Sometimes tech people forget to disable source-maps in production, especially when using the create-react-app project.
This might sound too basic, but I've looked this mistake so many times in private production projects.
The create-react-app build command is not production ready, before publishing your project you should remove source-maps. However, this applies to any private web project, so, be careful and take a look at your production code maybe you are leaking the whole codebase.
Related issue: https://github.com/facebook/create-react-app/issues/2005