All versions of
harp are vulnerable to Unauthorized File Access. The package states that it ignores files and directories with names that start with an underscore, such as
_secret-folder. If the underscore character is URL encoded the server delivers the file.
No fix is currently available. Consider using an alternative module until a fix is made available.