OK, you have installed a Yii 2 basic or advanced app for the first time and completed the post-install steps. You have also installed a few extensions for the first time. You should already see a composer.lock file in your application root folder.
Here are a few tips on using this file to lock your package versions for future Composer updates.
Suppose you want to lock a specific Bootstrap version for this package: yiisoft/yii2-bootstrap. It is assumed you have already installed the yiisoft/yii2-bootstrap extension for the first time.
STEP 1: Editing composer.lock
You would see an entry similar to this in your composer.lock file in your Yii 2 app root:
Now, to make the extension dependent on a specific Bootstrap version (say 3.0 only), change the following line in your composer.lock file:
STEP 2: Future Composer Updates
You can repeat step 1 to lock dependencies for all your extensions (e.g. kartik-v/yii2-widgets, or any other extension). Check each extension's compatibility with the dependency version you lock, though.
The only thing to ensure is that future updates to packages through Composer are now done this way:
The above command installs/updates/removes everything to match the state of the composer.lock file.
Info: The difference is that you do not use php composer.phar update when you want everything to follow your composer.lock settings.
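A check to run after the edit in step 1 and before the Composer run in step 2 (an added example, not part of the original article): it reads a composer.lock structure and reports any dependency whose recorded version does not satisfy the constraint written in a package's `require` entry. The sample lock excerpt and the function names are constructed for illustration, and only `*`, exact and `X.Y.*` constraints are evaluated.

```python
import json

# Constructed composer.lock excerpt (sample data, not taken from the article).
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "yiisoft/yii2-bootstrap", "version": "2.0.0",
     "require": {"yiisoft/yii2": "*", "twbs/bootstrap": "3.0.*"}},
    {"name": "twbs/bootstrap", "version": "v3.1.1", "require": {}},
    {"name": "yiisoft/yii2", "version": "2.0.0", "require": {}}
  ],
  "packages-dev": []
}
""")


def _norm(version):
    """'v3.0' -> ['3', '0', '0', '0'] so that 3.0 and 3.0.0 compare equal."""
    parts = version.strip().lstrip("v").split(".")
    return parts + ["0"] * (4 - len(parts))


def satisfies(version, constraint):
    """True/False for '*', exact and 'X.Y.*' constraints; None if not evaluated."""
    constraint = constraint.strip()
    if constraint == "*":
        return True
    if any(ch in constraint for ch in "^~<>|, -@"):
        return None  # ranges, aliases and stability flags are out of scope here
    if constraint.endswith(".*"):
        prefix = constraint[:-2].lstrip("v").split(".")
        return _norm(version)[:len(prefix)] == prefix
    return _norm(version) == _norm(constraint)


def pin_mismatches(lock, package):
    """Return (dependency, constraint, locked_version) tuples that disagree."""
    entries = lock.get("packages", []) + (lock.get("packages-dev") or [])
    by_name = {p["name"]: p for p in entries}
    problems = []
    for dep, constraint in by_name[package].get("require", {}).items():
        locked = by_name.get(dep)
        if locked and satisfies(locked["version"], constraint) is False:
            problems.append((dep, constraint, locked["version"]))
    return problems


if __name__ == "__main__":
    for dep, want, got in pin_mismatches(SAMPLE_LOCK, "yiisoft/yii2-bootstrap"):
        print(f"{dep}: entry requires {want}, lock records {got}")
```

To run it against a real project, load the file with `json.load(open("composer.lock"))` and pass the result in place of `SAMPLE_LOCK`.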