forbid access to server-bundle.json in production (#916)

lib/core/renderer.js

@@ -180,6 +180,11 @@ export default class Renderer extends Tapable {
       if (!this.options.dev && req.url.indexOf(this.options.build.publicPath) === 0) {
         const url = req.url
         req.url = req.url.replace(this.options.build.publicPath, '/')
+        // Forbid access to sensitive data (#916)
+        if (req.url.includes('server-bundle.json')) {
+          res.statusCode = 404
+          return res.end()
+        }
         await this.serveStaticNuxt(req, res)
         /* istanbul ignore next */
         req.url = url
@@ -306,7 +311,7 @@ export default class Renderer extends Tapable {
     if (!jsdom) {
       try {
         jsdom = require('jsdom')
-      } catch (e) /* istanbul ignore next */{
+      } catch (e) /* istanbul ignore next */ {
         console.error('Fail when calling nuxt.renderAndGetWindow(url)') // eslint-disable-line no-console
         console.error('jsdom module is not installed') // eslint-disable-line no-console
         console.error('Please install jsdom with: npm install --save-dev jsdom') // eslint-disable-line no-console