Adding the composer.lock to the repository is a best practice: https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file (cherry picked from commit 0468fb6d8c)
0468fb6d8c