Right now our update.sh script, which is used for deployment, runs 'composer update'. This command gets the latest versions of dependencies and updates the composer.lock file. This is not appropriate for deployment because it could potentially change which versions of packages are installed. Instead, we should use install, which will install only what is specified in composer.lock, ensuring we deploy only what we've tested.  https://getcomposer.org/doc/03-cli.md#update  https://getcomposer.org/doc/03-cli.md#install
This has been pushed to dev, stage and prod. Note: In order to see the effect of this change, git pull needs to be run on command line prior to running tools/update.sh (because update.sh itself needs to be updated prior to being run).