Just a few corrections here because while the information here was correct it is a bit outdated.

For option 3, we added a --lock flag so you can do composer update --lock which is completely equivalent but more official and self-documenting. The 'nothing' bit was just a hack :)

Regarding the hash in composer.lock, if you use a somewhat modern composer (mid 2015?) then you have two hashes, something like:

"hash": "0ee0bf8ffe9d48c12da02d17953d292c",
"content-hash": "38c3888b59eb9d18e5f471c6fedaa85b",

The first is the good old hash for BC, but the second is actually a smarter hash that only looks at the properties that influence dependency resolution, and ignores all whitespace. So these days when you do get a "lock file out of date" warning, it is usually a fact and it means you forgot to update. So in general I would say option 3 is not so necessary anymore, as if you did a meaningful change you probably *want* to update.
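Added example (not part of the comment above and not Composer's own code): a Python sketch of the content-hash idea, showing that whitespace and description edits leave the hash unchanged while a changed constraint marks the lock as stale. The key list, sample documents and function names are assumptions, and the serialisation does not reproduce Composer's exact encoding, so these digests will not match a real composer.lock.

```python
import hashlib
import json

# Assumed set of composer.json keys that influence dependency resolution.
RELEVANT_KEYS = (
    "name", "version", "require", "require-dev", "conflict", "replace",
    "provide", "minimum-stability", "prefer-stable", "repositories", "extra",
)


def content_hash(composer_json_text):
    """Fingerprint only the resolution-relevant parts of a composer.json."""
    data = json.loads(composer_json_text)
    relevant = {k: data[k] for k in RELEVANT_KEYS if k in data}
    # A pinned platform (for example a fixed PHP version) changes resolution too.
    platform = data.get("config", {}).get("platform")
    if platform is not None:
        relevant["config"] = {"platform": platform}
    # Parsing and re-serialising drops the file's whitespace; sorting the
    # top-level keys makes their order in the file irrelevant.
    canonical = json.dumps(dict(sorted(relevant.items())), separators=(",", ":"))
    # MD5 is used here as a change fingerprint, not as an integrity control.
    return hashlib.md5(canonical.encode("utf-8")).hexdigest()


def lock_is_stale(composer_json_text, composer_lock_text):
    """True when the lock's recorded content-hash no longer matches the manifest."""
    lock = json.loads(composer_lock_text)
    return lock.get("content-hash") != content_hash(composer_json_text)


# Constructed sample documents (not taken from any real project).
BASE = '{"name":"acme/app","description":"demo","require":{"monolog/monolog":"^2.0"}}'
REFORMATTED = """{
    "description": "reworded, different whitespace and key order",
    "name": "acme/app",
    "require": { "monolog/monolog": "^2.0" }
}"""
CHANGED = '{"name":"acme/app","description":"demo","require":{"monolog/monolog":"^3.0"}}'
# A lock written while BASE was current, using this sketch's own hash.
SAMPLE_LOCK = json.dumps({"content-hash": content_hash(BASE), "packages": []})

if __name__ == "__main__":
    for label, doc in (("reformatted", REFORMATTED), ("changed", CHANGED)):
        print(label, "-> stale" if lock_is_stale(doc, SAMPLE_LOCK) else "-> fresh")
```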