[Bug]: package.json file is accessible via HTTP

[P4sca1]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

The package.json file is accessible publicly.

Steps to reproduce

GET https://<nextcloud-url>/package.json

Expected behavior

The file should not be publicly available, as it is not needed for website functionality and exposes potentially valuable metadata.

Nextcloud Server version

32

Operating system

None

PHP engine version

Other

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

List of activated Apps

Nextcloud Signing status

Nextcloud Logs

Additional info

I am running Nextcloud on Kubernetes using the nextcloud/helm chart with fpm and nginx.
Nextcloud Image: docker.io/library/nextcloud:32.0.3-fpm
Helm Chart version: nextcloud-8.7.0

[susnux]

Please report this here: https://github.com/nextcloud/helm/issues
This needs to be changed in your nginx config / the provided config.