How about the following idea?:
- We keep a separate repository for project dependencies only,
but that repository contains only composer.json and composer.lock.
- We maintain that repository on each environment, like dev, staging and production.
- In the project repository, we have a vendor directory which has a soft link to
the dependency repository's vendor directory.
- On dev, we do composer update on the dependency repository,
test everything and, if it works fine, commit composer.json and composer.lock.
- On staging and production, we only do composer install,
but only when we did composer update on dev last time;
otherwise we don't do anything with the dependency repository on each environment.
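One way to script the staging/production side of this workflow, as an added example that is not part of the original post or of Composer itself. It assumes a layout where a dependency checkout (`deps`) holds composer.json and composer.lock and a project checkout whose `vendor` entry should be a symlink into `deps/vendor`; `composer install` is only run when the sha256 of composer.lock differs from the one recorded at the last install, so a deploy where nobody ran `composer update` on dev is a no-op. The `COMPOSER_CMD` variable and the `.installed-lock-hash` marker file are assumptions of this example, not Composer conventions.

```shell
#!/bin/sh
# Added example, not from the original post: keep a project's vendor tree
# in sync with a separate dependency repo that holds only
# composer.json + composer.lock, installing only when the lock changed.
# Assumed: COMPOSER_CMD runs inside the deps checkout (default below);
#          .installed-lock-hash is this script's own marker file.
set -eu

lock_hash() {
    # Print the sha256 of composer.lock in "$1", or nothing if it is missing.
    [ -f "$1/composer.lock" ] || { echo ""; return 0; }
    sha256sum "$1/composer.lock" | cut -d' ' -f1
}

lock_changed() {
    # True (exit 0) when composer.lock differs from the last installed one.
    deps="$1"
    current=$(lock_hash "$deps")
    previous=""
    [ -f "$deps/.installed-lock-hash" ] && previous=$(cat "$deps/.installed-lock-hash")
    [ -n "$current" ] && [ "$current" != "$previous" ]
}

sync_vendor() {
    # Run composer install in the deps checkout only if the lock changed.
    # Prints "installed" or "unchanged" so callers can assert on the outcome.
    deps="$1"
    COMPOSER_CMD="${COMPOSER_CMD:-composer install --no-dev --prefer-dist --no-interaction}"
    if lock_changed "$deps"; then
        (cd "$deps" && $COMPOSER_CMD)
        lock_hash "$deps" > "$deps/.installed-lock-hash"
        echo "installed"
    else
        echo "unchanged"
    fi
}

link_vendor() {
    # Make project/vendor a symlink to deps/vendor; never clobber a real
    # directory, and leave an already-correct link alone.
    project="$1"
    deps="$2"
    target="$deps/vendor"
    link="$project/vendor"
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$target" ] && return 0
        rm "$link"
    elif [ -e "$link" ]; then
        echo "refusing to replace real directory $link" >&2
        return 1
    fi
    ln -s "$target" "$link"
}
```

Usage on a deploy host would be `sync_vendor /srv/deps && link_vendor /srv/app /srv/deps`, with the marker file recording the lock hash so the next deploy skips install unless dev committed a new composer.lock.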