Example of why composer.lock should be version controlled and workflow of how it can be used.
The reason we put ranges in composer.json is so that we can check for updates in our development environment and test our source code works with it BEFORE it goes into production.
The reason we have specific versions of vendors in composer.lock is so that we can version it and install the application into production environments with the versions we have tested while in development. Because of this we never run composer update on a production environment.
Creating an Application