Protect a plugin or theme with composer installed packages from direct access

I am new to WP development and recently had to write child themes and plugins to provide extended functionality for existing plugins.

For those tasks I installed composer dependencies in both, themes and plugins. I am not sure if this is best practice, but I needed access to certain libraries in a short amount of time.

Now I am not sure how to protect those folders from direct access best. We should protect the vendor files from direct access, right? Is it enough to have a .htaccess in the vendor folder?

Like this:

/vendor/.htaccess

Order allow,deny
Deny from all