maps in the build output. The sourceMap property is set to true in the configuration, while the existing polyfill setting (polyfill: 'usage') remains unchanged. No API signatures or exported functions are modified by this change.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: enabling source maps in production builds for the rsbuild configuration.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/enable-source-map

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codescene-delta-analysis]

Gates Failed
Prevent hotspot decline (1 hotspot with Large Method)
Enforce advisory code health rules (1 file with Large Method)

Gates Passed
4 Quality Gates Passed

See analysis details in CodeScene

Reason for failure

Prevent hotspot decline	Violations	Code Health Impact
getRsbuildConfig.js	1 rule in this hotspot	8.93 → 8.93	Suppress

Enforce advisory code health rules	Violations	Code Health Impact
getRsbuildConfig.js	1 advisory rule	8.93 → 8.93	Suppress

Quality Gate Profile: Pay Down Tech Debt
Want more control? Customize Code Health rules or catch issues early with our IDE extension and CLI tool.

[codescene-delta-analysis]

❌ Getting worse: Large Method
getRsbuildConfig increases from 199 to 200 lines of code, threshold = 70

_Suppress

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ea1e051 and 70c4efa.

📒 Files selected for processing (1)

• config/rsbuild-config-cozy-app/getRsbuildConfig.js (1 hunks)

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Do not serve source maps to end users; generate and upload to Sentry separately.

Rsbuild documentation explicitly warns: "Do not deploy source maps (.map files) to the public web server or CDN when using values such as source-map or hidden-source-map in production builds. Public source maps will expose your source code and may bring security risks."

Generating source maps may expose them to the public, potentially causing your source code to be leaked, even for open-source projects, as it reveals internal implementation patterns, debug logic, and commented code.

Recommended approach:

1. Generate hidden source maps that aren't referenced in production bundles (e.g., sourceMap: { js: 'source-map' } with hidden-source-map format)
2. Upload source maps to Sentry during CI/CD using @sentry/webpack-plugin (which provides source map and release management support for Sentry), registered via Rsbuild's tools.rspack configuration
3. Delete source maps after upload to prevent exposure

[JF-Cozy]

is the final bundle heavier if we do that?

[zatteo]

Final bundle is the same: it only creates new .map files that are loaded only by browser devtools.

But it adds 14Mo to the tar.gz of the app sent to the registry (from 9.4 to 24Mo). So it is maybe not an issue for users but more on our side. Maybe we should only upload them to Sentry and remove them from the package.

[JF-Cozy]

it only creates new .map files that are loaded only by browser devtools

oh ok so if there is no devtools in the browser, they are not listed in the header of the page?

[zatteo]

it only creates new .map files that are loaded only by browser devtools

oh ok so if there is no devtools in the browser, they are not listed in the header of the page?

Yes, its just adds a magic comment at the top of each js file with the link of the .map file. So that browser tools can read the js file, understand that there is a .map file and use it.

Deep dive for source map internals here https://www.polarsignals.com/blog/posts/2025/11/04/javascript-source-maps-internals