This change is part of the Composer initiative.
As part of an ongoing effort to make Drupal and Composer more happy together, we introduce drupal/core-vendor-hardening, aka The Vendor Hardening Plugin.
This is a Composer plugin which removes extraneous directories from the Composer-managed vendor directory, and also places .htaccess and web.config files within the vendor directory as a best-faith effort to keep HTTP servers from allowing access to it.
See the documentation here: https://www.drupal.org/docs/develop/using-composer/using-drupals-vendor-...
Drupal core has used Drupal\Core\Composer\Composer::vendorTestCodeCleanup() as part of a Composer script to remove these directories from the vendor directory within the main drupal/drupal package.
As of this writing, we're still using that script. However, the plan is to switch over to this new plugin within #2982680: Add composer-ready project templates to Drupal core
See also: #3086277: Add a composer plugin to clean up Drupal test directories
What is it?
The vendor cleanup plugin exists to mitigate security concerns where Drupal sites (or really, any PHP project managed by Composer) place the vendor directory within the HTTP-accessible docroot.
Alternately, you could use the vendor cleanup plugin to cut down on disk space requirements in your project.
How does it work?
Require drupal/core-vendor-hardening in your composer.json file. It will clean up various test code directories within the vendor directory.
The vendor cleanup plugin is also configurable from within the composer.json extra field. You can specify paths which should be removed, per package, like this:
"extra": {
"drupal-core-vendor-hardening": {
"vendor/package": ["test", "documentation"]
}
}
This configuration will be merged with the hard-coded package information within the plugin.
