Margin Notes
A privacy-first analytics dashboard built as a single-page app. The production bundle ships with something the build pipeline forgot to strip.
The Scenario
Margin Notes is a cookie-free web analytics tool used by independent publishers and product teams who don't want to feed visitor data to ad networks. The dashboard is a compact SPA that loads one minified bundle and talks to a small JSON API. The most recent deploy shipped straight from the CI runner without the usual production flag — something downstream of the bundler is now visible to anyone who looks.
Challenge Intel
Synopsis
A deployed SPA bundle ships its sourcemap alongside the minified file, which reveals an unlinked diagnostic route.
What It Is
The Express server serves a pre-built SPA from /public. The bundle at /assets/app.min.js loads normally, but the CI pipeline also published /assets/app.min.js.map alongside it. The minified file ends with the standard //# sourceMappingURL=app.min.js.map comment. Loading the map in dev tools (or simply fetching it directly) restores the readable source, which contains a diagnostic constant DIAG_ROUTE = "/console/v2/diag". That route is live on the server but unlinked from any UI; hitting it returns the contents of the FLAG environment variable.
Who It's For
Players comfortable with browser dev tools who haven't yet practiced reversing a deployed bundle from its sourcemap.
Skills You'll Practice
- Spotting the //# sourceMappingURL trailer in a minified bundle
- Reconstructing original source from a published .js.map
- Finding unlinked routes from recovered source
What You'll Gain
- A concrete reason to gate sourcemap publication behind a production flag
- Practice walking from a static asset leak to a live unauthenticated endpoint
Ready to hack Margin Notes?
Upgrade to Pro to unlock this challenge and the full library.