As commented in http://tracker.moodle.org/browse/MDL-36817?focusedCommentId=192879&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-192879 we are ignoring composer.lock, if we include it in Moodle codebase composer installer will use composer.lock versions rather than the versions of composer.json and we will be sure that Moodle works fine with the versions we specified.

Composer docs recommends to include it in the codebase: http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file

With a single phpunit dependency this is not a big problem, but with more dependencies and cross requirements of packages between dependencies the new not-tested minor releases of dependencies can be selected by composer or composer can have trouble to determine the correct version to use.