Problem/Motivation

Currently, on a Drupal website, core/package.json and core/yarn.lock are publicly accessible, which exposes information about the versions of the packages in use.

Steps to reproduce

Visit a random Drupal 9 website and go to /core/package.json or /core/yarn.lock. You can now see the content of those two files.

Proposed resolution

Block access to those files in .htaccess.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

yarn.lock and package.json are now blocked by Drupal's default web server configuration; sites should update any copies of .htaccess or web.config to incorporate the changes.

Issue fork drupal-3308369

Comments

JeroenT created an issue. See original summary.

JeroenT’s picture

Status: Active » Needs review
FileSize
830 bytes

cilefen’s picture

Status: Needs review » Needs work

There is also web.config to deal with.

JeroenT’s picture

Status: Needs work » Needs review

@cilefen,
web.config is already included in the list. Or am I missing something?

JeroenT’s picture

cilefen’s picture

Status: Needs review » Needs work

web.config is analogous to .htaccess for IIS and your suggested Apache Web Server access control change must be implemented there too.

JeroenT’s picture

Status: Needs work » Needs review
FileSize
3.61 KB

Ah, I see what you mean now.

Updated the patch.

The last submitted patch, 2: 3308369-2.patch, failed testing. View results

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

nod_’s picture

Status: Needs review » Reviewed & tested by the community

Works as intended.

  • catch committed 8e78239 on 10.0.x
    Issue #3308369 by JeroenT, cilefen: Block access to yarn.lock and...
  • catch committed 2233484 on 10.1.x
    Issue #3308369 by JeroenT, cilefen: Block access to yarn.lock and...
  • catch committed 398f375 on 9.5.x
    Issue #3308369 by JeroenT, cilefen: Block access to yarn.lock and...
catch’s picture

Version: 10.1.x-dev » 9.5.x-dev
Issue summary: View changes
Status: Reviewed & tested by the community » Fixed

Committed/pushed to 10.1.x and cherry-picked back through to 9.5.x, thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

johnzzon’s picture

Great addition! But what about package-lock.json? Isn't it the equivalent of yarn.lock, and shouldn't it also be blocked?

longwave’s picture

This should have been tagged for release notes as it is a change to user-modified files, although it only works for package.json due to a bug: #3327115: .htaccess rules broken since yarn.lock got added
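The two comments above (package-lock.json not being covered, and the rule only working for one of the two files) both come down to checking what a `<FilesMatch>` deny pattern actually matches before shipping it. As an added example, not code from this issue or from Drupal core, the script below runs a constructed deny regex of that shape (including package-lock.json) against paths that must be refused and paths a site must keep serving, so a coverage gap shows up before deployment. Python's `re` is close enough to Apache's PCRE for patterns like this one; the authoritative check remains a request to the deployed site that returns 403.

```python
import posixpath
import re

# Deny list in the style of an Apache <FilesMatch> regex. This is a constructed
# example pattern for testing, NOT the pattern shipped in Drupal core's .htaccess.
DENY_BASENAME = re.compile(
    r"^(?:"
    r"\.(?!well-known).*"          # dotfiles (.htaccess, .env, .git) except .well-known
    r"|composer\.(?:json|lock)"    # PHP dependency manifest and lockfile
    r"|package(?:-lock)?\.json"    # package.json and package-lock.json
    r"|yarn\.lock"                 # Yarn lockfile
    r"|web\.config"                # IIS configuration
    r")$"
)


def is_blocked(url_path: str) -> bool:
    """Return True if the deny rule would match the requested path.

    <FilesMatch> is evaluated against the last path component only, so the
    directory part (e.g. /core/) has no influence on the decision.
    """
    basename = posixpath.basename(url_path.split("?", 1)[0])
    return DENY_BASENAME.match(basename) is not None


# Constructed expectations: requests that must be refused, and requests a
# normal Drupal site has to keep serving.
MUST_BLOCK = [
    "/core/package.json", "/core/yarn.lock", "/core/package-lock.json",
    "/composer.json", "/composer.lock", "/web.config", "/.htaccess",
]
MUST_SERVE = [
    "/index.php", "/update.php?op=info", "/robots.txt",
    "/core/misc/drupal.js",
    "/sites/default/files/package.json.png",  # anchored regex: not a manifest
    "/.well-known/security.txt",              # basename is security.txt
]


def coverage_gaps() -> dict:
    """Return the paths whose outcome differs from the expectation."""
    return {
        "should_block": [p for p in MUST_BLOCK if not is_blocked(p)],
        "should_serve": [p for p in MUST_SERVE if is_blocked(p)],
    }


if __name__ == "__main__":
    gaps = coverage_gaps()
    print("deny rule covers all cases" if not any(gaps.values()) else gaps)
```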

xjm’s picture

Issue summary: View changes