[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-claude-code-source-map-leak-zh":3,"tags-claude-code-source-map-leak-zh":33,"related-lang-claude-code-source-map-leak-zh":46,"related-posts-claude-code-source-map-leak-zh":50,"series-tools-52c91db3-2295-4dbc-bee5-7ad01a191ae6":87},{"id":4,"title":5,"content":6,"summary":7,"source":8,"source_url":9,"author":10,"image_url":11,"keywords":12,"language":21,"translated_content":10,"views":22,"is_premium":23,"created_at":24,"updated_at":24,"cover_image":11,"published_at":25,"rewrite_status":26,"rewrite_error":10,"rewritten_from_id":27,"slug":28,"category":29,"related_article_id":30,"status":31,"google_indexed_at":32,"x_posted_at":10,"tweet_text":10,"title_rewritten_at":10,"title_original":10,"key_takeaways":10,"topic_cluster_id":10,"embedding":10,"is_canonical_seed":23},"52c91db3-2295-4dbc-bee5-7ad01a191ae6","Claude Code Source Map Leak: What Happened","\u003Cp>59.8 MB. That is not an image, and it is not model weights. It is the source map shipped with \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002F@anthropic-ai\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">@anthropic-ai\u002Fclaude-code\u003C\u002Fa> 2.1.88.\u003C\u002Fp>\u003Cp>Put plainly, the packaging step pushed something that should not have been public up to \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002F\" target=\"_blank\" rel=\"noopener\">npm\u003C\u002Fa>. This was not a server intrusion, and it was not a leak of LLM parameters. The problem is simple, and glaring.\u003C\u002Fp>\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> is Anthropic's terminal-based development tool. It sits close to the repo, the command line and the local environment. When a product like this ships the wrong file, outsiders see not just code but how the product thinks.\u003C\u002Fp>\u003Ch2>What a source map actually leaks\u003C\u002Fh2>\u003Cp>A source map has a perfectly normal purpose. It maps minified JavaScript back to the original source. Developers love it when debugging; it really is useful.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775127825554-v0ol.png\" alt=\"Claude Code Source Map Leak: What Happened\" class=\"rounded-xl w-full\" loading=\"lazy\" 
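\u002F>\u003C\u002Ffigure>\n\u003Cp>But the problem is just as direct. Once you ship a source map in a public package, you may be shipping original function names, file structure, comments, feature flags and even internal paths along with it. Any one of these means little on its own; pieced together they say a lot.\u003C\u002Fp>\u003Cp>The file this time is 59.8 MB. That size is extreme. It usually means a large amount of original source is mapped, not some small utility file.\u003C\u002Fp>\u003Cp>To a developer, a file like this is a cross-section of the product. You can see how it splits modules, how it wraps APIs and how it handles local data flow. Even with no passwords in it, that is a lot of information.\u003C\u002Fp>\u003Cul>\u003Cli>Package: \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002F@anthropic-ai\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">@anthropic-ai\u002Fclaude-code\u003C\u002Fa>\u003C\u002Fli>\u003Cli>Version: 2.1.88\u003C\u002Fli>\u003Cli>File: JavaScript source map\u003C\u002Fli>\u003Cli>Size: 59.8 MB\u003C\u002Fli>\u003Cli>Published to: public \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002F\" target=\"_blank\" rel=\"noopener\">npm\u003C\u002Fa>\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>Why this mistake keeps happening\u003C\u002Fh2>\u003Cp>This kind of thing is usually not a hacker story. It is more like a release process that missed a step. A development-environment setting made its way into the production release flow, and then it went live.\u003C\u002Fp>\u003Cp>Many teams have fallen into this hole. Source maps are turned on for the build and never turned off before publish. Or CI\u002FCD minifies the output but does not filter the files. Both are common, and both are annoying.\u003C\u002Fp>\u003Cp>Anthropic has not publicly explained how the file got in, at least not in the material this article draws on. Still, a 59.8 MB debug artifact showing up in a public package is enough on its own to raise eyebrows.\u003C\u002Fp>\u003Cblockquote>“The most important thing is to build systems that are resilient to human error.” — Satya Nadella\u003C\u002Fblockquote>\u003Cp>The line is old-school, but it fits. People make mistakes. If the process is not strict enough, it delivers those mistakes to the whole world.\u003C\u002Fp>\u003Cp>For AI tool vendors this is even more sensitive, because the users are often engineers. They read diffs, inspect packages and watch release notes. Slipping something past them is not easy.\u003C\u002Fp>\u003Ch2>How this differs from other package leaks\u003C\u002Fh2>\u003Cp>Source map leaks are not rare. The front-end and SDK worlds have seen plenty of them. The difference is that Claude Code is not an ordinary website bundle.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775127834578-f22y.png\" alt=\"Claude Code Source Map Leak: What Happened\" class=\"rounded-xl w-full\" loading=\"lazy\" 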
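\u002F>\u003C\u002Ffigure>\n\u003Cp>It is a developer tool. It touches the local environment, the repo and command execution, and may also involve authentication and telemetry. That makes the leaked content more valuable and more worth examining.\u003C\u002Fp>\u003Cp>If the source map contains module names, the layering of the flow and request-handling logic, outsiders can understand the product architecture far more clearly. This is not just looking at a pretty UI. It is looking at how the tool works.\u003C\u002Fp>\u003Cp>A few points of comparison:\u003C\u002Fp>\u003Cul>\u003Cli>The \u003Ca href=\"https:\u002F\u002Fnextjs.org\u002Fdocs\u002Fadvanced-features\u002Fsource-maps\" target=\"_blank\" rel=\"noopener\">Next.js\u003C\u002Fa> documentation has long reminded users to keep production source maps under control.\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.typescriptlang.org\u002F\" target=\"_blank\" rel=\"noopener\">TypeScript\u003C\u002Fa> and various bundlers often emit map files by default.\u003C\u002Fli>\u003Cli>Tools like \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002F@anthropic-ai\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> are more sensitive because they sit close to the local workflow.\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002F\" target=\"_blank\" rel=\"noopener\">npm\u003C\u002Fa> takes whatever it is given. Whatever you upload, it publishes.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>The point here is not to hype the news. The point is that the product category has changed. AI tools used to look more like cloud services; now many are installable development software. That means accepting the old rules of software release.\u003C\u002Fp>\u003Cp>The old rules are boring but important. The build must be clean, the package must be clean, and the release must be clean. Skip one step and you may add one more public exposure.\u003C\u002Fp>\u003Ch2>How this looks next to competitors\u003C\u002Fh2>\u003Cp>There are many AI tools for developers now. \u003Ca href=\"https:\u002F\u002Fwww.cursor.com\u002F\" target=\"_blank\" rel=\"noopener\">Cursor\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fcodeium.com\u002F\" target=\"_blank\" rel=\"noopener\">Codeium\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwww.jetbrains.com\u002Fai\u002F\" target=\"_blank\" rel=\"noopener\">JetBrains AI\u003C\u002Fa> are all competing for the engineer's desktop. The competition is not only on features but on trust.\u003C\u002Fp>\u003Cp>This incident will not necessarily hurt product functionality directly. But it does affect how engineers perceive release quality. Honestly, what developers hate most is: “You can't even package your own files properly, and you want to write my code?”\u003C\u002Fp>\u003Cp>From a data-exposure standpoint, a source map is usually more troublesome than an ordinary bundle. An ordinary bundle is just minified code. A source map lays much of the original structure out in the open.\u003C\u002Fp>\u003Cp>One way to see the difference:\u003C\u002Fp>\u003Cul>\u003Cli>Ordinary app bundle: mainly exposes execution logic.\u003C\u002Fli>\u003Cli>source 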
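map: may expose original file names and module relationships.\u003C\u002Fli>\u003Cli>Developer tool: may also hint at command flow and how it integrates with the local machine.\u003C\u002Fli>\u003Cli>Public npm package: anyone can download it, no detour needed.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Seen from the business side, the difference is just as clear. When a cloud API has a problem, it is usually about service availability or data security. When an npm package has a problem, it hits engineers' confidence in the supply chain directly.\u003C\u002Fp>\u003Cp>And supply-chain confidence is unforgiving. It does not restore itself just because your model is strong. Every release either builds that trust or spends it.\u003C\u002Fp>\u003Ch2>The incident in industry context\u003C\u002Fh2>\u003Cp>AI tools now look a lot like infrastructure software. They are no longer just chat interfaces. They go into the IDE, the terminal, CI and even local agent workflows.\u003C\u002Fp>\u003Cp>That means the release process has to look more like a traditional software company's. None of the required checks can be skipped: artifact scanning, a file allowlist, separating out source maps, and an artifact review before publish.\u003C\u002Fp>\u003Cp>Many teams used to think of this as the front-end team's job. Not any more. If you have npm, a bundle and a build step, you will run into the same problem.\u003C\u002Fp>\u003Cp>That is also why this incident is worth watching. It is not an isolated slip. It is a reminder that AI products have entered the old battleground of the software supply chain.\u003C\u002Fp>\u003Ch2>What to watch next\u003C\u002Fh2>\u003Cp>If you have \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002F@anthropic-ai\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> installed, start with the version updates and release notes. Check whether 2.1.88 has been pulled, or whether a later version fixes it.\u003C\u002Fp>\u003Cp>If you publish npm packages yourself, go check your build configuration now. See whether source maps are excluded. See whether the publish command ships debug files along with everything else. This is best caught before release, not after someone else catches it for you.\u003C\u002Fp>\u003Cp>My own read is straightforward. The real point this time is not the leak itself but that AI development tools will look more and more like production infrastructure software. That means release quality will come under a magnifying glass. Whoever treats packaging as part of product security is less likely to crash.\u003C\u002Fp>\u003Cp>If you lead a team, I would suggest running a package audit now. If you are a user, do not rush to chase the newest version. See what Anthropic says next, then decide whether to upgrade.\u003C\u002Fp>","Anthropic accidentally shipped a 59.8 MB source map in Claude Code 2.1.88. This was not a server breach but an npm packaging mistake, yet it is enough to show outsiders more of the internal implementation.","venturebeat.com","https:\u002F\u002Fventurebeat.com\u002Ftechnology\u002Fclaude-codes-source-code-appears-to-have-leaked-heres-what-we-know",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775127825554-v0ol.png",[13,14,15,16,17,18,19,20],"Claude Code","source 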
map","npm","Anthropic","資安","套件外洩","開發者工具","JavaScript","zh",1,false,"2026-04-02T11:03:30.403841+00:00","2026-04-02T11:03:30.314+00:00","done","e0479307-0829-4fa5-8a24-46567b383ee0","claude-code-source-map-leak-zh","tools","071985e7-e9fa-4239-9d04-eda172fdbdbd","published","2026-04-08T09:00:52.693+00:00",[34,36,37,38,40,42,43,44],{"name":20,"slug":35},"javascript",{"name":19,"slug":19},{"name":15,"slug":15},{"name":13,"slug":39},"claude-code",{"name":16,"slug":41},"anthropic",{"name":18,"slug":18},{"name":17,"slug":17},{"name":14,"slug":45},"source-map",{"id":30,"slug":47,"title":48,"language":49},"claude-code-source-map-leak-en","Claude Code Source Map Leak: What Happened","en",[51,57,63,69,75,81],{"id":52,"slug":53,"title":54,"cover_image":55,"image_url":55,"created_at":56,"category":29},"d058a76f-6548-4135-8970-f3a97f255446","why-gemini-api-pricing-is-cheaper-than-it-looks-zh","Why Gemini API pricing is actually cheaper than it looks","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778869845081-j4m7.png","2026-05-15T18:30:25.797639+00:00",{"id":58,"slug":59,"title":60,"cover_image":61,"image_url":61,"created_at":62,"category":29},"68e4be16-dc38-4524-a6ea-5ebe22a6c4fb","why-vidhub-huiyuan-hutong-bushi-quan-shebei-tongyong-zh","Why VidHub cross-platform membership is not “buy once, use on every device”","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778789450987-advz.png","2026-05-14T20:10:24.048988+00:00",{"id":64,"slug":65,"title":66,"cover_image":67,"image_url":67,"created_at":68,"category":29},"7a1e174f-746b-4e82-a0e3-b2475ab39747","why-buns-zig-to-rust-experiment-is-right-zh","Why Bun's Zig-to-Rust 
experiment is right","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778767879127-5dna.png","2026-05-14T14:10:26.886397+00:00",{"id":70,"slug":71,"title":72,"cover_image":73,"image_url":73,"created_at":74,"category":29},"e742fc73-5a65-4db3-ad17-88c99262ceb7","why-openai-api-pricing-is-product-strategy-zh","Why OpenAI API pricing is product strategy, not a footnote","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778749859485-chvz.png","2026-05-14T09:10:26.003818+00:00",{"id":76,"slug":77,"title":78,"cover_image":79,"image_url":79,"created_at":80,"category":29},"c757c5d8-eda9-45dc-9020-4b002f4d6237","why-claude-code-prompt-design-beats-ide-copilots-zh","Why Claude Code's prompt design beats IDE copilots","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778742645084-dao9.png","2026-05-14T07:10:29.371901+00:00",{"id":82,"slug":83,"title":84,"cover_image":85,"image_url":85,"created_at":86,"category":29},"4adef3ab-9f07-4970-91cf-77b8b581b348","why-databricks-model-serving-is-right-default-zh","Why Databricks Model Serving is the right default for production inference","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778692245329-a2wt.png","2026-05-13T17:10:30.659153+00:00",[88,93,98,103,108,113,118,123,128,133],{"id":89,"slug":90,"title":91,"created_at":92},"de769291-4574-4c46-a76d-772bd99e6ec9","googles-biggest-gemini-launches-in-2026-zh","A roundup of Google's biggest Gemini launches in 2026","2026-03-26T07:26:39.21072+00:00",{"id":94,"slug":95,"title":96,"created_at":97},"855cd52f-6fab-46cc-a7c1-42195e8a0de4","surepath-real-time-mcp-policy-controls-zh","SurePath launches real-time MCP policy controls","2026-03-26T07:57:40.77233+00:00",{"id":99,"slug":100,"title":101,"created_at":102},"9b19ab54-edef-4dbd-9ce4-a51e4bae4ebb","mcp-in-2026-the-ai-tool-layer-teams-use-zh","MCP in 2026: the AI 
tool layer teams actually use","2026-03-26T08:01:46.589694+00:00",{"id":104,"slug":105,"title":106,"created_at":107},"af9c46c3-7a28-410b-9f04-32b3de30a68c","prompting-in-2026-what-actually-works-zh","Prompt engineering in 2026: what actually works","2026-03-26T08:08:12.453028+00:00",{"id":109,"slug":110,"title":111,"created_at":112},"05553086-6ed0-4758-81fd-6cab24b575e0","garry-tan-open-sources-claude-code-toolkit-zh","Garry Tan open-sources a Claude Code toolkit","2026-03-26T08:26:20.068737+00:00",{"id":114,"slug":115,"title":116,"created_at":117},"042a73a2-18a2-433d-9e8f-9802b9559aac","github-ai-projects-to-watch-in-2026-zh","20 must-watch GitHub AI projects for 2026","2026-03-26T08:28:09.619964+00:00",{"id":119,"slug":120,"title":121,"created_at":122},"a5f94120-ac0d-4483-9a8b-63590071ac6a","claude-code-vs-cursor-2026-zh","Claude Code vs. Cursor in depth: 202…","2026-03-26T13:27:14.279193+00:00",{"id":124,"slug":125,"title":126,"created_at":127},"0975afa1-e0c7-4130-a20d-d890eaed995e","practical-github-guide-learning-ml-2026-zh","A practical GitHub guide to getting started with machine learning in 2026","2026-03-27T01:16:49.712576+00:00",{"id":129,"slug":130,"title":131,"created_at":132},"bfdb467a-290f-4a80-b3a9-6f081afb6dff","aiml-2026-student-ai-ml-lab-repo-review-zh","AIML-2026: a student lab repo that reads like a syllabus","2026-03-27T01:21:51.467798+00:00",{"id":134,"slug":135,"title":136,"created_at":137},"80cabc3e-09fc-4ff5-8f07-b8d68f5ae545","ai-trending-github-repos-and-research-feeds-zh","AI Trending: AI resources collected into one table","2026-03-27T01:31:35.262183+00:00"]