@fmarier
Despite the recommended Nginx configuration explicitly denying files under vendor/, Matomo ends up serving up the vendor/composer/installed.json file due to a separate vendor/.htaccess config blurb:
# Allow to serve static files which are safe
<Files ~ "\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$">
Require all granted
</Files>which is generated by this code.
It would be preferable to keep that file private since it reveals exact versions of packages installed on a server. For example: https://demo.matomo.cloud/vendor/composer/installed.json
@Findus23
At least in the nginx config this was intentional. I ordered the blocks so that in ~ ^/(config|tmp|core|lang) every request is blocked while in ~ ^/(libs|vendor|plugins|misc/user|node_modules) the static files you list are allowed.
I don't think the composer/installed.json is any issue as everyone can also see it publicly on this repository or download it from the matomo.zip. But it might not be necessary to share the vendor/ directory, so you can try out to move it to the other block (or change the .htaccess) and see if anything breaks.
@tsteur
We could simply exclude it from the release zip as discussed (also similar files) and in general any composer.json, installed.json, package json...
@sgiehl
actually composer.json and package.json are already removed. Seems only installed.json is missing. Will prepare a PR to fix this.