I could use some feedback related to
https://gerrit.wikimedia.org/r/#/c/215815/1 ("Use composer install, not
composer update").
Composer strongly recommends committing both composer.json and
composer.lock to the repository
(
https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file).
This means the user can install the exact dependencies tested by the
last developer who updated composer.lock (the goal is that you will only
commit composer.lock if the dependency set works).
Can you comment at
https://gerrit.wikimedia.org/r/#/c/215815/1 on why
Wikibase does not commit it?
Thanks,
Matt Flaschen