Webpack css-loader source map shows server paths even in production

Setting sourceMap: true with the webpack css-loader always results in some private server paths getting displayed in the resulting js bundle, as well as a lot of other code. E.g.

{"version":3,"sources":["/private/path/to/project/flexboxgrid2.css"],"names":[],"mappings":"AAAA;EACE;BLAH BLAH BLAH..."}

This occurs even when the project's devtool is set to source-map, which I thought meant all source map code was moved to an external source map file, rather than inline.

This is annoying because

  1. it means our js bundles have different fingerprints depending on which server they were generated on, which messes with our assets pipeline.

  2. anyone can see the internal directory structure of our production servers, which isn't great.

The only solution is to turn off source maps for css-loader.

Is there any way to keep source maps turned on but have the above code not included in the js?