Despite the recommended Nginx configuration explicitly denying files under vendor/, Matomo ends up serving up the vendor/composer/installed.json file due to a separate vendor/.htaccess config blurb:

    # Allow to serve static files which are safe
    <Files ~ "\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$">
        Require all granted
    </Files>

which is generated by this code.
It would be preferable to keep that file private since it reveals exact versions of packages installed on a server. For example: https://demo.matomo.cloud/vendor/composer/installed.json
At least in the nginx config this was intentional. I ordered the blocks so that in
~ ^/(config|tmp|core|lang) every request is blocked while in
~ ^/(libs|vendor|plugins|misc/user|node_modules) the static files you list are allowed.
I don't think the composer/installed.json is any issue, as everyone can also see it publicly on this repository or download it from the matomo.zip. But it might not be necessary to share the vendor/ directory, so you can try moving it to the other block (or changing the .htaccess) and see if anything breaks.
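To see how the two rule sets interact, here is an added Python model (not Matomo's own code) of the extension allowlist quoted in the issue and the two nginx location groups described in this reply; the hide_composer_metadata switch, the exposed_metadata helper and the sample paths are assumptions for illustration.

```python
import re

# Extension allowlist taken from the vendor/.htaccess blurb quoted in the issue.
STATIC_EXT_RE = re.compile(
    r"\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$"
)
# The two nginx location groups described in the reply: under the first every
# request is blocked, under the second only the static extensions are served.
DENY_ALL_RE = re.compile(r"^/(config|tmp|core|lang)")
STATIC_ONLY_RE = re.compile(r"^/(libs|vendor|plugins|misc/user|node_modules)")
# Hypothetical hardening for illustration (not part of the issue): never treat
# anything under vendor/composer/ as a static file, whatever its suffix.
COMPOSER_METADATA_RE = re.compile(r"^/vendor/composer/")
# Package-manager metadata whose exact versions an operator usually wants private.
METADATA_NAMES = {"installed.json", "package.json", "composer.json", "composer.lock"}


def is_served(path: str, hide_composer_metadata: bool = False) -> bool:
    """True if the modelled rules would let the web server serve `path`.
    Paths outside both guarded groups (e.g. /index.php) are assumed to reach
    Matomo normally and are reported as served."""
    if DENY_ALL_RE.search(path):
        return False
    if STATIC_ONLY_RE.search(path):
        if hide_composer_metadata and COMPOSER_METADATA_RE.search(path):
            return False
        return STATIC_EXT_RE.search(path) is not None
    return True


def exposed_metadata(paths, hide_composer_metadata: bool = False) -> list:
    """Paths from `paths` that the rules serve and that are package metadata."""
    return [p for p in paths
            if p.rsplit("/", 1)[-1] in METADATA_NAMES
            and is_served(p, hide_composer_metadata)]


if __name__ == "__main__":
    # Constructed sample request paths, not taken from a real server.
    sample = ["/vendor/composer/installed.json", "/vendor/composer/autoload_real.php",
              "/node_modules/jquery/package.json", "/plugins/CoreHome/images/logo.png",
              "/config/config.ini.php"]
    print("served today:   ", exposed_metadata(sample))
    print("after hardening:", exposed_metadata(sample, hide_composer_metadata=True))
```

Note that the hardening only covers vendor/composer/; a package.json left under node_modules/ would still match the json allowlist, which is why removing such files from the release is the more robust fix.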
We could simply exclude it from the release zip as discussed (also similar files); in general, any package.json files are already removed. Seems only installed.json is missing. Will prepare a PR to fix this.