Please change that, as somebody is going to try that out and will delete the whole vendor folder ...

What is so bad about removing the vendor/ folder? This is done during a regular Magento deployment anyway over and over again, and when setting up a development environment. And it should not contain any manual modifications, because all information is retained in composer.json anyway. Why is this a problem?

I don't see any problems removing the vendor/ directory as well, although I can imagine removing the composer.lock file could mean that the settings of secured modules on a specific version in that file would be lost, don't you think?

True, removing the composer.lock file is always a major change to your composer environment, just like composer upgrade is. But the entire purpose of the replace packages is turn the strategy of all packages inside out. So it is kind of the same thing as running composer upgrade anyway. Unfortunately, this is the nature of the beast (aard van het beestje :)).

I'm closing this issue, because it is not addressing a real issue. It seems rather to be opened because of a distaste of mentioning something that is considered in general a bad practice with composer. True. But replacements in composer are not a general practice, therefore different procedures apply.