Description
TL;DR: When installing `symfony/rate-limiter` only for login throttling, the recipe https://github.com/symfony/recipes/tree/main/symfony/lock installs stuff that's not needed.
Suggestion: Drop the recipe and instead inform people on https://symfony.com/doc/5.4/rate_limiter.html about this config file (`lock.yaml`).
Full story:
While following https://symfony.com/doc/5.4/security.html#limiting-login-attempts, I needed to do `composer require symfony/rate-limiter`. This (silently) created the file `config/packages/lock.yaml` and added `LOCK_DSN` to my `.env`. Both are not needed, since https://symfony.com/doc/5.4/rate_limiter.html#using-locks-to-prevent-race-conditions says:
The login throttling doesn't use any lock since Symfony 5.3 to avoid extra load.
So I'm suggesting to delete the recipe, and on https://symfony.com/doc/5.4/rate_limiter.html or https://symfony.com/doc/5.4/lock.html explain how to configure the lock.
Alternatively, you could maybe remove `symfony/lock` from `symfony/rate-limiter`'s `composer.json` (https://github.com/symfony/rate-limiter/blob/6.1/composer.json#L20) and tell the user in the resulting exception message to install it - just like security recommends to install `symfony/rate-limiter` (see above) only when `login_throttling` is enabled.
Example
No response