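[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-claude-code-source-map-leak-zh":3,"article-related-claude-code-source-map-leak-zh":28,"series-tools-52c91db3-2295-4dbc-bee5-7ad01a191ae6":83},{"id":4,"slug":5,"title":6,"content":7,"summary":8,"source":9,"source_url":10,"author":11,"image_url":12,"cover_image":12,"category":13,"language":14,"translated_content":11,"related_article_id":15,"keywords":16,"key_takeaways":11,"views":25,"created_at":26,"published_at":27,"topic_cluster_id":11},"52c91db3-2295-4dbc-bee5-7ad01a191ae6","claude-code-source-map-leak-zh","What Happened in the Claude Code Source Map Leak",
"\u003Cp>59.8 MB. That is not an image, and it is not model weights. It is the source map that shipped with \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002F@anthropic-ai\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">@anthropic-ai\u002Fclaude-code\u003C\u002Fa> 2.1.88.\u003C\u002Fp>\u003Cp>Put plainly, something that should not have been public was bundled into the package and pushed to \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002F\" target=\"_blank\" rel=\"noopener\">npm\u003C\u002Fa>. This was not a server intrusion, and no LLM parameters leaked. The problem is simple, but glaring.\u003C\u002Fp>\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> is Anthropic's terminal-based development tool. It sits close to the repo, the command line and the local environment. When a product like this ships the wrong file, outsiders see not only code but also how the product reasons about its work.\u003C\u002Fp>\u003Ch2>What a source map actually leaks\u003C\u002Fh2>\u003Cp>A source map has a perfectly legitimate purpose. It maps minified JavaScript back to the original source. Developers love it when debugging because it is genuinely useful.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775127825554-v0ol.png\" alt=\"What Happened in the Claude Code Source Map Leak\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>The problem is just as direct. Once a source map goes into a public package, original function names, file structure, comments, feature flags and even internal paths can go out with it. Any one of these is minor on its own; pieced together they reveal a lot.\u003C\u002Fp>\u003Cp>The file in this case is 59.8 MB. That is a striking size. It usually means a large amount of original source is mapped, not some small utility file.\u003C\u002Fp>\u003Cp>For a developer, a file like this is a cross-section of the product. You can see how it is split into modules, how it wraps APIs and how it handles local data flow. Even with no passwords in it, that is a lot of information.\u003C\u002Fp>\u003Cul>\u003Cli>Package: \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002F@anthropic-ai\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">@anthropic-ai\u002Fclaude-code\u003C\u002Fa>\u003C\u002Fli>\u003Cli>Version: 2.1.88\u003C\u002Fli>\u003Cli>File: JavaScript source map\u003C\u002Fli>\u003Cli>Size: 59.8 MB\u003C\u002Fli>\u003Cli>Published to: public \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002F\" target=\"_blank\" rel=\"noopener\">npm\u003C\u002Fa>\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>Why this mistake keeps happening\u003C\u002Fh2>\u003Cp>This kind of thing is usually not a hacker story. It is more like a release process that skipped a step. A development-environment setting found its way into the production release flow, and then it shipped.\u003C\u002Fp>\u003Cp>Plenty of teams have hit this. Source maps are turned on for the build and never turned off before publish. Or CI\u002FCD minifies the code but does no file filtering. Both are common, and both are annoying.\u003C\u002Fp>\u003Cp>Anthropic has not publicly explained how the file got in, at least not in the material this article draws on. Still, a 59.8 MB debug artifact in a public package is enough on its own to raise eyebrows.\u003C\u002Fp>\u003Cblockquote>“The most important thing is to build systems that are resilient to human error.” — Satya Nadella\u003C\u002Fblockquote>\u003Cp>The line is old-school, but it fits. People make mistakes. If the process is not strict enough, it delivers those mistakes to the whole world.\u003C\u002Fp>\u003Cp>For AI tool vendors this is more sensitive still, because the users are often engineers. They read diffs, inspect packages and watch release notes. Slipping something past them is not easy.\u003C\u002Fp>\u003Ch2>How this differs from other package leaks\u003C\u002Fh2>\u003Cp>Source map leaks are not rare. The front-end and SDK worlds have seen plenty of them. The difference is that Claude Code is not an ordinary website bundle.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775127834578-f22y.png\" alt=\"What Happened in the Claude Code Source Map Leak\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>It is a developer tool. It touches the local environment, the repo and command execution, and may involve authentication and telemetry. That makes the leaked content more valuable and more worth examining.\u003C\u002Fp>\u003Cp>If the source map contains module names, flow layering and request-handling logic, outsiders can understand the product architecture much more clearly. This is not just looking at a nice UI. It is looking at how the tool works.\u003C\u002Fp>\u003Cp>A few points of comparison:\u003C\u002Fp>\u003Cul>\u003Cli>The \u003Ca href=\"https:\u002F\u002Fnextjs.org\u002Fdocs\u002Fadvanced-features\u002Fsource-maps\" target=\"_blank\" rel=\"noopener\">Next.js\u003C\u002Fa> documentation has long reminded users to keep production source maps under control.\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.typescriptlang.org\u002F\" target=\"_blank\" rel=\"noopener\">TypeScript\u003C\u002Fa> and various bundlers often emit map files by default.\u003C\u002Fli>\u003Cli>Tools like \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002F@anthropic-ai\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> are more sensitive because they sit close to the local workflow.\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002F\" target=\"_blank\" rel=\"noopener\">npm\u003C\u002Fa> accepts whatever it is given. Whatever you upload, it publishes.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>The point here is not to hype the news. The point is that the product category has changed. AI tools used to look more like cloud services; now many are installable development software. That means living by the old rules of software release.\u003C\u002Fp>\u003Cp>The old rules are boring but important. The build must be clean, the package must be clean, and the release must be clean too. One missed step can mean one more public exposure.\u003C\u002Fp>\u003Ch2>How this looks next to competitors\u003C\u002Fh2>\u003Cp>There are many AI tools for developers now. \u003Ca href=\"https:\u002F\u002Fwww.cursor.com\u002F\" target=\"_blank\" rel=\"noopener\">Cursor\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fcodeium.com\u002F\" target=\"_blank\" rel=\"noopener\">Codeium\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwww.jetbrains.com\u002Fai\u002F\" target=\"_blank\" rel=\"noopener\">JetBrains AI\u003C\u002Fa> are all competing for the engineer's desktop. They compete not only on features but also on trust.\u003C\u002Fp>\u003Cp>This incident will not necessarily hurt product functionality directly, but it does affect how engineers perceive release quality. Honestly, what developers dislike most is the thought: “You cannot even package your own files properly, and you want to write my code?”\u003C\u002Fp>\u003Cp>From a data-risk perspective, a source map is usually more troublesome than an ordinary bundle. An ordinary bundle is just minified code. A source map lays much of the original structure open.\u003C\u002Fp>\u003Cp>The differences can be summarized this way:\u003C\u002Fp>\u003Cul>\u003Cli>Ordinary app bundle: mainly exposes execution logic.\u003C\u002Fli>\u003Cli>Source map: may expose original file names and module relationships.\u003C\u002Fli>\u003Cli>Developer tool: may also hint at command flow and how it integrates with the local machine.\u003C\u002Fli>\u003Cli>Public npm package: anyone can download it, with no detour required.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Seen from the business side, the difference is just as clear. When a cloud API has a problem, it is usually about service availability or data security. When an npm package has a problem, it hits engineers' confidence in the supply chain directly.\u003C\u002Fp>\u003Cp>And supply-chain confidence is unforgiving. It does not recover automatically because your model is strong. Every release either builds that trust or spends it.\u003C\u002Fp>\u003Ch2>The incident in industry context\u003C\u002Fh2>\u003Cp>AI tools now look a lot like foundational software. They are no longer just chat interfaces. They go into the IDE, the terminal, CI and even local agent workflows.\u003C\u002Fp>\u003Cp>That means the release process has to look more like a traditional software company's. None of the required checks can be skipped: artifact scanning, file allowlists, routing source maps separately, and an artifact review before publish.\u003C\u002Fp>\u003Cp>Many teams used to think of these as the front-end team's concern. Not any more. If you have npm, a bundle and a build step, you will run into the same problem.\u003C\u002Fp>\u003Cp>That is also why this incident is worth watching. It is not an isolated slip. It is a reminder that AI products have entered the old battleground of the software supply chain.\u003C\u002Fp>\u003Ch2>What to watch next\u003C\u002Fh2>\u003Cp>If you have \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002F@anthropic-ai\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> installed, start with the version updates and release notes. Check whether 2.1.88 has been pulled, or whether a later version fixes it.\u003C\u002Fp>\u003Cp>If you publish npm packages yourself, go check your build configuration now. See whether source maps are excluded. See whether the publish command sends debug files along. This is best caught before release, not after someone else catches it for you.\u003C\u002Fp>\u003Cp>My own read is straightforward. The real point this time is not the leak itself, but that AI development tools will increasingly resemble production-grade foundational software. That means release quality will be examined under a magnifying glass. Whoever treats packaging as part of product security is less likely to crash.\u003C\u002Fp>\u003Cp>If you lead a team, I would suggest running a package audit now. If you are a user, do not rush to chase the newest version. See what Anthropic says next, then decide whether to upgrade.\u003C\u002Fp>",
"Anthropic accidentally shipped a 59.8 MB source map in Claude Code 2.1.88. This was not a server breach but an npm packaging mistake, yet it is enough to show outsiders more of the internal implementation details.","venturebeat.com","https:\u002F\u002Fventurebeat.com\u002Ftechnology\u002Fclaude-codes-source-code-appears-to-have-leaked-heres-what-we-know",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775127825554-v0ol.png","tools","zh","071985e7-e9fa-4239-9d04-eda172fdbdbd",[17,18,19,20,21,22,23,24],"Claude Code","source 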
map","npm","Anthropic","資安","套件外洩","開發者工具","JavaScript",7,"2026-04-02T11:03:30.403841+00:00","2026-04-02T11:03:30.314+00:00",{"tags":29,"relatedLang":42,"relatedPosts":46},[30,32,33,34,36,38,39,40],{"name":24,"slug":31},"javascript",{"name":23,"slug":23},{"name":19,"slug":19},{"name":17,"slug":35},"claude-code",{"name":20,"slug":37},"anthropic",{"name":22,"slug":22},{"name":21,"slug":21},{"name":18,"slug":41},"source-map",{"id":15,"slug":43,"title":44,"language":45},"claude-code-source-map-leak-en","Claude Code Source Map Leak: What Happened","en",[47,53,59,65,71,77],
{"id":48,"slug":49,"title":50,"cover_image":51,"image_url":51,"created_at":52,"category":13},"9816974a-8337-447e-9b37-0872c5d2ceb9","rigmodels-free-sora-3d-models-zh","RigModels Offers 54 Free Sora 3D Models","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780609680630-4fz6.png","2026-06-04T21:47:30.947861+00:00",
{"id":54,"slug":55,"title":56,"cover_image":57,"image_url":57,"created_at":58,"category":13},"d55eb067-d6c5-4f0b-9374-9504ac61e00e","denver-hail-map-209-spotter-reports-zh","Denver Hail Map Logs 209 Reports","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780602477218-8rz6.png","2026-06-04T19:47:24.175663+00:00",
{"id":60,"slug":61,"title":62,"cover_image":63,"image_url":63,"created_at":64,"category":13},"91822854-0010-478e-b70c-6a624d039703","cloudflare-turns-startup-traffic-into-a-moat-zh","Cloudflare Turns Traffic into a Moat","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780590804649-xc2z.png","2026-06-04T16:32:50.96702+00:00",
{"id":66,"slug":67,"title":68,"cover_image":69,"image_url":69,"created_at":70,"category":13},"6ea3977e-ea7f-4d71-9472-08b512f81593","ai-code-review-tools-catch-hard-bugs-zh","AI Code Review Helps You Catch Hard Bugs","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780582701702-jnoi.png","2026-06-04T14:17:50.313258+00:00",
{"id":72,"slug":73,"title":74,"cover_image":75,"image_url":75,"created_at":76,"category":13},"0342ff17-feea-4e43-81ff-d12c43cc93c0","claude-partner-network-learning-path-launches-zh","Claude Partner Course Launches","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780578178111-1za9.png","2026-06-04T13:02:27.319581+00:00",
{"id":78,"slug":79,"title":80,"cover_image":81,"image_url":81,"created_at":82,"category":13},"1a92ac0a-75ea-4877-874d-4a309cd0085b","nvidia-research-gpu-template-zh","NVIDIA Research Page Turns GPU Resources into Templates","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780567412863-e8oq.png","2026-06-04T10:02:58.043845+00:00",
[84,89,94,99,104,109,114,119,124,129],
{"id":85,"slug":86,"title":87,"created_at":88},"855cd52f-6fab-46cc-a7c1-42195e8a0de4","surepath-real-time-mcp-policy-controls-zh","SurePath Launches Real-Time MCP Policy Controls","2026-03-26T07:57:40.77233+00:00",
{"id":90,"slug":91,"title":92,"created_at":93},"9b19ab54-edef-4dbd-9ce4-a51e4bae4ebb","mcp-in-2026-the-ai-tool-layer-teams-use-zh","MCP in 2026: The AI Tool Layer Teams Actually Use","2026-03-26T08:01:46.589694+00:00",
{"id":95,"slug":96,"title":97,"created_at":98},"af9c46c3-7a28-410b-9f04-32b3de30a68c","prompting-in-2026-what-actually-works-zh","Prompt Engineering in 2026: What Actually Works","2026-03-26T08:08:12.453028+00:00",
{"id":100,"slug":101,"title":102,"created_at":103},"05553086-6ed0-4758-81fd-6cab24b575e0","garry-tan-open-sources-claude-code-toolkit-zh","Garry Tan Open-Sources a Claude Code Toolkit","2026-03-26T08:26:20.068737+00:00",
{"id":105,"slug":106,"title":107,"created_at":108},"042a73a2-18a2-433d-9e8f-9802b9559aac","github-ai-projects-to-watch-in-2026-zh","20 Must-See GitHub AI Projects for 2026","2026-03-26T08:28:09.619964+00:00",
{"id":110,"slug":111,"title":112,"created_at":113},"a5f94120-ac0d-4483-9a8b-63590071ac6a","claude-code-vs-cursor-2026-zh","Claude Code vs. Cursor In-Depth Comparison: 202…","2026-03-26T13:27:14.279193+00:00",
{"id":115,"slug":116,"title":117,"created_at":118},"0975afa1-e0c7-4130-a20d-d890eaed995e","practical-github-guide-learning-ml-2026-zh","A Practical GitHub Guide to Getting Started with Machine Learning in 2026","2026-03-27T01:16:49.712576+00:00",
{"id":120,"slug":121,"title":122,"created_at":123},"bfdb467a-290f-4a80-b3a9-6f081afb6dff","aiml-2026-student-ai-ml-lab-repo-review-zh","AIML-2026: A Student Lab Repo That Reads Like a Syllabus","2026-03-27T01:21:51.467798+00:00",
{"id":125,"slug":126,"title":127,"created_at":128},"80cabc3e-09fc-4ff5-8f07-b8d68f5ae545","ai-trending-github-repos-and-research-feeds-zh","AI Trending: AI Resources Collected into One Table","2026-03-27T01:31:35.262183+00:00",
{"id":130,"slug":131,"title":132,"created_at":133},"3ce6e6e2-bac5-463e-9f8d-45caabcc61f7","awesome-ai-for-science-research-tools-map-zh","The AI-for-Science Tools List Is Starting to Look Like a Map","2026-03-27T01:46:50.521945+00:00"]