What happened
A missing .npmignore rule shipped a ~59.8 MB source map — about 512,000 lines of unobfuscated TypeScript across ~1,900 files — inside a published npm package. A bundler bug kept emitting maps even when disabled, and nothing stripped them before publish.
Would Stateward catch it? Yes.
Yes. Stateward’s source-map exposure detector flags exactly this in the pull request, before the package is ever published: a committed *.map artifact, a stray //# sourceMappingURL= in a shipped bundle, and build configs that emit production maps across Vite, webpack, Next.js, Create React App, Vue and Rollup. The map would have been reported as CWE-540 before publish: the disable flag you can’t trust is replaced by a check on the real artifact. It skips disabled maps and .d.ts.map files, so it doesn’t cry wolf.
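As an added example (not Stateward’s code, and not code from the package in the incident above), here is a small Node.js check that applies the same principle to a publish file list: inspect the artifacts that will actually ship rather than trusting a bundler’s disable flag. It flags shipped *.map files (rating maps that embed sourcesContent higher, since those carry the original source), sourceMappingURL directives in bundles, and a missing *.map rule in .npmignore, while skipping .d.ts.map. All file names, contents and the .npmignore body are constructed samples, and the function names are my own.

```javascript
// Added example, not Stateward's code: a minimal source-map exposure check that
// looks at the files actually staged for publish instead of trusting a bundler's
// "sourcemap: false" setting. All inputs below are constructed samples.

// Matches "//# sourceMappingURL=..." in JS and "/*# sourceMappingURL=... */" in CSS.
const SOURCEMAP_DIRECTIVE = /(?:\/\/|\/\*)\s*#\s*sourceMappingURL=(\S+)/;
// File types that could carry a sourceMappingURL comment into the tarball.
const BUNDLE_EXT = /\.(?:m?js|cjs|css)$/i;

// A .map file that maps implementation code. Declaration maps (.d.ts.map) only
// map type signatures and reveal no implementation, so they are skipped.
function isSourceMapArtifact(filePath) {
  const lower = filePath.toLowerCase();
  return lower.endsWith('.map') && !lower.endsWith('.d.ts.map');
}

// True when an .npmignore body contains a rule such as "*.map" or "**/*.map".
// (Simplified: a package.json "files" allowlist would change what ships.)
function npmignoreExcludesMaps(npmignoreText) {
  return npmignoreText
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .some((line) => /(^|\/)\*\.map$/.test(line));
}

// Scan a list of {path, content} entries as they would appear in the tarball.
function findSourceMapExposures(files, npmignoreText = '') {
  const findings = [];
  for (const { path, content } of files) {
    if (isSourceMapArtifact(path)) {
      // A map with sourcesContent embeds the original (e.g. TypeScript) source,
      // which is the worst case; a map without it still leaks file layout and names.
      let embedsSource = false;
      try {
        const map = JSON.parse(content);
        embedsSource = Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean);
      } catch {
        // Not valid JSON: still a shipped .map artifact, treat as the weaker case.
      }
      findings.push({
        path,
        kind: 'map-artifact',
        severity: embedsSource ? 'high' : 'medium',
        cwe: 'CWE-540',
        note: embedsSource
          ? 'map embeds original sources via sourcesContent'
          : 'map exposes file layout and symbol names',
      });
    } else if (BUNDLE_EXT.test(path)) {
      const match = SOURCEMAP_DIRECTIVE.exec(content);
      if (match) {
        // An inline data: URL carries the whole map inside the bundle itself.
        const inline = match[1].startsWith('data:');
        findings.push({
          path,
          kind: 'sourcemap-directive',
          severity: inline ? 'high' : 'medium',
          cwe: 'CWE-540',
          note: inline ? 'inline source map embedded in bundle' : `points at ${match[1]}`,
        });
      }
    }
  }
  // If maps are in the file list and nothing in .npmignore excludes them, the
  // missing rule is the root cause worth reporting alongside the artifacts.
  if (findings.some((f) => f.kind === 'map-artifact') && !npmignoreExcludesMaps(npmignoreText)) {
    findings.push({
      path: '.npmignore',
      kind: 'missing-ignore-rule',
      severity: 'medium',
      cwe: 'CWE-540',
      note: 'no rule excludes *.map from the published package',
    });
  }
  return findings;
}

// Constructed sample of a publish file list (not real package data).
const SAMPLE_FILES = [
  { path: 'dist/index.js', content: 'export const x=1;\n//# sourceMappingURL=index.js.map\n' },
  {
    path: 'dist/index.js.map',
    content: JSON.stringify({
      version: 3,
      sources: ['../src/index.ts'],
      sourcesContent: ['export const x: number = 1;'],
      mappings: 'AAAA',
    }),
  },
  { path: 'dist/index.d.ts.map', content: '{"version":3,"sources":["../src/index.ts"],"mappings":""}' },
  { path: 'README.md', content: '# demo' },
];
const SAMPLE_NPMIGNORE = 'node_modules\n# note: nothing here excludes *.map\n';

for (const f of findSourceMapExposures(SAMPLE_FILES, SAMPLE_NPMIGNORE)) {
  console.log(`[${f.severity}] ${f.cwe} ${f.kind} ${f.path}: ${f.note}`);
}
```

In practice the file list should come from what npm will really pack (for example the listing printed by `npm pack --dry-run`), not from the build configuration, since the incident above shows the configuration can say "disabled" while the artifact still ships.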
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.