Issue
- Observed potential security vulnerabilities where the package.json and config.js files expose sensitive information like file paths, testing configurations, dependencies with versions, build scripts, and the project version.
- The following URLs are accessible:
  - https://domain.com/o/frontend-js-web/package.json
  - https://domain.com/o/frontend-js-web/loader/config.js
- Questions:
  - How is the package.json used in the Liferay product?
  - Can requests to package.json be blocked, or can a redirection rule be applied for this (possibly at the web server level)?
Environment
- Liferay DXP 7.1
Resolution
- Liferay does not consider exposing third-party libraries, project versions, and client-side build tools in package.json and config.js files a vulnerability.
- The package.json file is used for AMD-to-ESM bridges, that is, for converting AMD modules to ESM format.
- Regarding the redirection, it can be applied on a case-by-case basis to avoid causing any issue in the DXP.
- For example, target frontend-js-web/package.json specifically and avoid using a blanket *.json redirect.
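As an added illustration of the targeted rule described above (example configuration, not from the Liferay article), the fragment below assumes nginx as a reverse proxy in front of DXP, the hostname domain.com from the ticket, and Tomcat listening on 127.0.0.1:8080; the article does not name the web server. Because the article states that package.json is used by the AMD-to-ESM bridge, verify the portal's front end still loads after applying any such rule.

```nginx
# Added example, not part of the Liferay article. nginx in front of DXP,
# the hostname and the upstream port are assumptions.
server {
    listen 443 ssl;
    server_name domain.com;

    # Targeted rule: an exact-match location for the single path from the
    # ticket. In nginx, "location =" takes precedence over prefix and regex
    # locations, so nothing else served under /o/ is affected.
    location = /o/frontend-js-web/package.json {
        return 404;
    }

    # If a redirect is preferred over a 404, swap the body above for:
    #     return 302 /;

    # Avoid: a blanket rule like the one below matches every .json resource
    # DXP serves, not just this file, and is the kind of rule the article
    # warns against.
    # location ~* \.json$ {
    #     return 404;
    # }

    # Everything else goes to the portal unchanged.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Apply the rule on a test environment first and exercise pages that rely on the frontend-js-web module before rolling it out to production.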