Composer.json on live site?

Is the file composer.json required for a live site, is it recommended to include the file in a live site?

No, it’s not required (unless you install via composer) but it doesn’t hurt either.

1 Like

a readable composer.json together with a composer.lock file could be exploited to see which packages are installed and if there are vulnerabilties with them.

for example an offline tool like this can be used to find issues.