Problem/Motivation

Currently, when building a Drupal website, you can visit core/package.json and core/yarn.lock, which exposes some info about the used versions.

Steps to reproduce

Visit a random Drupal 9 website and go to /core/package.json or /core/yarn.lock. You can now see the content of those 2 files.

Proposed resolution

Block access to those files in .htaccess.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

yarn.lock and package.json are now blocked by Drupal's default web server configuration, sites should update any copies of .htaccess or web.config to incorporate the changes.

CommentFileSizeAuthor
#9 3308369-9.patch3.61 KBjeroent
#7 3308369-7.patch1.72 KBjeroent
#2 3308369-2.patch830 bytesjeroent

Issue fork drupal-3308369

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

JeroenT created an issue. See original summary.

jeroent’s picture

jeroent
Primary language Dutch
Location 🇧🇪
commented
Status: Active » Needs review
StatusFileSize
new 3308369-2.patch830 bytes

JeroenT opened merge request !2736

JeroenT opened merge request !2737

cilefen’s picture

cilefen commented
Status: Needs review » Needs work

There is also web.config to deal with.

jeroent’s picture

jeroent
Primary language Dutch
Location 🇧🇪
commented
Status: Needs work » Needs review

@cilefen,
web.config is already included in the list. Or am I missing something?

jeroent’s picture

jeroent
Primary language Dutch
Location 🇧🇪
commented
StatusFileSize
new 3308369-7.patch1.72 KB
cilefen’s picture

cilefen commented
Status: Needs review » Needs work

web.config is analogous to .htaccess for IIS and your suggested Apache Web Server access control change must be implemented there too.

jeroent’s picture

jeroent
Primary language Dutch
Location 🇧🇪
commented
Status: Needs work » Needs review
StatusFileSize
new 3308369-9.patch3.61 KB

Ah, I see what you mean now.

Updated the patch.

The last submitted patch, 2: 3308369-2.patch, failed testing. View results

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

nod_’s picture

nod_
Primary language French
Location Lille
commented
Status: Needs review » Reviewed & tested by the community

works as intended

  • catch committed 8e78239 on 10.0.x 
    Issue #3308369 by JeroenT, cilefen: Block access to yarn.lock and...
  • catch committed 2233484 on 10.1.x
    Issue #3308369 by JeroenT, cilefen: Block access to yarn.lock and...
  • catch committed 398f375 on 9.5.x
    Issue #3308369 by JeroenT, cilefen: Block access to yarn.lock and...
catch’s picture

catch
he/him
Primary language English
commented
Version: 10.1.x-dev » 9.5.x-dev
Issue summary: View changes
Status: Reviewed & tested by the community » Fixed

Committed/pushed to 10.1.x and cherry-picked back through to 9.5.x, thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

johnzzon’s picture

johnzzon
Primary language Swedish
Location Gothenburg 🇸🇪
commented

Great addition! But what about package-lock.json? Isn't it equivalent of yarn.lock and should also be blocked?

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Issue tags: +9.5.0 release notes, +10.0.0 release notes

This should have been tagged for release notes as it is a change to user modified files, although it only works for package.json due to a bug: #3327115: .htaccess rules broken since yarn.lock got added

xjm’s picture

xjm
she/her
Primary language English
commented
Issue summary: View changes