Problem/Motivation
In Drupal\Core\Composer\Composer::vendorTestCodeCleanup() we attempt to remove test directories from the vendor directory as a security mitigation.
The test directory for twig/twig is listed as "test", which is accurate up through 1.42.2: https://github.com/twigphp/Twig/tree/v1.42.2
But then in 1.42.3 it's changed to "tests": https://github.com/twigphp/Twig/tree/v1.42.3
This leaves behind the tests for twig/twig after an update.
This same issue is present in 8.8.x's vendor hardening plugin: https://git.drupalcode.org/project/drupal/blob/8.8.x/composer/Plugin/Ven...
Proposed resolution
Add "tests" to the list of directories to remove, so that we attempt to remove both "test" and "tests".
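To check an existing site for the leftover directory described above, the following is an added example and not Drupal's own code. The function names and the vendor path passed in are assumptions; the directory names "test" and "tests" and the package twig/twig come from this issue.

```shell
#!/bin/sh
# Added example: audit and clean test directories for one Composer package.
# Not Drupal's implementation; function names here are hypothetical.

# Print each directory from the name list ($3) that exists under
# <vendor dir>/<package> ($1/$2). Prints nothing when none are present.
leftover_test_dirs() {
    vendor_dir=$1
    package=$2
    names=$3
    for name in $names; do
        dir="$vendor_dir/$package/$name"
        if [ -d "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Remove every directory that leftover_test_dirs reports.
# A name that does not exist on disk is skipped, not treated as an error.
remove_test_dirs() {
    leftover_test_dirs "$1" "$2" "$3" | while IFS= read -r dir; do
        rm -rf -- "$dir"
    done
}

# Constructed sample: a fake vendor tree laid out like twig/twig >= 1.42.3,
# cleaned first with the old list ("test") and then with the proposed list.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vendor/twig/twig/tests" "$tmp/vendor/twig/twig/src"
    remove_test_dirs "$tmp/vendor" twig/twig "test"
    echo "old list leaves: $(leftover_test_dirs "$tmp/vendor" twig/twig "test tests")"
    remove_test_dirs "$tmp/vendor" twig/twig "test tests"
    echo "new list leaves: $(leftover_test_dirs "$tmp/vendor" twig/twig "test tests")"
    rm -rf "$tmp"
}
```

Running `leftover_test_dirs vendor twig/twig "test tests"` from a project root lists anything the cleanup missed; empty output means both directories are gone.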