How about the following idea?
– We keep a separate repository for project dependencies only,
but that repository contains only composer.json and composer.lock.
– We maintain that repository on each environment, like dev, staging and production.
– In the project repository, we have a vendor directory which is a soft link to
the vendor directory of the dependency repository.
– On dev, we do composer update in the dependency repository,
test everything, and if it works fine we commit composer.json and composer.lock.
– On staging and production, we only do composer install,
and only when we did composer update on dev last time;
otherwise we don't do anything with the dependency repository on each environment.
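The deploy step of the proposal above, written out as an added example (not code from the comment's author): the host links the project's vendor directory to the dependency repository's vendor directory, then runs composer install only when the committed composer.lock differs from the lock that was last installed on that host. The state file name, the `COMPOSER` override and the directory layout are assumptions of this example; the composer.lock contents in the test are constructed.

```shell
#!/bin/sh
# Added example: gate `composer install` on staging/production so it runs only
# when the committed composer.lock has changed since the last install on this host.
# Assumed layout: DEP_DIR holds composer.json/composer.lock (and vendor/),
# PROJECT_DIR/vendor is a symlink into DEP_DIR/vendor.
set -eu

# Hypothetical per-host record of the last installed lock file digest.
STATE_FILE="${STATE_FILE:-.last-installed.lock.cksum}"
# Composer command; tests or dry runs can override it (e.g. COMPOSER=:).
COMPOSER="${COMPOSER:-composer}"

lock_digest() {
  # Print a checksum of the given composer.lock, or nothing if it is absent.
  # cksum is POSIX; this is change detection, not an integrity guarantee.
  [ -f "$1" ] || { echo ""; return 0; }
  cksum "$1" | cut -d' ' -f1
}

needs_install() {
  # $1 = dependency repo dir. Succeeds (0) when composer install should run.
  cur=$(lock_digest "$1/composer.lock")
  [ -n "$cur" ] || return 1            # no committed lock: nothing to install from
  prev=""
  [ -f "$1/$STATE_FILE" ] && prev=$(cat "$1/$STATE_FILE")
  [ "$cur" != "$prev" ]
}

record_install() {
  # Remember which composer.lock is now installed on this host.
  lock_digest "$1/composer.lock" > "$1/$STATE_FILE"
}

link_vendor() {
  # $1 = project dir, $2 = dependency repo dir.
  # Replace the project's vendor entry with a symlink to the dependency repo's vendor.
  mkdir -p "$1" "$2/vendor"
  rm -rf "$1/vendor"
  ln -s "$2/vendor" "$1/vendor"
}

deploy() {
  # $1 = project dir, $2 = dependency repo dir. Prints "installed" or "skipped".
  link_vendor "$1" "$2"
  if needs_install "$2"; then
    (cd "$2" && $COMPOSER install --no-dev)
    record_install "$2"
    echo "installed"
  else
    echo "skipped"
  fi
}

# Stand-alone usage: ./deploy.sh /path/to/project /path/to/dependency-repo
if [ "$#" -eq 2 ]; then
  deploy "$1" "$2"
fi
```

Before the commit on dev, `composer validate` reports whether composer.lock is out of date with composer.json, which is the check that makes the "only when we did composer update last time" rule safe to rely on.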