Block package-lock.json files in the .htaccess

Created on 25 July 2023

Problem/Motivation

In the .htaccess file, several files that may contain sensitive information are blocked, for example package.json, composer.json and composer.lock. package-lock.json, however, is not on that list and is served as a normal file.
One could argue that the file should not be deployed to production in the first place, which is fair enough, but the same argument could be made for composer.lock.

Steps to reproduce

- Create a package.json file in the webroot (as a control)
- Create a package-lock.json file in the webroot
- Request both files over the web from the Drupal site
- package.json returns a 403, whilst package-lock.json is served

Proposed resolution

Add package-lock.json to the FilesMatch section of the .htaccess file, alongside package.json.
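As an added illustration (not the patch attached to this issue, and not Drupal's full .htaccess regex), a minimal FilesMatch block in the style Drupal's .htaccess uses: the earlier pattern matched only package.json, so package-lock.json fell through; the optional "-lock" group closes that gap. It assumes Apache 2.4 with mod_authz_core, with the 2.2 fallback Drupal ships.

```apache
# Formerly the alternation ended in package\.json, which matches package.json
# only; FilesMatch tests the basename, so package-lock.json was never denied.
# The optional (-lock)? group now covers both files.
<FilesMatch "^(composer\.(json|lock)|package(-lock)?\.json)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
  </IfModule>
</FilesMatch>

# Verify after deploying (example.test is a placeholder host); both should
# report "HTTP/1.1 403 Forbidden" on the first line:
#   curl -sI https://example.test/package.json      | head -n 1
#   curl -sI https://example.test/package-lock.json | head -n 1
```

The ^ and $ anchors matter: without them the pattern would also match unrelated names that merely contain package.json, and a missing $ would let a trailing-suffix variant (for example package.json.bak) behave differently from what is intended.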

Remaining tasks

Review the patch.

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

Make package-lock.json files inaccessible over the web.

📌 Task
Status

Active

Version

11.0

Component
Other


Created by

Dobefu (Netherlands)
