update.php will check that composer dependencies are at the correct versions (using CheckComposerLockUpToDate).
The Installer apparently doesn't, as we noticed during @Addshore's live hackathon demo.
update.php:
// Check external dependencies are up to date if ( !$this->hasOption( 'skip-external-dependencies' ) ) { $composerLockUpToDate = $this->runChild( CheckComposerLockUpToDate::class ); $composerLockUpToDate->execute(); } else { $this->output( "Skipping checking whether external dependencies are up to date, proceed at your own risk\n" ); }