How are you deploying this so that the vendor folder isn't exposed to the public?

I feel having the vendor folder within the theme directory is asking for trouble as there could be any number of scripts inside packages that’ll cause a lot of security issues.

How are people deploying Sage themes to avoid this problem?

That’s explained in this guide: https://roots.io/guides/remove-theme-source-files-on-deploy/

That guide only shows how to avoid deploying your original assets. Not how to hide the composer vendor directory.

Composer packages have weird and wonderful scripts hidden away in the vendor folder that really shouldn’t be exposed to the public.

Perhaps these may help you for those folders: https://roots.io/docs/sage/9.x/installation/#server-configuration (suggested on Slack by @TangRufus)

Thanks for the link, but the guide only blocks certain files. I might be able to adjust the configuration to block access to the vendor folder. However, if the default deployment of Sage allows access to the vendor folder, I can’t use the project in its current form. It’s too much of a security risk.

To do it at the server level you can add the following line to your nginx config:

```nginx
# Any URI containing /vendor, /assets/styles or /assets/scripts is answered with 404.
# `return` runs in the rewrite phase, before `deny all` is consulted, so the client
# sees 404 (not 403) either way; `deny all` is kept as a belt-and-braces rule.
location ~ /(vendor|assets/styles|assets/scripts) {
    deny all;
    return 404;
}
```

Of course, this is only useful if you have access to the server your site is running on and you’re using nginx.

Thanks for bringing this up (and to @Log1x for pointing this out to the team while I’ve been AFK on here)!

I made an issue on the Sage repo so that this doesn’t get lost:

X-post: https://github.com/roots/sage/issues/2438#issuecomment-609569729
