Description
I'm not sure I'd classify this as a "security issue" as it's somewhat context sensitive, but I feel it deserves some consideration.
Webpacker uses the WebpackAssetsManifest plugin to communicate the generated filenames from webpack back to Rails for use in view helpers (`javascript_packs_with_chunks_tag` etc). This manifest file will contain entrypoint information about all packs present in `app/javascript/packs`, and will be served on the web at `/packs/manifest.json`.
This could be considered a leak of private information if a user has multiple packs and expects that packs are only visible on "private" pages that include them using a view helper.
While obviously it's good practice to avoid committing anything sensitive into any JS file, there are degrees of sensitivity, and a single Rails app commonly serves multiple audiences (e.g. users/admins). It might be fine for an authenticated admin to receive some information in a JS bundle that should not be exposed to all users. Currently a user (or security researcher) can trivially view the `manifest.json` and download all assets for all packs.
As far as I can tell, nothing in the default webpacker setup relies on being able to fetch `manifest.json` from the client, so I would propose that webpacker should change its defaults to generate/read that file from another directory (e.g. `/config/webpack/manifest.json`).
What are your thoughts?
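An added example, not part of the issue or of webpacker itself, showing both sides of the point above: what a publicly served manifest reveals (pack names and hashed asset paths, parsed from a constructed sample in the shape WebpackAssetsManifest emits) and one mitigation short of relocating the file, a Rack middleware that returns 404 for the manifest while Rails keeps reading it from disk for its view helpers. The middleware class, the sample manifest and the `request_status` harness are assumptions made for this example.

```ruby
require "json"

# Constructed sample of manifest.json as WebpackAssetsManifest writes it:
# a flat asset map plus an "entrypoints" section listing every pack.
SAMPLE_MANIFEST = <<~JSON
  {
    "application.js": "/packs/js/application-1a2b3c.js",
    "admin.js": "/packs/js/admin-4d5e6f.js",
    "admin.css": "/packs/css/admin-7a8b9c.css",
    "entrypoints": {
      "application": { "js": ["/packs/js/application-1a2b3c.js"] },
      "admin": { "js": ["/packs/js/admin-4d5e6f.js"],
                 "css": ["/packs/css/admin-7a8b9c.css"] }
    }
  }
JSON

# Audit helper: returns { pack name => [asset paths] } for every entrypoint.
# This is exactly what any client learns from /packs/manifest.json without
# ever visiting a page that includes the pack via a view helper.
def exposed_packs(manifest_json)
  manifest = JSON.parse(manifest_json)
  manifest.fetch("entrypoints", {})
          .transform_values { |types| types.values.flatten.sort }
end

# Mitigation (hypothetical middleware): refuse to serve the manifest over
# HTTP. Hashed asset files under /packs/ are still served, and Rails reads
# the manifest from the filesystem, so pack helpers keep working.
class BlockPacksManifest
  def initialize(app, path: "/packs/manifest.json")
    @app = app
    @path = path
  end

  def call(env)
    if env["PATH_INFO"] == @path
      return [404, { "Content-Type" => "text/plain" }, ["Not Found"]]
    end
    @app.call(env)
  end
end

# Minimal harness: a stub app that answers 200 for any path, wrapped in
# the middleware, driven with a hand-built Rack env hash.
def request_status(path)
  stub = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }
  status, _headers, _body = BlockPacksManifest.new(stub).call("PATH_INFO" => path)
  status
end
```

The middleware only covers requests that reach Rack; where nginx or a CDN serves `/packs` directly in production, the same rule has to be applied there.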