In the current tarball download of LTS version 1.27 the composer.json lists library "ruflin/elastica" as a requirement. Therefore it is part of the vendor/ directory. I believe this is not needed, as the "ruflin/elastica" library is not required by MediaWiki core, but only by "Extension:CirrusSearch" (which again is not part of the tarball release). There might be other unnecessary requirements.
Currently the tarball bundles the mediawiki/vendor git repository, which is a collection of all the libraries that MediaWiki core requires plus anything required for usage on the Wikimedia cluster.
Originally the process of building the tarballs would run composer at release time to just pull in the minimum MW dependencies, however that was non-ideal because there wasn't really a review process to see which code composer just pulled in, it required network access (making security releases more difficult), and it was non-deterministic.
So we switched to using mediawiki/vendor, which pulled in a few extra dependencies, but overall made the process safer.
Short of maintaining a separate repo for just the core dependencies (mostly seems like a hassle), I don't know of any other solutions. Note that we're also shipping the pear mail stuff in mediawiki/vendor to make it easier for people to configure their mail stuff (even though it's not a core dependency as it's optional).
@Legoktm Thanks for the explanation. I understand now why there is the mediawiki/vendor repo. The problem with this approach is that in some cases (outdated versions of) core libraries take precedence over libraries that are shipping with extensions. E.g. I am using "ruflin/elastica" in version 5.x in my extension. Now when a user installs it on a tarball MediaWiki it will break, because the 2.3 version of MW core is being loaded.
I believe it would be better to have only actual dependencies in the tarball. Maintaining a separate repo for core dependencies as you suggest sounds like a good idea.
In this case I don't think using the tarball is appropriate then. Since the user needs to run composer anyways to get the 5.x version of elastica, they should use composer to fetch all of MediaWiki core's dependencies too.