Hello,
Thank you for your report, but this is not a security issue because version disclosure of the app can be done via other ways (comparing JS files, etc.) and then checking the public repo.
Hi!
We've had a vulnerability scan done on a Nextcloud instance and it reported the following as a Medium vulnerability.
Is there something that can be done in the app code to avoid exposing these files? Or is it a Nextcloud issue?
Description
One or more configuration files were found. These files may expose sensitive information that could help a malicious user to prepare more advanced attacks. It's recommended to remove or restrict access to this type of files from production systems.
Impact
These files may disclose sensitive information. This information can be used to launch further attacks.
Recommendation
Remove or restrict access to all configuration files accessible from the internet.
Details
Development configuration files:
https://nextcloud-url/apps/terms_of_service/composer.lock
composer.lock => Composer lock file. Composer is a dependency manager for PHP.
https://nextcloud-url/apps/terms_of_service/package-lock.json
package-lock.json => npm file. This file keeps track of the exact version of every pa
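
Added example, not part of the original thread and not code from Nextcloud or the app: a local audit an administrator could run against the web root to list dependency manifests and lock files of the kind the scan flagged, as the URL paths they would have if served. The extra file names, the skipped directories and the sample tree are assumptions made for illustration; whether a listed file is actually reachable depends on the web server's access rules.

```python
import os
import tempfile

# Development metadata file names. The first two are the ones the scan on
# this page flagged; the other two are an assumption about related files.
DEV_FILES = {"composer.lock", "package-lock.json", "composer.json", "package.json"}
# Vendored dependency trees would flood the report, so they are skipped.
SKIP_DIRS = {"node_modules", "vendor", ".git"}


def find_exposed_dev_files(web_root):
    """Return sorted URL paths (relative to the site root) of dev files."""
    web_root = os.path.abspath(web_root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        # Prune in place so os.walk does not descend into skipped trees.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name in DEV_FILES:
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                hits.append("/" + rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample layout, not taken from a real instance."""
    layout = [
        "apps/terms_of_service/composer.lock",
        "apps/terms_of_service/package-lock.json",
        "apps/terms_of_service/js/main.js",
        "apps/terms_of_service/vendor/lib/composer.json",
        "index.php",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("{}\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for url_path in find_exposed_dev_files(tmp):
            print(url_path)
```

Each reported path can then be removed from the deployed copy or denied in the web server configuration, as the scan's recommendation suggests.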