We keep composer.lock in git and our when you start working you run a git pull, composer install and php artisan migrate.
If you need to add a package, add it to composer.json and run a composer update and then commit the new composer.lock and composer.json.
If you get a git conflict on composer.lock, ignore local changes and fetch the latest from git. Then run a composer update and commit in your new lockfile to make sure it includes everything.
On staging and production we always run composer install based on the latest lockfile in git.
Just wanted to add that the reason you should do so is that if you don't include the composer.lock file in your repo you will need to update packages with composer update which consumes much more time than composer install at every run and same versions of packages across all installs are not guaranteed.
Sign in to participate in this thread!
We'd like to thank these amazing companies for supporting us