[jarofgreen]

I do this.

I know what you are meant to do is check in your composer.json and composer.lock then do a composer install on the server.

But then you have a external dependency on your install process on live servers, which is a terrible idea. To got around this, I've seen companies say "we have our own package mirror". Or you could just check in the vendor folder?

Another reason I do it: My software package is used by people who aren't PHP programmers and I want them to be able to just grab the files and go with no fuss.

I do appreciate having the vendor folder in git takes space and is a pain ... but I think the trade off is worth it.