Submit Feedback
Legacy Knowledge Base
Published Jun. 30, 2025

The package.json and config.js files are accessible via URLs

Written By

Madhusudan Sharma

How To articles are not official guidelines or officially supporteddocumentation. They are community-contributed content and may not alwaysreflect the latest updates to Liferay DXP. We welcome your feedback toimprove How to articles!

While we make every effort to ensure this Knowledge Base is accurate, itmay not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with anyfeedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack"publication program, made available for informational purposes. Articlesin this program were published without a requirement for independentediting or verification and are provided "as is" withoutguarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

Issue

  • Observed potential security vulnerabilities where the package.json and config.js files expose sensitive information like file paths, testing configurations, dependencies with versions, build scripts, and the project version. 
  • The following URLs are accessible:

    1. https://domain.com/o/frontend-js-web/package.json

    2. https://domain.com/o/frontend-js-web/loader/config.js

  • Questions:
    1. How is the package.json used in Liferay Product?
    2. Can a request to package.json be blocked or if a redirection rule can be applied for this (might be at webserver level).

Environment

  • Liferay DXP 7.1

Resolution

  • Liferay does not consider exposing third-party libraries, project versions, and client-side build tools in package.json and config.js files a vulnerability.
  • The Package.json is being used for AMD to ESM bridges, meaning converting AMD modules to ESM format.

  • Regarding the redirection, it can be applied on a case-by-case basis to avoid any issue in the DXP.

  • For example, target frontend-js-web/package.json specifically and avoid using a blanket *.json redirect.

     

Additional Information

Did this article resolve your issue ?
Legacy Knowledge Base
Did this article resolve your issue ?