When installing this via composer the repo's composer.lock file is included. This usually contains outdated versions, some of which have published security vulnerabilities. While this file is not used in a composer install outside of this project, it's clutter that doesn't need to be there, and if running SensioLab's vulnerability checker on all composer.lock files it will be flagged up as a false positive match.
I think it would be better to remove the composer.lock file from releases so that when someone installs via composer they do not inherit this file.
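One way to get the effect the issue asks for without deleting the file from the repository is a `composer.lock export-ignore` line in `.gitattributes`: `git archive`, and therefore the GitHub source archives that Composer downloads as the dist of a tagged release, drop the file, while the project's own CI still sees it. The script below is an added example, not code from this project or the issue author; it builds a throwaway repo from constructed sample files and checks the archive contents with and without the attribute. Note the caveat it cannot fix: a `--prefer-source` install clones the full repository, so the lock file still arrives that way.

```shell
#!/bin/sh
# Added example (not part of the original issue): demonstrate that
# `composer.lock export-ignore` in .gitattributes keeps composer.lock out of
# the archive used as a release dist, while the file stays in the repo.
set -eu

# Create a throwaway git repo with constructed sample files; prints its path.
make_repo() {
  dir=$(mktemp -d)
  git init -q "$dir"
  git -C "$dir" config user.email "example@example.invalid"
  git -C "$dir" config user.name "example"
  printf '{"name":"example/pkg","require":{}}\n' > "$dir/composer.json"
  printf '{"packages":[]}\n' > "$dir/composer.lock"   # constructed stand-in lock file
  git -C "$dir" add .
  git -C "$dir" commit -q -m "constructed sample package"
  echo "$dir"
}

# $1 = repo path, $2 = .gitattributes content ("" for none).
# Commits the attributes file, then prints "yes" if composer.lock appears in
# `git archive HEAD` (what a release dist contains), "no" otherwise.
archive_has_lock() {
  repo=$1
  printf '%s\n' "$2" > "$repo/.gitattributes"
  git -C "$repo" add .gitattributes
  git -C "$repo" commit -q -m "set export attributes" --allow-empty
  if git -C "$repo" archive --format=tar HEAD | tar -t | grep -qx 'composer.lock'; then
    echo yes
  else
    echo no
  fi
}

REPO=$(make_repo)
LOCK_BEFORE=$(archive_has_lock "$REPO" "")
LOCK_AFTER=$(archive_has_lock "$REPO" "composer.lock export-ignore")

echo "composer.lock in dist archive without export-ignore: $LOCK_BEFORE"
echo "composer.lock in dist archive with export-ignore:    $LOCK_AFTER"
# composer.lock is still tracked in the repo itself, so CI keeps using it:
git -C "$REPO" ls-files composer.lock
```

Run it from any directory; it needs only `git`, `tar` and `mktemp`. The same `.gitattributes` line is the usual place to also exclude tests and CI config from the dist archive, which is why it is preferable to a release-time delete step that can be forgotten.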