This is an interesting question I have been asked a few times now, and it appears many developers are confused about what the answer is. Long story short: yes, you should commit your composer.lock file.
The composer.lock file is a build metadata file that specifies the exact versions of the dependencies in your Composer project. This means that if someone else on the team pulls down your code, they will get exactly the versions it specifies.
The official Composer documentation actually says, in bold, to commit the file:
Commit your application’s composer.lock (along with composer.json) into version control.
This does mean that if there are updates when you first pull down the project, you won’t get them. You will need to run “composer update” to get any updates to a dependency.
Please note that you should commit the composer.lock file only for projects. You should NEVER commit this file for a library that someone else is installing.
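To make the pinning concrete, here is an added example (not part of the original post) that reads a composer.json and a composer.lock, lists the exact version and source commit the lock records for each package, and reports requirements that were added to composer.json without the lock being updated. The acme/* packages, their versions and commit references are constructed sample data, and the function names are hypothetical.

```python
import json

# Constructed sample files for illustration (not taken from a real project).
COMPOSER_JSON = """
{
  "require": {"php": ">=8.1", "ext-json": "*", "acme/http-client": "^2.0"},
  "require-dev": {"acme/test-kit": "^1.4", "acme/linter": "^3.0"}
}
"""
COMPOSER_LOCK = """
{
  "packages": [
    {"name": "acme/http-client", "version": "2.9.1",
     "source": {"type": "git", "reference": "0123456789abcdef0123456789abcdef01234567"}}
  ],
  "packages-dev": [
    {"name": "acme/test-kit", "version": "1.4.3",
     "source": {"type": "git", "reference": "89abcdef0123456789abcdef0123456789abcdef"}}
  ]
}
"""

def pinned_versions(lock):
    """Map package name -> (exact version, source commit) recorded in the lock."""
    pins = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            ref = (pkg.get("source") or {}).get("reference")
            pins[pkg["name"].lower()] = (pkg["version"], ref)
    return pins

def unpinned_requirements(manifest, lock):
    """Requirements in composer.json that have no entry in composer.lock."""
    pins = pinned_versions(lock)
    missing = []
    for section in ("require", "require-dev"):
        for name in manifest.get(section) or {}:
            # Platform requirements (php, ext-*, lib-*) have no vendor/ prefix
            # and are never listed as packages in the lock file.
            # Assumption: requirements met only via replace/provide are not handled.
            if "/" in name and name.lower() not in pins:
                missing.append(name)
    return sorted(missing)

if __name__ == "__main__":
    manifest, lock = json.loads(COMPOSER_JSON), json.loads(COMPOSER_LOCK)
    for name, (version, ref) in sorted(pinned_versions(lock).items()):
        print(f"{name} pinned to {version} @ {ref}")
    print("not pinned:", unpinned_requirements(manifest, lock))
```

Run against a real project by loading its composer.json and composer.lock in place of the two sample strings; a non-empty result means the committed lock no longer matches the manifest.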