Claude Code Source Leaked via npm Source Maps: Lessons for Every DevOps Team
Anthropic accidentally shipped a 59.8 MB source map in version 2.1.88 of the Claude Code npm package, exposing 512,000+ lines of TypeScript source across 1,900 files. This was the second such incident, with a similar leak occurring in February 2025. The post explains what was exposed (CLI architecture, agent logic, prompt patterns, unreleased features) and what was not (model weights, user data, secrets). It provides concrete prevention steps for DevOps teams: using the `files` whitelist in package.json, disabling source maps in production builds, running `npm pack --dry-run` in CI to catch unwanted files, adding pipeline checks for Docker images via multi-stage builds, and enabling npm provenance. The key lesson from Claude Code's creator Boris Cherny is to automate the fix in the pipeline rather than adding manual checklist steps that humans will eventually miss.
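The `npm pack --dry-run` check described above can be turned into a hard CI gate, shown here as an added example that is not code from the original post or from Anthropic. The script name `check-pack.js`, the allowed paths and the size budget are assumptions; the sample manifest is constructed in the shape `npm pack --dry-run --json` prints.

```javascript
// Added example: audits the file list from `npm pack --dry-run --json`. Policy values are assumptions.
const POLICY = {
  allowedPrefixes: ['dist/', 'bin/'],                   // mirrors "files" in package.json
  allowedRootFiles: ['package.json', 'README.md', 'LICENSE'],
  forbidden: [/\.map$/i, /\.tsx?$/i, /(^|\/)\.env(\.|$)/, /(^|\/)\.npmrc$/],
  maxFileBytes: 5 * 1024 * 1024,                        // flags unusually large single files
};

// Returns a list of human-readable violations; an empty list means the tarball passes.
function auditPackManifest(packJson, policy = POLICY) {
  const violations = [];
  for (const pkg of packJson) {
    for (const { path, size } of pkg.files) {
      const declaration = /\.d\.[cm]?ts$/i.test(path);  // type declarations are meant to ship
      if (!declaration && policy.forbidden.some((re) => re.test(path))) {
        violations.push(`${path}: forbidden file type`);
      }
      const allowed = policy.allowedRootFiles.includes(path) ||
        policy.allowedPrefixes.some((p) => path.startsWith(p));
      if (!allowed) violations.push(`${path}: outside allowed paths`);
      if (size > policy.maxFileBytes) violations.push(`${path}: ${size} bytes exceeds budget`);
    }
  }
  return violations;
}
// Constructed sample in the shape npm prints for `npm pack --dry-run --json`.
const SAMPLE_PACK_JSON = [{
  name: 'example-cli', version: '0.0.0',
  files: [
    { path: 'package.json', size: 612 },
    { path: 'dist/cli.js', size: 1843200 },
    { path: 'dist/cli.d.ts', size: 2048 },
    { path: 'dist/cli.js.map', size: 59800000 },
    { path: 'src/agent.ts', size: 40960 },
  ],
}];

// CI mode: npm pack --dry-run --json | node check-pack.js --stdin
if (process.argv.includes('--stdin')) {
  let raw = '';
  process.stdin.on('data', (chunk) => { raw += chunk; });
  process.stdin.on('end', () => {
    const found = auditPackManifest(JSON.parse(raw));
    found.forEach((v) => console.error(`BLOCKED ${v}`));
    process.exit(found.length ? 1 : 0);
  });
} else {
  console.log(auditPackManifest(SAMPLE_PACK_JSON));
}
```

Run as a required step before `npm publish`, a non-zero exit stops the release without relying on anyone reading the dry-run output.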