.htaccess: Deny access to CHANGELOG.md, composer.json, composer.lock

See discussion in #343

.htaccess

@@ -5,7 +5,8 @@
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteRule ^(.*)$ index.php?$1 [L,QSA]
-    RewriteRule ^(.git|config|content|content-sample|lib|vendor)/.*$ index.php?$0 [L,QSA]
+    RewriteRule ^(\.git|config|content|content-sample|lib|vendor)(/.*)?$ index.php?$0 [L,QSA]
+    RewriteRule ^(CHANGELOG.md|composer.(json|lock)) index.php?404 [L]
 
     <IfModule mod_env.c>
         SetEnv PICO_URL_REWRITING 1

CHANGELOG.md

@@ -8,7 +8,8 @@ Released: -
 * [Changed] Improve documentation
 * [Changed] Add CSS rules for definition lists to default theme
 * [Changed] Always use `on404Content...` execution path when serving a `404.md`
-* [Changed] Deny access to `.git` directory (`.htaccess` file)
+* [Changed] Deny access to `.git` directory, `CHANGELOG.md`, `composer.json`
+            and `composer.lock` (`.htaccess` file)
 * [Changed] Use Pico's `404.md` to deny access to `.git`, `config`, `content`,
 *           `content-sample`, `lib` and `vendor` dirs (`.htaccess` file)
 * [Fixed] #342: Fix responsiveness in default theme