validate: suggest composer update --lock

[glensc]

Suggest more safer composer update --lock command when lock file is not up to date.

[glensc]

...or suggest both commands?

[svenluijten]

Similar to #8332. I guess if it wasn't updated there, we'd want to keep it the same here as well?

[glensc]

I find that people who don't know how composer work, want to bump only one dependency, edit composer.json, then found that project uses lock file, notice composer.lock is not updated, end up bumping all dependencies because composer tells them to run composer update, and then they don't really look composer.lock diff, commit whole lock file, and in the review process, it's typically ignored, because GitHub/GitLab by default hides such large diffs and reivewer sees only bumped dep on composer.json.

[Seldaek]

If it's an education problem then I hope my commit helps educating people in the right direction. update --lock is IMO not the solution to this.

[glensc]

Indeed, if the lock file is out of date because someone used to edit package.json directly to bump a dependency, proper would for them to run composer update <package>.