Exact composer dependencies #1676

@alganet

We already discussed something similar to this in the past in #145 and #373.

Originally, I was on the team "no composer.lock". By that time, we only had dev-dependencies, so there wasn't really anything reproducible to lock except the dev environment.

Now, we depend on php-di, the mbstring polyfill and some PSR interfaces. There are real dependencies we have and those have their transitive dependencies and so on.

So, I'm now arguing for introducing composer.lock. My reasons for this are:

  • Reproducibility: we could fully reproduce how a past version behaves. This is currently not possible without some archeology first.
  • Accurate SBOM: our SBOM export would not display "Exact versions could not be resolved for some packages" anymore.
  • Dependabot workflow: getting PRs with the changelogs for our dependencies is nice. We can know if something changed, what's new and so on.

We could also try an intermediate step first: exact versions of non-dev dependencies on composer.json.
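As an added illustration of the two points above (not code from this project or from @alganet), the script below does two things with a constructed composer.json and composer.lock: it lists the non-dev entries whose constraints are ranges rather than exact pins, which are exactly the packages an SBOM exporter cannot resolve to one version without a lock file, and it performs the "intermediate step" of rewriting those entries to the exact versions a lock file has resolved. The package names, versions and the `vendor/transitive-lib` entry are assumptions chosen for the example; only the composer.json `require`/`require-dev` keys and the composer.lock `packages`/`packages-dev` layout are Composer's real file shapes.

```python
"""Find unpinned Composer dependencies and pin them from a lock file.

Added example; the sample files below are constructed and the package
names and versions are assumptions, not this project's real manifest.
"""
import json
import re

# Constructed composer.json: one exact pin, two ranges, one platform package.
SAMPLE_COMPOSER_JSON = """{
  "require": {
    "php": ">=8.1",
    "php-di/php-di": "^7.0",
    "symfony/polyfill-mbstring": "1.31.0",
    "psr/container": "~2.0"
  },
  "require-dev": {
    "phpunit/phpunit": "^10"
  }
}"""

# Constructed composer.lock: Composer stores resolved packages under
# "packages" and dev-only ones under "packages-dev"; the transitive entry
# is a placeholder name.
SAMPLE_COMPOSER_LOCK = """{
  "packages": [
    {"name": "php-di/php-di", "version": "7.0.6"},
    {"name": "symfony/polyfill-mbstring", "version": "v1.31.0"},
    {"name": "psr/container", "version": "2.0.2"},
    {"name": "vendor/transitive-lib", "version": "3.4.5"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "10.5.20"}
  ]
}"""

# A bare version: optional "v", 2-4 numeric parts, optional pre-release tag,
# and no operator (^, ~, >=), wildcard (*) or range (" - ", "||").
EXACT = re.compile(r"^v?\d+(\.\d+){1,3}(-[0-9A-Za-z.]+)?$")


def is_exact(constraint: str) -> bool:
    """True when the constraint names exactly one version."""
    return bool(EXACT.match(constraint.strip()))


def is_platform(name: str) -> bool:
    """Platform packages (php, ext-*, lib-*) have no vendor/ prefix and
    are satisfied by the runtime, so they never appear in composer.lock."""
    return "/" not in name


def unpinned(composer_json, section: str = "require") -> dict:
    """Return {package: constraint} for the entries of `section` that are
    ranges rather than exact pins. Accepts the file text or a parsed dict.
    Without composer.lock, these are the packages whose exact version an
    SBOM exporter cannot determine."""
    data = json.loads(composer_json) if isinstance(composer_json, str) else composer_json
    return {
        name: constraint
        for name, constraint in data.get(section, {}).items()
        if not is_platform(name) and not is_exact(constraint)
    }


def pin_from_lock(composer_json: str, composer_lock: str) -> dict:
    """Return the parsed composer.json with every non-platform 'require'
    entry replaced by the exact version resolved in composer.lock.
    Transitive packages present only in the lock are left out of
    composer.json, and a direct dependency missing from the lock is an
    error rather than silently kept as a range."""
    data = json.loads(composer_json)
    resolved = {p["name"]: p["version"] for p in json.loads(composer_lock)["packages"]}
    for name in data.get("require", {}):
        if is_platform(name):
            continue
        if name not in resolved:
            raise KeyError(f"{name} is required but absent from composer.lock")
        data["require"][name] = resolved[name]
    return data


if __name__ == "__main__":
    print("unresolvable without a lock file:", unpinned(SAMPLE_COMPOSER_JSON))
    pinned = pin_from_lock(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK)
    print(json.dumps(pinned, indent=2))
```

Running it prints the two range constraints as unresolvable and then a composer.json whose `require` block carries only exact versions; dev dependencies are left untouched, which matches the intermediate step of pinning only non-dev dependencies.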
