Excellent post! I’m thinking of using the same technique for some projects where I can’t control the deployment process and the service just pulls from the source repository.

In many cases, running the composer install, update, or require commands with the --prefer-dist option will download the package’s source from the preferred distribution package (usually a zip file, if it’s a standard package hosted on GitHub). This distribution package does not include the .git folder. This method works well for stable packages with tagged releases.

The opposite of this option is --prefer-source, which downloads the package source straight from the repository.

There are obviously caveats to using both of these options for packages that do not follow the standard patterns, so the best bet is to go with your recommendation of adding vendor/.git.
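
An added example, not part of the comment above or of the original post: a deployment check that lists packages under vendor/ still carrying a .git entry, which is what a source install leaves behind. The function name and the vendor/<vendor>/<package> layout are assumptions.

```shell
#!/bin/sh
# Added example: report Composer packages that still contain VCS metadata.
# Assumption: packages live at <vendor_dir>/<vendor>/<package>.

# find_source_installs VENDOR_DIR
# Prints one "vendor/package" line per package that contains a .git entry.
# Returns 0 if none are found, 1 if any are found, 2 if VENDOR_DIR is missing.
find_source_installs() {
    vendor_dir=$1
    if [ ! -d "$vendor_dir" ]; then
        echo "no such directory: $vendor_dir" >&2
        return 2
    fi
    found=0
    for pkg in "$vendor_dir"/*/*/; do
        # When the glob matches nothing it stays literal; skip that case.
        [ -d "$pkg" ] || continue
        # .git is a directory in a clone and a plain file in a
        # submodule or linked worktree, so test for existence only.
        if [ -e "${pkg}.git" ]; then
            rel=${pkg#"$vendor_dir"/}
            echo "${rel%/}"
            found=1
        fi
    done
    return "$found"
}

# Usage in a deploy or CI step (fails the step when anything is listed):
#   find_source_installs vendor || exit 1
```
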