npm log file publicly accessible (npm-debug.log)
Description
npm, the default package manager for Node.js, creates a log file named npm-debug.log in the current working directory whenever errors occur during package operations. This file has been found to be publicly accessible via the web server, exposing potentially sensitive information about the application's dependencies, file system paths, environment details, and error messages that should remain private.
Remediation
Immediately restrict public access to the npm-debug.log file through your web server configuration. For Apache, add a deny rule in your .htaccess or virtual host configuration. For Nginx, add a location block to deny access:
Apache (.htaccess):

<Files "npm-debug.log">
    Require all denied
</Files>

Nginx:

location ~* npm-debug\.log$ {
    deny all;
    return 404;
}

Additionally, remove any existing npm-debug.log files from publicly accessible directories and configure npm to suppress log file creation by using the --loglevel silent flag:

npm install <package-name> --loglevel silent

Consider adding npm-debug.log to your .gitignore file to prevent accidental commits to version control.
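The checks a defender would run after applying the remediation above, as an added Python example that is not part of this advisory: it walks a document root for stray npm-debug.log files (a constructed temporary web root stands in for a real one), flags which kinds of information a constructed sample log body would leak, removes the files, and tests request paths against a regex equivalent of the Nginx location block (`~*` is a case-insensitive match on the URI path with the query string excluded, so /assets/NPM-DEBUG.LOG?v=2 is blocked as well). The web root layout, the sample log text and the leak-detection patterns are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Python equivalent of the Nginx rule `location ~* npm-debug\.log$`:
# a case-insensitive regex applied to the request URI path (query string excluded).
NPM_DEBUG_LOG_RE = re.compile(r"npm-debug\.log$", re.IGNORECASE)

# Constructed sample of what an npm-debug.log typically contains (assumption, not
# taken from any real host): CLI argv, tool versions, working directory, stack traces.
SAMPLE_LOG = """0 info it worked if it ends with ok
1 verbose cli [ '/usr/local/bin/node', '/usr/local/bin/npm', 'install', 'left-pad' ]
2 info using npm@3.10.10
3 info using node@v6.9.1
4 verbose stack Error: ENOENT: no such file or directory, open '/home/deploy/app/package.json'
5 verbose cwd /home/deploy/app
6 error argv "/usr/local/bin/node" "/usr/local/bin/npm" "install" "left-pad"
"""

# Categories of sensitive content to look for in a leaked log (constructed heuristics).
SENSITIVE_PATTERNS = {
    "filesystem path": re.compile(r"(?:/[\w.-]+){2,}"),
    "user home directory": re.compile(r"/home/\w+|/Users/\w+"),
    "npm config or token": re.compile(r"_authToken|npm_config_", re.IGNORECASE),
}


def request_path_is_denied(request_target: str) -> bool:
    """True if the request would be caught by the deny/404 location block."""
    uri_path = request_target.split("?", 1)[0]  # Nginx matches the path only
    return NPM_DEBUG_LOG_RE.search(uri_path) is not None


def find_exposed_logs(webroot: str) -> list:
    """Walk the document root and return every npm-debug.log found under it."""
    found = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            if name.lower() == "npm-debug.log":
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def classify_leaks(log_text: str) -> set:
    """Return the categories of sensitive information present in a log body."""
    return {label for label, pat in SENSITIVE_PATTERNS.items() if pat.search(log_text)}


def remove_logs(paths) -> int:
    """Delete the listed log files and return how many were removed."""
    for path in paths:
        os.remove(path)
    return len(paths)


def build_demo_webroot() -> str:
    """Create a constructed document root with one stray npm-debug.log in it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, "assets", "app.js"), "w") as fh:
        fh.write("console.log('hello');\n")
    with open(os.path.join(root, "npm-debug.log"), "w") as fh:
        fh.write(SAMPLE_LOG)
    return root


if __name__ == "__main__":
    root = build_demo_webroot()
    logs = find_exposed_logs(root)
    for log in logs:
        with open(log) as fh:
            print(f"{log}: leaks {sorted(classify_leaks(fh.read()))}")
    print(f"removed {remove_logs(logs)} file(s); remaining: {find_exposed_logs(root)}")
    for target in ("/npm-debug.log", "/assets/NPM-DEBUG.LOG?v=2", "/assets/app.js"):
        print(f"{target:32} denied={request_path_is_denied(target)}")
```

Run it against a real document root by replacing build_demo_webroot() with the server's actual path; the regex check only models the matching behaviour of the location block, so the final confirmation is still an HTTP request for the file against the deployed configuration, which should answer 404.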