hackgdl.exe

    Turrón track

                
workshop.exe

Unpacking the Bundle - Weaponizing Webpack & Source Maps for Critical Info Disclosure

José Emiliano Pérez
Penetration Tester / Red Teamer

Modern Single Page Applications (SPAs) rely heavily on bundlers like Webpack, Vite, and Parcel to package dependencies and business logic. However, the transition from development to production can leave sensitive information behind, leading to information disclosure. In this workshop, I will dissect the internal structure of JavaScript bundles and the associated Source Map standard. We will look specifically at how the devtool configuration in webpack.config.js impacts the final artifact and why developers frequently leave full source recovery enabled by mistake.
