Hi all,

I have this question: since the introduction of composer in version 2019, if I put a PHP Maker based application with a bunch of composer packages in an internet server, say a shared hosting server, I can be exposing a lot of third party code that comes with these composer packages. It’s not unusual that these packages come with documentation, example scripts and especially testing scripts that can contain undocumented code. This has a high potential of adding an unknown amount of vulnerabilities to my site.
I could try to clean these folders of unneeded files the best I can, but that can be tedious and every time I added a new package or updated the composer scripts I’d have to do it all over again. I’d much rather avoid this altogether, and ensure that the vendor folder isn’t there waiting for a hacker that knows about a specific vulnerability in a composer package that, because of its static location, would just be there for him to find and use.

One way to protect against these vulnerabilities would be to move the vendor folder outside of the public_html folder, which would mean that PHP Maker would have to support a custom (relative) folder for the composer’s packages. Is it possible?

Safe coding, guys!
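
An audit sketch for the exposure described in the post, added here as an example and not part of the original post or of PHP Maker: it lists PHP files that sit under a `vendor/` folder inside the web root and would therefore be directly requestable. The directory-name list, the extension list and the sample layout (`acme/lib`) are constructed assumptions.

```python
import os
import tempfile

# Directory names (lower-cased) that usually hold non-runtime package files.
# This list is an assumption for the example; extend it for your packages.
RISKY_DIRS = {"test", "tests", "example", "examples", "doc", "docs", "demo", "demos", "bin"}
# Extensions a typical PHP host may hand to the interpreter (assumption).
EXEC_EXTS = {".php", ".phtml", ".phar"}


def audit_docroot(docroot):
    """Return sorted (url_path, reason) pairs for executable files below any
    vendor/ directory that sits inside the web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        parts = [] if rel == "." else rel.split(os.sep)
        if "vendor" not in parts:
            continue
        below_vendor = [p.lower() for p in parts[parts.index("vendor") + 1:]]
        risky = RISKY_DIRS.intersection(below_vendor)
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                continue
            reason = "non-runtime dir: " + sorted(risky)[0] if risky else "library file"
            findings.append(("/" + "/".join(parts + [name]), reason))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample layout: a public_html with a vendor folder inside it."""
    files = [
        "public_html/index.php",
        "public_html/vendor/autoload.php",
        "public_html/vendor/acme/lib/src/Client.php",
        "public_html/vendor/acme/lib/tests/run.php",
        "public_html/vendor/acme/lib/docs/readme.md",
    ]
    for f in files:
        path = os.path.join(root, *f.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return os.path.join(root, "public_html")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for url, reason in audit_docroot(build_sample_site(tmp)):
            print(f"{url}  [{reason}]")
```

An empty result means no package script is reachable by URL, which is the state that moving `vendor` above `public_html` produces.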