... as including these may (probably will) lead to security issues such as arbitrary code execution.
Remove unneeded folders/files from vendor folder in release package
The build.xml file should take care of deleting any unnecessary files before generating packages.
The composer.json should have a note pointing to build.xml.
The release todo list should contain a point for double checking this.