Adding composer.lock to the repository

[mlocati]

What about adding to the repository the composer.lock file? That way we are sure about the dependencies being used.

[KorvinSzanto]

I'm on the fence with this. I think we would do better making sure we support the entire range of composer dependencies we allow because we still have the composer global installation style which could have any version allowed by our composer.json file.

I think a good strategy could be to phase out the composer global based install first and part of that I think needs to be some actions that test the phar directly.