@Findus23 sure, I've added it

FYI @mattab

btw not sure if important... in WP-Matomo I also exclude some more files that aren't really needed see https://github.com/matomo-org/wp-matomo/blob/develop/.gitattributes eg composer.travis.json and changelogs etc which may include similar results etc? In the end you could probably still sometimes find out what dependency is used depending on readme (as it changes over versions), etc.

also we ship Matomo with the changelog etc see eg https://demo.matomo.org/CHANGELOG.md

fyi @Findus23

Hm, CHANGELOG.md might be useful to keep in the package (but maybe we should add a rule to not publish it).

This would be maybe possible in nginx but don't think in core for apache. That's because we usually don't have an .htaccess file in the root directory and adding one now could break a lot of things as some would be using a custom .htaccess just like we do on the cloud. We could add one though if none exists yet maybe (but then it be hard to make changes to it in the future). I was just bringing it up because it was a concern someone could find out the Matomo version number using this composer file but there be also still many other ways.

Didn't think of that (I'm not that familiar with Apache).
Maybe we really need to think about moving the whole Matomo directory outside of the public web directory (at least optionally).

For that particular case could otherwise change in the build.zip the changelog.md with a link to https://developer.matomo.org/changelog I suppose. Of course it wouldn't be 100% accurate/the same if they upgrade / install an older version that is not the latest.