Remove composer.lock from library

[haeber]

Hi, we are using actively AWS Security Inspector that looks into the vendors for usages of unsecure vendors. For month it's complaining about a CVE-2024-51736 - symfony/process Package Vulnerability because of an old locked version of symfony/process v4.3.4 in your composer.lock.

My idea would be to remove the composer.lock completely from this library and only rely on composer.json. This is a common pattern across most composer libraries and would of course calm down such false security alarms.

Thanks in advance & Kind Rergards
Thomas

[widmogrod]

Hi @haeber your proposal sounds acceptable. Please create PR and assign it to me for review.

[haeber]

Hi, I added a PR, feel free to review it. I've seen there is some composer.lock cache thingy in CI config. I am not sure how this may behave now.

[widmogrod]

Thank you for your contribution.