IIRC, one of the reasons we switched away from `cargoHash` was that the output of `cargo vendor` was not guaranteed to remain stable (see e.g. Recompute all cargoSha256/cargoHash · Issue #121994 · NixOS/nixpkgs · GitHub, `cargoHash` might be different on linux and darwin systems · Issue #308089 · NixOS/nixpkgs · GitHub). We would probably need to work with upstream to add more checks to ensure this cannot happen again.
As another example, the Composer vendor directory was not reproducible in the past until @drupol fixed it. Not sure how much Composer upstream cares about this use case and how well it is tested to prevent regressions, but so far the `vendorHash` introduced in `mkComposerRepository` appears to have been stable.
Also relevant is the now closed RFC109: Nixpkgs Generated Code Policy