Block package-lock.json files in the .htaccess

Created on 25 July 2023, over 1 year ago

Problem/Motivation

In the .htaccess file, multiple files with potential sensitive information are blocked. For example: package.json, composer.json and composer.lock.
One could argue that the file should not be included on production in the first place, which is fair enough, but the same argument could be made for composer.lock.

Steps to reproduce

- Create a package.json file in the webroot (as a control)
- Create a package-lock.json file in the webroot
- Navigate to both files in Drupal
- The package.json file should return a 403, whilst package-lock.json is accessible over the web

Proposed resolution

Add package-lock.json in the FilesMatch section of the .htaccess.

Remaining tasks

Review the patch.

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

Make package-lock.json files inaccessible over the web.

📌 Task
Status

Active

Version

11.0 🔥

Component
Other 

Last updated 2 days ago

Created by

🇳🇱Netherlands Dobefu

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024