Sourcemap Explorer
Add to Chrome
Free · No sign-up · Two tools, one extension

Learn from real-world frontends. Unzip their source and see their stack.

A browser extension that detects exposed JavaScript sourcemaps, rebuilds the original project tree into a single .zip, and identifies every framework, library, hosting provider and CMS plugin running on the page. All locally, no backend.

Add to Chrome — it's freeSee how it works

Works on Chromium-based browsers. Firefox support coming soon.

The problem

Every site ships its code to your browser. Good luck reading it or knowing what it's made of.

Modern frontends are compiled, minified, and hashed into oblivion before they hit your browser. Even when the team ships sourcemaps, nobody gives you the tools to actually read them — or to tell the site's real stack apart from the trackers running on top.

Minified soup

You open DevTools and stare at `a.b=c.d(e,f)`. Readable code is nowhere.

Hashed everything

Filenames like `main-9a7f2c.js` hide the structure. Good luck mapping features to files.

Framework abstractions

React, Vue, Svelte — the thing the browser runs is nothing like the thing the team wrote.

DevTools only go so far

Pretty-print helps line wrapping. It does not restore the project tree you wanted to study.

Docs lie, code doesn't

Blog posts explain what a team aspired to ship. Production bundles show what actually runs.

Closed-source, open output

Most companies ship sourcemaps by accident. The knowledge is already public — you just can't read it.

Stack-guessing is a wild west

`<meta name="generator">` lies, script names are hashed, and SPAs time out most scanners. You infer the stack from a blog post screenshot.

Your tracker is not your stack

Detectors look at every `<script src>` and happily report GTM's internals as the site's stack. A page with a pixel suddenly 'uses' lodash.

The answer

Their sourcemap is your syllabus. Sourcemap Explorer finds it, rebuilds the original tree, and — in the same popup — tells you the exact framework, library and CMS plugin versions behind the page.

Two tools, one extension

A file reader and a fingerprint scanner — sharing the same sourcemap pipeline.

Install once. The Files tab reconstructs the project; the Stack tab identifies the tech behind it. Both work on every site you visit, both run entirely in your browser.

Tool 01

Sourcemap inspector

Find exposed JavaScript sourcemaps, rebuild the original project tree, and export it as a single .zip.

  • Detects SourceMap / X-SourceMap headers + Range-request probe
  • Rebuilds the original src/ tree, deduplicated across bundles
  • Exports a single .zip — no backend, nothing uploaded
  • eTLD+1 grouping: subdomains and CDNs roll up under one project
Tool 02

Tech-stack detector

Wappalyzer-grade fingerprinting, amplified by the sourcemap data we already have in memory.

  • Vendored enthec/webappanalyzer DB — 111 categories, thousands of techs
  • Exact versions pulled from package.json inside sourcemaps
  • Enumerates WordPress plugins and themes by /wp-content/ slug
  • Ad-hoc npm packages auto-validated against the registry
What it looks like

Two tools, one popup, zero friction.

The whole product fits in your toolbar. A Files tab for the reconstructed project, a Stack tab for the tech behind the page — and a single download button.

Icon lights up

The toolbar icon turns green the instant a sourcemap is detected on the site you're browsing.

143 files

Virtual file tree

A single click opens the popup — every source file discovered, deduped, merged across bundles.

.zip

One-click .zip

Download the full project tree and open it in your editor. No sign-up, no backend, nothing uploaded.

FilesStack 24WEB FRAMEWORKNext.js14.2.3JAVASCRIPTReact18.2.0HOSTINGVercelCSSTailwind CSS3.4.1UIshadcn/ui

Stack tab, same popup

Switch tabs to see every framework, library, CMS, hosting provider and build tool the page ships — with confidence bars and category grouping.

package.json{"name":"react","version":"18.2.0""main":"index.js","deps": {…}}react18.2.0from node_modules/react/package.json

Exact versions from sourcemaps

When a sourcemap bundles `node_modules/<pkg>/package.json`, we parse it and show the precise semver instead of guessing from a minified URL.

example.comNext.jsReactVercelTailwindGTMPixelGAThird-party scripts never reach the site's stack

Trackers stay out of the stack

A curated block list of tracker/analytics/ads hosts means GTM, Pixel and GA never contribute their internal libraries to the current site's stack.

How it works

Four steps, most of them we handle for you.

You browse, the extension reads the sourcemaps and fingerprints in the background, the popup shows you what it found.

01

Install

Add the extension from the Chrome Web Store. Zero configuration.

02

Browse

Visit any site you'd like to study. We scan every script the page loads.

03

Preview

Click the icon to open the popup: Files tab shows the reconstructed project tree, Stack tab lists every framework, library and CMS plugin detected.

04

Download

One click exports a .zip mirroring the original project, ready to open in your editor. Copy the stack summary to paste into a doc or issue.

Features

Small surface area, serious engineering under the hood.

Every optimization exists because a real site broke the naive version. Eight systems covering the sourcemap pipeline and the stack detector. Click any row to dig in.

Detection edge

Where Wappalyzer-class tools fall short, our sourcemap layer picks up.

Same fingerprint schema, much of the same data. The difference is everything we read once the maps are in memory — original source, package.json, import graph.

Version accuracy

Regex guessing on minified URLs, often just a major.

Exact semver pulled from package.json inside the sourcemap.

WordPress plugins & themes

'WordPress detected' and that's it.

Full plugin + theme enumeration by /wp-content/<slug>/ folder.

Libraries missing from their DB

Silently ignored.

Auto-reported as ad-hoc after an npm registry check, cached 30 days.

Trackers polluting results

GTM / Pixel / GA internals show up as the site's own stack.

Third-party hosts isolated — trackers never contribute to the host.

Libraries hidden by bundlers

Invisible at runtime, so invisible to the detector.

Matched against node_modules/**, imports, and original source content.

DOM false positives (PayPal, Apple Sign-in, CAS)

Any page with a matching selector fires the rule.

Object-form DOM rules with attribute/text constraints are skipped unless strictly verifiable.

Privacy & performance

Nothing leaves your browser that doesn't need to. Nothing runs when the page still does.

Two non-negotiables baked into the codebase from day one: no backend, and no overhead on page load.

Privacy

Everything happens in your browser. The extension has no backend — not for storage, not for telemetry, not for analytics, not for error reporting. There is nothing to sign up for.

Complete list of outbound requests

  • .js / .css / .map fetched from the site you're already browsing — needed to parse sourcemaps.
  • Anonymous HEAD to registry.npmjs.org to confirm an extracted package name exists. No cookies, no referrer, credentials: "omit". Only the package name is sent, results cached locally for 30 days.

That's the whole network footprint.

Performance

Zero overhead on page load. Heavy work — sourcemap fetching, DOM harvesting, stack detection — is deferred until load + requestIdleCallback, queued per-tab behind the first user gesture.

  • Range requests read the last 4 KB of each script first. 99% of files never get downloaded in full.
  • Lazy storage hydration: per-eTLD+1 index, only the bundles for the current site are loaded into memory.
  • Popup expedite: open the popup before the queue drains and pending work is flushed immediately.
  • Anti-flicker stack: detection merges monotonically — you never see a half-empty tab flash to empty then refill.
Reliability

Signal over noise. The detector ships with its own safety rails.

Every false positive we've seen in the wild is addressed at the rule-engine level — not papered over with confidence thresholds.

npm-verified ad-hoc

Every package found outside the built-in rule set is checked against the npm registry (anonymous HEAD) before it shows up. Bundler aliases and private monorepo packages stay filtered. Results cached 30 days.

Third-party isolation

A curated list of ~90 tracker / analytics / ads / embed hosts — GA, GTM, Pixel, Hotjar, reCAPTCHA, Stripe Checkout, YouTube embeds — never contribute their internal libraries to the current site's stack.

Transitive skip list

Known internals like goober (bundled by react-hot-toast) are hidden from the top-level view, so you don't see transitive noise reported as site choices. Drop-in rules stay surgical.

Custom rules, your overrides

Options page lets you add, edit, export and import fingerprint rules as JSON. User rules override built-ins by key — perfect for correcting a false positive on your own site or adding an in-house framework.

The web is your textbook. Start reading.

Install once. Every site you study becomes a folder of real, readable source — and a full breakdown of the stack behind it.

Add to ChromeExplore features
FAQ

Questions we get before the install.

Short, honest answers.

Contact

Something on your mind?

Questions, feedback, found a site we can't parse yet — we'd love to hear it.

Emailhello@mapree.dev
Response timeUsually within 48 hours

We only use your email to reply. Nothing else.