we should not provide one in the package but developers should commit
them when starting a new project so that all share the same versions
and only an explicit composer update command will change that.
Especially important when deploying to production.