Missing .npmignore Source Map Rule
- Entity ID: ent-20260419-b1c2d3e4f5a0
- Type: decision
- Scope: shared
- Status: active
- Aliases: npmignore-gap, second-line-defense-gap, no-map-exclusion
Description
The second line of defense that should have caught the source map leak but was absent: Claude Code's npm publish pipeline had no .npmignore rule (or package.json 'files' exclusion) rejecting .map files. Either the Bun sourcemap fix or an npmignore .map rule alone would have blocked the leak; both were absent simultaneously. The post-incident recommendation elevates a mandatory pre-publish CI gate that runs npm pack --dry-run and fails on any .map file in the artifact. The gap is classified as a latent process defect hidden behind an equally latent bundler bug: a two-factor failure.
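The recommended gate could look like the shell script below, which lists what npm pack --dry-run would ship and fails closed if the listing cannot be produced. This is an added example, not taken from the original record or from any project's actual pipeline; the function names, the --check switch and the script name check-maps.sh are assumptions.

```shell
#!/bin/sh
# Added example: pre-publish gate that fails when the npm artifact contains a .map file.
# Function names and the --check switch are assumptions made for this sketch.

# Print every path from stdin (one per line) that ends in .map, case-insensitively.
list_source_maps() {
    grep -iE '\.map$' || true   # grep exits 1 on "no match"; that is not an error here
}

# Return 0 when the file list on stdin is free of source maps, 1 otherwise.
gate_on_file_list() {
    maps=$(list_source_maps)
    if [ -n "$maps" ]; then
        printf 'publish blocked, source maps in artifact:\n%s\n' "$maps" >&2
        return 1
    fi
    return 0
}

# Ask npm which files the tarball would contain. `npm pack --dry-run --json`
# prints an array of package objects, each with a `files` array of {path, ...}.
pack_file_list() {
    npm pack --dry-run --json 2>/dev/null | node -e '
        const report = JSON.parse(require("fs").readFileSync(0, "utf8"));
        for (const pkg of report) for (const f of pkg.files) console.log(f.path);'
}

# Fail closed: an npm error or an empty listing blocks the publish (exit code 2)
# instead of being read as "no source maps found".
run_gate() {
    files=$(pack_file_list) || { echo 'gate error: npm pack failed' >&2; return 2; }
    [ -n "$files" ] || { echo 'gate error: empty file list' >&2; return 2; }
    printf '%s\n' "$files" | gate_on_file_list
}

# CI usage: sh check-maps.sh --check   (run in the package directory before npm publish)
if [ "${1:-}" = "--check" ]; then
    run_gate
    exit $?
fi
```

Run it as a required CI step ahead of npm publish so that a missing ignore rule or a bundler regression is caught by the artifact check rather than by either upstream control.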
Key claims
- Two-factor failure: either defense alone would have prevented the leak