Problem/Motivation
Currently the VendorHardeningPlugin is only able to process packages installed in the vendor directory. That very strongly limits its usage. It would be nice if it could harden Composer packages in any directory. For instance, Drupal core ships with the 4 MB demo_umami installation profile. Given it's a demo profile, why should any Drupal site have it on production?
Proposed resolution
Process all packages regardless of their location.
// Ask Composer where the package is actually installed instead of assuming the vendor directory.
$composer = $event->getComposer();
$installation_manager = $composer->getInstallationManager();
$package_path = $installation_manager->getInstallPath($package);
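
One way the proposed lookup could sit inside a package event handler, as an added example that is not the VendorHardeningPlugin's own code. The class name `AnyLocationCleaner` and the `$cleanup` map are hypothetical, and PHP 8 with Composer 2 is assumed.

```php
<?php
use Composer\DependencyResolver\Operation\InstallOperation;
use Composer\DependencyResolver\Operation\UpdateOperation;
use Composer\Installer\PackageEvent;
use Composer\Util\Filesystem;

// Hypothetical class for illustration; not part of Drupal or Composer.
final class AnyLocationCleaner
{
    /**
     * @param array<string, string[]> $cleanup Hypothetical map of package name to
     *   directories relative to the package root, for example
     *   ['drupal/core' => ['profiles/demo_umami']] (constructed sample).
     */
    public function __construct(private array $cleanup) {}

    /** Handler for the post-package-install and post-package-update events. */
    public function onPackageChange(PackageEvent $event): void
    {
        $operation = $event->getOperation();
        if ($operation instanceof InstallOperation) {
            $package = $operation->getPackage();
        } elseif ($operation instanceof UpdateOperation) {
            $package = $operation->getTargetPackage();
        } else {
            return; // Uninstalls leave nothing to clean.
        }
        $dirs = $this->cleanup[$package->getName()] ?? [];
        // Resolve the real location, which may be outside the vendor directory.
        $path = $event->getComposer()->getInstallationManager()->getInstallPath($package);
        // Packages without files on disk (metapackages) have no usable path.
        if ($dirs === [] || $path === null || !is_dir($path)) {
            return;
        }
        $root = realpath($path);
        $fs = new Filesystem();
        foreach ($dirs as $dir) {
            $target = realpath($root . DIRECTORY_SEPARATOR . $dir);
            // Skip missing entries and anything that resolves outside the
            // package root (for example a '../' entry or a symlink).
            if ($target === false || !str_starts_with($target, $root . DIRECTORY_SEPARATOR)) {
                continue;
            }
            $fs->removeDirectory($target);
            $event->getIO()->write("Removed $dir from " . $package->getName());
        }
    }
}
```

The containment check matters more once packages outside vendor are processed, because a misconfigured entry could otherwise delete directories that belong to the site itself.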