Do you miss having the version numbers of your PHP dependencies automatically updated in the composer.json file after a composer update, just like npm or yarn update the version numbers in the package.json file?
Then upgrade to Composer 2.4 and say hi to composer bump.
This version introduces a new command, composer bump, which updates your composer.json file to the precise version that is pinned in the composer.lock file.
It basically syncs the constraints in composer.json with the versions in composer.lock while keeping the caret version constraints, so you can still make minor or patch version upgrades.
This has the effect that the version constraints are hardened: you will no longer be able to install versions lower than the currently installed version.
Without updated constraints in the composer.json file you have no precise version baseline and could install lower versions than actually required.
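To make the behaviour concrete, here is an added example (not part of the original post and not Composer's own code) that re-implements the core of what composer bump does on a pair of constructed composer.json and composer.lock fixtures: every caret constraint is raised to the exact locked version, platform packages (php, ext-*, lib-*) and exact pins are left alone, and the --dev-only / --no-dev-only switches restrict which section is touched. A small caret matcher then shows the hardening effect described above: the original ^2.0 still accepts a downgrade to 2.1.0, while the bumped ^2.8.0 rejects it and still allows 2.9.x. The fixture contents, the package versions and the simplified constraint handling are assumptions made for this example.

```python
import copy
import re
from typing import Dict, Tuple

# Constructed fixture: a composer.json with loose caret constraints (assumption, not from the page).
COMPOSER_JSON = {
    "name": "example/app",
    "require": {
        "php": "^8.1",                 # platform package, never bumped
        "monolog/monolog": "^2.0",
        "guzzlehttp/guzzle": "^7",
        "symfony/yaml": "6.2.7",       # exact pin, left alone
    },
    "require-dev": {
        "phpunit/phpunit": "^9.5",
    },
}

# Constructed fixture: the composer.lock that an install of the above produced (assumption).
COMPOSER_LOCK = {
    "packages": [
        {"name": "monolog/monolog", "version": "2.8.0"},
        {"name": "guzzlehttp/guzzle", "version": "7.5.0"},
        {"name": "symfony/yaml", "version": "v6.2.7"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.28"},
    ],
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.8.0', 'v6.2.7' or '7' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unsupported version string: {version}")
    return tuple(int(part or 0) for part in match.groups())  # type: ignore[return-value]


def locked_versions(lock: dict) -> Dict[str, str]:
    """Map package name -> installed version from both lock sections, without the 'v' prefix."""
    return {
        pkg["name"]: pkg["version"].lstrip("v")
        for section in ("packages", "packages-dev")
        for pkg in lock.get(section, [])
    }


def is_platform_package(name: str) -> bool:
    # Composer treats php, ext-* and lib-* as platform requirements; bump does not touch them.
    return name == "php" or name.startswith("ext-") or name.startswith("lib-")


def bump(manifest: dict, lock: dict, dev_only: bool = False, no_dev_only: bool = False) -> dict:
    """Return a copy of the manifest with caret constraints raised to the locked version.

    Only constraints that start with '^' are rewritten (simplification: real Composer also
    handles other ranges); exact pins, wildcards and platform packages stay as they are.
    """
    locked = locked_versions(lock)
    result = copy.deepcopy(manifest)
    sections = []
    if not dev_only:
        sections.append("require")
    if not no_dev_only:
        sections.append("require-dev")
    for section in sections:
        for name, constraint in list(result.get(section, {}).items()):
            if is_platform_package(name) or name not in locked:
                continue
            if not constraint.startswith("^"):
                continue
            result[section][name] = "^" + locked[name]
    return result


def satisfies_caret(version: str, constraint: str) -> bool:
    """Check a version against a caret constraint using Composer's caret semantics:
    ^X.Y.Z allows >= X.Y.Z and < (X+1).0.0; for ^0.Y.Z the upper bound is 0.(Y+1).0."""
    if not constraint.startswith("^"):
        raise ValueError("only caret constraints are handled in this example")
    low = parse_version(constraint[1:])
    high = (low[0] + 1, 0, 0) if low[0] > 0 else (0, low[1] + 1, 0)
    return low <= parse_version(version) < high


if __name__ == "__main__":
    bumped = bump(COMPOSER_JSON, COMPOSER_LOCK)
    for name, constraint in bumped["require"].items():
        print(f"{name}: {COMPOSER_JSON['require'][name]} -> {constraint}")
    # The hardening effect: a downgrade that the loose constraint allowed is now rejected.
    print("2.1.0 allowed by ^2.0:  ", satisfies_caret("2.1.0", "^2.0"))
    print("2.1.0 allowed by ^2.8.0:", satisfies_caret("2.1.0", "^2.8.0"))
```

Running the script prints the before/after constraints for the require section and then the two matcher checks; the key point is that after the bump a lower version than the one in composer.lock no longer satisfies the constraint, so a lost or stale lock file cannot silently pull in an older release.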
Another benefit is that you can more easily read the currently installed version number of your dependencies.
Otherwise you would need to grep through the composer.lock file, which is much less readable and cumbersome.
Some IDEs like PhpStorm help here though by showing the installed version next to the dependency constraint in the composer.json file in the editor pane (see below).
Before composer bump:
After composer bump:
Note that composer bump is beneficial in projects but should be avoided in libraries, because it could accidentally limit the versions with which the library can be used.
Also it might be a good idea to have an option on composer update to integrate the composer bump functionality.