Sourcemap Explorer
Free · No sign-up · Three tools, one extension

Learn from real-world frontends. Unzip their source, decompile what's missing, and see their stack.

A browser extension that detects exposed JavaScript sourcemaps, rebuilds the original project tree as a single .zip, decompiles minified bundles back into readable JSX when no map is shipped, and identifies every framework, library, hosting provider and CMS plugin running on the page. All locally, no backend.

A free, open alternative to Wappalyzer and BuiltWith for finding out what technology a website is using — no API key, no sign-up, nothing to install beyond the extension.

Add to Chrome — it's freeSee how it works

Works on Chromium-based browsers. Firefox support coming soon.

The problem

Every site ships its code to your browser. Good luck reading it or knowing what it's made of.

Modern frontends are compiled, minified, and hashed into oblivion before they hit your browser. Even when the team ships sourcemaps, nobody gives you the tools to actually read them — or to tell the site's real stack apart from the trackers running on top.

Minified soup

You open DevTools and stare at `a.b=c.d(e,f)`. Readable code is nowhere.

Hashed everything

Filenames like `main-9a7f2c.js` hide the structure. Good luck mapping features to files.

Framework abstractions

React, Vue, Svelte — the thing the browser runs is nothing like the thing the team wrote.

DevTools only go so far

Pretty-print helps line wrapping. It does not restore the project tree you wanted to study.

Docs lie, code doesn't

Blog posts explain what a team aspired to ship. Production bundles show what actually runs.

Closed-source, open output

Most companies ship sourcemaps by accident. The knowledge is already public — you just can't read it.

Stack-guessing is a wild west

`<meta name="generator">` lies, script names are hashed, and SPAs time out most scanners. You infer the stack from a blog post screenshot.

Your tracker is not your stack

Detectors look at every `<script src>` and happily report GTM's internals as the site's stack. A page with a pixel suddenly 'uses' lodash.

The answer

Their sourcemap is your syllabus. Sourcemap Explorer finds it, rebuilds the original tree, and — in the same popup — tells you the exact framework, library and CMS plugin versions behind the page.

Three tools, one extension

A file reader, a decompiler, and a fingerprint scanner — sharing the same sourcemap pipeline.

Install once. Files reconstructs the project from sourcemaps; Decompile rebuilds it when none was shipped; Stack identifies the tech behind the page. Everything runs locally.

Tool 01

Sourcemap inspector

Find exposed JavaScript sourcemaps, rebuild the original project tree, and export it as a single .zip.

  • Detects SourceMap / X-SourceMap headers + Range-request probe
  • Rebuilds the original src/ tree, deduplicated across bundles
  • Exports a single .zip — no backend, nothing uploaded
  • eTLD+1 grouping: subdomains and CDNs roll up under one project
Tool 02

JSX decompiler

When the team didn't ship sourcemaps, decompile the minified bundles into readable JSX right in the popup.

  • Babel-based pipeline: ~45 modernize passes + JSX recovery from _jsx/createElement
  • Smart-renames hooks, components and utility callsites by fingerprint
  • Webpack/rollup chunk splitter (@mapreedev/unpacker) reconstructs the file tree
  • Worker pool fan-out (up to 8) — output preserved at original host/path.js
Tool 03

Tech-stack detector

Wappalyzer-grade fingerprinting, amplified by the sourcemap data already in memory.

  • Vendored enthec/webappanalyzer DB — 111 categories, ~7.5k techs
  • Exact versions pulled from package.json inside sourcemaps
  • Enumerates WordPress plugins and themes by /wp-content/ slug
  • Ad-hoc npm packages auto-validated against the registry
What it looks like

Three tools, one popup, zero friction.

The whole product fits in your toolbar. Files reconstructs the project, Decompile rebuilds it when no map ships, Stack lists the tech behind the page — one download button covers all of it.

Icon lights up

The toolbar icon turns green the instant a sourcemap is detected on the site you're browsing.

143 files

Virtual file tree

A single click opens the popup — every source file discovered, deduped, merged across bundles. Large trees stay smooth thanks to popup virtualization.

.zip

One-click .zip

Download the full project tree and open it in your editor. No sign-up, no backend, nothing uploaded.

bundle.min.jsn=({c,t})=>r.jsx("div",{c,ch:t})let r=t(),s=r.j;var u=({a,b})=>s("p",{a,c:b})e.exports={n:n, u:u,t:s,r:r}n.displayName="C";u.dn="P"Card.jsxfunction Card({ className, title,}) { return ( <div c={className}> {title} </div> );}

Decompile when no map exists

Hit Decompile and a Babel pipeline modernizes the bundle, recovers JSX, fingerprints hooks and components, and lands files at their original `host/path.js`.

FilesStack 24WEB FRAMEWORKNext.js14.2.3JAVASCRIPTReact18.2.0HOSTINGVercelCSSTailwind CSS3.4.1UIshadcn/ui

Stack tab, same popup

Switch tabs to see every framework, library, CMS, hosting provider and build tool the page ships — with confidence bars and category grouping.

package.json{"name":"react","version":"18.2.0""main":"index.js","deps": {…}}react18.2.0from node_modules/react/package.json

Exact versions from sourcemaps

When a sourcemap bundles `node_modules/<pkg>/package.json`, we parse it and show the precise semver instead of guessing from a minified URL.

How it works

Four steps, most of them we handle for you.

You browse. The extension reads sourcemaps, fingerprints the stack, and is ready to decompile the bundles in the background. The popup just shows you what it found.

01

Install

Add the extension from the Chrome Web Store. Zero configuration.

02

Browse

Visit any site you'd like to study. We scan every script the page loads.

03

Preview or decompile

Open the popup: Files for the reconstructed tree, Stack for the techs detected, Decompile to rebuild any bundle that didn't ship a map — Babel pipeline, JSX recovery, original paths preserved.

04

Download

One click exports a .zip mirroring the original project — sourcemap files and decompiled output side by side. Copy the stack summary to paste into a doc or issue.

Features

Small surface area, serious engineering under the hood.

Every optimization exists because a real site broke the naive version. A dozen systems covering the sourcemap pipeline, the JSX decompiler and the stack detector. Click any row to dig in.

Detection edge

Where Wappalyzer-class tools fall short, our sourcemap layer picks up.

Same fingerprint schema, much of the same data. The difference is everything we read once the maps are in memory — original source, package.json, import graph.

Version accuracy

Regex guessing on minified URLs, often just a major.

Exact semver pulled from package.json inside the sourcemap.

WordPress plugins & themes

'WordPress detected' and that's it.

Full plugin + theme enumeration by /wp-content/<slug>/ folder.

Libraries missing from their DB

Silently ignored.

Auto-reported as ad-hoc after an npm registry check, cached 30 days.

Trackers polluting results

GTM / Pixel / GA internals show up as the site's own stack.

Third-party hosts isolated — trackers never contribute to the host.

Libraries hidden by bundlers

Invisible at runtime, so invisible to the detector.

Matched against node_modules/**, imports, and original source content.

DOM false positives (PayPal, Apple Sign-in, CAS)

Any page with a matching selector fires the rule.

Object-form DOM rules with attribute/text constraints are skipped unless strictly verifiable.

Privacy & performance

Nothing leaves your browser that doesn't need to. Nothing runs when the page still does.

Two non-negotiables baked into the codebase from day one: no backend, and no overhead on page load.

Privacy

Everything happens in your browser. The extension has no backend — not for storage, not for telemetry, not for analytics, not for error reporting. There is nothing to sign up for.

Complete list of outbound requests

  • .js / .css / .map fetched from the site you're already browsing — needed to parse sourcemaps.
  • Anonymous HEAD to registry.npmjs.org to confirm an extracted package name exists. No cookies, no referrer, credentials: "omit". Only the package name is sent, results cached locally for 30 days.

That's the whole network footprint.

Performance

Zero overhead on page load. Heavy work — sourcemap fetching, DOM harvesting, stack detection — is deferred until load + requestIdleCallback, queued per-tab behind the first user gesture.

  • Range requests read the last 4 KB of each script first. 99% of files never get downloaded in full.
  • Concurrency-capped fetches (6 in flight) drain 250 ms after tabs.onUpdated complete — or instantly when you open the popup.
  • WeakMap<Bundle> caches make stack detection incremental: only the new bundle gets scanned, the rest is reused.
  • Decompile fans out across up to 8 Web Workers in an offscreen document; CSS/JSON pass through without parsing.
  • Storage writes coalesce: index every 200 ms, per-bundle batches every 80 ms — no 30 separate storage.local.set per page.
  • Popup tree virtualizes once it crosses 1k rows; switching tabs reads a tiny per-eTLD+1 index, not every bundle you've ever seen.
  • Anti-flicker stack: detection merges monotonically — you never see a half-empty tab flash to empty then refill.
Reliability

Signal over noise. The detector ships with its own safety rails.

Every false positive we've seen in the wild is addressed at the rule-engine level — not papered over with confidence thresholds.

npm-verified ad-hoc

Every package found outside the built-in rule set is checked against the npm registry (anonymous HEAD) before it shows up. Bundler aliases and private monorepo packages stay filtered. Results cached 30 days.

Third-party isolation

A curated list of ~90 tracker / analytics / ads / embed hosts — GA, GTM, Pixel, Hotjar, reCAPTCHA, Stripe Checkout, YouTube embeds — never contribute their internal libraries to the current site's stack.

Transitive skip list

Known internals like goober (bundled by react-hot-toast) are hidden from the top-level view, so you don't see transitive noise reported as site choices. Drop-in rules stay surgical.

Custom rules, your overrides

Options page lets you add, edit, export and import fingerprint rules as JSON. User rules override built-ins by key — perfect for correcting a false positive on your own site or adding an in-house framework.

Stack pages

Every detection is now a research page.

Click any framework, npm package or WordPress plugin in the popup and you land on a deep page on this site — README, versions, official site, GitHub, install command, plugin sections, related techs. All cached at the edge for 30 days.

Live README from the source of truth

We mirror the GitHub README in real time, follow stub-redirect READMEs in monorepos (vercel/next.js → packages/next/README.md), and render sponsors blocks, badge pictures and HTML tables faithfully.

Versions, license, install — straight from npm

Latest semver, recent release dates, license, peer dependencies, install command. For frameworks with a canonical npm package (next-js → next, vue-js → vue), the tech page inherits all of it automatically.

WordPress plugins with full sections

Description, installation, FAQ and changelog pulled from the wp.org plugin directory and rendered with the same typography as the rest of the site. Active install counts, ratings, contributors and tags included.

Smart icon cascade

Favicon of the official site → first square image in the README → GitHub owner avatar → emerald cube placeholder. When the npm package has no homepage, we infer it from the README by mining non-noise hostnames.

Implies / requires / excludes graph

Wappalyzer relationships become cross-links — open Next.js and jump to React, Webpack or the deps it usually rides with. The whole catalogue (~7,500 techs) is reachable on demand, even outside our curated list.

ISR with 30-day revalidate

Curated items pre-rendered at build time, the long tail resolved on first hit and cached for a month. No 404s on obscure plugins, no upfront cost on 7k+ pages.

Try one

Same template across techs, npm packages, and WordPress plugins.

Browse the catalogue
techNext.jsnpmreactnpm@tanstack/query-corewpWooCommercetechTailwind CSSnpmzod

The web is your textbook. Start reading.

Install once. Every site you study becomes a folder of real, readable source — recovered from the map or decompiled when there isn't one — plus a full breakdown of the stack behind it.

Add to ChromeExplore features
FAQ

Questions we get before the install.

Short, honest answers.

Contact

Something on your mind?

Questions, feedback, found a site we can't parse yet — we'd love to hear it.

Emailhello@mapree.dev
Response timeUsually within 48 hours

We only use your email to reply. Nothing else.