App Store web has exposed all its source code
Accidental exposure and quick takedown
- The new web App Store briefly shipped production sourcemaps, effectively exposing its full frontend source.
- Commenters report Apple removed the sourcemaps within hours; GitHub repos mirroring the code were DMCA’d, including the entire fork network.
- Mirrors exist in software archives, but several people who grabbed it say the code is “not very interesting.”
Sourcemaps: purpose, learning, and risk
- One camp argues sourcemaps “should be enabled” in production to aid learning and introspection, echoing the old “view source” culture.
- Others insist sourcemaps are for debugging: mapping minified/transpiled bundles back to real source for usable stack traces, especially when shipping small bundles.
- Concerns are raised that sourcemaps can reveal business logic, shared server/client code, or vulnerabilities; others counter that motivated reverse‑engineers can already de-minify code and that exposing source doesn’t make it “open source.”
- Some say sourcemaps in prod are fine unless you specifically need code obfuscation.
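A pre-deploy check for the exposure discussed in this section, as an added example that is not code from the thread or from Apple: it scans a build output for `sourceMappingURL` references, shipped `.map` files and inline maps, and reports whether a map embeds original source through `sourcesContent`. The in-memory build, its file names and the `describeMap`/`auditBuild` helpers are hypothetical.

```javascript
// Constructed sample build output (path -> contents); not taken from any real site.
const inlineMap = Buffer.from(JSON.stringify(
  { version: 3, sources: ["a.ts"], sourcesContent: ["let a = 1;"], mappings: "" })).toString("base64");
const sampleBuild = {
  "assets/app.js": "console.log(1);\n//# sourceMappingURL=app.js.map\n",
  "assets/app.js.map": JSON.stringify({ version: 3, sources: ["../src/checkout.ts"],
    sourcesContent: ["export const price = 1;"], mappings: "AAAA" }),
  "assets/vendor.js": "console.log(2);\n",
  "assets/inline.js": "console.log(3);\n//# sourceMappingURL=data:application/json;base64," + inlineMap + "\n",
  "assets/style.css": "body{}\n/*# sourceMappingURL=style.css.map */\n",
};

// Matches the JS (//# ...) and CSS (/*# ... */) forms of the sourcemap comment.
const REF = /(?:\/\/|\/\*)[#@]\s*sourceMappingURL=(\S+?)\s*(?:\*\/)?\s*$/m;

// Summarise a map: how many sources it names and whether it carries their full text.
function describeMap(json) {
  try {
    const map = JSON.parse(json);
    const embedsSource = Array.isArray(map.sourcesContent) &&
      map.sourcesContent.some((s) => typeof s === "string");
    return { sources: (map.sources || []).length, embedsSource };
  } catch { return null; } // not a JSON sourcemap
}

// Return one finding per artifact that would expose original source if deployed.
function auditBuild(files) {
  const findings = [];
  for (const [path, body] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      const info = describeMap(body);
      if (info) findings.push({ path, kind: "map-file", ...info });
      continue;
    }
    const ref = REF.exec(body);
    if (!ref) continue;
    if (ref[1].startsWith("data:")) {
      // Assumes a base64 data URI; other encodings are still reported, without details.
      const b64 = ref[1].slice(ref[1].indexOf(",") + 1);
      const info = describeMap(Buffer.from(b64, "base64").toString("utf8"));
      findings.push({ path, kind: "inline-map", ...(info || {}) });
    } else {
      const target = path.replace(/[^/]*$/, "") + ref[1];
      findings.push({ path, kind: "map-reference", target, shipped: target in files });
    }
  }
  return findings;
}
console.log(auditBuild(sampleBuild)); // a CI gate would fail the deploy on any finding
```

A `map-reference` with `shipped: false` still matters: the comment tells anyone reading the bundle where the map would live, so teams that keep maps for stack traces usually upload them to their error tracker and strip both the file and the comment from the public build.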
Tech stack: Svelte and JS‑driven UIs
- People are surprised and excited that the App Store is built with Svelte; Apple Music and Podcasts’ web versions are also reported to use Svelte, with earlier iterations on Ember.
- Broader discussion notes heavy use of JavaScript UI stacks across platforms (React Native in parts of the Windows 11 Start menu, GNOME JS, KDE/QML, React in parts of macOS Settings).
- Opinions split: some like HTML/CSS/JS as the most familiar, well-documented cross‑platform GUI; others criticize web engines as bloated, layout‑heavy, and ill‑suited compared to native UI frameworks.
Performance and SPA UX debates
- Several users find apps.apple.com “slow” with 1–2s navigation delays; others say it’s snappy even on old hardware.
- Critique of SPA patterns: routers often wait for all data before showing the new route, causing perceived slowness.
- Big subthread on skeleton loaders vs spinners/blank pages:
  - Pro‑skeleton: reduce layout shifts, give immediate feedback, allow partial interaction as data streams in.
  - Anti‑skeleton: feel deceptive, add distraction, can break scrolling, and mask sloppy layout design; some prefer honest blank states or simple spinners.
Code quality and interest
- Some expected Apple‑grade polish but describe the App Store Connect backend/frontend as surprisingly poor and incoherent compared to historically admired Apple code.
- Others note parts of the exposed codebase looked clean, with systematic use of intents and dependency injection.
Legal / DMCA discussion
- Debate over whether DMCA takedown is appropriate when the code was publicly served:
  - One side calls it inappropriate or “entrapment.”
  - Another points out that public availability doesn’t grant redistribution rights; copyright still applies, and DMCA is the standard mechanism.