Wouldn't it be better to commit composer.lock to the repository, so that the exact versions of modules are pinned there? Then only the generic dependency (for example: "drupal/field_group": "8.*") can be put in composer.json, and all vendor code can be updated with composer update.