If you don’t run grunt on your server, you don’t need to have node_modules on there. You could also lock down node_modules so that it’s not publicly accessible if you need it on the server.
I haven’t used Wordfence before, is there a way to ignore that message?
In this specific case, it’s not a big deal. That’s just a text file which happens to contain that domain. It’s a well known list actually maintained by Mozilla I believe. More info here: http://publicsuffix.org/. One of the Node modules (tough-cookie) uses it.
However, it may a good idea to keep that node_modules directory off your production servers if possible. Or deny access to it from your web server. Off the top of my head, I don’t think anything in there could cause issues. It contains JavaScript code since its all node modules, but your web server wouldn’t execute it.
Got it. Ben and Swalkinshaw - I really appreciate the feedback from the pros.
*Note to anyone else: I safely removed the node_modules folder from production as I’m not using Grunt on the actual production servers.
Just got into WordPress late last year, and decided to go with Roots. Just finished my 14th site using Roots. Love everything about it. The community was also a deciding factor early on.