elixir-plug / plug

Compose web applications with functions
https://hex.pm/packages/plug
2.88k stars 586 forks

[Question] Path traversal security of Plug.Static without :only option #1001

Closed ThePuzzlemaker closed 3 years ago

ThePuzzlemaker commented 3 years ago

In the documentation for Plug.Static it's mentioned that using :only on Plug.Static plugs mounted at "/" is

useful to avoid file system traversals on every request when this plug is mounted at "/"

What exactly does this mean? Does this refer to the common "path traversal" vulnerability or is this referring to something else?

Thanks.

josevalim commented 3 years ago

No, it is more of an optimization. If you mount a plug at the http path /, every request will try to check if a file exists. :only limits that.
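To make the distinction in the answer above concrete, here is an added example (not code from the Plug project or from either participant). It mounts Plug.Static at "/" twice, once with :only and once without, and pushes test requests through each instance. It assumes Plug ~> 1.14 fetched with Mix.install, a scratch directory under System.tmp_dir!/0, and the two fixture files it writes itself; the paths, module and function names are all made up for the demo.

```elixir
# Added example, not part of the Plug project or this issue thread.
# Assumes: Plug ~> 1.14 via Mix.install, a writable System.tmp_dir!/0.
# Run with:  elixir plug_static_only.exs
Mix.install([{:plug, "~> 1.14"}])

defmodule StaticOnlyDemo do
  # Hypothetical static root, created fresh for this demo.
  @root Path.join(System.tmp_dir!(), "plug_static_only_demo")

  # Constructed fixture: one asset that should be public and one file that
  # lives in the same static root but was never meant to be reachable.
  def setup_files do
    File.mkdir_p!(Path.join(@root, "css"))
    File.write!(Path.join([@root, "css", "app.css"]), "body { color: red }\n")
    File.write!(Path.join(@root, "secret.txt"), "not public\n")
    :ok
  end

  # With :only, Plug.Static inspects the first path segment and returns the
  # conn untouched unless that segment is one of the listed names/prefixes,
  # so no File.stat happens for "/api/..." style requests.
  def with_only, do: Plug.Static.init(at: "/", from: @root, only: ~w(css robots.txt))

  # Without :only, every request reaching this plug costs a File.stat under
  # @root before it can fall through to the router. That is the cost the
  # documentation sentence is about.
  def without_only, do: Plug.Static.init(at: "/", from: @root)

  # Sends a single GET through one Plug.Static instance and classifies the result:
  #   :served          file found under @root and sent with status 200
  #   :passthrough     conn returned unchanged for the next plug in the pipeline
  #   {:rejected, 400} Plug.Static.InvalidPathError raised by the per-segment
  #                    check (".", "..", "" and a few separator characters),
  #                    which is the actual traversal defence and is independent of :only
  def probe(opts, path) do
    conn = Plug.Static.call(Plug.Test.conn(:get, path), opts)
    if conn.halted and conn.status == 200, do: :served, else: :passthrough
  rescue
    e in Plug.Static.InvalidPathError -> {:rejected, Plug.Exception.status(e)}
  end

  def run do
    setup_files()
    only = with_only()
    no_only = without_only()

    paths = [
      # listed in :only and present on disk
      "/css/app.css",
      # present on disk but its first segment is not in :only
      "/secret.txt",
      # a typical router path that is not a file at all
      "/api/users",
      # allowed prefix, but with a ".." segment
      "/css/../secret.txt",
      # ".." as the very first segment
      "/../secret.txt"
    ]

    for path <- paths do
      IO.puts(
        "#{String.pad_trailing(path, 22)} :only -> #{inspect(probe(only, path))}" <>
          "   no :only -> #{inspect(probe(no_only, path))}"
      )
    end
  end
end

StaticOnlyDemo.run()
```

Running it shows the two concerns side by side. "/css/app.css" is served by both instances, while "/secret.txt" is served only by the instance without :only, because without a whitelist everything under the static root is public. "/api/users" passes through in both cases; the difference is invisible in the output but the instance without :only has paid a File.stat first. The two ".." paths are the point of the question: ":only" does not reject "/css/../secret.txt", it only lets the request through to the segment check, and it is that check (raising Plug.Static.InvalidPathError, status 400) that blocks traversal in both configurations. Put differently, :only decides how often the file system is consulted, and the segment validation decides what may be served from it.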