to only update the composer lock file

  • try 1
> composer update 
this will update all packages and their dependencies, plus updating the lock file

note:
you can pin you main dependencies with exact versions
ie 2.8 instead of ~2 or ^2 or @dev (eek!)

  • try 2
> composer --lock update  
--lock: only updates the lock file hash
but actually, this will update dependencies too, which are not version pinned

  • try 3
> composer --root-reqs --lock update     
--lock: Only updates the lock file hash
   
--root-reqs: Restricts the update to your first degree dependencies
   

and since your first degree dependencies are version locked, right?
only the lock file gets updated.
task accomplished.

End of document. Thanks for reading.