Despite the recommended Nginx configuration explicitly denying files under vendor/, Matomo ends up serving up the vendor/composer/installed.json file due to a separate vendor/.htaccess config blurb:
# Allow to serve static files which are safe
<Files ~ "\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$">
Require all granted
</Files>
which is generated by this code.
It would be preferable to keep that file private since it reveals exact versions of packages installed on a server. For example: https://demo.matomo.cloud/vendor/composer/installed.json
At least in the nginx config this was intentional. I ordered the blocks so that in ~ ^/(config|tmp|core|lang) every request is blocked while in ~ ^/(libs|vendor|plugins|misc/user|node_modules) the static files you list are allowed.
I don't think the composer/installed.json is any issue as everyone can also see it publicly on this repository or download it from the matomo.zip. But it might not be necessary to share the vendor/ directory, so you can try moving it to the other block (or change the .htaccess) and see if anything breaks.
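The block ordering described above, as an added illustration that is not Matomo's shipped nginx config: nginx evaluates regex locations in the order they are written and uses the first match, so a narrower deny for vendor/composer/ placed before the static-file allow keeps installed.json private without touching the other static assets under vendor/. The path lists are taken from the comment above; the try_files and expires directives are assumptions.

```nginx
# Constructed example, not the Matomo project's own configuration.
# Regex locations are tried top to bottom; the first match wins, so order matters.

# Everything under these paths is denied outright.
location ~ ^/(config|tmp|core|lang)/ {
    deny all;
}

# Composer metadata is never an asset a browser needs, so deny it
# before the broader static-file allow below can match it.
location ~ ^/vendor/composer/ {
    deny all;
}

# Only the listed static file types are served from these directories.
location ~ ^/(libs|vendor|plugins|misc/user|node_modules)/.+\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
    expires 1M;
    try_files $uri =404;
}

# Anything else under those directories (PHP sources, lock files, etc.) is denied.
location ~ ^/(libs|vendor|plugins|misc/user|node_modules)/ {
    deny all;
}
```

After `nginx -t` and a reload, a request for /vendor/composer/installed.json should answer 403 while a request for a plugin's .js or .css file under /vendor/ still answers 200.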
We could simply exclude it from the release zip as discussed (also similar files) and in general any composer.json, installed.json, package.json...
Actually composer.json and package.json are already removed. Seems only installed.json is missing. Will prepare a PR to fix this.